SIEM for home network?

Guys what do you think about this?

https://www.indiegogo.com/projects/fingbox-network-security-wi-fi-troubleshooting#/

It appears to be a type of consumer grade SIEM. I tried out the app first it is good. I notice when app installed it offered a secret deal on the Fingbox which I did take advantage of due to the low price and my desire to always have SIEM on my network.

I wondered if anyone on forum here is beta tester or has any detailed information on it?

Disclaim: No involvement with company or website or campaign. Just that this security device may interest on the forum for people.

 

I saw that device before and dismissed it as an unneeded gimmick. A decent wireless router does the same thing (security wise).

 

No wireless router I know of will do all of this and I deal with enterprise stuff. Even a corporate router with wireless controller and WIDS won't do everything this can do. Only a SIEM can do all of this for the most part. But I know of no consumer grade router that can do anything close. Even my PfSense and Unifi AP's won't do anywhere near all of this. This isn't a router, it's job is not to protect the WAN. It's job is to protect your internal network from external threats. A corporate router with WIDS really only allows rogue-AP suppression but lacks heavily in notification, attack recognition and other things. I think where it shines is it is a single pane of glass that does what would require a variety of hardware/software to accomplish.

The simple thing this has of SMS notification of attacks, new devices, unknown devices is probably worth the price for most people. Also the electronic fence is a valuable feature notifying you of anyone approaching your home based on their devices they are carrying within a 50ft radius. Very unique in those features and not on any router in the world that I know of. This to my knowledge is the first non-defense digital fence product that will reach market.

If we get to 500k on Indiegogo, we’ll be adding a Home Digital Fence feature to your Fingbox. This new feature will alert you when ANY device is in the proximity of your home, whether the device is logged into your Wi-Fi or not! Any device including mobile phones will be detected within a 50-ft. vicinity of your Fingbox. How about that for complete digital security?

Why it’s useful?

• Know if a carrier or mail person has stopped by your house to deliver something
• Find out when your dog walker came by and how long they stayed
• Know when your vacation rental guest has checked in or out

Track all the events that happen in your home in real-time by mobile app, from anywhere.

 

Fing is an app that does very basic troubleshooting and look ups that you can do without the app and without the device. Unifi isnt exactly enterprise grade.

If its job is to protect your internal network from external threats and you need this as suggested, you dont have a firewall in place or have one setup correctly.

I use Cisco Meraki AP's and Meraki layer 3 POE switches at work and they can do all of this natively from a single dashboard.

 

I said "security wise" a router does the same thing. All the other features most people just don't need.

Which is exactly what a decent router does.

I get emails from UPS, FedEx, or the Post Office when they deliver a package - often before he/she can walk back to their truck! I walk my own dog. I don't have a vacation rental.

I live just a couple blocks from and between a high school and a middle school. I don't want to be alerted every time a kid with a cell phone walks on the side walk in front of my house. And no device is able to log into my network without me authorizing it first. Why? Because my router does not allow it.

I don't trust the cloud!

I am not saying there is anything bad about this device. But I am saying most users don't need it. All they need is a decent home router with SPI or packet filtering - which most home routers have. And of course, NAT prevents outside computers from initiating a connection to a local computer which in effect means the router is automatically acting as an inbound firewall.

Users just need to keep Windows updated, use a current anti-malware solution and a client based firewall and Windows Firewall is just fine for that. And most importantly, they must not be "click happy" on unsolicited links, downloads, attachments, and popups. The exact same things they must do if they have your device or not.

And there are lots of home intrusion systems out there you can check, monitor and control via a smart phone app that let you turn on and off lights, view cameras, turn on ovens, look inside your refrigerator, open and close the garage door and more.

 

Guys, I think you are being too harsh and/or misunderstanding the product. It actually seems like a decent product to me, but likely overpriced at $79.

