Default Re: sshfs vs nfs
. . . If only used in a LAN without any possibility to access the shares from the “outside world”, nfs will perform better, however nfs is no real option if the shares should be available from outside the LAN.
(Same story for smb, of course, never make shares accessible to the WAN.)
So I’ve got a typical home wifi router. None of the machines inside this LAN are setup with port-forwarding, or as DMZ machines. The router uses WEP. One box is setup as a file-server using samba shares. The firewall on every box is set to only allow inbound contact from the LAN url range. Some Windows boxes are set to treat all incoming as hostile. Others allow the home LAN url range.
If I go to GRC’s Shields up, all ports are invisible.
So, how vulnerable is the Samba share? Can it be accessed via hard link? It can be accessed via wifi, I know, but I live in a rural setting, so real danger of “man-in-the-middle” attacks is more low than low. And, although I don’t know how to do it, I understand it takes considerable expertise to use such a hack.
If you’re using RFC1918 addresses then you’ld need to take special measures on the ROUTER to port-forward for outside connections.
NFS can be used in WAN (especially tcp/ip connection rather than udp/ip), it’s the machine belonging in same Admin domain, and using encrypted virtual lan tunnel, that’s important for security.
Sun did have in 90’s hardware crypto chips used for NFS, but it was not generally available for export.
Basically it’s your wireless that is most likely to be an issue, and the fact that you probably can’t keep your windows box applications patched for all known vulnerabilities, that are the main risks, nor prevent installation of spyware.
I have a neighbor who cracks networks for fun and from what he tells me, the best thing to do is use WPA or WPA2 and do not broadcast your bssid and have 128bit encryption. It is possible to retrieve your bssid if its not broadcasted by monitoring the air and waiting for a handshake to the specific router. But it makes things harder for the cracker.
WEP is very bad, it can be cracked in 15 min with 64bit and 20 min with 128bit encryption
While the gist of this statement is correct, there are some in accuracies. For one, there is no “bit” encryption that can be configured for WPA/WPA2. WEP had 64-bit and 128-bit encryption keys, but as you said, they are easily cracked.
The only difference between WPA and WPA2 are the standards implemented by them: WPA2 implements all mandatory items specified by the 802.11i security standard, while WPA only has a subset, so is “technically” not as secure on paper. Every user should have at least WPA enabled and use AES/CCMP encryption instead of TKIP. Also, if using pre-shared key authentication, the key should be at least 20 characters long, a mix of letters, numbers, and symbols, and not easily guessed. I actually use an authentication key that is 63-characters long and randomly generation, which provides the highest level of security available with pre-shared key authentication.
Broadcasting versus not broadcasting an SSID has no impact on security, and should never be relied on as a security measure. It is merely a privacy mechanism: I don’t want Joe Luser passing by with a laptop to see that I have a wireless network, just as I don’t want him to see what I have in my house unless I invite him in. If Joe Luser happened to be an attacker, however, his attack programs on his laptop would pick up on my wireless network almost as quickly as they would if I did broadcast my SSID. So there is no “extra work” needed to find a hidden wireless network.
Encryption and authentication are the cornerstones of wireless security. Hiding your network only improves privacy.
Edit: Another possible means of securing your network is adding a MAC-filter list to only allow known MAC addresses permission to connect to your wireless. This isn’t bullet-proof security, since MAC addresses can be spoofed, but at the very least it adds another level of (basic) security on top of the other methods already mentioned.
Thanks all! Some good answers, and a couple I learned from. Basically reinforces my faith in the steps I have in place.
Can’t yet do WPA, as I’ve still got a Win2K box on the network, and it doesn’t do WPA. In the process of fixing that, but for now - and, as I said, we are in a rural setting, so not many people drive by! SSID broadcast is blocked.
I’ve considered doing the mac address thing too. I’ll keep considering for now!
Yep, had all the latest updates. I hope it isn’t something hardware specific (which seems even weirder), but I was pretty sure that you can’t do WPA on W2K by itself. I think you could do it with add-on software tho.
But, it’s a moot point - the box has XP on it now, which for the most part works better, except it is locking up for some unknown reason. (It never ends.)
The router security starts with changing your admin password on your router. To do this, you need to login to your router. This is done by entering the IP address for your router into the address bar on your browser. Routers come with a factory default User ID and password to safeguard a router’s configuration panel.
Feeding back a little into the knowledge pool, on WPA for Win2K
from MS:
For wireless clients running Windows 2000 (or clients running Windows XP SP1 and using a wireless network adapter that does not support the Wireless Zero Configuration service), you must obtain and install a new WPA-compliant configuration tool from your wireless network adapter vendor.
So, it is a maybe. If your hardware supports it, you MIGHT be able to get a tool from your vendor to make it work.
