    Home/Boat network security-gctid826390

    With cyber criminality on the increase and so much more at stake these days, our home or boat networks and devices need to be protected more than ever.

    I'm currently in the process of upgrading my home network with a faster service (gigabit) and running Cat 6 network cables throughout the house. Then I need to make my network and devices as secure as reasonably possible. My plan is to not use Wi-Fi. Home-class routers don't seem to focus on the security features needed for today's threats, so I'm looking at alternatives like pfSense or OpenWrt running on a dedicated machine, and/or upgrading my existing router with DD-WRT firmware.

    Just curious if anyone here has done similar upgrades or has come up with a different approach to secure their home/boat network and devices.
    2003 Bayliner 245
    2007 Sedona F21

    #2
    I've got a number of things in place.

    For home, I do use a combination of wireless and wired. Wireless inherently does have better security built into it now, as many of the security vulnerabilities were patched over the years. The trick is to ensure that you're using the most up-to-date security and password protection. There are some other tricks you can do, such as hiding your SSID and locking access to the MAC addresses of specific devices if you wanted.

    For security, as a basic measure I have my home router/firewall using OpenDNS for DNS resolution. OpenDNS actively blocks bad sites in real time, so if a user on your network has malware or is going to a site that distributes malware, it protects your machine. I also use a firewall from Meraki that allows me to do content filtering. I can block known malware sites and other inappropriate sites from my network. OpenDNS for home use is free. They also offer a Prosumer package that gets you reporting (the free package has no reporting of any malware your machines may be infected with). I recommend OpenDNS to all family and friends.

    For the boat, you could use OpenWrt and OpenVPN together and create a tunnel back to your home network. This requires that you set up an OpenVPN server at home or in the cloud. That would use your home firewall and all its protection. Alternatively, Meraki makes a device called a Z1 (also now a Z3) that will create a tunnel back to your home network automatically.

    Just yesterday, I also installed 2 outdoor security cameras from Meraki as well. I can manage all the Wi-Fi, firewall and cameras from a single dashboard anywhere in the world, which is very handy. They have a very handy "motion search" feature: for example, highlight the front door and it will show me every recording where there was motion there, rather than having to review hours of footage. I don't currently have a camera on my boat; however, the Merakis at home just replaced 2 x Foscam cameras and I may move one to the boat.

    Note that the Meraki gear is "commercial grade", not "consumer grade", and as such is expensive. There are likely lower-cost consumer alternatives out there. If you take one of their webinars they will send you a free AP, which is cool. Full disclosure: I do work for the parent company, and for my personal use I get an employee discount.
    Terry
    1999 Bayliner 3388
    Twin Cummins 4BTA
    Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
    Member Royal Victoria Yacht Club

      #3
      Thanks for the reply and information.

      What are the key security feature differences between enterprise or "commercial grade" and "consumer grade"?

      Has behavioral network security become a standard?
      2003 Bayliner 245
      2007 Sedona F21

        #4
        "Douggy" post=826421 wrote:
        Thanks for the reply and information.

        What are the key security feature differences between enterprise or "commercial grade" and "consumer grade"?

        Has behavioral network security become a standard?
        Commercial grade hardware will generally be better designed: somewhat more rugged, with better, faster chipsets, power supplies etc. Usually the manufacturers have a large team of hardware and software developers supporting the gear, extended warranties etc. Over the life of the gear (say 5-7 years) the manufacturer will continue to push out new firmware/software and security packages along with new features. Consumer grade gear tends to focus more on low cost, so the things noted above aren't readily available.

        Behavioral network security isn't so much a standard, but something that the leading manufacturers are now doing. Security today is more dynamic and real-time than it ever has been. In the past it was sufficient to download and install an antivirus program and have it update once a month or so. Today that's completely insufficient with all the malware variants; most security products create a real-time cloud connection to a security operations center where vulnerabilities are identified and pushed to the devices immediately. That's where services like OpenDNS shine. If a user downloads a CryptoLocker-type malware program that tries to download a security key from the Internet, OpenDNS will block it from "calling home" so it's unable to do its job.
        Terry
        1999 Bayliner 3388
        Twin Cummins 4BTA
        Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
        Member Royal Victoria Yacht Club
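Posts #2 and #4 describe what a filtering resolver such as OpenDNS does for a network: a lookup for a known-bad name never returns a usable address, so malware that needs to reach its server to fetch a key or report in cannot. The script below is an added example of that mechanism in miniature; it is my code, not OpenDNS's and not anything posted in this thread. The blocklist (hosts-file format), the upstream answers and every domain name in it are constructed for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass

# Address handed back for blocked names. 0.0.0.0 is the hosts-file convention;
# a real filtering resolver may answer NXDOMAIN or point at a block page instead.
SINKHOLE_IP = "0.0.0.0"

# Constructed blocklist standing in for the feed a filtering resolver pulls
# from its provider. Same shape as a hosts file: "<ip> <hostname>".
SAMPLE_BLOCKLIST = """\
# c2 and dropper domains (constructed sample)
0.0.0.0 evil.example
0.0.0.0 keyserver.ransom.example   # where the encryptor fetches its key
"""

# Constructed stand-in for the real recursive resolver behind the filter.
SAMPLE_UPSTREAM = {
    "bank.example": "192.0.2.10",
    "notevil.example": "192.0.2.20",
    "c2.evil.example": "198.51.100.5",
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'EVIL.example.' matches 'evil.example'."""
    return name.strip().rstrip(".").lower()


def parse_blocklist(text: str) -> set[str]:
    """Read '<ip> <hostname>' lines, ignoring blank lines and '#' comments."""
    blocked: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            blocked.add(normalize(parts[1]))
    return blocked


@dataclass
class FilteringResolver:
    blocked: set[str]
    upstream: dict[str, str]

    def is_blocked(self, name: str) -> bool:
        """Label-aligned suffix match: blocking evil.example also catches
        c2.evil.example, but must not catch notevil.example."""
        labels = normalize(name).split(".")
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def resolve(self, name: str) -> tuple[str | None, str]:
        """Return (address, verdict). Blocked names are never forwarded upstream."""
        if self.is_blocked(name):
            return SINKHOLE_IP, "blocked"
        addr = self.upstream.get(normalize(name))
        return addr, ("resolved" if addr else "nxdomain")


def beacon_would_succeed(resolver: FilteringResolver, c2_host: str) -> bool:
    """Model of malware 'calling home': it can only proceed if the lookup for
    its server name yields a routable address."""
    addr, _ = resolver.resolve(c2_host)
    return addr is not None and addr != SINKHOLE_IP


def build_resolver() -> FilteringResolver:
    """Resolver wired to the constructed blocklist and upstream answers above."""
    return FilteringResolver(parse_blocklist(SAMPLE_BLOCKLIST), SAMPLE_UPSTREAM)


if __name__ == "__main__":
    r = build_resolver()
    for host in ("bank.example", "c2.evil.example", "notevil.example", "EVIL.example."):
        print(f"{host:20} -> {r.resolve(host)}")
    print("beacon to keyserver.ransom.example succeeds:",
          beacon_would_succeed(r, "keyserver.ransom.example"))
```

One check worth doing after pointing the router at OpenDNS: a device with its own hard-coded resolver, or an application that uses DNS over HTTPS, never asks the router and so is not filtered at all unless the firewall also redirects outbound port 53 to itself and blocks the DoH endpoints it knows about.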

          #5
          The more important question is what else is running on your network.

          What devices do you use, and what operating system are they running?

          The weakest link is always going to be the devices using the network, not the network itself.

            #6
            I hold a Cisco CCNP (Cisco Certified Network Professional) certification in Routing and Switching. This qualifies me to design and maintain enterprise-class networks; these are scalable networks of unlimited size and complexity.

            Do not worry about wireless. Your risk zone is a radius of about 150 feet. Nobody outside that risk zone can connect to your wireless network. Use WPA PSK as your encryption methodology and make up a random authentication key.

            Use a current production router with a firewall built in, and do not bypass the firewall.

            Do not use a private IP address, if offered one.

            If you want to be extra careful, which I recommend, do not use your marina's free Wi-Fi as the WAN connection for your boat, and do not ever use public Wi-Fi.

            That's a network engineer's $0.02 opinion.

            KEVIN SANDERS
            4788 LISAS WAY - SEWARD ALASKA
            www.transferswitch4less.com

            What's the weather like on our boat?
            https://www.weatherlink.com/embeddab...59665f4e4/wide


            Where are we right now? https://maps.findmespot.com/s/36S4
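Post #6 recommends WPA-PSK with a made-up random key. The script below is an added example, my own and not from the post, of how a WPA2-Personal passphrase becomes the actual 256-bit key and why its randomness is what matters: the derivation (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 rounds, the same mapping wpa_passphrase and hostapd implement) is public, so whoever records a 4-way handshake from inside the radio footprint can run it offline against guesses. The SSID "BoatNet" and the passphrase alphabet are assumptions of the demo.

```python
import hashlib
import math
import secrets
import string

# Alphabet for generated passphrases: an assumption of this example.
# WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits


def generate_passphrase(length: int = 32) -> str:
    """Draw a passphrase from the OS CSPRNG (secrets), never random()."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a passphrase drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11 (the one wpa_passphrase uses):
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.

    The mapping is fixed and public. A captured 4-way handshake lets an
    attacker test candidate passphrases offline with exactly this function,
    so a short or dictionary passphrase is the weakness, not the radio range.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def hostapd_fragment(ssid: str, passphrase: str) -> str:
    """hostapd.conf lines that pin the derived PSK in hex (wpa_psk=) instead of
    storing the passphrase; hostapd accepts either form."""
    return "\n".join(
        [
            f"ssid={ssid}",
            "wpa=2",
            "wpa_key_mgmt=WPA-PSK",
            "rsn_pairwise=CCMP",
            f"wpa_psk={wpa_psk(passphrase, ssid).hex()}",
        ]
    )


if __name__ == "__main__":
    ssid = "BoatNet"  # assumed SSID for the demo
    pw = generate_passphrase()
    print(f"passphrase: {pw}  (~{passphrase_entropy_bits(len(pw)):.0f} bits)")
    print(hostapd_fragment(ssid, pw))
```

A 32-character passphrase from this alphabet carries about 190 bits of entropy, far beyond what an offline PBKDF2 search can cover; an eight-character word from a dictionary is what the handshake attack is built for.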

              #7
              Excellent credentials! Thank you for that.

              "ksanders" post=826432 wrote:
              If you want to be extra careful, which I recommend, do not use your marina's free Wi-Fi as the WAN connection for your boat, and do not ever use public Wi-Fi.
              Why? If we never keep our credit cards or personal information on it, what can they get into, and how? We will be world cruisers in a couple of years, and plan to use both of those on a regular basis.

              And if we are using an iOS or OS X platform, is there less or more chance of this happening?
              "B on D C" is a 1989 2459 Trophy Offshore HT, OMC 5.7L, Cobra OD, Yamaha 15hp kicker. Lots of toys! I'm no mechanic, just a blue water sailor and woodworker who loves deep sea fishing.
              MMSI: 367637220
              HAM: KE7TTR
              TDI tech diver
              BoD Puget Sound Anglers North Olympic Peninsula Chapter
              Kevin

                #8
                "ksanders" post=826432 wrote:
                I hold a Cisco CCNP (Cisco Certified Network Professional) certification in Routing and Switching. This qualifies me to design and maintain enterprise-class networks; these are scalable networks of unlimited size and complexity.

                Do not worry about wireless. Your risk zone is a radius of about 150 feet. Nobody outside that risk zone can connect to your wireless network. Use WPA PSK as your encryption methodology and make up a random authentication key.

                Use a current production router with a firewall built in, and do not bypass the firewall.

                Do not use a private IP address, if offered one.

                If you want to be extra careful, which I recommend, do not use your marina's free Wi-Fi as the WAN connection for your boat, and do not ever use public Wi-Fi.

                That's a network engineer's $0.02 opinion.
                Thanks for the input!

                It's not so much that I worry about Wi-Fi; it's more that I don't need Wi-Fi much, and the risks that come with it. I will have Wi-Fi available if I need it and I can easily enable it, but as a default I will keep the radio off.

                I do currently use security cams that use Wi-Fi, but my network rewiring of the house will include these cams. I just need to figure out a clean way to get Cat 6 into my barn.

                I do use a VPN to mask my IP address, provide data encryption and avoid geoblocking and content filters. The VPN will be at the router/firewall so all devices (including cams) will utilize the VPN.
                2003 Bayliner 245
                2007 Sedona F21

                  #9
                  "TenMile" post=826426 wrote:
                  "Douggy" post=826421 wrote:
                  Thanks for the reply and information.

                  What are the key security feature differences between enterprise or "commercial grade" and "consumer grade"?

                  Has behavioral network security become a standard?
                  Commercial grade hardware will generally be better designed: somewhat more rugged, with better, faster chipsets, power supplies etc. Usually the manufacturers have a large team of hardware and software developers supporting the gear, extended warranties etc. Over the life of the gear (say 5-7 years) the manufacturer will continue to push out new firmware/software and security packages along with new features. Consumer grade gear tends to focus more on low cost, so the things noted above aren't readily available.

                  Behavioral network security isn't so much a standard, but something that the leading manufacturers are now doing. Security today is more dynamic and real-time than it ever has been. In the past it was sufficient to download and install an antivirus program and have it update once a month or so. Today that's completely insufficient with all the malware variants; most security products create a real-time cloud connection to a security operations center where vulnerabilities are identified and pushed to the devices immediately. That's where services like OpenDNS shine. If a user downloads a CryptoLocker-type malware program that tries to download a security key from the Internet, OpenDNS will block it from "calling home" so it's unable to do its job.
                  I need to research OpenDNS. Thanks!
                  2003 Bayliner 245
                  2007 Sedona F21

                    #10
                    "CptCrunchie" post=826433 wrote:
                    Excellent credentials! Thank you for that.

                    "ksanders" post=826432 wrote:
                    If you want to be extra careful, which I recommend, do not use your marina's free Wi-Fi as the WAN connection for your boat, and do not ever use public Wi-Fi.
                    Why? If we never keep our credit cards or personal information on it, what can they get into, and how? We will be world cruisers in a couple of years, and plan to use both of those on a regular basis.

                    And if we are using an iOS or OS X platform, is there less or more chance of this happening?
                    The risks go beyond just using a credit card on a device. Personal information exposed can lead to identity theft. If you access email on a device and/or use social media like Facebook on a device, then your personal information can be obtained, including the personal information of people you connect and associate with online. A quick example of just how easily personal information is available: looking at your BOC post I noticed your ham radio ID. If I do a ham ID lookup I will probably find your full name and location.
                    2003 Bayliner 245
                    2007 Sedona F21

                      #11
                      "Douggy" post=826439 wrote:
                      If I do a ham ID lookup I will probably find your full name and location.
                      I have news for you. You can look up my ham license number online by just my last name and the city and state I live in, and you don't even need to be registered to do that. Go to http://wireless2.fcc.gov/UlsApp/UlsS...rchLicense.jsp and do an advanced search for 'Holden' in 'Sequim WA'. You will see my VHF license for my boat. Click on that and you have my address and all the details about my boat. And if you enter the ZIP instead of the city, you will see both my and Wifey's licenses. Click on any one of them and you will have our address. This is all public knowledge.

                      Moreover, the moment I begin a ham broadcast and use my callsign, anyone can go online and do an FCC search for who I am.

                      Now do an FCC search to see if they are giving away your information too.

                      My name and address are already all over the internet. It's on the advertising crap I get in my mailbox. It's on the Whois of any of the website domains I own, any online reverse directory, and they can look me up even if I am mentioned once in the local newspaper. I've had my email accounts hacked at a time when some of the email was of a personal property nature between myself and one county and one city official. It also appears that changing my password 4 times had no effect; they still read my email. But when the dust settled, had they used that information, they would have given themselves away.

                      Most show where I live, some show how old I am, and some even show my photo. In fact, the ham site even shows who I am married to, and what kind and size of boat I own. It also shows my MMSI number, the same one I show in my signature block. So, if all that is readily available, what am I needing to protect?

                      Guess this all begs the question: does anyone here use LifeBlock?
                      "B on D C" is a 1989 2459 Trophy Offshore HT, OMC 5.7L, Cobra OD, Yamaha 15hp kicker. Lots of toys! I'm no mechanic, just a blue water sailor and woodworker who loves deep sea fishing.
                      MMSI: 367637220
                      HAM: KE7TTR
                      TDI tech diver
                      BoD Puget Sound Anglers North Olympic Peninsula Chapter
                      Kevin

                        #12
                        Regarding public WIFI and other issues.

                        First off, my knowledge begins and ends at the network. There are others here who apparently work as IT people professionally. They are the people to turn to regarding vulnerabilities of computers, operating systems and the like. I just think about the network.

                        Your risk of intrusion is at the edge of the network. Once you reach an Internet Service Provider your risk of intrusion or attack goes way down, almost to zero. That is because unless you are one of the trusted few in the world of networking it is impossible to see someone's data. I'm not talking about trusted like a help desk person. I'm talking about trusted like a network-engineer-level person.

                        So now that we realize that our vulnerabilities are at the network edge, we can see that minimizing that vulnerability removes the vast majority of risk.

                        When you use public Wi-Fi you are sharing your connection to the internet with all the other people on that system. You have no knowledge of or control over the security precautions that the Wi-Fi network has in place. You do not even know if the person that is running the Wi-Fi service has nefarious intent.

                        That's why I recommend against using public Wi-Fi.

                        The solution is to use the cellular network. Your cellular data is just safer to use. For one, it is run by a major carrier, with all of the security protocols that major carriers employ. Yes, theoretically someone could use cellular test equipment to see the contents of your data stream, but that is a lot less risk than a guy sitting at the table next to you with his laptop on a public Wi-Fi system.

                        Again, this is network security. Device security is best advised by the professionals in that field.

                        KEVIN SANDERS
                        4788 LISAS WAY - SEWARD ALASKA
                        www.transferswitch4less.com

                        What's the weather like on our boat?
                        https://www.weatherlink.com/embeddab...59665f4e4/wide


                        Where are we right now? https://maps.findmespot.com/s/36S4

                          #13
                          It's not always possible to avoid public Wi-Fi, so the other alternative is to VPN via the public Wi-Fi into your home network. All your traffic and confidential data is encrypted and secure that way.
                          Terry
                          1999 Bayliner 3388
                          Twin Cummins 4BTA
                          Fisherman, Cruiser, Boaticus-enthusiasticus-maximus
                          Member Royal Victoria Yacht Club
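Posts #2 and #13 both describe the same arrangement: an OpenVPN server at home and the boat's router tunnelling everything back through it, so that the home firewall and DNS filtering apply on the boat and nothing on the marina Wi-Fi sees more than an encrypted UDP stream. The pair of configuration files below is an added example of that setup; it is not from the thread, from Meraki or from OpenWrt, and it assumes a home server reachable as home.example on UDP 1194, a PKI already built with easy-rsa (ca.crt, server.crt/key, boat.crt/key, a DH file and a tls-crypt key ta.key), and that the boat side is an OpenWrt router running the client with its LAN zone forwarded into the tunnel interface.

```conf
# --- server.conf (home side) ---
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key            # HMAC-wraps the control channel; probes without the key are dropped before TLS
remote-cert-tls client      # only certificates issued as client certs may connect
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"   # all client traffic exits through the home firewall
cipher AES-256-GCM
auth SHA256
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3

# --- boat.ovpn (boat side, e.g. /etc/openvpn/boat.ovpn on OpenWrt) ---
client
dev tun
proto udp
remote home.example 1194    # assumed hostname of the home server
resolv-retry infinite       # keep retrying while the marina uplink flaps
nobind
remote-cert-tls server      # refuse any peer whose cert is not marked as a server (stops impersonation)
ca ca.crt
cert boat.crt
key boat.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
```

Two things to check once it is up: that the boat's DNS forwarder (dnsmasq on OpenWrt) sends its queries to the home resolver or OpenDNS through the tunnel rather than to whatever the marina's DHCP handed out, and that the OpenWrt firewall has no forwarding rule from the LAN zone to the WAN zone, so that if the tunnel drops, the cameras and laptops lose connectivity instead of quietly falling back to the open Wi-Fi.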

                            #14
                            "TenMile" post=826465 wrote:
                            It's not always possible to avoid public Wi-Fi, so the other alternative is to VPN via the public Wi-Fi into your home network. All your traffic and confidential data is encrypted and secure that way.
                            I never use public Wi-Fi, so yes, it can be avoided...

                            That said, a VPN tunnel as you suggested seems to mitigate the risk.

                            KEVIN SANDERS
                            4788 LISAS WAY - SEWARD ALASKA
                            www.transferswitch4less.com

                            What's the weather like on our boat?
                            https://www.weatherlink.com/embeddab...59665f4e4/wide


                            Where are we right now? https://maps.findmespot.com/s/36S4

                              #15
                              "ksanders" post=826469 wrote:
                              "TenMile" post=826465 wrote:
                              It's not always possible to avoid public Wi-Fi, so the other alternative is to VPN via the public Wi-Fi into your home network. All your traffic and confidential data is encrypted and secure that way.
                              I never use public Wi-Fi, so yes, it can be avoided...

                              That said, a VPN tunnel as you suggested seems to mitigate the risk.
                              VPN is a good security practice: VPN back to your home network, or VPN to a VPN service provider. The cost for the service is surprisingly inexpensive.
                              2003 Bayliner 245
                              2007 Sedona F21
