Without a NGFW..

Discussion in 'privacy technology' started by Mayahana, Mar 11, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220

    All of the security/privacy talk may just be security theater. Quite simply, you cannot effectively secure your network, or devices without a NGFW/UTM deployed, and more specifically, without the capability to reputation/region/category block.

    Last night during a 6 hour period while everyone was sleeping, roughly 99.7% of all of the traffic from my home were data mining/ad/spying firms attempting to siphon data from various devices in the home. Over 2GB of potential traffic was blocked, and nearly 81,000 sessions/requests. Considering all devices in the home have adblockers(uBlock, etc), Antivirus products installed, and privacy lockdowns. It's then we start to realize that much of the security/privacy talk is security theater without an effective gateway appliance.

    Here's a log grab from this morning after a night of siphon attempts. It varies from night to night, but last night MoPub decided it was time to siphon data from my network - and failed obviously.
     


    Last edited: Mar 11, 2015
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I guess it's time for me to run some tests. However, I normally shut my security/computer devices down during the night. Are your devices mainly computers, or are you also getting data from Sat TV, Tivo, etc..?
     
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    You need to write Twitter and ask what the &^%% they were doing?
    Mopub is a Twitter company.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It looks like telemetry data, and lots of it. Some of the data appears to be personal/confidential data, and almost all of it was attempting to be directed from LAN->WAN which is pretty concerning to me. Palancar, we have a lot of different devices. That's why I feel a UTM/NGFW is the only proper way to secure a network - blended appliances = blended threats.. Tivo's, ROKU, Smart TV's, Servers, Cameras, Phones, Kindles, Notebooks, all kinds of internet capable stuff.

    I guess my point is, without a proper appliance you aren't going to secure a network. You can install 30 different products on a system but if you aren't in full control of outbound, then it's all theater.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    On the perimeter router, for iptables you want:
    Code:
    *nat
    ...
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    ...
    COMMIT
    Nothing gets in, forwarded or out except what you allow.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    How about if we back this up just a bit to let me wrap my head around it on one device so I can visualize the flow. Example: I'm on a "Mother Theresa" network with devices I don't really care about securing (other than normal malware/homeowner stuff, but I basically don't care) in what might be security theater anyway. But what if I want to use ONE device (session specific and not 24/7) on that network that I want isolated and of course outbound on a leash! That is what I am attempting to build. Normal theater; linux, encryption, ufw/iptables, vpns, tor, vm's, etc.... I think I have it locked down but would like to further investigate if a device specific NGFW approach would add anything to the mix.

    What might be the best tool to employ so I could record/view ALL outbound stuff on my configuration for this device only? All internet activity happens in linux virtual machines so the linux host really should see nothing other than vpn1 nat'd to a vm. The vm's are swapped out often with clean ones.

    I really would like a steer here because I love learning this stuff and don't know if I have anything to worry about with my setup as it is. I can't discover any holes or leaks but maybe I am missing some. Ideas?
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Good luck maintaining that. You need to be full-time IT if you do.

    By default all appliances have Deny/Deny/All. What happens beyond that is determined by your policies and rules. But it's difficult, and in my case impossible to run deny all w/rules. A corporate or SMB business it's possible, and in fact the best way to run it according to many experts. But you need full time IT constantly evaluating, and entering exclusions (whitelist). In the case of a good UTM, you can block by Region/Reputation/Karma, which does the job for you. The karma isn't going to be good on datamining firms, so they will be rejected. So either you drop/reject everything, and enter EVERY IP you want out, and live with the terrible restrictions, or you set up some sort of system to block via what above conditions, and then keep an eye on things.
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @mirimir, whitelists by IP are a bear to maintain. Whitelists by port would probably not help in most cases. I think the correct way to do that would be a transparent filtering proxy.

    It might also be doable to whitelist IPs by subnet. The problem is that a lot of companies don't subnet things neatly at all.

    @Mayahana: do you have any idea which machine or device the requests came from? It'd be interesting to know who's preinstalling spyware.

    As for proprietary UTMs... No. The things cost more than a brand new computer. I'm not going to buy into yet another vendor-locked security protection racket, sorry.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Clearly, one or more of your devices is NOT well locked down. IIRC, Mopub is a well-known ad network that is geared towards mobile platforms. I even have it in my filters and I don't use mobile devices.

    Which device(s) were the problem and WHY was such traffic not blocked on the device itself? Did you configure something incorrectly? Is there a problem with the protective software that is installed on the device? Could it affect other users and thus be worthwhile to mention?

    I think it would be wise to focus on the devices responsible and fix them first. In part because mobile devices can leave the home and attach to other networks. Few users will configure their mobile devices to route all their traffic through a protective device they have at their home. Are you doing so?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    It's easy for me, because only VM hosts running VPNs need out of my LAN. My wife and the rest of the house have their own LANs, and they are deny/deny/allow ;) My VM hosts are also deny/deny/deny, and then there are pfSense VMs to run nested VPNs, and to further isolate stuff.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Just add a router/firewall to your LAN, and put your sensitive device(s) on its LAN. You could use a Raspberry Pi 2 running Raspbian wheezy. Or pfSense on a Soekris box.
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    You seem to really lack the understanding of network/device/blended infrastructures, and BYOD environments. Allow me to explain.

    For one, this is a BYOD environment, I don't even own, or have access to many devices that would connect in my home, so some self responsibility is required. However for a wireless device to connect they would be on their own VLAN anyway, and segregated from the LAN, so that's not an issue in terms of raw security. 'Protective' software as you put it largely wouldn't prevent any of this. Unless you are rooted, and have a FW, then it's not, but more importantly, many devices don't have 'protective' software. How do you plan on securing a ROKU, PBX, Tivo, or even your thermostat?

    That's the whole point of a NGFW isn't it? So everything routes through it, and hence, it protects your infrastructure... Unless someone has a DMZ in place then 'everything' is going through the device anyway, so I don't get your point here? Also realize, almost nobody has a 'protective device' to route anything through, they have a cheap $29 router from Best Buy that doesn't do anything other than look silly, and toss a NAT on their LAN.
     
    Last edited: Mar 12, 2015
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Err. Sophos UTM is free.. Toss it on any $50-80 dual core laying around. You can even deploy 10 endpoint AV's for free from it, Sophos+Avira engines. Check out the Firewall section of this board.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    But not open-source. For that, there is IPFire, pfSense, etc.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I could care less about Opensource. I found pfSense to be miserable, and IPFire to be good, but hopelessly behind Sophos. I just seek good solutions.

    Sophos is a 'thousands' of dollars UTM for free that far surpasses anything out there, even Fortigate's.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    They go on isolated LANs, or at least vLANs. Just in case.
    Yes, I agree. But with isolated LANs. Compartmentalization!
    Well, then maybe they have problems ;)
     
  17. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    What is the definition of NGFW? I use Blur to stop incoming trackers. So far it has stopped over 16,000.
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    My understanding is that the Sophos offering is very "business" oriented, and therefore was hard work to apply to a more domestic context with gaming etc. Is that your impression?

    On what basis did you think pfsense was "miserable", and did you include add-ons in that assessment?

    Regarding issues of BYOD and indeed the myriad of devices you do own, I guess they are big risks in my mind. With the "simpler" devices, you have a typically poorly secured powerful machine you cannot control, with direct access (unless you segregate & defend). It's an obvious way to attack a hardened host, to subvert a device on the same LAN which can then probe the local network and ports for vulnerabilities and leaks.
     
    Last edited: Mar 13, 2015
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's the outbound you need to be worried about.
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I already do vLAN segregation in the home. Specifically a 'blue zone' for wireless with a Deny/Deny/All policy for subnet access, which then requires specific policies for specific things, so for example that vLAN can access the network printer on a different subnet. Isolation/segregation is a fundamental aspect of security for sure.
     
  21. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's actually less difficult than I thought to adapt Sophos for the home. One major tip I discovered, when you do categorization of web filtration, set 'games' category to be a trusted category and that will pass through the majority of games properly without specific rules.

    Sophos seems to place web filtration ahead of firewall rules. So even if you say punch through some STEAM ports, the Web Filtration may block it. But that's fixed by the above method. Most issues I found were actually the web filter, and I discovered this after my policies/rules had no effect, but when I put in web filtration exclusions, and opened up some categories, everything worked perfectly.

    Also you need to be careful with region and reputation block, as well as HTTPS inspection! You may find your smart TV for example using its own cert which will then be killed by Sophos. Or you may find a game that uses update servers in South America, and have that area region blocked..
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I'm doing the same. Except for one, the media devices I have are completely unknown as far as what they do on the network besides streaming from listed sources. I don't trust them one bit. They are on their own router and connect through a VPN.

    I have been implementing network isolation to an extreme degree. I basically don't want any computers or devices on the router LAN talking to each other in any way. The only thing they get from the router is connection to the WAN, not each other. Reading this has caused me to start hardening the LAN isolation and testing it.

    UTM is interesting but totally overkill for what I'm doing. I'm still considering testing it on an unused Core Duo laptop I've got lying around. I just have to get a second NIC working with it. I have several cardbus ones in a box somewhere. It might not work for me but it is something I could consider setting up for others.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Of course my ghetto vLAN technique even works for crappy home routers.

    Guest Connections w/lan restriction checkbox contain a default deny.deny.all for LAN access.

    But you don't need multiple routes, all you need is a router capable of vLAN and Subnet segregation. Not a lot of consumer grade stuff does this save for a few higher end models. But all of the appliances do it.. Untangle, Sophos, etc. Putting them on their own routers with statics is really not the way to do it.
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I've got several reflashable routers--around 5 or 6 right now. I keep getting them from the old router bin at our local thrift store for $3-5 a pop. Cheap in both price and power consumption--around 2.4 watts per router--so no reason not to use more than one. The ones I've got in service now use Tomato firmware but I want to flash a couple with DD-WRT and play with them. Hardware segregation is nice because I can have different LANs on different wifi channels and use WAN/LAN isolation to keep them apart. As far as I can see, I could keep daisy chaining them indefinitely with each router having its own VPN and security settings but 2 full time and one to experiment with are more than enough for all practical purposes.
     
  25. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Once again, having SSID's with their own subnet is a hallmark feature of non-consumer gear. Essentially it's like this on non-consumer stuff; Define interface --> Define parameters of interface --> DHCP or Static --> Policies/Rules relating to interface. So it's quite simple, create an SSID, then assign a subnet to it with DHCP on the SSID. You are basically doing what a single appliance can do, and do it much more efficiently, less hassle, less ping loss, and more importantly, with greater reliability. One device that can go bad, instead of 5-6. Certainly what you are doing works, but there isn't logic to it.

    SSID #1, 10.1 subnet, policy for egress on WAN only. SSID #2, 192.2 subnet, policy for 'limited' connectivity on LAN for XYZ services/ports/protocols, everything else restricted to WAN egress. SSID #3, Full Access to WAN and LAN. Then you can get really in-depth, and turn on specific URL rules for specific subnets, special AV scanning, restrictions, time restrictions, limitations on applications, etc. Fun stuff. But really, all doable on a 'cheap' commercial appliance/router, you can even do this on a LEGACY router since you don't need to license for UTM if you just want to play with policies/vLANs/rules/SSID's and Subnets. I tossed a few Juniper 5GT's in the recycle bin last year, those run $19 each, and can do this all day long - all on a single device, with no hassle.

    Fortigate 50B's - legacy - but $20 or so on eBay, you can do AMAZING things with it - that's without licensing it. So no real need to hit the resale shop tubs for a half dozen routers, just buy one cheap legacy enterprise grade one and roll with it. I set up 5 VPN's, and 3 VLAN's on a 50B last week for a customer that refused to upgrade, no sweat on it.
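The default-deny ruleset mirimir posted and the three-SSID/subnet design described in the last post are the same idea: the FORWARD policy is DROP (Deny/Deny/All) and every permitted cross-zone flow is an explicit, first-match rule. The following is an added example, not code from any poster, that models that policy in Python so the allowed and dropped flows can be checked before committing rules to a real appliance. All subnets, the zone names and the printer ports are constructed for the example (the thread's "10.1" and "192.2" shorthand is not reproduced literally); the model is stateless, so return traffic is assumed to be handled by the firewall's connection tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones: one subnet per SSID/VLAN plus the wired LAN that holds the printer.
ZONES = {
    "guest":   ip_network("10.1.0.0/24"),     # SSID #1: WAN egress only
    "limited": ip_network("10.2.0.0/24"),     # SSID #2: WAN plus a few LAN services
    "trusted": ip_network("10.3.0.0/24"),     # SSID #3: full access
    "lan":     ip_network("192.168.1.0/24"),  # wired LAN (network printer lives here)
}
PRINTER_PORTS = (9100, 631)  # raw JetDirect and IPP, the "XYZ services" of the post

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every port
    action: str

# Evaluated top to bottom, first match wins; falling off the end is the Deny/Deny/All default.
RULES = [
    Rule("guest",   "wan",     "any", None, "ACCEPT"),
    *[Rule("limited", "lan", "tcp", p, "ACCEPT") for p in PRINTER_PORTS],
    Rule("limited", "wan",     "any", None, "ACCEPT"),
    Rule("trusted", "lan",     "any", None, "ACCEPT"),
    Rule("trusted", "limited", "any", None, "ACCEPT"),
    Rule("trusted", "wan",     "any", None, "ACCEPT"),
]

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the local subnets is the WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"

def decide(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """Return the action the first matching rule takes, or DROP when nothing matches."""
    s, d = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src == s and r.dst == d
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "DROP"  # implicit final rule: nothing is forwarded unless allowed above
```

Note that the model has no rule with a WAN source, so every unsolicited inbound flow falls through to DROP, and the guest zone can reach the printer only by adding a rule for it, exactly the "specific policies for specific things" approach described earlier in the thread.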