On Fri, 14 Aug 2015 16:19:57 +0200 "B. M." <b-m...@gmx.ch> wrote:
> Hi list, > > - Not really a debian problem, but I value the knowledge of you > all :-) > > I'd like to get external input to my security considerations... > > Hardware / Network situation: > - Family in an apartment, several other apartments in the same > building > - Internet by our cable network operator; router offered "for free", > providing WLAN to us > - Several clients use WLAN exclusively (no ethernet ports) > - Several computers and tablets, one of them running several services: > - dovecot for mail: automatic download of all mails (no long-term > archiving online - privacy!). Other clients (laptops) use offline > imap to access my dovecot instance > - owncloud for calendar, contacts, files: to synchronize files > between different machines, synchronized per user > - I created a CA and (sub-) certificates for S/MIME as well as a > server certificate used for apache (owncloud, dovecot) > > Concerns: > - WLAN: SSID hidden, strong password, but I can't really trust the > router, can I ? > - Someone who has access to our local network could get access to > mails or files (owncloud) > - I have no control over the router (firmware updates? security > fixes? I assume it's "really cheap" ...) > - How can I maximize security? > > Ideas: > - Configure apache to only accept SSL connections, because of WLAN > sniffing (done) > - Configure dovecot to only accept SSL connections, because of WLAN > sniffing (done) > - Configure apache to require SSL client authentication - not yet > possible because the owncloud sync client doesn't support that yet > - apache: restrict allowed IP addresses using .htaccess file to > 192.168.1.1/24. Does this provide security / make sense? > - dovecot: is restricting the allowed IP addresses for dovecot > possible as well? Does this provide security / make sense? > - Any other measures? > It depends what you want to spend, and how much time you have to set it up. A two-NIC firewall machine between the router and the rest of the network (presumably your mail server is wired to the router, it's only clients that are wireless) will do a lot to minimise any security problems with the router, and give you detailed control of what protocols go in and out. A wireless access point inside the firewall (or even without the firewall) will allow your clients access without using the possibly suspect wireless capability of the router. You can leave the router wireless running for guests who need no access to your network, or better still, turn it on only when required. Running a freeradius server (pretty much all wireless routers/APs will work with 802.1x) will allow you to require digital certificates to be installed on wireless clients, other connections will be refused. You can run a web proxy on the firewall, and filter out any content you feel isn't safe for your clients. There are other possibilities, but it all requires a machine running at all times when Net access is required, which you may not be willing to do. I have a baby HP server which uses about thirty watts, which I'm willing to run continuously, but a low-power workstation or even laptop with a USB NIC added should also do the job. I've heard of people using a Raspberry Pi, but I don't think even the latest ones really have the computing power for the job, certainly not for a web proxy. The OS, obviously, is Debian Stable, preferably without X. If you make the step to a continuously-running server, you will think of all kinds of other things to do with it: mine is primarily a firewall and SMTP/IMAP mail server, but it also plays MP3s through the hi-fi system... -- Joe