Yes, almost all modern wireless routers: (1) block external inbound IP connections inherently due to the many-to-one outbound-only NAT'ing, (2) support some form of firewalling, (3) support WPA/WPA2-Personal Wi-Fi access control, and (4) offer MAC address Wi-Fi restricted access. But, I don't believe Fingbox's role *is* to "protect your internal network from external threats"... if by "external threats" you mean externally sourced TCP/IP packets inbound over your ISP. No, as makes sense from its outgrowth from the Fing application, Fingbox is a continuous network scanner with some additional smarts and and elegance thrown in. Fingbox is for watching for unapproved devices/users that are connecting to your home LAN via either Wi-Fi or even an unsecured physical port. Really, to me, the enterprise comparison is not a SIEM product; but rather a little more akin to a network access control product like Cisco Identity Services Engine (ISE). But, having setup Cisco ISE on a corporate network with 802.1x and EAP-TLS... let me tell you that is a major pain in the rear... and most certainly not something for home use.

So, the wireless router functions 1 (many-to-one NAT) and 2 (firewall) are not relevant to Fingbox as we are not likely referring to externally sourced TCP/IP threats. And while 3 (WPA2) and 4 (MAC whitelisting) are somewhat relevant they both also miss-the-mark a bit. Almost no one utilizes MAC whitelisting in practice any more because: (1) it's too much of a pain in the butt to track and update, and (2) the hackers can watch legitimate traffic and then spoof as an authorized MAC if they want to connect. And sure, WPA2 is pretty good, but I don't know if it's infallible and what about the situation where your daughter gives out your home Wi-Fi password to a friend or neighbor one day and then they hang out on your LAN all the time, or worse they try to hack into your home LAN computers.

Fingbox just sits, scans, and watches for new endpoints on the LAN. But it adds some nice touches like push alerting you when a new device is seen, either authorized (i.e., your daughter coming back from school and her iPhone registering on network as per the example) or unauthorized; notifying you which devices are the current bandwidth hogs; and helping you find Wi-Fi sweet spots for highest throughput back to the Fingbox which is direct connected to your wireless router. I also don't think the push alerts would trigger with Wi-Fi attempts that don't actually pass authentication and that don't receive an actual private LAN IP. So, you don't have to worry about the kid outside the house with a cellphone... unless they actually happen to know your Wi-Fi password, in which case you would want the alert!

I'm not sure that it relies upon any cloud services, at least I didn't pick that up anywhere from their product page. I think it's purely a network scanner that pairs with your iPhone Fing app via the local Wi-Fi. Although they may have some "away from home" pairing functionality that has the device connect back to a Fing corporate cloud server, which then functions as a public "location point" for connecting back via the Internet when you and your iPhone are away.

 

To clarify, I did not say it wasn't decent or elegant. I said it wasn't necessary.

Exactly! But again, this is something you can easily control and monitor with any simple home wireless router or residential gateway device!

Hopefully, any home user already knows how to access their wireless router's admin menu. They should have already done this on day 1 to change the default WIFI security passphrase and admin account password.

You can also easily limit the number of connected devices by changing the DHCP starting and ending IP addresses. For example, assuming the router's IP address is 192.168.1.1, if you set the starting IP to 192.168.1.12 and the ending to 192.168.1.15, you have limited the number of devices that can connect to 4. If you only have your PC, a notebook, your cell phone, and your smart TV, setting the limit to 4 will greatly ensure only your 4 devices can connect.

You can easily go further by using MAC filtering (what, I believe, you are referring to as MAC whitelisting) and/or Reserved IP addresses. That is you tell your router to only allow devices with specific MAC addresses to connect and/or you only allow the assignment of specific IP addresses to specific devices. This later option is what I do with my network connected printer. This ensures my network printer always gets the same IP address and that IP address can only be assigned to that specific printer. This prevents IP "shift" - different IP addresses being assigned to the printer after extended power outages.

