Security Archive

Android VPN Articles and References

Posted January 28, 2012 By Landis V

Looking towards configuring StrongSwan as an IPSec VPN endpoint for Android.  The long-term goal is to set up a VPN configuration in which the phone automatically forwards all traffic through the IPSec VPN tunnel to be routed via my home connection unless 1.) the phone is connected to my private wireless network (perhaps one dedicated to the phone) or 2.) I manually disable forwarding, possibly to be resumed automatically after a timeout, and definitely to be resumed at phone reboot.  On the private network, will be doing some HTTP filtering, mangling, redirecting, and blocking; some file sync’ing and/or “private cloud” streaming; some monitoring; some outright blocking; some home automation… all kinds of wonderful, fun and exciting things.  I’m coming up on a year since I left the giant red atrocity that is Verizon and purchased an Android phone and plan from US Cellular (which has been an outstanding upgrade in every way… both the phone and the carrier), and I’m just now getting things in place to begin configuring the VPN hub, hence “long term”.  This post is primarily to note a few pages with hints, tips, and configurations for Android (and iPhone) device connections to a (Open|Strong)Swan server.  The biggest problem I seem to be encountering thus far is that I don’t think any I have yet encountered are descriptive in setting up an “always on, automatic at boot” connection, and I’m thinking I’ll need to get a working tun.ko module for my phone to really make this happen as I would like.  We shall see.

More to follow/update to post later.
Trying to get ntpd to stop creating listening sockets is a royal pain in the ass. Sure, I can set a firewall rule that blocks access to the port on undesired interfaces, but it's more work to make that happen, and it's just not as clean. Here's what I finally ended up doing to stop creating default (0.0.0.0:123 for IPv4 and :::123 for IPv6) listeners and just set a listening socket on one address on my internal interface. Hopefully it helps someone else out.
 # Add to ntp.conf, in order
 interface ignore all
 interface ignore ipv4
 interface ignore ipv6
 interface listen 192.168.0.1

While there’s not a gaping security window with NTP, I just feel a little safer not having anything listening at all.
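As an added check (mine, not part of the original post), a short Python script that reads `ss -H -lun` or `netstat -lun` style output and reports any NTP socket that is still a wildcard bind, or that is bound to an address outside the intended listen set. The socket lines are constructed samples, and the allowed set is assumed to be just the 192.168.0.1 from the configuration above.

```python
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -H -lun` output (not captured from any real host):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_BEFORE = """\
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 127.0.0.1:123 0.0.0.0:*
UNCONN 0 0 192.168.0.1:123 0.0.0.0:*
UNCONN 0 0 [::]:123 [::]:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
"""
# Constructed sample of the same host once only the intended listener remains.
SS_AFTER = "UNCONN 0 0 192.168.0.1:123 0.0.0.0:*\n"


def parse_udp_listeners(output):
    """Return (address, port) per line; the local socket is the 4th column in
    both ss and netstat layouts. Accepts the `[::]:123` and `:::123` forms."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        sockets.append((addr.strip("[]"), int(port)))
    return sockets


def ntp_findings(output, allowed):
    """List NTP (udp/123) listeners that contradict the intended configuration:
    a wildcard bind means the `interface ignore` lines are not in effect; any
    other address outside `allowed` is a listener nobody asked for."""
    findings = []
    for addr, port in parse_udp_listeners(output):
        if port != 123:
            continue
        if addr in WILDCARDS:
            findings.append((addr, "wildcard bind"))
        elif addr not in allowed:
            findings.append((addr, "not in intended listen set"))
    return findings


if __name__ == "__main__":
    # On a live host, feed in subprocess.check_output(["ss", "-H", "-lun"], text=True).
    for addr, why in ntp_findings(SS_BEFORE, {"192.168.0.1"}):
        print(f"ntp listener {addr}: {why}")
```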


10/27

Posted October 27, 2011 By Landis V

http://www.priceprotectr.com/

http://iscs.sourceforge.net/ ISCS administrators do not configure the security subsystems separately. They never write a single order dependent rule or complex security association. They describe the security environment in functional, practical, process oriented terms such as, “Sales needs access to Sales Data”, “Marketing, Financial, Engineering and the outside Advertising Agency need access to the New Product Line data”, “the 192.168.1.0/24 network should participate in the VPN”, “the new acquisition’s 10.1.1.0/24 network needs to NAT globally to 172.16.8.0/24 to avoid conflict with the existing 10.1.1.0/24 network” or “the credit card database servers should not be allowed to send packets any further than the e-commerce web server in the DMZ to prevent data theft over the Internet.”


Zone Firewall Taxonomy

Posted September 13, 2011 By Landis V

I’ve been thinking for some months (years, maybe) about how to properly implement a zone taxonomy/hierarchy for a global policy security configuration.  Perhaps because I’ve never really had the time to sit down and focus on the problem, it has always proven elusive.  I can see what I want to accomplish, but it requires just a little more thought than I’ve been able to devote to it.  Which is unfortunate.  I think this taxonomy/hierarchy combination could greatly simplify some of what I do.

Recently I’ve had an opportunity (scantily disguised as a shitload of work and frustration) to focus on this, think it through, and see if it actually has the potential to prove beneficial.  That’s what I’ve spent this afternoon doing, and it’s time to start making some notes on my thoughts and analyzing the conclusions therefrom to see if this is actually a workable idea or if it’s something that’s been nagging at me for years with no viable solution, or at least none that I can see clear.

For the reader, I’m writing this primarily to clarify and focus my own thought process, so I won’t go into any detail on concepts that are already clear in my mind.  I will define all zones with the prefix “Zone” to describe the type of element it is (since there are many possible elements in networking – lists, subnets, zones, services, etc.).  From there, I will append successively more specific elements to describe the particular zone.  This yields a few questions, and a few things that will require further thought.  I will immediately note the ones that come to mind to prevent their loss as my mind wanders.

Question:  Should zones become so specific as to be itemized down to a specific host, or even a specific service?

Implementation Thought:  Zone permissions should be configured in a top-down list from the most granular to the most generic.  This is in line with traditional list-based access control methodologies.
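An added example (mine, not the author’s) that models the naming convention and the ordering rule above in Python: zone names are dotted paths under the “Zone” prefix, rules are evaluated top down with first match winning, and a check reports any rule that an earlier, more generic rule shadows. The zone names and the policy are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # dotted zone path, e.g. "Zone.Internal.Sales"
    dst: str      # a leaf can be as narrow as a single host if desired
    action: str   # "permit" or "deny"


def covers(pattern, zone):
    """True when `zone` is `pattern` itself or lies beneath it in the hierarchy."""
    return zone == pattern or zone.startswith(pattern + ".")


def specificity(rule):
    """Depth in the taxonomy; deeper names are more granular."""
    return rule.src.count(".") + rule.dst.count(".")


def evaluate(rules, src_zone, dst_zone, default="deny"):
    """Top-down first match, as in a traditional ACL."""
    for rule in rules:
        if covers(rule.src, src_zone) and covers(rule.dst, dst_zone):
            return rule.action
    return default


def shadowed(rules):
    """Pairs (earlier, later) where the earlier rule covers both endpoints of
    the later one, so the later rule can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier.src, later.src) and covers(earlier.dst, later.dst):
                found.append((earlier, later))
                break
    return found


def granular_first(rules):
    """Reorder so the most specific rules come first (stable for ties)."""
    return sorted(rules, key=specificity, reverse=True)


# Constructed policy: Sales may reach its data, nobody else in Internal may
# reach the server zone, and everyone in Internal may reach the Internet.
SALES_DATA = Rule("Zone.Internal.Sales", "Zone.Internal.Servers.SalesData", "permit")
NO_SERVERS = Rule("Zone.Internal", "Zone.Internal.Servers", "deny")
TO_INTERNET = Rule("Zone.Internal", "Zone.Internet", "permit")
GOOD_ORDER = [SALES_DATA, NO_SERVERS, TO_INTERNET]
BAD_ORDER = [NO_SERVERS, SALES_DATA, TO_INTERNET]   # generic deny hides the permit
```

With the generic rule first, the Sales permit never matches; `shadowed(BAD_ORDER)` flags exactly that pair and `granular_first` restores the intended order.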


5/19

Posted May 19, 2011 By Landis V

http://rss.slashdot.org/~r/Slashdot/slashdot/~3/3612AbuM154/CDC-Warns-of-Zombie-Apocalypse Looks like an amusing read.

http://thatwhichis.tumblr.com/post/5616002323/20-stats-about-the-us-housing-market-that-will-make-you

http://steveg769.bizland.com/spiralsbysteven2/ Wooden gears

http://idle.slashdot.org/comments.pl?sid=2170514&cid=36185434 A great idea for a honeypot FTP

http://www.lexinter.net/LOTWVers4/restatement_(second)_of_contracts.htm http://www.ali.org/

Really, really need to take some time to play with cfengine.

Had a funny thought about Apple (of the garden) being treated like a religion, “meticulous management of customer experience” (i.e., “herding the flock”), and suddenly it’s now the Rapture.

openssl s_client -connect #Command-line SSL connections

Would be nice to have a ping command with a configurable (via command line switches) exponential weighted moving average for packet loss. That way, you could watch some statistics on loss over intervals while running from a command line, and not just be interpreting loss for the time since you started the command an hour (day/week/whatever) earlier.

http://www.wired.com/wiredscience/2011/03/diy-cellphone-microscope/?pid=1112&viewall=true I’m a little more interested in the spectrometer.  I always thought it would be interesting to have one of those.


4/7

Posted April 7, 2011 By Landis V

Thoughts on changing passwords daily (possibly multiple times daily) on any non-personally owned systems. There are a couple of potential pluses for this thought: if your password is ever compromised, or if it is subpoena’ed for any purpose, it has likely already changed by the time an attempt is made on the account. Cons: incredibly unwieldy to manage for multiple or all accounts; would have to be managed by an automated process on a personally owned system, with a method to sync/provide the updated password to end user in real time; providers might see as suspicious; tracking what characters are allowed in passwords for what providers; managing password resets if required (and syncing back to the changer controller, as it would have to know a changed password in order to be able to update it).

http://xkcd.com/radiation/

http://www.aviary.com/ – like an online Photoshop

http://designfestival.com/the-cicada-principle-and-why-it-matters-to-web-designers/ and the related previous article on CSS seamless tiles.

“But I will accept any rules that you feel necessary to your freedom. I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; If I find them too obnoxious, I break them. I am free because I know that I alone am responsible for everything I do.” (“The Moon Is A Harsh Mistress”, 1966) Heinlein?

http://dev.pulsed.net/wp/ Interesting projects.

http://www.ibiblio.org/harris/500milemail.html Great story


Much going on

Posted March 11, 2011 By Landis V

My world is eventful at present, and it seems to be preventing me from properly accomplishing much of anything.  Last Saturday my wife and I got new cell phones, finally extricating ourselves from Verizon (don’t get me started…). US Cellular has done well for us thus far – my wife has already had a support issue, and it was handled to resolution in a courteous manner.  My experience with Verizon was always courteous, but never resolved.  As part of this, I finally have an Android phone – very exciting, and I am enjoying it a great deal.  I have loaded the Froyo pre-release ROM, and it’s doing fairly well.  Haven’t had enough time to really play in detail (phone is the Samsung Mesmerize… another good reason to get away from Verizon; no locked down, eFuse Moto’s here :)).  Was hoping to port my old Verizon number to my Google Voice account since they are now allowing porting of mobile numbers, but it appears that BFE Nebraska is not on their list of locations which they can support porting from.  So, I will have to see if US Cell can port it to my new phone post hoc.  Wish me luck :/.

Have also been trying to get the WordPress app for Android to work with my blog, but that doesn’t seem to be happening just yet.  Had some issues with the client on my BlackBerry as well, so I think the finger currently points at the hosting provider configuration and not the phone(s).  Will work on that when (if?) I get the time.  Will also get back to my experimentation and testing of LxC’s hopefully sooner than later.  However, with my wife in Chicago from Saturday through Monday and myself on parent duty, it will probably be later rather than sooner.

Did experiment a little bit with the live disc for Clonezilla recently.  Acquired a bunch of systems, some of which will be finding new homes as soon as I can get them finished.  For the handful that came with drives, I had built a Windows image on one of them and tested replicating it to others.   Since the systems were all of similar-to-near-identical configuration, imaging was surprisingly fantastic and generally fast.  Imaging to a test VirtualBox on my daily driver Ubuntu box didn’t work quite as well, but I suspect there were a number of factors impacting that including 32-vs-64-bit processor config.  Again, something to worry about later since the actual PCs did great.  Kudos to Clonezilla on that one.

Have been looking at some of the descendants of FreeS/WAN recently, specifically StrongSwan (don’t bite me on the case tonight, I’m friggin’ tired!).  Looks neat, and I was hopeful to get a chance to run a test drive with it.  Don’t think that will actually happen unless I can somehow get it done tomorrow night (yeah, right).  May perhaps do so at home if I get the time.  It has pushed me to a somewhat better understanding of IPSec (I think), especially Main Mode vs Quick Mode.  I will continue to look at it and hope to at least make it work in a lab environment in case I ever have need of it in the future.  My current direction, as a result of tight time constraints, is probably going to be the ASR series of Cisco routers if their licensing proves tolerable, and something in the 7206 G2/VSA category if not.  I’m hearing 1.8Gbps throughput on those boys at the low end (though I assume that’s with 1400 byte packets, it’s still quite something).

Anyway, have to call it for tonight and work on some POs.  Just really needed to get some of what was going on out of my head and down on “paper”.  There is something at least mildly therapeutic about writing 🙂