First of all, as has been said above, with the possible exception of WEP, your system is about as tight as it gets. Your system is essentially exactly like mine and others above.
To put your mind further at ease, there are two considerations. First, while it might be POSSIBLE to crack your system, it would cost an immense amount of time and money. ±$10,000 to start. This would only happen if you have something several times that valuable on your system. Otherwise the thief would go out and just get a job.
Second, even if #1 is true and you do have something that valuable, if nobody knows its there, nobody will come after it. Thieves do not work on spec. No one will blindly put up $10K on the off chance that you have something worth $100K in your system. The best way to keep a secret is to tell no one.
And a third thing I just thought of, if you do have something valuable or incriminating on your disks, are they encrypted? Encryption of the OS disk is problematic still. That means temp files are a bit of a problem, though IMHO a small one generally. You can encrypt your swap file with linux though you have to enter a password to boot up. You don’t have to, but if you setup an auto boot password, what good is the encryption. Just use a stand alone system like TrueCrypt or any util which ablolutely requires a pass phrase, with a non automatic pass phrase so that even if someone cracks your system, when they come to pick up your system, if the system can be shut off before they get access (even a strong screen saver/wakeup password is sufficient here) they will never be able to re open the encrypted volumes.
What I want to know is, who knows something about port forwarding. I’m ****ed if I can get it to work. I need to go back up through a router to access machines on the other side. All my machines on the subnet side can see each other. Those machines can see the one machine on the internet side of router’B’. The one machine on the internet side of router"B" cannot see the machines in the subnet. I’ve tried every which way I can think of to set the virtual server settings of my routers (A & B) but nothing seems to work. Do I need to set anything in Yast Network Settings? I notice there is an ‘allow port forwarding’ setting.
Well, yes. I meant to ask where your claim of a required cost of $10,000 to crack the security on his system is coming from.There is an abundance of evidence suggesting that all is really required to crack WEP encrypted wireless networks is a personal computer, some open source security software, and a very small amount of time.
PC: ~$250-$4000 and beyond
FOSSware: $0
Time: Depends on whether you include opportunity costs, but even then, not that expensive.
So… I’m missing something here in the calculation because I’m $6000-$9750 short.
I thought so. Again, and I really mean this with respect, you need to take a…Oh, I don’t know, 3rd grade reading course or something. I just pulled the $10K out of the air. But the point of what I wrote was not about the actual cost of theft. The point of what I wrote was simply that the cost of codebreaking, even WEP, I’ll allow you, is quite high compared to the possibility of finding something of serious value on a random PC as you drive down the street. But I’ll give you that. I’ll use your figures. If you’ll allow that the point of what I was saying is as I just said and you’ll allow that you’re wasting time here.
There is an abundance of evidence suggesting that all is really required to crack WEP encrypted wireless networks is a personal computer, some open source security software, and a very small amount of time.
You’re missing the value of the knowledge of network software, hardware, cryptographics and how to tie it all together. Or are you a Charity Thief? Robin Hood perhaps. If you think that the cost of hardware, software, or even time, is the major cost in what we do, you’ll be out of business quick.
PC: ~$250-$4000 and beyond
FOSSware: $0
Time: Depends on whether you include opportunity costs, but even then, not that expensive.
So… I’m missing something here in the calculation because I’m $6000-$9750 short.
So now we start Accounting 101:
PC: $30 (I picked up an old single processor box in the alley. Is that easy enough on you?)
FOSSware: $0
FOSSware development cost: $5 (Now we’ve REALLY insulted this guy, but we’re being easy on you.)
Now comes something you seem to have neglected, but the average thief wouldn’t dream of ignoring:
Education and Job Prep:
2Yrs into a 4Yr degree: $10K Notice, I’m still taking it easy on you.
4Yr degree: $20K
30 Yrs of Self taught PC @ $1/yr: $30+$20K for all the PC’s I’ve run into the ground
Or if you don’t like any of these, ask the guy who started this thread asking about the security of his net. He was asking about this stuff because he didn’t know, but ask him what his collected knowledge of information technology is worth and we’ll go with his estimate.
Forget opportunity costs. Think about the capitalization of start up costs. What it cost to learn how to do this stuff. What would YOU charge someone to break into a random PC net?
Add it up and tell me it’s less than $10K. Tell me that any professional thief doesn’t count the cost of going to jail when he sizes up a score. The only people who actually think that there are people driving up and down our streets with high tek equip breaking into every WEP hot spot they come to are TV reporters trying to dream up a cheap story to scare your mom.
I think some of the accounting here is a bit skewed. You seem to think that nobody has anything on their home machines worth stealing. That seems very questionable claim. And WEP cracking is dirt cheap and easy.
