Date: Mon, 16 Oct 2017 16:05:25 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response
Message-ID: <20171016230525.GA94181@funkthat.com>
In-Reply-To: <25911.1508192029@segfault.tristatelogic.com>
References: <25911.1508192029@segfault.tristatelogic.com>
Ronald F. Guilmette wrote this message on Mon, Oct 16, 2017 at 15:13 -0700:
> Just like everybody else on this list, I guess, I'm rather less than
> happy about the WPA2 story that has emerged within the past 24 hours.
>
> Due to the announcement that WPA2 is, apparently, badly broken, I'm
> trying now to figure out how to lock down my home network a little
> better... as, I suspect, are many others all over the world... at
> least until the equipment vendors get around to issuing firmware patches.
>
> Up until last night, when I read the WPA2 news, I just blindly trusted
> everything on my local network, with the result being that I've got
> an /etc/exports file, and also its Samba equivalent, that are making
> each of the several top-level directories that hold most of the stuff
> on my central FreeBSD "file server" machine available, without restriction,
> to the local subnet as follows:
>
> #/etc/exports
> /home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /one -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /two -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /three -alldirs -network 192.168.1.0 -mask 255.255.255.0
>
> (There's basically equivalent stuff also in my Samba config files.)
>
> In light of the recent WPA2 disclosures, it has occurred to me that
> as of today it may be a Bad Idea for me to be exporting all of this
> stuff, read/write, to all of 192.168.1.0/24.

Doesn't matter: if your network is compromised, only strong encryption
and authentication will save you. For this you need NFSv4+kerberos,
SMBv3 (which I have no clue how to ensure things are auth/enc'd) or
WebDAV over https for file sharing. Restricting which hosts doesn't
solve the problem.

Also, w/ your config, you have to make sure your router does ingress
filtering, as many times you can spoof packets between subnets too...

> Of course, none of this is optimal... not like having real working
> WiFi security would be. But in my specific case, if somebody manages
> to get in and fiddle, in arbitrary ways, with the communications between
> my WiFi devices... which mostly consist of just "home theater" type
> stuff in the living room... then it will be no biggie, just as long as
> whoever is doing it will, at worst, just have read-only access to my
> content files.

Best way to assume is that the network is always compromised, and that
it's up to the nodes to protect the data...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
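The reply above makes the point that a -network/-mask restriction in exports(5) buys nothing once the LAN itself is untrusted, and that NFSv4 with Kerberos is the fix on the NFS side. As an added example (not part of the original thread, and not the poster's real configuration), the POSIX shell script below audits an exports file and prints every export that still permits the AUTH_SYS flavour, i.e. every line that relies on host restriction alone. The sample exports file embedded in it is constructed for this example: it takes the poster's four lines and hardens some of them with -sec= so the check has both weak and strong lines to classify.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a FreeBSD exports(5)
# file for NFS exports that rely only on -network/-mask host restriction
# and still permit the AUTH_SYS security flavour, which any host on a
# compromised LAN can spoof.

# Constructed sample exports file: the poster's four host-restricted lines,
# some hardened to Kerberos flavours (krb5i = integrity, krb5p = integrity
# plus privacy). Not a real configuration.
SAMPLE_EXPORTS='#/etc/exports
V4: / -sec=krb5p
/home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
/one -alldirs -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
/two -alldirs -sec=krb5i -network 192.168.1.0 -mask 255.255.255.0
/three -alldirs -sec=sys -network 192.168.1.0 -mask 255.255.255.0
/four -alldirs -sec=krb5p:sys -network 192.168.1.0 -mask 255.255.255.0'

# export_is_weak LINE: succeed (exit 0) when the export line allows any
# security flavour other than krb5i or krb5p. No -sec option at all means
# AUTH_SYS; plain krb5 authenticates the RPC but leaves the data
# unprotected on the wire, so both count as weak. A colon-separated
# list such as krb5p:sys is weak because a client may still pick sys.
export_is_weak() {
    sec=$(printf '%s\n' "$1" | sed -n 's/.*-sec=\([^[:space:]]*\).*/\1/p')
    [ -z "$sec" ] && return 0
    old_ifs=$IFS
    IFS=:
    for flavour in $sec; do
        case "$flavour" in
            krb5i|krb5p) ;;
            *) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# weak_exports FILE: print every weak export line; comments, blank lines
# and the "V4:" root line are skipped.
weak_exports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -v '^V4:' |
    while IFS= read -r line; do
        if export_is_weak "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# weak_export_count FILE: number of weak export lines (0 means clean).
weak_export_count() {
    weak_exports "$1" | wc -l | tr -d ' '
}

# Run against the file given as $1, or against the constructed sample.
if [ $# -gt 0 ]; then
    weak_exports "$1"
else
    sample_file=$(mktemp)
    printf '%s\n' "$SAMPLE_EXPORTS" > "$sample_file"
    weak_exports "$sample_file"
    rm -f "$sample_file"
fi
```

Run as `sh exports-audit.sh /etc/exports` (the file name is arbitrary); on the constructed sample it reports /home/mini-me, /three and /four. Lines that pass still need the server side to actually offer Kerberos: on FreeBSD that means nfsv4_server_enable, gssd_enable and nfsuserd_enable in rc.conf plus nfs/ host principals in a Kerberos realm. The Samba counterpart of "auth/enc'd", which the reply says it is unsure how to ensure, is `server min protocol = SMB3`, `server signing = mandatory` and `smb encrypt = required` in smb4.conf.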