I disagree that it is a PITA - determining the MAC address is typically as easy as looking at the label on the device, accessing the device's internal menu, or with a printing device, printing out a printer status or configuration page. And setting it up in the router is a 1-time thing. Yes, MAC addresses can be spoofed, but when it comes to home networks, bad guys are opportunists. They look for the easy pickings and if they don't find any, they move on. You pretty much have to be targeted specifically and if that is the case, you have bigger problems than your network being hacked.

If they know your passphrase, you either gave it to them or you picked something stupid like your dog's name. And in that case, it is probably your neighborhood whiz kid. And unless your house is the only house on the block, the kid would not know where that RF signal was coming from (assuming you did not name your network, AlecsHomeNetwork). He would have to have a DF (direction finding), unidirectional antenna pointing at houses to see. And hopefully that would bring unwanted attention to himself. Now if you live in a crowded apartment complex, he or she could be sitting inside his own apartment with his DF antenna and signal strength meter - but that 's where a non-descript network name (SSID) and very strong, unguessable passphrase comes in.

And if a bad guy is accessing your network via an "unsecured physical port" - ie; Ethernet, then they must be inside your home!

That said, just because a bad guy is able to access your network, that in NO way means they can access your computer(s). What is most likely is they will use your Internet connection just to steal access to the Internet, or worse; to use your Internet access to distribute spam or malware, etc. under your ISP assigned IP address.

Don't forget that just about every router out there keeps logs you can easily access via the router's admin menu. I have my router email a copy of the log every morning. But I could have it every hour if I wanted, or once a week.

Now once again, this is about protecting home networks, not business networks where you have the additional responsibility of protecting your business data, as well as client information.

 

Well, I will agree that it is likely unnecessary for most people... or maybe not unnecessary but simply not worth the price. My intention isn't really to get into an argument on the finer points, but I did want to respond to a few.

The size of the DHCP scope is not a security measure. That number may be all the addresses your DHCP server device is willing to lease... but that does nothing to prevent someone from assigning an IP statically to their own device within the assigned subnet and having LAN access (note: device static not static reservation). So, assuming your hacker is clever enough to crack your WPA passphrase, they can certainly statically assign their own IP within the subnet, say to 192.168.1.150, and they will have LAN access even though your scope is set to only .12 through .15. Now, I suppose that you could play games with the subnet definition... making it a /29 (6 hosts), say, rather than the likely default /24 (254 hosts), but then you are limited on granularity to powers of 2... and it wouldn't really be a "security" measure anyway.

I also suppose the MAC address filtering / whitelisting may not be a PITA if you have 4 or fewer wireless devices and you rarely acquire new devices. I don't think I'm especially extravagant, but I would say that I easily have over 30 wireless devices connected at one time or another in my family of four: 4 home PCs / laptops, 1 work laptop, 4 phones, 2 tablets, 3 gaming devices, 3 wireless printers, 3 DirecTV genie set tops, 3 AppleTVs, 4 misc devices, and 4 VMs on my personal computer that are in bridged network mode rather than shared and which have their own unique MAC assignments. While it is usually easy for me to discover a MAC address for a device, as you say, it is still a pain for me to add them every time I have something new. Sure it sounds like a "one and done" type thing, but when people are breaking and replacing iPhones, or purchasing a new printer, or building a new VM, or coming home with a new work laptop... it becomes a PITA. At least it certainly was in my experience.

Finally, I don't know what you are saying when you state "just because a bad guy is able to access your network, that in NO way means they can access your computer(s)". Yes... it sort of does. If they are on the same subnet, then they are on the same broadcast domain and have direct layer 2 access to all the devices on the LAN. Now, yes, just because one host can address another host directly... that does not necessarily mean the second host will automatically become compromised or that that the second host is listening on a vulnerable port. But the odds have gone up infinitely (from zero to now something finite). The new device can do full port scans and vulnerability scans against all of your connected LAN/WLAN devices, and odds are they will find something to exploit. You may be running host-based firewalls or host-based IPS software on your PCs, but what about the other devices... like, say, an Android phone which is running old firmware? Or, perhaps, a DVR or webcam such as were some of the key culprits in the massive DDoS attack this past October against Dyn DNS. Furthermore, with internal WLAN access maybe they can guess or crack your router's admin password, and then they can have even more fun and games. Or what if they just want to perform DoS attacks against either your gear or external, public hosts using your ISP bandwidth and your public NAT address? Or send SMTP spam using the same? There are all sorts of no good actions they could take.

