[conspire] Perimeter vs. host-edge security (wqs: MIMO wireless cards cheap at Fry's)

Rick Moen rick at linuxmafia.com
Mon Dec 12 21:42:44 PST 2005


Quoting Tony Godshall (togo at of.net):

> I always assume Wifi is insecure.  Iptables shields up and all
> transfers via ssh.  Machines don't even ping.  And even a little
> security by obscurity on top of that- sshd on a nonstandard port,
> unique per host (which is also handy when port-forwarding from the
> router- ssh to multiple hosts from single ip with a little simple
> $HOME/.ssh/config magic).

This seems as good a time as any to mention the security policy of 2033
Sharon Road (Deirdre's and my house), which is where CABAL has met for
the last five years:

Basically, we provide unfiltered Internet access, period.  When you
connect machines to our LAN, absent special arrangements you will be on
a Dynamic NAT network segment (wired or wireless), serviced by an Apple
Airport base station that to my knowledge does no filtering other than
(if Deirdre has set up the device correctly) disallowing ICMP broadcast
and IP-address spoofing.  In consequence, guests are largely responsible
for their own security.  Be warned.

Our stance owes partly to personal preference, and partly to
circumstance.  The preference part is that we're accustomed to
unmediated, unfiltered Internet access, we're used to the idea of hosts
not trusting each other or the network, and we basically like things
wide open.  The circumstance part is that the incoming broadband
connection that provisions our /29 IP subnet arrives over an aDSL bridge,
with the result that unfiltered Internet traffic from Raw Bandwidth
Communications (RBC) touches our five outside IP addresses (my server,
Deirdre's, the base station, and up to two others) whether we like that
or not.

It would be theoretically possible to interpose IP-filtering between
inside and outside LANs where they meet at the Airport base station, but
we basically don't really bother.

                    wired                      wired and wireless
                 IP network                        IP network
             198.144.195.184/29                    10.0.1.0/24
 - - - - - - ---------------------------  ------------------------------
 |           |              |          |  |        |            |      |
RBC     linuxmafia.com  deirdre.net   Airport    Cheryl's PC   Rick   guest
router                                (DNAT)                 laptop    PC

Because we don't control RBC's router, and because of the bridged
connection to that firm, our five usable IPs on the "outside" LAN have
never had, within reason, the option of some magic firewall
contraption to collectively protect them, so each host has a "security
perimeter" at the edge of its case:  Each machine looks out for itself.

Now, I'm not trying to be critical of your approach, Tony, but just
wanted to call your attention to a security model that differs
conceptually from yours.  (You probably have a physical layout with an
incoming "single IP" chokepoint that lends itself better to perimeter
security, for one thing.)

We don't bother running sshds or anything else on non-standard ports.
We assume that all services on our hosts will be port-scanned, probed,
and attacked continually.  And we assume that intruders might at some
point compromise various hosts and use them to attack the others.

So, everything's exposed, nothing's hidden, and no host trusts any
other.  Which turns out to work very well, and suit us.  Advantages
include extreme clarity and simplicity about where the risks lie, no
false sense of security about perimeter security, and no bizarre and
mysterious network failures caused by hidden network nannies.  (If
you've never had a difficult time diagnosing a network problem, and
hours later discovered an IP filter that someone forgot to mention,
count yourself lucky.)

We _do_ have a few monitoring and detection tricks deployed that we
don't talk about much, but those are the only exceptions.
