Re: Securing my PC at a Wireless Hotspot?
On Tuesday 10 of February 2009, Wade Richards wrote:
> On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
> > Bernd Eckenfels wrote:
> > > In article fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com you wrote:
> > > > Use a VPN or an SSH tunnel to a trusted source.
> > >
> > > A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to log in to any SSH Server and enable the auto forwarding. Then you can enter the SSH client as a SOCKS proxy server and you are done (for surfing).
> >
> > You could use the -w option in newer ssh server versions to tunnel through virtual tun devices =)
>
> One problem with tunnels is that you can accidentally not use the tunnel. E.g. I have eth0 which is connected to the insecure network, and my encrypted tunnel to a secure network. Although the tunnel is available, the unsecure eth0 is still also available. I need to correctly set up the SOCKS proxy or set up the routing tables, or do something to be sure that all my network traffic is going through the tunnel and not just directly to the unsecure eth0.
>
> There's no easy way to tell if you're doing it right, either, since the web looks basically the same from the unsecure network as from the secure one.

You can tell by checking routing tables, or visiting a web page that shows your IP. And you should know the IP of your tunnel server.

> The Cisco VPN I use on my employer's Windows machine has an interesting feature: it completely hides the unencrypted network. Once I create the VPN tunnel, my machine releases its local IP address and there is no way for any network connections (other than the tunnel, of course) to go over the unencrypted device. It is as if that device is disabled.
>
> This makes it idiotproof, which is an important but often overlooked aspect of security.
>
> So, is it possible to do that sort of thing with a Linux laptop?

OpenVPN can do that as well - look for option --redirect-gateway

--
regards
Vladislav Kurz

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
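One way to automate the routing-table check suggested in the reply above, as an added example that is not part of the original thread. The interface name tun0, the server address 203.0.113.10 and both sample tables are constructed assumptions; the check also recognises the two /1 routes that OpenVPN installs when --redirect-gateway is given its def1 flag, which the thread does not mention.

```shell
#!/bin/sh
# Added example. Reads `ip -4 route show` output on stdin and decides whether
# all IPv4 traffic is forced through the tunnel. IPv4 only.
# usage: ip -4 route show | check_routes TUN_IF TUNNEL_SERVER_IP
check_routes() {
    awk -v tun="$1" -v srv="$2" '
    # Return the interface named after the "dev" keyword on the current line.
    function dev(   i) {
        for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
        return ""
    }
    $1 == "default"     { if (dev() == tun) def_tun = 1; else def_other = dev() }
    # --redirect-gateway def1 keeps the old default and overrides it with two /1 routes.
    $1 == "0.0.0.0/1"   { if (dev() == tun) low = 1 }
    $1 == "128.0.0.0/1" { if (dev() == tun) high = 1 }
    # The encrypted packets themselves must reach the server outside the tunnel.
    $1 == srv || $1 == (srv "/32") { if (dev() != tun) pin = 1 }
    END {
        # Two competing default routes count as a leak; metrics are not compared.
        covered = (low && high) || (def_tun && def_other == "")
        if (!covered && def_other != "") { print "LEAK: default route still on " def_other; exit 1 }
        if (!covered) { print "LEAK: no default route via " tun; exit 1 }
        if (!pin) { print "BROKEN: no host route to " srv " outside " tun; exit 1 }
        print "OK: all IPv4 traffic routed via " tun
    }'
}

# Constructed sample: tunnel is up but nothing is redirected into it.
SAMPLE_LEAK='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6'

# Constructed sample: routing table after --redirect-gateway def1.
SAMPLE_DEF1='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0'

printf '%s\n' "$SAMPLE_LEAK" | check_routes tun0 203.0.113.10 || true
printf '%s\n' "$SAMPLE_DEF1" | check_routes tun0 203.0.113.10
```

On a live system the input comes from `ip -4 route show`, and a non-zero exit status can gate whatever starts the browser or mail client.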
Re: Securing my PC at a Wireless Hotspot?
On Tue, 10 Feb 2009 10:51:16 -0800 Wade Richards wade-debian-secur...@wabyn.net wrote:
> ...
> This makes it idiotproof, which is an important but often overlooked aspect of security.

As Tom Eastep, the Shorewall dev, notes in this email signature

"Nothing is foolproof to a sufficiently talented fool"

http://www.shorewall.net/shoreline.htm

:)

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: Securing my PC at a Wireless Hotspot?
Bernd Eckenfels wrote:
> In article fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com you wrote:
> > Use a VPN or an SSH tunnel to a trusted source.
>
> A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to log in to any SSH Server and enable the auto forwarding. Then you can enter the SSH client as a SOCKS proxy server and you are done (for surfing).
>
> Regards
> Bernd

You could use the -w option in newer ssh server versions to tunnel through virtual tun devices =)

    ssh -w 0:1 b...@example.com

0 is tun0 @ localhost
1 is tun1 @ example.com

and enable ip forwarding on the remote host

-- snip from ssh manpage --

    -w local_tun[:remote_tun]
        Requests tunnel device forwarding with the specified tun(4)
        devices between the client (local_tun) and the server
        (remote_tun).

        The devices may be specified by numerical ID or the keyword
        “any”, which uses the next available tunnel device. If
        remote_tun is not specified, it defaults to “any”. See also
        the Tunnel and TunnelDevice directives in ssh_config(5). If
        the Tunnel directive is unset, it is set to the default
        tunnel mode, which is “point-to-point”.

/yosh
(sorry for the lack of precision, I r tired)
Re: Securing my PC at a Wireless Hotspot?
On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
> Bernd Eckenfels wrote:
> > In article fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com you wrote:
> > > Use a VPN or an SSH tunnel to a trusted source.
> >
> > A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to log in to any SSH Server and enable the auto forwarding. Then you can enter the SSH client as a SOCKS proxy server and you are done (for surfing).
>
> You could use the -w option in newer ssh server versions to tunnel through virtual tun devices =)

One problem with tunnels is that you can accidentally not use the tunnel. E.g. I have eth0 which is connected to the insecure network, and my encrypted tunnel to a secure network. Although the tunnel is available, the unsecure eth0 is still also available. I need to correctly set up the SOCKS proxy or set up the routing tables, or do something to be sure that all my network traffic is going through the tunnel and not just directly to the unsecure eth0.

There's no easy way to tell if you're doing it right, either, since the web looks basically the same from the unsecure network as from the secure one.

The Cisco VPN I use on my employer's Windows machine has an interesting feature: it completely hides the unencrypted network. Once I create the VPN tunnel, my machine releases its local IP address and there is no way for any network connections (other than the tunnel, of course) to go over the unencrypted device. It is as if that device is disabled.

This makes it idiotproof, which is an important but often overlooked aspect of security.

So, is it possible to do that sort of thing with a Linux laptop?

--- Wade

--
  ___   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 /   \  Plain text e-mail  | Wade Richards --- w...@wabyn.net
| RIP | c1970 ~ c2000      | You can never tell which way the train went
|ASCII| Killed by HTML/RTF | by looking at the tracks.
|     | in e-mail          |
Securing my PC at a Wireless Hotspot?
Hello

You've probably been to a café before that offered WiFi via a Wireless Hotspot. Or maybe you've been to an airport that had some hotspots? Well whatever the case, I'm sure you've seen a Public Wireless Hotspot. Or, at the very least, heard of them.

So my question to you is, NOT on how to secure the Wireless Hotspot, but rather on how to secure the connection on my end, to the Hotspot.

So, how do I secure my PC at a Wireless Hotspot?

Would there be a way to have 256-bit AES or 256-bit Camellia encryption on all outgoing traffic? Or would you recommend a different method?

If this is of any use, I will be using the following laptop: Dell Inspiron 700m.

Can I please have some recommendations on what I need in order to secure my connection to the Wireless Hotspot?

Thanks in advance,

Chip D. Panarchy
Re: Securing my PC at a Wireless Hotspot?
You could use a VPN after connecting. This is one way you can have encrypted traffic at an open hotspot.

D.

On Feb 8, 2009, at 09:56 , Chip Panarchy wrote:
> Hello
>
> You've probably been to a café before that offered WiFi via a Wireless Hotspot. Or maybe you've been to an airport that had some hotspots? Well whatever the case, I'm sure you've seen a Public Wireless Hotspot. Or, at the very least, heard of them.
>
> So my question to you is, NOT on how to secure the Wireless Hotspot, but rather on how to secure the connection on my end, to the Hotspot.
>
> So, how do I secure my PC at a Wireless Hotspot?
>
> Would there be a way to have 256-bit AES or 256-bit Camellia encryption on all outgoing traffic? Or would you recommend a different method?
>
> If this is of any use, I will be using the following laptop: Dell Inspiron 700m.
>
> Can I please have some recommendations on what I need in order to secure my connection to the Wireless Hotspot?
>
> Thanks in advance,
>
> Chip D. Panarchy
Re: Securing my PC at a Wireless Hotspot?
On Sun, Feb 8, 2009 at 3:56 AM, Chip Panarchy forumanar...@gmail.com wrote:
> So, how do I secure my PC at a Wireless Hotspot?

This is on the borderline of debian-user and debian-security. People will argue both ways on that.

Use a VPN or an SSH tunnel to a trusted source.

I use one of my servers, either a VPS I rent for about $10/mo or a server I own and maintain that's on the Internet in a data center. My trust level of those servers is much higher than any other method. I know that my traffic is secure from my point to my server, then off to the internet.

As far as securing my own laptop while on the hotspot, I will make sure I do not have unnecessary ports open.
Re: Securing my PC at a Wireless Hotspot?
In article fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com you wrote:
> Use a VPN or an SSH tunnel to a trusted source.

A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to log in to any SSH Server and enable the auto forwarding. Then you can enter the SSH client as a SOCKS proxy server and you are done (for surfing).

Regards
Bernd