In message <20171016230525.GA94181 at funkthat.com>,
John-Mark Gurney <jmg at funkthat.com> wrote:
>> In light of the recent WPA2 disclosures, it has occured to me that
>> as of today it may be a Bad Idea for me to be exporting all of this
>> stuff, read/write, to all of 192.168.1.0/24.
>
>Doesn't matter, if your network is compromized, only strong encryption
>and authentication will save you..
Hummm... I *think* that maybe I'm starting to understand now. But maybe
not. I'm at a bit of a disadvantage, because like 99.999% of the
population I'm still not entirely 100% clear on what can and can't
be done with these new WPA2 exploits.
But the thought did just occur to me... based on your comment... that
these WPA2 problems might possibly be leveragable to the point where
an attacker could be talking to my router via WiFi -and- could be
doing so while using an IP address within the range (192.168.1.16/28)
that I had hoped to export some NFS volumes to with read/write access.
Is this, in effect, what you were suggesting? Or have I misunderstood
yet again?
Assuming that I am basically on the Right Track, now, what should I
do? What can be done?
I am not just asking for me, but also on behalf of the few zillion
other poor sods who, like me, know just enough about networking to be
dangerous, and who, like me, have been caught rather flat footed by
these WPA2 issues.
I suspect that I am somewhat typical of a lot of folks. I have a file
server system (mine happens to run FreeBSD) in one room (the office)
and some clients that need at most read-only access to files on the
file server in another room (i.e. the living room) where the connectivity
is down with WiFi. I could use Samba/SMB for this, but in my experience
NFS provides drastically better performance, so I've used that instead
of SMB.
In the living room there's an x86-based HTPC running a crusty old version
of OpenELEC (and it is this box, specifically, that needs the read-only
access to the stuff on my file server) and also there's an Amazon Fire TV
box, which has "secure" (giggle) access to some paid content elsewhere
on
the Internet.
Meanwhile, in the office, in addition to the FreeBSD machine which is
my main workstation -and- file server, I also have a second machine
running Linux/Ubuntu and a third machine running Windoze7. These are
both hardwired into my Linksys E4200... a fact which I had hoped to
leverage to give me some extra protection from these new WPA2 issues,
but now I'm thinking maybe that won't actually fly. (I want these two
machines to have read/write access to almost everything on my main
file server machine.)
Based on your comments, John-Mark, and the earlier and equally worrying
comments by Karl Denninger, I'm beginning to think that perhaps the
only Right Way to solve all of the issues/problems/requirements that
I'm facing is perhaps for me to set up a second local "more
trusted"
network, e.g. 192.168.2.0/24 and for me to add a simple switch and
additional ethernet cards to each of my hardwired machines so that
they can all talk to the new switch. Then I can export my NFS volumes,
read/write, to 192.168.2.0/24, including even home directories and
other exceptionally sensitive stuff, but then also just NFS-export
just my content/media volumes read-only to the (now entirely and
physically separate) 192.168.1.0/24 network.
Is this a Good Plan or a Rotten Plan? As I've already stipulated,
I know just enough about networking to be dangerous, so advice would
be appreciated.
Also, what about the Amazon Fire TV box in the living room? It seems
that it contains some magical crypto secrets that allow me to access
certain paid content, in preference to others who haven't paid for it.
Are all of those secrets now going to be up for grabs to anyone,
staring tomorrow, who is physically close enough to connect to my
WiFi router and who has his his/her possession appropriate WPA2
exploit code? If so, then what should I do... what -can- I even do
about *that*? (Obviously, that is all closed-source proprietary
stuff under the hood in that box, which greatly limits my options,
and those of untold millions of others.)
>Also, w/ your config, you have to make sure your router does ingress
>filtering, as many times you can spoof packets between subnets too...
Two obvious questions: (1) "How?" and (2) "On which port(s),
exactly?
All of them?"
I frankly don't know enough about -either- my Linksys E4200 -or- the
ASUS RT-AC56U that's been sitting on my shelf for awhile now, waiting
to replace the Linksys. And I specifically don't have any notion of
how I either can or should tweek the filtering to comply with your
suggestion, but I am more than wlling to be instructed.
Lastly, with respect to SOHO routers generally... Shall I start up
a betting pool? It will be interesting to see, in the weeks and
months ahead, for each given SOHO WiFi router model, which comes
out first, i.e. either (a) vendor-supplied firmware updates that
deal with all of these WPA2 issues, or else (b) "WPA2-fix" versions
of DD-WRT, OpenWRT, or Tomato for the same model(s).
I'm betting that for a lot of these things, the open source firmwares
with the WPA2 fixes are going to be out sooner that the equivalent
vendor-supplied fixed firmwares. And of course, for a lot of older
"orphaned" routers, fixed-up open source firmwares are likely to
be the -only- choice, forever.
Maybe that's a Good Thing.