<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
On 05/03/2010 06:46 AM, Scott Ehrlich wrote:
<blockquote
cite="mid:z2rb39d9f831005030346zad8cf6e4x6137c72c24a1e3f4@mail.gmail.com"
type="cite">
<pre wrap="">A question for the comm techies out there -
You have a wired network via a major provider - comcast, verizon, rcn,
etc, at your home.
</pre>
</blockquote>
I have Charter Cable.<br>
<blockquote
cite="mid:z2rb39d9f831005030346zad8cf6e4x6137c72c24a1e3f4@mail.gmail.com"
type="cite">
<pre wrap="">Your neighbor (someone on your street) also subscribes to the same
provider. Can they see your traffic? Can you see theirs?
</pre>
</blockquote>
<br>
I just captured 5 minutes of packets and after filtering out traffic to
my network the only thing I saw was DHCP broadcasts and arp.<br>
<br>
So, the short answer is "No, I can't." Traffic seems to be isolated.
For my provider. In my neighborhood. Right now. As long as no one is
poisoning the arp cache. YMMV :-)<br>
<br>
This is an improvement because some years ago I recall seeing
peoples NETBIOS traffic -- to the point where I put an explicit ignore
line in my firewall rules to avoid filling up my disk with dropped
packet logs.<br>
<br>
None the less, paranoia....er....good security practices require me to
assume that someone at Charter will fat finger a configuration and
traffic will be visible or someone will intentionally crack in upstream
some where.<br>
<br>
<blockquote
cite="mid:z2rb39d9f831005030346zad8cf6e4x6137c72c24a1e3f4@mail.gmail.com"
type="cite">
<pre wrap="">Thanks for any good educational insight on this. Depending on the
answer, it _might_ help sway me to consider wifi at home.
</pre>
</blockquote>
<br>
I'm going to spend a bit more time talking about the question you
didn't really ask -- WiFi security.<br>
<br>
Overview:<br>
<ul>
<li>You can't make WiFi bullet-proof</li>
<li>You can make the vulnerability irrelevant</li>
<li>It's likely not necessary unless you live in Cambridge or
Berkeley or similar environment.<br>
</li>
</ul>
<br>
I haven't updated myself on state-of-the-art WiFi cracking in about a
year but I have done enough WiFi pen testing against my own networks to
realize that many of the common "just do this and you'll be secure"
bits of advice are effectively useless. <br>
<br>
Take, for example, lack of SSID broadcast -- that only helps you when
you have no other traffic. My net always has some traffic, so a WiFi
sniffer (e.g. Netstumbler) will pick up network existence regardless
of SSID broadcast. <br>
<br>
WEP is like securing your house by locking a screen door. WPA2 is more
like a solid front door, which means you'll keep out casual attackers
but anyone sitting nearby (such as a neighbor) has plenty of time to
crack in using a variety of detectable and undetectable methods.<br>
<br>
There are some things you can monitor -- such as MACs appearing on your
net that you don't own -- that are a give-away for an attack. You can
also whitelist your own MACs and use a default exclude policy and feel
all warm and cozy until someone clones an existing MAC and gets on your
net anyway. There are some things which you theoretically could
monitor (such as WiFi retransmission rates) that could detect an attack
but I haven't found available to monitor in a home level WiFi device
(though I did not search exhaustively, because...)<br>
<br>
I think the biggest problem in WiFi security is that home-class devices
have very slow patch cycles so any newly discovered vulnerability will
take a huge amount of wall time to patch and vendors aimed at the home
market have very little incentive to release security patches. A
secondary consideration is that they have a relatively low
power/transistor budget for complex security protocols. <br>
<br>
My conclusion is that WiFi is inherently insecure and I should treat it
as such.<br>
<br>
Therefore I put it on the *outside* of my firewall and use OpenVPN for
all clients I want to allow in to my network. I started down this path
when I got a TiVo Series 2 and discovered it didn't support WPA. <br>
<br>
Doing this requires a bit more routing/firewalling than a typical home
WiFi router from Staples can handle out of the box. I use a book size
C7 based dual-NIC PC from NewEgg running Ubuntu Server to which I added
an extra USB NIC. This also gives me a good point to run various
monitoring apps, intelligently filter out IRC and outbound SMTP (except
from my mail server) and shape/control traffic.<br>
<br>
However, I think you should be able to achieve this with alternate
firmware such as DD-WRT as well if you're willing to spend the time
figuring it out -- the hardware underlying e.g. a
Linksys WRT series router is pretty capable. <br>
<br>
This setup means I can just "lock the screen door" and do nothing fancy
with MAC excludes (which are a pain), post my network key on the frig
for any of my geek friends who just have to have WiFi for their iPhone
when they come over, and incidentally because I don't take a lot of
steps to keep out the neighbors I can easily monitor for people who try
to break in to my system using the easy methods.<br>
<br>
There are only a few problems with this setup:<br>
1) I have to generate an OpenVPN key for all of my devices and install
OpenVPN. I had it deployed anyway for remote access, so it is
relatively small incremental cost.<br>
2) My Mom was confused at why she could get to Google but her mail
server kept timing out and spent a few hours before she asked me<br>
3) This is really all for my own amusement and that of 2 network savvy
neighbors -- other than my own pen testing, this neighborhood is either
so tame that no one has even tried to launch a break-in against my
network, or I've been totally pwned by the prep-school kiddies down the
street who's idea of amusement is swapping neighborhood lawn ornaments
after midnight.<br>
4) I believe the threat environment for home WiFi (as opposed to
corporate WiFi) is much less harsh. There's little reason for a
knowledgeable attacker to try an individual home network and script
kiddies are should be fairly easy to detect.<br>
<br>
Hope this helps,<br>
--<br>
Dewey<br>
</body>
</html>