[plug] Safely using an untrusted router

Dirk justanothergreenguy at gmail.com
Thu Oct 22 07:57:38 UTC 2015


Oops, I'll try again...

Thanks for that Dean.

It looks a bit complicated for me, and it looks like you're having
to trust all 3 devices, whereas I'd prefer not to put any trust
in consumer-grade network devices at all, if any part of the network is
directly exposed to the Internet (preferring a VPN in such a case).

Actually, Steve Gibson (Security Now podcast) suggests chaining routers to
achieve segregation and protection of a LAN due to the NAT firewall of the
inner router, but I think the port 32764 fiasco might render this
protection useless.

But thanks anyhow.  I didn't know you could run OpenWRT on an RPi.
Interesting project :)




On Thursday, 22 October 2015, Dean Bergin <dean.bergin at gmail.com> wrote:

> Hello Dirk,
>
> This is probably not going to help solve your particular issue, but one
> thing I recently did, was install OpenWRT on a Rpi2 and set up PPPoE over
> one of two subinterfaces (VLAN) to a cheap netgear modem (with the help of
> a Cisco Catalyst switch). I also put the Rpi2 OpenWRT effectively into its
> own routed subnet/DMZ (part of the design) so that even if there were to
> be some kind of funny business, things like UPnP theoretically should not
> work since my experience has taught me that most consumer-grade
> modems/routers do not route/NAT anything other than their resident subnet,
> therefore I believe that not only are UPnP implementations (and many other
> services on consumer-grade routers) usually bound to the subnet to which
> they are running on, but should be disabled in cases where the device is in
> pass-through mode.
>
> > Does anyone know whether 4G modems (and smart phones, for that matter)
> > are assigned a publicly-routable IP address or are they
> > typically NAT'd behind a small number of IP addresses of the mobile service
> > provider's servers?  I can't imagine billions(?) of mobile phones
> > all having unique publicly-routable IP addresses (on top of all the servers
> > and so on, around the world).
>
> I had the opportunity to test this, as I was able to tether my phone to a
> Rpi2 running OpenWRT as part of the labs I did for my now current network
> design, but I did not think to test this specific scenario.
>
> Shouldn't be too difficult to create a lab to test this, if someone has a
> spare raspberry pi (mine is currently in 'prod' now)?
>
>
> On Wed, Oct 21, 2015 at 6:27 PM Dirk <justanothergreenguy at gmail.com> wrote:
>
>> Thanks Andrew.  Will follow up on those ideas too, thanks.
>>
>> However, I have another idea, a bit left field, but it may just do the
>> trick...
>>
>> Does anyone know whether 4G modems (and smart phones, for that matter)
>> are assigned a publicly-routable IP address or are they
>> typically NAT'd behind a small number of IP addresses of the mobile service
>> provider's servers?  I can't imagine billions(?) of mobile phones
>> all having unique publicly-routable IP addresses (on top of all the servers
>> and so on, around the world).
>>
>> If they're NAT'd, then maybe a pre-paid 4G USB modem dongle would be the
>> way to go for low MB critical online work, eg. fetching package lists,
>> logging in to ASIC, ATO, webmail, our utilities, etc.  Should block
>> all scanners on the net that are looking for routers to exploit, by virtue
>> of sitting behind the Svc providers routers.  (...and then use an unsecured
>> computer and ADSL router pair for general web browsing, content streaming,
>> etc).
>>
>> Does anyone know if this would work?
>>
>> (Of course, if a 4G dongle is not NAT'd then I don't really gain
>> anything).
>>
>>
>>
>>
>> On Wednesday, 21 October 2015, Andrew Cooks <acooks at gmail.com> wrote:
>>
>>> On Wed, Oct 21, 2015 at 9:43 AM, Dirk <justanothergreenguy at gmail.com>
>>> wrote:
>>>
>>>>
>>>> Cheers for that Pavel.  And thanks again Brad for your input.  You've
>>>> both given me some ideas, although I was hoping for an easy OpenVPN option
>>>> :)
>>>>
>>>> If anyone else has any thoughts or suggestions, please let me know!
>>>>
>>>> My internet access is slow enough, so I'm not really excited about
>>>> pushing everything through a VPN.
>>>
>>> I trust my router. I have a TP-Link TD-8817 modem in bridge mode,
>>> connected to a fit-pc (http://www.fit-pc.com/web/solutions/multilan/)
>>> running IPFire (http://www.ipfire.org/). IPFire tells me I can trust my
>>> DNS. IPFire packages are kept up to date. The modem could conceivably
>>> modify the PPPoE frames in transit, except that it's a dirt cheap consumer
>>> product with little functionality that could be exploitable and it's
>>> unlikely to have enough processing power to do that kind of thing.
>>>
>>> There is nowhere safe, only acceptable risks.
>>>
>>> a.
>>>
>>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>
> --
>
> Kind Regards,
>
> *Dean Bergin*.
>
>
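The lab Dean and Dirk are talking about (is a 4G link NATed by the carrier, or does the dongle sit directly on the Internet?) reduces to two observations: the address the carrier hands the modem's interface, and the source address an external server sees for the same connection. The following is an added example, written for this page and not code from anyone in the thread. It classifies the local address (RFC 1918 private, RFC 6598 carrier-grade NAT space 100.64.0.0/10, public, or reserved) and compares it with the externally observed address; how you obtain the observed address (any "what is my IP" service) and the interface name in the comment are assumptions, and the sample addresses are constructed, with 8.8.8.8 and 2001:4860:4860::8888 standing in for whatever globally routable address the external server reported.

```python
import ipaddress

# Ranges that mark a translated or non-routable link. Seeing one of these on
# the modem side of the interface means the carrier (or a router in front of
# us) is rewriting our source address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space, common on mobile carriers


def classify(addr: str) -> str:
    """Bucket an address the way the NAT question cares about."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # No NAT on IPv6 in practice: a global v6 address is directly reachable.
        return "ipv6-global" if ip.is_global else "ipv6-non-global"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:  # checked before is_global; Python treats this range as neither private nor global
        return "cgnat"
    if ip.is_global:
        return "public"
    return "reserved"  # loopback, link-local, documentation ranges, etc.


def link_is_natted(local_addr: str, observed_addr: str) -> bool:
    """True when something between us and the Internet rewrote our source address.

    local_addr:    address assigned to the host's interface by the modem/carrier
                   (e.g. from `ip -4 addr show dev wwan0`; interface name is an assumption).
    observed_addr: source address an external server reported for our connection
                   (obtained from any "what is my IP" service; assumed, not done here).
    """
    return ipaddress.ip_address(local_addr) != ipaddress.ip_address(observed_addr)


def describe_link(local_addr: str, observed_addr: str) -> dict:
    """Combine both checks into the verdict the thread is after.

    unsolicited_inbound_reachable is the security-relevant bit: if the host holds
    a globally routable address that matches what the outside world sees, Internet
    scanners can reach it directly and the "hide behind the carrier's NAT" plan
    gains nothing.
    """
    local_kind = classify(local_addr)
    natted = link_is_natted(local_addr, observed_addr)
    return {
        "local_kind": local_kind,
        "observed_kind": classify(observed_addr),
        "natted": natted,
        "unsolicited_inbound_reachable": (not natted) and local_kind in ("public", "ipv6-global"),
    }


# Constructed sample observations (not real measurements).
SAMPLES = {
    "4g-dongle-cgnat": ("100.72.14.9", "8.8.8.8"),        # carrier CGNAT: hidden from scanners
    "home-adsl-router": ("192.168.1.23", "8.8.8.8"),      # ordinary home NAT behind the ADSL router
    "4g-public-v4": ("8.8.8.8", "8.8.8.8"),               # carrier gave us a public v4 address: exposed
    "4g-public-v6": ("2001:4860:4860::8888", "2001:4860:4860::8888"),  # global v6: exposed
}


def report_all(samples: dict = SAMPLES) -> dict:
    """Run describe_link over every sample and return the verdicts keyed by name."""
    return {name: describe_link(local, observed) for name, (local, observed) in samples.items()}


if __name__ == "__main__":
    for name, verdict in report_all().items():
        print(f"{name:18} local={verdict['local_kind']:16} natted={verdict['natted']!s:5} "
              f"reachable_from_internet={verdict['unsolicited_inbound_reachable']}")
```

The point of the last column is the caveat Dirk raised himself: being NATed only helps if the local address really is in CGNAT or private space and differs from what the outside sees. A carrier that hands the dongle a public IPv4 or a global IPv6 address leaves it exactly as exposed as the ADSL router it was meant to replace.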