 

Whoa! That's a bit far fetched, don't you think? Assuming someone can look into the keyhole of my car lock, they can counterfeit a key and steal my car too.

But sorry, you are incorrect anyway. Just because someone can magically hack my passphrase, that only gives them access to the network. It does NOT give them access to the admin menu of the router, nor does it give them access to any of my connected computers.

No it doesn't! You have 4 PCs. Are you seriously saying you can access every thing on PC 1 from PC 2 without having to open up sharing, knowing user names on PC 1, knowing passwords on PC 1, join a workgroup, etc.?

If what you said were even remotely true, then everyone on any network can easily access every computer on that network. That is simply false - even on a simple home network. Windows alone will not allow it unless the user of that computer opens up access. By default, it could not happen like you describe.

 

They do not need access to your router to assign an IP to their own device. It's called static assignment, it existed before DHCP. DHCP was invented as a lazy way to assign an IP address and several other common settings. DHCP is not a requirement for network operation, nor is it a security protocol by any means. I've assigned static IPs to dozens of devices over the years, no DHCP whatsoever, and have only had network access issues if I accidentally assign a duplicate IP or make a typo on the subnet mask. If they have layer 2 access via 802.11 & WPA, and they use a non-duplicate, self-assigned layer 3 IP address and a valid subnet mask (not something difficult to guess nor even necessarily requiring absolute accuracy in many cases)... then they have access to your network. DHCP scope is meaningless from a security standpoint.

What I am saying is that most home computers aren't even current on their OS patches. Most home computers have more vulnerabilities than you are suggesting or allowing for. Many home computers do have file & printer sharing enabled. What I am saying is that if you have a skilled hacker that can get on your WLAN by cracking an insecure passphrase (as many, if not most, likely are)... then said hacker will most likely find an avenue to compromise or do damage to your computer if they wish.

If you doubt me, then go ahead and enable default port forwarding (of all ports) to your home PC and disable any firewalling functionality in your wireless router. Let's see how long that computer remains uncompromised. I will agree that most modern operating systems have some level of host-based firewalling enabled by default that greatly assists in protecting the computer, but it's a not a risk I would knowingly take to leave a system essentially open to scanning, fingerprinting, and attacking.

 

Dude, you really should do some homework before commenting because it is clear you really don't know what you are talking about here. And you keep making that more and more clear as you go along. Check the link in my sig if you think it is me that does not have a clue here.

"Static" means "fixed". An airplane on "static" display is a retired plane such as found in an air museum or in front of a military base. A static IP address is also called a fixed IP address. As seen here it is assigned to a device by the network administrator. Lazy way? BS! DHCP is automated. Static assignment requires the authorized admin to manually assign the IP address to each device. Nothing lazy about manual, time consuming labor.

To suggest DHCP cannot be made secure is just ludicrous. I already explained ways to do it for the home user. But even so, DHCP only assigns an IP address and perhaps DNS and gateway addresses to the connected device. The user still needs the necessary credentials to access any files or resources on the network, or to even connect to the domain in an enterprise network! There are other methods a qualified network administration could easily implement and manage on a larger network to ensure only authorized machines and users gain access - but again, we are talking about smaller home networks that typically have less than 10 connected devices, if near that.

Come on! Now you are flip flopping all over. That is no where near what you first said. First you suggest anyone can access any network, then anybody on a network has access to every computer on that network. Now it is that most computers are not up to date. It is you who are woefully out of date. This is not the age of XP any longer.

