Continued from Part 3
For now, this is the final update for the DIY Cyber Audit series.
You can visit the complete guide on the website.
Computer networks are fascinating things. The ability to link two devices over a long distance to accomplish sophisticated tasks is what makes much of our modern computing environment seem outright magical. Of course, where there’s power there’s also danger: the massive capabilities of networked systems vastly complicate the challenge of securing them. To do the best you can, it’s important to have a basic understanding of computer networking and take reasonable precautions.
An important place to start is to understand that every data connection relies on a physical connection of some form. You can relay data between two computers by linking them directly, or use routers to share data with networks outside your own local network.
Local Area Network (LAN)
Odds are, you likely have a modem/router machine in your house. It runs your local network and also provides a WiFi access point to wireless devices. This allows for all devices on the network to use the router to connect to your internet service provider (ISP).
The importance of protecting your local network cannot be overstated. Usually, your router will have a web admin interface that you can use to ensure only devices you’ve authorized are connected. Managing access to your local network is your first line of defense against many nefarious threats. For low-value targets, physical access may be sufficient, but for high-value targets or high-traffic locations, the considerations differ.
WiFi
Use a strong WiFi password. Any device connected to your WiFi may as well be wired directly into every other computer or device on the network. Because they are broadcast signals, wireless networks are difficult to properly secure and may be vulnerable to unintuitive attacks. An open network, or even a weakly secured one, creates opportunity for spying, compromise, or infiltration. There are many ways in which WiFi signals can be intercepted or jammed, so in most cases it’s best to run sensitive systems over a direct wired connection. In situations where WiFi is needed, there are options for segregating wireless clients from the rest of the network: one is to have the wireless network entirely disconnected, another is to relegate different devices to separate VLANs.
Router
Routers are what move messages between networks. Your router may connect to an internal modem that acts as a gateway to your internet service provider to connect to the rest of the Internet. As with any device on your network, it’s very important to choose a router that has up-to-date software and isn’t compromised. Given its role in your network, having a router you can trust is arguably one of the most important aspects of network security. At least in Canada, the status quo for many customers is to rely on a single device managed by their ISP, for better or worse. In some cases, people will decide to buy their own device running maintained software that they trust, to separate their network from the ISP-provided router.
Firewalls
A firewall is a useful tool to manage connections that come into the network. While it’s worth remembering that Firewalls Don’t Stop Dragons, they are a vital tool for connecting to the Internet without necessarily giving complete access. A firewall accepts incoming connections and ignores any connections that aren’t explicitly allowed. Firewalls can be software on a router, such as the one included in many ISP-provided routers, or a dedicated device. A go-to recommendation for custom firewall software is OPNsense, which is built on pfSense.
Domain Name System (DNS)
Every site or service online has a publicly routable IP address. To connect to it, your browser or applications need to get the correct IP address from the service’s domain. This means that DNS is effectively a real-time system divulging what you’re connecting to, how often, and when. One solution is to encrypt your DNS queries. To do this, you’ll want to make sure your devices and browsers are configured with a deliberately chosen DNS provider. Encrypting your DNS requests is as important as not making them to a malicious or negligent entity.
There are many providers, but this only protects you from onlookers monitoring your requests; the provider may still have that information. Another important technique is to cache your requests with a recursive DNS resolver. This means that your devices will all connect to a resolver you run yourself, which then asks another DNS provider for the information and remembers it for a short period of time. Pi-hole is a fairly popular option for achieving this, and it also includes ad-blocking features.
Why?
…for many actors, metadata is far more valuable than the content. From a privacy perspective, DNS seems to be one of the most under-appreciated aspects of protecting oneself.
In many ways it is because most good VPNs will handle DNS as well, but there are other considerations. DNS can also be set at the application level. Browsers, for example, will have their own DNS settings. Most major browsers now support DNS over HTTPS (DoH), which is a very convenient way to encrypt your browser’s DNS queries. For encrypting all of your system’s DNS queries you may want to consider using DNSCrypt.
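To make the two DNS points above concrete, here is an added example (not part of the original guide) showing what an onlooker can read from an unencrypted query and how a caching resolver reduces the number of lookups that leave your network. The names `build_query`, `observe`, `CachingResolver` and `constructed_upstream` are hypothetical, and the upstream answer is constructed.

```python
import struct
import time

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query for `name` in RFC 1035 wire format (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def observe(packet):
    """What anyone on the path can read from an unencrypted query."""
    labels, pos = [], 12  # the question follows the 12-byte header
    while packet[pos]:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", packet[pos + 1:pos + 3])
    return ".".join(labels), qtype

class CachingResolver:
    """Answers repeat lookups locally until the record's TTL expires."""
    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream      # callable: name -> (address, ttl_seconds)
        self.clock = clock
        self.cache = {}
        self.upstream_queries = 0     # lookups that actually left the network

    def resolve(self, name):
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.upstream_queries += 1
        address, ttl = self.upstream(name)
        self.cache[name] = (address, self.clock() + ttl)
        return address

def constructed_upstream(name):
    """Stand-in for the chosen DNS provider; the answer is constructed."""
    return "192.0.2.10", 300

if __name__ == "__main__":
    print(observe(build_query("mail.example.org")))
    resolver = CachingResolver(constructed_upstream)
    for _ in range(3):
        resolver.resolve("mail.example.org")
    print("upstream queries:", resolver.upstream_queries)
```

The cache only reduces how often the upstream provider sees a name; the first lookup for each name still reaches it.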
End-to-End Protection
For a connection to be fully secure, it needs to:
Reach its destination
Not be modified or interfered with
Have reasonable protection against being identified
This turns out to be quite a high bar. Encryption often only protects the content of communications, and it can be much easier to observe who’s communicating with whom, how often, or other metadata. You can do everything right on your end, but if you connect to a malicious or compromised service, you can have problems. Man-in-the-middle attacks are even possible with modern encrypted websites: anyone able to use a certificate recognized by your device can do many malicious things, including deep packet inspection, to effectively nullify most web encryption. Resolving this is much more complicated, and requires much more effort.
Proxies, VPNs & Darknets
For computer networks to work, every computer needs a public IP address. How this works in practice (with IPv4 usually…) is that your machine has a number that your router knows, which has a number your ISP knows, which is then shared with the rest of the internet. That last number is your public IP address. Using a VPN does two things: it 1) encrypts traffic between you and the VPN service and 2) forwards your connections through one of its IP addresses.
Virtual Private Networks (VPNs) are often seen as the solution to all online privacy issues. This is people being misled by slick advertising. VPNs are very useful for accessing content that is blocked in specific regions or protecting your IP from being known by online services. There are many ways users of a VPN can have their IP leaked, so it is essential to make sure you are using your VPN properly.
Your internet service provider (ISP) may not be trustworthy, so you may want to use a VPN. It is important to realize that by using a VPN you are effectively transferring the risk of your ISP logging, tracking, or censoring your information to that VPN provider. Like ISPs, VPNs are businesses, and it is foolish to assume they will put your needs as an individual or customer before the interests of their business.
Just like DNS providers, your ability to trust your VPN provider is quite important as well. Protecting your information from them is just as difficult as masking your internet activity from your ISP. In addition to this, VPNs are prone to very unintuitive attacks. A DNS leak is when your VPN is working fine, but your DNS queries are being routed from your home IP address instead of the VPN provider’s, effectively unmasking you. Ironically, VPNs are often recommended in circumstances where you can’t trust the network, such as public WiFi, but this is the exact scenario where a recent attack would allow somebody to reroute your traffic outside the VPN. A proxy is a simpler way of changing where your requests come from than a VPN, but has similar concerns.
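One way to check for the DNS leak described above, as an added example that is not part of the original guide: given a routing table and the DNS resolvers a machine is configured to use, find the resolvers that would be reached outside the VPN interface. The route lines are a simplified, constructed format; the interface names, the addresses and the function names are assumptions.

```python
import ipaddress

# Constructed sample: a VPN that covers IPv4 with two /1 routes on tun0,
# while the LAN and all IPv6 traffic still use the WiFi interface.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0
10.8.0.0/24 dev tun0
::/0 via fe80::1 dev wlan0
"""

def parse_routes(text):
    """Turn '<prefix> ... dev <iface>' lines into (network, iface) pairs."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        iface = tokens[tokens.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), iface))
    return routes

def egress_interface(routes, dest):
    """Pick the interface by longest-prefix match, as a routing table does."""
    addr = ipaddress.ip_address(dest)
    # An address is never "in" a network of the other IP version.
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def find_dns_leaks(routes, resolvers, vpn_iface):
    """Return (resolver, interface) for every resolver reached outside the VPN."""
    leaks = []
    for resolver in resolvers:
        iface = egress_interface(routes, resolver)
        if iface != vpn_iface:
            leaks.append((resolver, iface))
    return leaks

if __name__ == "__main__":
    resolvers = ["10.8.0.1", "192.168.1.1", "198.51.100.53", "2001:db8::53"]
    for resolver, iface in find_dns_leaks(parse_routes(SAMPLE_ROUTES), resolvers, "tun0"):
        print(f"leak: queries to {resolver} leave via {iface}")
```

In the sample, the router's own resolver and the IPv6 resolver are flagged because the LAN route is more specific than the VPN's routes and the VPN carries no IPv6 route at all.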
Unless you plan to work entirely offline, you’re going to have to consider how you connect to the internet, and specific sites & services.
I would argue that it’s more important these days to hide one’s IP address than it was in the past. Internet geolocation has only gotten more precise over time. Depending on the accuracy, someone may be able to identify your neighborhood.
There is no one-size-fits-all solution when it comes to VPNs. Just like email, there are many VPN services out there and you should choose the service that works best for you. Depending on which one you choose, you can benefit from an increased level of security when connected to networks you wouldn’t ordinarily trust. But this means you’re placing your trust in the VPN.
Consider your goals:
Are you just trying to avoid disclosing your IP with sites & services you visit? Good VPNs & Proxies will suit this purpose.
Are you trying to evade ISP-level censorship and connect to services that are online but inaccessible to you? This is what Tor was built for; potentially being difficult to identify is also a useful feature, but is much less guaranteed.
Or are you trying to connect to specific “hidden services” served anonymously? Then you’ll want to consider darknets like Tor or I2P.
What VPN do you use, Gabe?