
Thursday, May 15, 2014

Changing up the network for security

Well, after taking a CEH course at night, I have decided that I need to figure out a mechanism to protect my network from intruders.  This is more of an exercise for me to apply some of the things that I have learned in the class.  I have a number of different VLANs in the house, some pretty benign and some not so much (like access to TOR, etc.).  Any one of these could lead to compromises in the network, so I would like to re-evaluate what I am doing and make changes as necessary.  I will be taking the CEH cert test in the next couple of weeks and that will free up time for me to become more involved in this process.

One specific thing that I would like to try is separation of connections from known or unknown entities to a special VLAN for that purpose.  I want to separate out all of the internal networks from being compromised.  In addition, I would like to put up an intrusion detection system for the existing networks and go about looking for unusual traffic patterns.  Of course, one of the quirks about my setup is that I have everything going through an ActionTec router which can be almost a sieve without proper configuration.  Updates to the firmware do not appear to be forthcoming and Verizon is insistent on my spending another $100 to get their "improved" ActionTec router just so I can get gigabit Ethernet to my other router connections.

One of the first things that I think I will try is to put all of the connections from the ActionTec router on separate VLANs.  There really is no need for me to have everything on the same subnet and the router does have the ability to have completely separate VLANs from it.

Monday, May 12, 2014

Portable Pi Project - Part #2

Well, work activities, dealing with CEH training and the cert test in two weeks, and other things have prevented me from really stepping up to the plate on the RPi Portable idea.  But to get back to the overall plan on this, I have looked at the power through the system.  The portable looks like the following (not updated from last time):






I have looked at the power lead outs and it looks like a DPDT toggle switch and one 14 position terminal block (I have a 12 position which will have to do) will be able to suit my needs to power everything from either the wall wart or via the battery which is encased with the RPi Portable.  The DPDT will be able to choose the 1.0 amp or 2.1 amp lines from either the wall wart or the battery, and if it has a center off, will be able to act as an on-off switch as well.  What I will need to do is cut up some perfectly good USB cables to make this work.  The cables will end up having a USB plug on one end, and pigtail leads at the other.  I just have to make sure that the data leads are not used in the setup.  So the power circuit should look like the following diagram:





Notice that I have pulled the power out to the board sides for the wall wart. I have also included a power out to the side for charging the battery.  In addition, I have added a board (breadboard) connection so that I can do experiments with this setup as well.  All of the internal connections, except for the DPDT switch, can be done with cut USB cables.  It also only requires a 12 position terminal strip.  The high side (2.1 amp connection) goes to the hub and breadboard.  The low side (1.0 amp connection) goes to the RPi and LCD screen.  All grounds are tied together.  Black lines are ground and red lines are 5 volt power lines.

Saturday, April 26, 2014

Project #8 - Update the Network for Security

After taking some classes in CEH, I have decided that I need to really look at my network and make sure that security is taken care of.

Wednesday, April 23, 2014

Deciding on some alterations to the virtual basis for the network

I just finished taking some online classes for the Certified Ethical Hacker certification.  Now I need to study my butt off in preparation for actually taking the test.

After I succeeded in setting up a pen testing lab to use for the class, it became obvious that I needed to change some things about the layout of my network.  I currently do not have any way of isolating the Mac Mini from the VLAN implementations that are being used in VMware Fusion.  In other words, I am now realizing that I need to isolate the VLANs to the Fusion network and to not allow access via the Mac Mini.  This really doesn't make a lot of sense except that I am trying to protect the Mac Mini from what I do on the other VLANs.  My problem is how to go about doing this.  I should be able via firewall settings to perform the isolation.  The problem is that Apple doesn't like to give up control of things like the firewall (my supposition since they keep changing the firewall mechanism they use without documenting the same).  I currently have a couple of tools which have not been used until now: IceFloor and fwbuilder.  Both of these tools are highly rated and address some of the shortcomings of using the Apple Mac Mini for my intended purpose.

I am currently running Mavericks on the Mac Mini (10.9.2).  Everything, including the Mavericks Server is up to date.  

Monday, February 10, 2014

Thinking to get back into the LED Cube Project

Now that I have more time to myself, I was thinking of getting back into the LED Cube Project.  I was also thinking of adding a reflective LED projector to the experiment in order to have something that I can use later during the Halloween and Christmas seasons.  The controls are about the same except that the LED projector would have moving mirrors to reflect an LED strip onto a wall (for instance).  The reflection could also be done to a conical-shaped mirror for use on the lawn.

I have also purchased an additional breadboard to get some of the previous ideas prototyped up and working.  Remember, at last juncture I was unable to get enough control lines due to the chip that I was using running out of address space.

Maneuvered some connections around to make way for a special VLAN

Over the weekend I made some changes to my network in preparation for venturing out as an Anonymous user.  My real reason for doing this is to see if I can somehow escape Google's tracking.  This is an interesting twist since I am using Blogger to blog on and that in turn is owned by Google.

I have been reading up on the DarkNet and what that really means.  Since I am getting more involved with security I thought it might be a good thing to explore various anonymization networks, e.g. TOR, to see how they function and what to expect when I am out there.  This obviously involves assuming a pseudo id to mask who I really am - new territory, haven't ventured there before.

I was able to set up a VLAN on the ActionTec router from http://support.actiontec.com/doc_files/Creating_an_Ethernet_VLAN.pdf on the ActionTec site.  The instructions are a little old but after a bit of trying out different things, I was able to have a VLAN (tagged) on a specific port with a DHCP server and a localized subnet.  I then proceeded to change the wiring around a little, moving my Mac Mini Ethernet connections from the tail-end switch to the one just before it.  I set up the first switch to have a tagged input port, then connected an Ethernet cable from the ActionTec to it.  Next I set up the switch to send the new VLAN down a trunk line to the second switch and from there to the third and last switch.  In the process of doing this I consolidated a number of Ethernet connections to one switch, which actually sped up my access to the outside.  I was also able to reduce the usage of the last switch in the stream to make it more experimenter-like, including adding the new VLAN.

I now have a line from the ActionTec router that has only one port (I will be putting a laptop on this port) isolated from my network that I will be able to use for Anonymity.

Wednesday, January 29, 2014

I've been out of the loop over the holidays

Sorry for not posting since the end of November.  I have been busy with home life and work and have not had a chance to get back to this blog.  New posts to come shortly.