When it comes to home networks, you are simply wrong in just about everything you have said. DO YOUR HOMEWORK. Use Google. The fact is most home computers are current. Why? Because ever since Windows 7, Windows Update has been automated by default and the fact is, most computers remain in their default setting. This means, unless the user changed the defaults and shut down Windows Update, their computers are updated.

While some (though most don't) home computers do have file & print sharing enabled, that IN NO WAY means anyone who attaches to that network suddenly has full access to those shares. It just doesn't work that way!

Now you are also talking about skilled hackers and insecure passphrases. Hogwash! First, no lock or vault or security system can thwart a skilled and determined bad guy intent on getting in. That is why major banks like Stanley Morgan, and companies like Yahoo, Sony, DNC - even the NSA was hacked.

Home networks are not the targets of skilled hackers as you imply - unless they know you've got something valuable they want. And even then, it is typically to gain use of your network to spread spam and malware and use for DDoS attacks, not to gain access your computers. But the fact is, most home hackers are just wannabes, nosy neighbors, or mischievous kids. Any resistance and they are thwarted and move on to what they hope to be easier pickings.

Are there exceptions? Of course! But exceptions don't make the rule and yet that is exactly what you are trying to imply. But that is simply wrong. Most home networks don't use insecure passphrases! And most home computers are secured and current. The biggest problem is click-happy users. The user is, was, and always will be the weakest link.

But even still, if a nosy neighbor kids guesses your passphrase, that ONLY gives them access to your network - NOT your computers.

That is just about the most ridiculous thing I've ever heard. That's like saying "Your car is unsafe. Doubt me? Cut your brake hoses and see if your brakes still work".

But of course, once again, you are wrong anyway!!!! Why? Because like most other W7, W8 and W10 and Linux and Mac users, for all my computers my OS is current, I use a current anti-malware solution, and I use a client based firewall too.

And again, if what you said were even remotely true, badguys would have already capitalized on that and EVERY computer that ever connected to a free "hot spot" in a coffee shop, McDonalds, hotel, or Pandora Bread would already be compromised. But guess what? Didn't happen!

So just as before, if what you pretend were even remotely true, the vast majority all networks in the entire world, and nearly every computer too would already be hacked and compromised. And that is just not true. Doubt me? Look it up!

Oh, just to ease the fears of others who might still be reading from your falsehoods and rumormongering, Windows 10 security: 'So good, it can block zero-days without being patched'.

Now unless you can show some evidence to back your wild and unfounded claims, I'm moving on. I recommend you do the same.

 

The reason I am continuing to take issue is because you are spreading mis-information. To assign a static IP does not require a network administrator, it simply takes someone who has local administrator privileges of that device to do so. You continue to imply that it requires network administrator privileges and/or access to your wireless router for your home network. You ask me to do my homework and use Google. I don't need to as I have assigned static IPs before, but for your sake here are some instructions for: Windows 10, macOS, and various Linux distributions.

The intruder would almost certainly have administrative privileges over their own device. We are not talking about the intruder altering the IP addressing on your devices. He or she simply does not need your DHCP server for the assignment of a private IP and subnet mask for his own device, and therefore restricting your DHCP scope to .12 through .15 does next to nothing from a security standpoint. The reason that some articles conflate network administrator with device administrator in regards to static IP assignment is because, yes, a network admin is likely in a better position to know what the values should be (to avoid duplicate IP assignment or a subnet mask mismatch), but that does not mean a local administrator cannot setup a static IP on their own device.

I'm not sure why you also apparently took issue with my use of the word lazy. I too use DHCP everywhere I can. I did not mean it as a denigration of you. My apologies if you took it personally. I meant it as a shorthand for a 'convenient and easy' way to configure IPs. Is that better? I was trying to convey the sense of frustration that early network engineers likely had when they had to go around and manually assign static IPs on all network devices prior to DHCP. It is a convenience protocol, not a security protocol. And, yes, DHCP primarily is for automatic assignment of IP address, subnet mask, and default gateway... but it has tons of options and while most aren't used in practice, some actually are in a corporate environment like option 150 (TFTP server) for VoIP phones.

