TOPIC: Home/Boat network security

Home/Boat network security 30 Sep 2017 16:16 #1

  • Douggy
With cyber criminality on the increase and so much more at stake these days, our home or boat networks and devices need to be protected more than ever.

I'm currently in the process of upgrading my home network with a faster service (gigabit) and running Cat 6 network cables throughout the house. Then I need to make my network and devices as secure as reasonably possible. My plan is to not use wifi. Home-class routers don't seem to focus on the security features needed for today's threats, so I'm looking at alternatives like pfSense or OpenWrt running on a dedicated machine and/or upgrading my existing router with DD-WRT firmware.

Just curious if anyone here has done similar upgrades or has come up with a different approach to secure their home/boat network and devices.


2003 Bayliner 245
2007 Sedona F21
Last Edit: by Douggy.

Home/Boat network security 30 Sep 2017 18:40 #2

  • TenMile
I've got a number of things in place.

For home, I do use a combination of wireless and wired. Wireless inherently does have better security built into it now as many of the security vulnerabilities were patched over the years. The trick is to ensure that you're using the most up to date security and password protection. There are some other tricks you can do such as hiding your SSID, and locking access to the MAC address for specific devices if you wanted.

For security, as a basic measure I have my home router/firewall using OpenDNS for DNS resolution. OpenDNS actively blocks bad sites in real time, so if a user on your network has malware or is going to a site that distributes malware, it protects your machine. I also use a firewall from Meraki that allows me to do content filtering. I can block known malware sites and other inappropriate sites from my network. OpenDNS for home use is free. They also offer a Prosumer package that gets you reporting (the free package has no reporting of any malware your machines may be infected with). I recommend OpenDNS to all family and friends.

For the boat, you could use OpenWRT and OpenVPN together and create a tunnel back to your home network. This requires that you set up an OpenVPN server at home or in the cloud. That would use your home firewall and all its protection. Alternatively, Meraki makes a device called a Z1 (also now a Z3) that will create a tunnel back to your home network automatically.

Just yesterday, I also installed 2 outdoor security cameras from Meraki. I can manage all the WiFi, firewall and cameras from a single dashboard anywhere in the world, which is very handy. They have a very handy "motion search" feature -- for example, highlight the front door and it will show me every recording where there was motion there rather than having to review hours of footage. I don't currently have a camera on my boat; however, the Merakis at home just replaced 2 x Foscam cameras and I may move one to the boat.

Note that the Meraki gear is "commercial grade", not "consumer grade", and as such is expensive. There are likely lower-cost consumer alternatives out there. If you take one of their webinars they will send you a free AP, which is cool. Full disclaimer that I do work for the parent company and for my personal use I get an employee discount.


Terry
1999 Bayliner 3388
Twin Cummins 4BTA
Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
Member Royal Victoria Yacht Club

Home/Boat network security 01 Oct 2017 00:17 #3

  • Douggy
Thanks for the reply and information.

What are the key security feature differences between enterprise or "commercial grade" and "consumer grade"?

Has behavioral network security become a standard?


2003 Bayliner 245
2007 Sedona F21

Home/Boat network security 01 Oct 2017 01:25 #4

  • TenMile

Douggy wrote: Thanks for the reply and information.

What are the key security feature differences between enterprise or "commercial grade" and "consumer grade"?

Has behavioral network security become a standard?


Commercial grade hardware will generally be better designed. Somewhat more rugged, better faster chipsets, power supplies etc. Usually the manufacturers have a large team of hardware and software developers supporting the gear and extended warranties etc... Over the life of the gear (say 5-7 years) the manufacturer will continue to push out new firmware/software and security packages along with new features. Consumer grade gear tends to focus more on low cost so the things noted above aren't readily available.

Behavioral network security isn't so much a standard, but something that the leading manufacturers are now doing. Security today is more dynamic and real-time than it ever has been. In the past it was sufficient to download and install an antivirus program and have it update once a month or so. Today, that's completely insufficient with all the malware variants; most security products create a real-time cloud connection to a Security Operations Center where vulnerabilities are identified and pushed to the devices immediately. That's where services like OpenDNS shine. If a user downloads a Cryptolocker-type malware program that tries to download a security key from the Internet -- OpenDNS will block it from "calling home" so it's unable to do its job.


Terry
1999 Bayliner 3388
Twin Cummins 4BTA
Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
Member Royal Victoria Yacht Club

Home/Boat network security 01 Oct 2017 01:41 #5

  • Framedtrash
The more important question is what else is running on your network.
What devices do you use and what operating system are they running?
The weakest link is always going to be the devices using the network, not the network itself.


2000 Bayliner 3055 Ciera - Wine Down
Townsville, QLD Australia

Home/Boat network security 01 Oct 2017 03:29 #6

  • ksanders
I hold a Cisco CCNP (Cisco Certified Network Professional) certification in Routing and Switching. This qualifies me to design and maintain enterprise-class networks; these are scalable networks of unlimited size and complexity.

Do not worry about wireless. Your risk zone is a radius of about 150 feet. Nobody outside that risk zone can connect to your wireless network. Use WPA PSK as your encryption methodology and make up a random authentication key.

Use a current production router with a firewall built in, and do not bypass the firewall.

Do not use a private IP address, if offered one.

If you want to be extra careful, which I recommend, do not use your marina's free wifi as the WAN connection for your boat, and do not ever use public WIFI.

That's a network engineer's $0.02 opinion.


KEVIN SANDERS
4788 LISAS WAY
SEWARD, ALASKA
www.mvlisasway.com

Home/Boat network security 01 Oct 2017 04:45 #7

  • CptCrunchie
Excellent credentials! Thank you for that.

ksanders wrote: If you want to be extra careful, which I recommend, do not use your marina's free wifi as the WAN connection for your boat, and do not ever use public WIFI.

Why? If we never keep our credit cards or personal information on it, what can they get into, and how? We will be world cruisers in a couple years, and plan to use both of those on a regular basis.

And if we are using an iOS or OS X platform, is there less or more chance of this happening?


"B on D C", is a 1989 2459 Trophy Offshore HT, OMC 5.7L, Cobra OD, Yamaha 15hp kicker. Lots of toys! I'm no mechanic, just a blue water sailer and woodworker who loves deep sea fishing.
MMSI: 367637220
HAM: KE7TTR
TDI tech diver
BoD, North Olympic Peninsula Puget Sound Anglers, Sequim, WA
Kevin
Last Edit: by CptCrunchie.

Home/Boat network security 01 Oct 2017 11:23 #8

  • Douggy

ksanders wrote: I hold a Cisco CCNP (Cisco Certified Network Professional) certification in Routing and Switching. This qualifies me to design and maintain enterprise-class networks; these are scalable networks of unlimited size and complexity.

Do not worry about wireless. Your risk zone is a radius of about 150 feet. Nobody outside that risk zone can connect to your wireless network. Use WPA PSK as your encryption methodology and make up a random authentication key.

Use a current production router with a firewall built in, and do not bypass the firewall.

Do not use a private IP address, if offered one.

If you want to be extra careful, which I recommend, do not use your marina's free wifi as the WAN connection for your boat, and do not ever use public WIFI.

That's a network engineer's $0.02 opinion.


Thanks for the input!

It's not so much that I worry about wifi; it's more that I don't need wifi much and the risks that come with it. I will have wifi available if I need it and I can easily enable it, but as a default I will keep the radio off.

I do currently use security cams that use wifi, but my network rewiring of the house will include these cams. I just need to figure out a clean way to get Cat 6 into my barn.

I do use a VPN to mask my IP address, provide data encryption and avoid geoblocking and content filters. The VPN will be at the router/firewall so all devices (including cams) will utilize the VPN.


2003 Bayliner 245
2007 Sedona F21
Last Edit: by Douggy.
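Putting the VPN at the router so that "all devices will utilize the VPN", as Douggy plans above, comes down to one thing: which interface the default route points at. The following is an added example (not code from this thread or from any VPN vendor) in Python: a longest-prefix-match route lookup run over two constructed route tables, a split tunnel where only the home LAN is reached through the tunnel and a full tunnel where the default route points into it. Interface names `wlan0`/`tun0`, the home LAN `192.168.1.0/24` and the VPN server address `203.0.113.10` (a documentation-range address) are assumptions for illustration.

```python
"""Added example: longest-prefix-match route lookup showing split vs full tunnel.

Interface names, the home LAN prefix and the VPN server address are
constructed for illustration; 203.0.113.10 is from the TEST-NET-3
documentation range and stands in for the home VPN server's public IP.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network in CIDR notation, outgoing interface).
Route = Tuple[str, str]

VPN_SERVER = "203.0.113.10"

# Split tunnel: the default route still leaves over WiFi; only the home LAN
# is sent into the tunnel. Internet-bound traffic bypasses the VPN.
SPLIT_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "wlan0"),
    ("192.168.1.0/24", "tun0"),
]

# Full tunnel: the default route points into the tunnel. A /32 host route
# for the VPN server itself must stay on wlan0, otherwise the encrypted
# tunnel packets would be routed back into the tunnel (a routing loop).
FULL_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "tun0"),
    ("192.168.1.0/24", "tun0"),
    (VPN_SERVER + "/32", "wlan0"),
]


def egress_interface(routes: List[Route], dst: str) -> str:
    """Return the interface a packet to `dst` leaves on.

    Standard forwarding rule: among all routes whose network contains the
    destination, the most specific (longest prefix) wins.
    """
    addr = ipaddress.ip_address(dst)
    best_iface: Optional[str] = None
    best_len = -1
    for net_str, iface in routes:
        net = ipaddress.ip_network(net_str, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    if best_iface is None:
        raise LookupError(f"no route to {dst}")
    return best_iface


def leaks_outside_vpn(routes: List[Route], destinations: List[str],
                      vpn_server: str = VPN_SERVER) -> List[str]:
    """Destinations (other than the VPN server itself) that bypass tun0."""
    return [d for d in destinations
            if d != vpn_server and egress_interface(routes, d) != "tun0"]


if __name__ == "__main__":
    probes = ["192.168.1.20", "8.8.8.8", VPN_SERVER]
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for d in probes:
            print(f"{name:5} {d:15} -> {egress_interface(table, d)}")
        print(f"{name:5} leaks outside VPN: {leaks_outside_vpn(table, probes)}")
```

With the split table, `8.8.8.8` leaves on `wlan0` in the clear while the home LAN goes through `tun0`; with the full table everything except the tunnel endpoint itself goes through `tun0`. The same check applies whether the routing table belongs to a laptop or to the boat's router.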

Home/Boat network security 01 Oct 2017 11:27 #9

  • Douggy

TenMile wrote:

Douggy wrote: Thanks for the reply and information.

What are the key security feature differences between enterprise or "commercial grade" and "consumer grade"?

Has behavioral network security become a standard?


Commercial grade hardware will generally be better designed. Somewhat more rugged, better faster chipsets, power supplies etc. Usually the manufacturers have a large team of hardware and software developers supporting the gear and extended warranties etc... Over the life of the gear (say 5-7 years) the manufacturer will continue to push out new firmware/software and security packages along with new features. Consumer grade gear tends to focus more on low cost so the things noted above aren't readily available.

Behavioral network security isn't so much a standard, but something that the leading manufacturers are now doing. Security today is more dynamic and real-time than it ever has been. In the past it was sufficient to download and install an antivirus program and have it update once a month or so. Today, that's completely insufficient with all the malware variants; most security products create a real-time cloud connection to a Security Operations Center where vulnerabilities are identified and pushed to the devices immediately. That's where services like OpenDNS shine. If a user downloads a Cryptolocker-type malware program that tries to download a security key from the Internet -- OpenDNS will block it from "calling home" so it's unable to do its job.


I need to research OpenDNS. Thanks!


2003 Bayliner 245
2007 Sedona F21

Home/Boat network security 01 Oct 2017 12:31 #10

  • Douggy

CptCrunchie wrote: Excellent credentials! Thank you for that.

ksanders wrote: If you want to be extra careful, which I recommend, do not use your marina's free wifi as the WAN connection for your boat, and do not ever use public WIFI.

Why? If we never keep our credit cards or personal information on it, what can they get into, and how? We will be world cruisers in a couple years, and plan to use both of those on a regular basis.

And if we are using an iOs or OS X platform, is there less or more chance of this happening?


The risks go beyond just using a credit card on a device. Personal information exposed can lead to identity theft. If you access email on a device and/or use social media like Facebook on a device, then your personal information can be obtained, including the personal information of people you connect and associate with online. A quick example of just how easily personal information is available: looking at your BOC post I noticed your HAM radio ID. If I do a HAM ID lookup I will probably find your full name and location.


2003 Bayliner 245
2007 Sedona F21

Home/Boat network security 01 Oct 2017 15:29 #11

  • CptCrunchie

Douggy wrote: If I do a HAM ID lookup I will probably find your full name and location.


I have news for you. You can look up my HAM license number online by just my last name and the city and state I live in, and you don't even need to be registered to do that. Go to wireless2.fcc.gov/UlsApp/UlsSearch/searchLicense.jsp and do an advanced search for 'Holden' in 'Sequim WA'. You will see my VHF license for my boat. Click on that and you have my address and all the details about my boat. And if you enter the ZIP instead of the city, you will see both my and Wifey's licenses. Click on any one of them and you will have our address. This is all public knowledge.

Moreover, the moment I begin a HAM broadcast and use my callsign, anyone can go online and do an FCC search for who I am.

Now do an FCC search to see if they are giving away your information too.

My name and address is already all over the internet. It's on the advertising crap I get in my mailbox. It's on the Whois of any of the websites domains I own, any online reverse directory, and they can look me up even if I am mentioned once in the local newspaper. I've had my email accounts hacked at a time when some of the email was of a personal property nature between myself and one county and one city official. It also appears that changing my password 4 times had no effect, they still read my email. But when the dust settled, had they used that information, they would have given themselves away.

Most show where I live, some show how old I am, and some even show my photo. In fact, the HAM site even shows who I am married to, and what kind and size of boat I own. It also shows my MMSI number, the same one I show in my signature block. So, if all that is readily available, what am I needing to protect?

Guess this all begs the question: Does anyone here use LifeBlock?


"B on D C", is a 1989 2459 Trophy Offshore HT, OMC 5.7L, Cobra OD, Yamaha 15hp kicker. Lots of toys! I'm no mechanic, just a blue water sailer and woodworker who loves deep sea fishing.
MMSI: 367637220
HAM: KE7TTR
TDI tech diver
BoD, North Olympic Peninsula Puget Sound Anglers, Sequim, WA
Kevin
Last Edit: by CptCrunchie.

Home/Boat network security 01 Oct 2017 20:15 #12

  • ksanders
Regarding public WIFI and other issues.

First off, my knowledge begins and ends at the network. There are others here that apparently work as IT people professionally. They are the people to turn to regarding vulnerabilities of computers, operating systems and the like. I just think about the network.

Your risk of intrusion is at the edge of the network. Once you reach an Internet Service Provider your risk of intrusion or attack goes way down. Almost to zero. That is because unless you are one of the trusted few in the world of networking it is impossible to see someone's data. I'm not talking about trusted like a help desk person. I'm talking about trusted like a network engineer level person.

So now that we realize that our vulnerabilities are at the network edge, we can see that minimizing that vulnerability removes the vast majority of risk.

When you use public WIFI you are sharing your connection to the internet with all the other people on that system. You have no knowledge or control over the security precautions that the WIFI network has in place. You do not even know if the person that is running the WIFI service has nefarious intent.

That's why I recommend against using public WIFI.

The solution is to use the cellular network. Your cellular data is just safer to use. For one, it is run by a major carrier, with all of the security protocols that major carriers employ. Yes, theoretically someone could use cellular test equipment to see the contents of your data stream, but that is a lot less risk than a guy sitting at the table next to you with his laptop on a public WIFI system.

Again, this is network security. Device security is best advised by the professionals in that field.


KEVIN SANDERS
4788 LISAS WAY
SEWARD, ALASKA
www.mvlisasway.com
Last Edit: by ksanders.

Home/Boat network security 01 Oct 2017 21:52 #13

  • TenMile
It's not always possible to avoid public WiFi so the other alternative is to VPN via the public WiFi into your home network. All your traffic and confidential data is encrypted and secure that way.


Terry
1999 Bayliner 3388
Twin Cummins 4BTA
Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
Member Royal Victoria Yacht Club

Home/Boat network security 01 Oct 2017 22:28 #14

  • ksanders

TenMile wrote: It's not always possible to avoid public WiFi so the other alternative is to VPN via the public WiFi into your home network. All your traffic and confidential data is encrypted and secure that way.


I never use public WIFI, so yes it can be avoided...

That said, a VPN tunnel as you suggested seems to mitigate the risk.


KEVIN SANDERS
4788 LISAS WAY
SEWARD, ALASKA
www.mvlisasway.com
Last Edit: by ksanders.

Home/Boat network security 01 Oct 2017 23:07 #15

  • Douggy

ksanders wrote:

TenMile wrote: It's not always possible to avoid public WiFi so the other alternative is to VPN via the public WiFi into your home network. All your traffic and confidential data is encrypted and secure that way.


I never use public WIFI, so yes it can be avoided...

That said, a VPN tunnel as you suggested seems to mitigate the risk.


VPN is a good security practice. VPN back to your home network or VPN to a VPN service provider. The cost for the service is surprisingly inexpensive.


2003 Bayliner 245
2007 Sedona F21

Home/Boat network security 01 Oct 2017 23:22 #16

  • CptCrunchie
While I understand computers, I am completely server illiterate. Following your direction, I looked up VPN - Virtual Private Network.

How does this actually work? Since I'm on a cable modem, does that mean my ISP will now be a VPN through a site like NordVPN? Or do I still need my current ISP to connect to the VPN?

It says up to 6 devices, but does that include my iPhone too? And how would I use this if we were in a marina with either my computer or my iPhone? Would my email address change?

And what does, "Onion over VPN" mean? I found this on Google, but I'm not sure what it means:

> Onion Over NordVPN. With unique Onion over VPN solution, your Internet traffic will be routed through our VPN server first and then sent to the Onion Router. ... However, if you prefer, you can also connect to our regular servers, and then use the Onion browser as usual.

If I can get super fast internet connection for $79 for 2 years, AND I can leave my current ISP, I'm all over that!


"B on D C", is a 1989 2459 Trophy Offshore HT, OMC 5.7L, Cobra OD, Yamaha 15hp kicker. Lots of toys! I'm no mechanic, just a blue water sailer and woodworker who loves deep sea fishing.
MMSI: 367637220
HAM: KE7TTR
TDI tech diver
BoD, North Olympic Peninsula Puget Sound Anglers, Sequim, WA
Kevin
Last Edit: by CptCrunchie.

Home/Boat network security 02 Oct 2017 00:34 #17

  • Solandri

ksanders wrote: Do not worry about wireless. Your risk zone is a radius of about 150 feet. Nobody outside that risk zone can connect to your wireless network. Use WPA PSK as your encryption methodology and make up a random authentication key.

This is simply not true. I use a big parabolic dish antenna to connect to a hotspot a mile away. A lot of people have the mistaken impression that a directional antenna only helps one-way, and that you need directional antennas at both ends for long-range two-way transmission. You don't. A directional antenna like a Yagi or a parabolic dish helps with both reception (boosts received signal) and transmission (concentrates the max 1 Watt of RF energy into a narrower beam so it can travel further while still being strong enough to be picked up by the hotspot).

TenMile wrote: For home, I do use a combination of wireless and wired. Wireless inherently does have better security built into it now as many of the security vulnerabilities were patched over the years. The trick is to ensure that you're using the most up to date security and password protection.


It's important to understand that real cryptographic security is complex and slow. So slow that the way pretty much all security works (WiFi, VPNs, SSL, SSH, etc) is by using strong cryptography to exchange a long random key. That key is then used to encrypt everything with a faster encryption algorithm (usually double or triple DES or AES, since those have been in use for decades and no known vulnerabilities have yet been discovered). If the attacker can get through that initial key exchange, then they can decrypt everything else.

That's how WEP was broken. The way it exchanged keys allowed an attacker to detect a pattern depending on the key. Collect enough key exchanges and you could back out the key based on that pattern. Do not use WEP.

Technically, WPA was never cracked. Just that you could capture WiFi data and brute-force the key in less and less time as computers got faster. From decades, to weeks, to I currently believe it's hours.

Do not use WEP nor WPA. Also, do not use TKIP - a vulnerability was discovered in TKIP which totally compromises WPA and WPA2. Use AES instead (TKIP is basically a software stand-in for AES. It should not be possible to use TKIP with WPA2 since it was specifically excluded from the standard, but I know some vendors implemented it anyway to shut up people complaining their really old devices without AES support couldn't connect to their new WiFi router.)

WPA2 is what you should currently be using. But it just uses a longer key than WPA, so buys us more time before computers get faster again. Be aware that both WPA and WPA2 lack forward secrecy. As long as your WPA2 password is unchanged, an attacker who collects your WiFi packets and manages to crack it can decrypt all past packets as well as future packets, even though the key for each session changes. So if you're paranoid, you should be routing everything you send over WiFi through a VPN (https websites are OK since the SSL encryption happens on your computer before transmission).

(Personal vs Enterprise just relates to how the password is allocated. Personal = pre-shared key. You enter the password once in the router and all devices, and they can connect. If the password is compromised, you have to change it on the router and all devices. Enterprise = password server. A master server somewhere coordinates the password between the router and your computer. Enterprise is really only necessary if you wish to have the ability to revoke a single device's password without requiring everyone else also update their devices with a new WiFi password.)

There are some other tricks you can do such as hiding your SSID, and locking access to the MAC address for specific devices if you wanted.


Hiding your SSID degrades performance while offering almost no protection. A MAC address block is also trivial for a knowledgeable hacker to bypass. Furthermore, both these steps advertise to hackers "Hey I'm trying to hide important stuff here. Break in to get it!" You want to blend in with the masses with regular (but strong) encryption: WPA2 + AES.

If you're really paranoid about security but want WiFi, you can set up your network so it goes Internet <=> WiFi network <=> protected LAN. The firewall in front of the protected LAN will prevent intrusion from both the Internet and attackers who manage to break into your WiFi network. When you wish to connect to the protected LAN via WiFi, you first connect to the WiFi network, then you use a VPN to hop into the protected LAN. Just as if you were accessing the protected LAN over the Internet. Even if an attacker has managed to hack your WiFi and can read your WiFi data, they'd still only see encrypted gibberish as all your traffic is being sent through the VPN.

Do make sure you've configured your VPN to route all network traffic through the VPN (i.e. your computer -> VPN over WiFi -> protected LAN VPN server -> protected LAN -> WiFi network -> Internet). Otherwise only data sent to other computers in the protected LAN will occur over the VPN. Data to the Internet will go straight over WiFi to the Internet, and could be vulnerable to interception. Not a huge risk what with SSL protecting HTTPS websites, but if you want to absolutely minimize risk...

For security, as a basic measure I have my home router/firewall using OpenDNS for DNS resolution. OpenDNS actively blocks bad sites in real time, so if a user on your network has malware or is going to a site that distributes malware, it protects your machine.


Yes! I don't really care about OpenDNS blocking bad sites. But if you don't use OpenDNS or Google DNS (8.8.8.8, 8.8.4.4) or some other trusted DNS server, you're using your ISP's DNS. ISPs are not as vigilant at protecting their DNS servers as these two companies.

DNS is what translates the human-readable domain names (e.g. www.google.com ) into the IP addresses computers use (216.58.216.4). I've twice experienced DNS poisoning - once at home before I began using Google DNS, and once at work (I set them up with OpenDNS after). That's where an attacker modifies your ISP's (or their upstream provider's) DNS table so well-known domain names resolve to different IP addresses, usually under the attacker's control.

So you'd open your browser and hit your www.citibank.com bookmark. Your computer makes a DNS request for www.citibank.com , and your ISP's DNS server returns 123.45.67.89 instead of 192.193.102.175 (which is the real Citibank site). Your browser then dutifully makes a request to 123.45.67.89, all the while displaying www.citibank.com in the address bar. And if the attacker has anticipated this, he's set up a citibank-lookalike site at that IP address which will act as a man-in-the-middle to forward your requests to the real Citibank site, while capturing info like your login and password.

As for commercial vs home vs open source, I don't really have an opinion. I don't really have enough experience with commercial tools to fairly judge them. Compared to home products, they do have the advantage of being on the hook financially if their products fail (companies are more likely to sue). But because there are fewer users, bugs may lurk in the code whereas they'll be found and reported more quickly by millions of home users. Likewise, open source is in theory more secure, but it also means both the good guys and the bad guys have access to the code to try to find bugs. Just use something you trust.

A long, long time ago (like 1990s), I'd audit the access logs of my email server to see if there were a disproportionate number of connection attempts coming from the same place. But nowadays there are just so many random port scans (mostly coming from China and India) that it's futile. I did notice a large number of SSH connection attempts on a friend's server, so implemented a temporary 24 hour ban on any IP address making more than 5 failed attempts in the span of 1 minute. (It would look like they were still trying to login, but it would auto-fail every time, even if they stumbled onto the correct user/password/key combo).

If you have anything that truly needs to be protected, ask yourself: Does this even need to be connected to the Internet? An air gap (no physical nor WiFi connection) is the best defense.


1994 2556, 350 MAG MPI Horizon, Bravo 2
Last Edit: by Solandri.
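Solandri's "temporary 24 hour ban on any IP address making more than 5 failed attempts in the span of 1 minute" is the classic fail2ban-style rule, and the detail that a banned address keeps failing even with the right credentials is what makes it useful against a guessing campaign. The following is an added example (not code from this thread or from any real tool) in Python that implements exactly that rule over a handful of constructed OpenSSH-style auth log lines; the hostname `boat`, the usernames and the `203.0.113.x` addresses (a documentation range) are made up for the demonstration, and the window and threshold are the ones from the post.

```python
"""Added example: sliding-window failed-login ban, as described in the thread.

Rule: 5 or more failed SSH logins from one source IP within 60 seconds bans
that IP for 24 hours; while banned, even a correct login is refused.
The log lines are constructed to mimic OpenSSH's auth log; IPs are from
the 203.0.113.0/24 documentation range.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

MAX_FAILURES = 5                 # failures allowed inside the window
WINDOW = timedelta(minutes=1)    # "in the span of 1 minute"
BAN_DURATION = timedelta(hours=24)


class LoginGuard:
    """Tracks recent failures per source IP and the bans derived from them."""

    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned_until: Dict[str, datetime] = {}

    def is_banned(self, ip: str, now: datetime) -> bool:
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]      # ban has expired, forget it
            return False
        return True

    def observe(self, line: str) -> Optional[str]:
        """Feed one log line; return 'allow', 'deny', 'banned', or None if unparsed."""
        m = LINE_RE.match(line)
        if not m:
            return None
        now = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if self.is_banned(ip, now):
            return "banned"                # auto-fail, whatever the credentials
        if m["result"] == "Accepted":
            self.failures.pop(ip, None)    # a real login clears the counter
            return "allow"
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW:
            window.popleft()               # drop failures older than the window
        if len(window) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_DURATION
            window.clear()
        return "deny"


# Constructed sample log: a fast guesser, a legitimate user, a slow guesser,
# the fast guesser again after the ban has lapsed, and one junk line.
SAMPLE_LOG: List[str] = [
    "2017-10-02T03:00:00 boat sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "2017-10-02T03:00:05 boat sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "2017-10-02T03:00:10 boat sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "2017-10-02T03:00:15 boat sshd[104]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "2017-10-02T03:00:20 boat sshd[105]: Failed password for skipper from 203.0.113.5 port 40005 ssh2",
    "2017-10-02T03:00:30 boat sshd[106]: Accepted publickey for skipper from 203.0.113.5 port 40006 ssh2",
    "2017-10-02T03:05:00 boat sshd[107]: Accepted publickey for skipper from 192.168.1.20 port 51000 ssh2",
    "2017-10-02T03:10:00 boat sshd[108]: Failed password for root from 203.0.113.9 port 42000 ssh2",
    "2017-10-02T03:11:30 boat sshd[109]: Failed password for root from 203.0.113.9 port 42001 ssh2",
    "2017-10-02T03:13:00 boat sshd[110]: Failed password for root from 203.0.113.9 port 42002 ssh2",
    "2017-10-03T03:00:25 boat sshd[111]: Accepted publickey for skipper from 203.0.113.5 port 40007 ssh2",
    "this line is not an sshd auth record",
]


def replay(lines: List[str]) -> List[Optional[str]]:
    """Run the guard over a log in order and return the verdict for each line."""
    guard = LoginGuard()
    return [guard.observe(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{verdict!s:7} {line[:60]}")
```

Note how the fifth failure at 03:00:20 triggers the ban, so the valid key login ten seconds later is still refused, while the slow guesser at 203.0.113.9 never has five failures inside any one-minute window and is simply denied each time. Real deployments (fail2ban, sshguard) do the same bookkeeping and then install a firewall rule; the window and threshold are policy choices, and a slow enough attacker will stay under any threshold, which is why key-only authentication matters more than the ban itself.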

Home/Boat network security 02 Oct 2017 11:39 #18

  • Douggy

CptCrunchie wrote: While I understand computers, I am completely server illiterate. Following your direction, I looked up VPN - Virtual Private Network.

How does this actually work? Since I'm on a cable modem, does that mean my ISP will now be a VPN through a site like NordVPN? Or do I still need my current ISP to connect to the VPN?


From NordVPN: "A Virtual Private Network (VPN) redirects your connection to the Internet via a remote server run by a VPN provider. This way, the VPN server becomes a secure launching pad for you before you access various websites."

I take this to mean your NordVPN app will create a secured vpn tunnel through your ISP to the NordVPN server you select. You still need your ISP to provide the internet connection to your device.


CptCrunchie wrote: It says up to 6 devices, but does that include my iPhone too? And how would I use this if we were in a marina with either my computer or my iPhone? Would my email address change?


I believe "6 devices" means you can use NordVPN on up to 6 devices at a time. NordVPN does not care where your internet access comes from, so you can connect from your home network, your cell connection, a public wifi and more. You access it on any device by logging into NordVPN. NordVPN can be set up to log in automatically once your device is booted. Depending on your router, NordVPN can be configured in the router instead of on each individual device within the router network. Using a public wifi would be done as you normally would, except you would also start the NordVPN app. Your email address would not change.


CptCrunchie wrote: And what does, "Onion over VPN" mean? I found this on Google, but I'm not sure what it means:

> Onion Over NordVPN. With unique Onion over VPN solution, your Internet traffic will be routed through our VPN server first and then sent to the Onion Router. ... However, if you prefer, you can also connect to our regular servers, and then use the Onion browser as usual.


Here is the link to NordVPN regarding Onion Over VPN: https://nordvpn.com/features/onion-over-vpn/


CptCrunchie wrote: If I can get super fast internet connection for $79 for 2 years, AND I can leave my current ISP, I'm all over that!


NordVPN is not an ISP, they are a VPN service provider, so you still need your ISP.


2003 Bayliner 245
2007 Sedona F21

Home/Boat network security 02 Oct 2017 20:37 #19

  • TenMile
Be very wary of the VPN "Service Providers"; they are little better than just using public WiFi and just shift the attack from the cafe to their datacentre. Good article here: gist.github.com/joepie91/5a9909939e6ce7d09e29

If you're really concerned about your privacy and protection of your data, set up your own VPN Server at home. OpenVPN is a good option. Can run on a server or a router or you can purchase an off-the-shelf device like I mentioned above.


Terry
1999 Bayliner 3388
Twin Cummins 4BTA
Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
Member Royal Victoria Yacht Club

Home/Boat network security 02 Oct 2017 22:02 #20

  • Douggy

TenMile wrote: Be very wary of the VPN "Service Providers"; they are little better than just using public WiFi and just shift the attack from the cafe to their datacentre. Good article here: gist.github.com/joepie91/5a9909939e6ce7d09e29

If you're really concerned about your privacy and protection of your data, set up your own VPN Server at home. OpenVPN is a good option. Can run on a server or a router or you can purchase an off-the-shelf device like I mentioned above.


Who is the author of this article? joepie91?


2003 Bayliner 245
2007 Sedona F21

Home/Boat network security 03 Oct 2017 02:37 #21

  • TenMile
No idea who the guy is, but his points are all good. Here's another article from Wired Magazine: www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/

His major point is that when you purchase a VPN via some Internet service, your VPN traffic actually terminates on their servers where your traffic is then decrypted. They are basically acting as an Internet Proxy and these guys KNOW that their users have data they want to hide. It's like a big honeypot. Who knows what they do with your traffic? They could sell your data (sites you visit, things you purchase etc...) and they may even try to intercept and steal your private data. It's a question of trust. Who knows where they are located (Russia, China, Canada....) and what they intend to do.

If you're going to go through the trouble, set up the VPN server at home and then you don't have the same risks or concerns.


Terry
1999 Bayliner 3388
Twin Cummins 4BTA
Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
Member Royal Victoria Yacht Club

Home/Boat network security 03 Oct 2017 03:01 #22

  • ksanders

TenMile wrote: No idea who the guy is, but his points are all good. Here's another article from Wired Magazine: www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/

His major point is that when you purchase a VPN via some Internet service, your VPN traffic actually terminates on their servers where your traffic is then decrypted. They are basically acting as an Internet Proxy and these guys KNOW that their users have data they want to hide. It's like a big honeypot. Who knows what they do with your traffic? They could sell your data (sites you visit, things you purchase etc...) and they may even try to intercept and steal your private data. It's a question of trust. Who knows where they are located (Russia, China, Canada....) and what they intend to do.

If you're going to go through the trouble, set up the VPN server at home and then you don't have the same risks or concerns.


I agree completely!

If you use a VPN service then everything you do using the internet goes through them, everything. They see it all. I do not like that.

While I think it's overkill, if you are going to use a VPN for your traffic, terminate the VPN in a device you control.


KEVIN SANDERS
4788 LISAS WAY
SEWARD, ALASKA
www.mvlisasway.com

Home/Boat network security 03 Oct 2017 04:11 #23

  • CptCrunchie

ksanders wrote: While I think it's overkill, if you are going to use a VPN for your traffic, terminate the VPN in a device you control.


Excellent information, guys! Thanks. Now, ....did I mention I'm server illiterate? How do I set up a VPN at home? I have a cable modem and a NetGear router. The router has a different IP than my IOs. I also have an HP wireless printer, and a booster to serve Wifey's puter in her office. The TV also has internet access, and we have a cable phone too.

ADDITIONALLY: I've been watching the TV ads about monitoring your home security on your Phone, telling vandals to get off your property. If I set up a VPN in my home and connect this monitoring system, how do I connect to it when I am away?


"B on D C", is a 1989 2459 Trophy Offshore HT, OMC 5.7L, Cobra OD, Yamaha 15hp kicker. Lots of toys! I'm no mechanic, just a blue water sailer and woodworker who loves deep sea fishing.
MMSI: 367637220
HAM: KE7TTR
TDI tech diver
BoD, North Olympic Peninsula Puget Sound Anglers, Sequim, WA
Kevin

Home/Boat network security 03 Oct 2017 05:41 #24

  • ksanders

CptCrunchie wrote:

ksanders wrote: While I think it's overkill, if you are going to use a VPN for your traffic, terminate the VPN in a device you control.


Excellent information, guys! Thanks. Now, ....did I mention I'm server illiterate? How do I set up a VPN at home? I have a cable modem and a NetGear router. The router has a different IP than my IOs. I also have an HP wireless printer, and a booster to serve Wifey's puter in her office. The TV also has internet access, and we have a cable phone too.

ADDITIONALLY: I've been watching the TV ads about monitoring your home security on your Phone, telling vandals to get off your property. If I set up a VPN in my home and connect this monitoring system, how do I connect to it when I am away?


My opinion is to not go through the trouble. The ONLY thing a VPN will do is encrypt your mobile devices' traffic from wherever they are to your house. A home based VPN requires either a static IP address as the WAN gateway, or an automatically updated DNS entry. These things are not difficult, but they are necessary for a device outside your home network to establish the VPN connection.

As far as accessing your home security system, cameras, etc... they can be accessed very easily using your mobile phone or tablet using the APP provided by many companies. Easy peasy

I use Dlink cameras, and Lowes Iris for security. I do not have a VPN on my home or my boat's networks, which are online 100% of the time, each having multiple internet connections, with failover.


KEVIN SANDERS
4788 LISAS WAY
SEWARD, ALASKA
www.mvlisasway.com

Home/Boat network security 03 Oct 2017 11:05 #25

  • Douggy

TenMile wrote: No idea who the guy is, but his points are all good. Here's another article from Wired Magazine: www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/

Wired claims in the article that not all VPN providers are good, but some are gems. Wired actually recommended my VPN provider, which is NordVPN.


TenMile wrote: His major point is that when you purchase a VPN via some Internet service, your VPN traffic actually terminates on their servers where your traffic is then decrypted.


Yes, the encrypted VPN tunnel is between my protected home network and the VPN provider, to and from, and from the VPN server to internet content my IP is masked (anonymous). But when you say decrypted, this just means it's the same as it would be from my protected home network but without the VPN encryption, but with the IP mask. So bottom line is I added a layer of security on top of what I had without a VPN provider.


TenMile wrote: They are basically acting as an Internet Proxy and these guys KNOW that their users have data they want to hide. It's like a big honeypot. Who knows what they do with your traffic? They could sell your data (sites you visit, things you purchase etc...) and they may even try to intercept and steal your private data. Its a question of trust. Who knows where they are located (Russia, China, Canada....) and what they intend to do.


Yes, a VPN provider user wants their data encrypted, IP address masked and geoblock removed; this is the goal. I agree that it's a matter of trust between you and the VPN provider. The VPN provider can only see the data that would normally come from your home protected network when you access internet content. A home VPN server won't change this.

As far as a matter of trust goes: Anytime you use an internet service or make an internet based purchase it's a matter of trust. Using OpenDNS is a matter of trust. Using a cloud service is a matter of trust. Most internet services are a matter of trust. One can only research to determine if a provider or service is trustworthy.

The internet is full of opinions on services and providers, pro and con. For example, in my research on OpenDNS and Google DNS I found multiple articles on each that tell me I should not use them because they are untrustworthy. Am I not going to use one of these services just because I found a few negative articles ... no. I look at the totality of my research results.


TenMile wrote: If you're going to go through the trouble, set up the VPN server at home and then you don't have the same risks or concerns.


A VPN provider serves a different purpose than a home VPN server. It's an encryption, geoblock/filter avoidance and IP masking product when you're accessing internet content. I'm not saying a home VPN server is bad or you should not have it; matter of fact I think you (or I) should, but for a different purpose. A home VPN server allows you to VPN between your protected home network and your mobile device outside the home. You can't use a home VPN server to access internet content with VPN encryption. The only thing it can do is allow you to access internet content from within your protected home network when you are away from home. I use NordVPN from within my protected home network. A VPN provider provides another layer of security on top of my secure home network.
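To pin down the trust question argued over in the last few posts (who on the path can read what when a commercial VPN provider, a VPN server at home, or no VPN at all is in use), here is an added example that is not from any of the posters. The hop names, the forwarding paths and the rules for what each hop can read are assumptions of the model, and it treats a site reached over HTTPS as hiding the payload from everyone except the site itself.

```python
"""Who sees what along the path for the three setups discussed in this
thread: no VPN, a commercial VPN provider, and a VPN server at home used
from away. Constructed model with assumed hop names, not a measurement
of any real provider's behaviour."""
from dataclasses import dataclass

# Assumed forwarding path for each setup (hypothetical party names).
PATHS = {
    "no_vpn": ["local_network", "local_isp", "website"],
    "provider_vpn": ["local_network", "local_isp", "vpn_provider", "website"],
    "home_vpn": ["local_network", "local_isp", "home_router", "home_isp", "website"],
}
# The party that terminates the VPN tunnel and decrypts it, if any.
TUNNEL_END = {"provider_vpn": "vpn_provider", "home_vpn": "home_router"}


@dataclass(frozen=True)
class Flow:
    client_ip: str   # constructed sample address of the laptop or phone
    dest_host: str   # site being visited
    https: bool      # True if the site itself is reached over TLS


def visibility(setup: str, flow: Flow) -> dict:
    """Return {party: set of fields it can read} for one flow."""
    tunnel_end = TUNNEL_END.get(setup)
    in_tunnel = tunnel_end is not None
    seen = {}
    for hop in PATHS[setup]:
        if in_tunnel and hop != tunnel_end:
            # Before the tunnel ends, a hop only sees an encrypted blob
            # from the client's address to the VPN endpoint.
            fields = {"client_ip", "tunnel_endpoint"}
        else:
            fields = {"dest_host"}
            # The tunnel terminator still knows the client's real address;
            # every party after it sees the tunnel's exit address instead.
            fields.add("client_ip" if tunnel_end is None or hop == tunnel_end
                       else "exit_ip")
            # Payload is readable if the site is plain HTTP, and always by
            # the website itself, which terminates the TLS session.
            if not flow.https or hop == "website":
                fields.add("payload")
        seen[hop] = fields
        if hop == tunnel_end:
            in_tunnel = False
    return seen


def who_sees(setup: str, flow: Flow, field: str) -> list:
    """Parties on the path that can read the given field."""
    return [p for p, f in visibility(setup, flow).items() if field in f]
```

With `https=True` the payload drops out everywhere except the website, while the VPN provider (or, for the home setup, the home ISP) still sees every destination and the website sees only the exit address; that is exactly the split the thread is arguing about.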


2003 Bayliner 245
2007 Sedona F21