Bottom line... Bill, if you don't believe me, just try this. Let's assume, for sake of clarity of the example, that you have your wireless router configured as you stated: router IP: 192.168.1.1, subnet mask: 255.255.255.0; and that you have your DHCP defined to only lease 192.168.1.12 through 192.168.1.15. Take any one of those devices and manually configure the TCP/IPv4 properties on the wireless network adapter for that device and set the IP to something like 192.168.1.100, subnet mask 255.255.255.0, gateway 192.168.1.1, and DNS to 8.8.8.8 (a Google public DNS server). Tell me if you aren't still able to ping your other 192.168.1.x devices as well as browse the Internet. Is your wireless router doing anything via DHCP to prevent you from connecting? (BTW, I just simply picked 8.8.8.8 for DNS server because some wireless routers use themselves as the DNS server, while some forward your ISP provided DNS servers, and I did not want to get caught up in discussing a DNS resolution problem rather than a network access problem.)

Now you are just putting words into my mouth. What I originally said was that if someone does gain access to your WLAN, then they do have the ability to perform port scans and VA scans against your home network because they have full layer 2 (data link access in the OSI model) network access. I did NOT say that they have full and complete layer 7 (application access). But remote code execution vulnerabilities exist and are discovered every year for nearly every personal operating system and many application programs people routinely install. Many of such vulnerabilities can lead to full system access. Further, with WLAN access I also tried to suggest that there are other avenues of attack... such as ARP cache poisoning leading to a man-in-the-middle attack that can lead to packet sniffing of your network watching your unencrypted network sessions (sometimes leading to various forms of password discovery), or to malicious javascript or flash injection on return HTTP traffic that could lead to remote code execution on your computer and potential systemwide compromise. No, the analogy of a cut brake line is not appropriate, as the majority of consumer grade wireless routers (or at least that I have used) do not function as a stateful packet inspection firewall on intra-WLAN traffic (i.e., device to device); rather they generally function as a firewall solely between the Internet and the WLAN. And, yes, people do get hacked at coffee shops. Generally, not in the "I have full application access over your computer" but more frequently in discovering passwords to various web services. Typically, the lack of full system compromise in such a situation has as much to do the lack of interest in doing so and the mobility of victims as it does with the increasing inherent security in personal operating systems. I will certainly concede, and have never disputed, that today's operating systems are more robust than yesterday's... but that doesn't mean that I would be perfectly comfortable in allowing an unauthorized intruder on my wireless LAN for extended periods as you seem to continue to insinuate as acceptable to you.

 

I am going to comment on this because I should have been more clear, and then I'll step away. You are right that a user with admin privileges on a device can "request" a static IP. But that is not really the right way to do it because it does not ensure there will be no conflicts on the network, or that another device will not get that IP first.

For example, if PC 1 requests 192.168.1.7, it may get it. But should that computer go off-line for awhile (say PSU failure), there is nothing to stop the router to assign 192.168.1.7 to PC 3 via DHCP. Then several days later when the replacement PSU comes in, PC 1 may not get connected if PC 3 is on line.

So, as I indicated long ago, it is better to use MAC filtering and limit the range of assignments.

But lets not forget, for Alec's scenario to come true, this intruder would already have to have access to this network. And that would not happen unless he was able to physically connect via Ethernet to the network (that is, be inside the house already), or be in close enough proximity to your network to see the wifi, then know your passphrase to get in. In either case, you would be in bigger trouble.

Can all that be thwarted by a skilled hacker? Of course. But again, if a skilled hacker is targeting you, then again, you have bigger problems. And lastly, just because a hacker gains access to your network, that in no way means they have access to the computers on that network, as was suggested.

Sorry for not making that clear before.