Unpatched routers being used to build vast proxy army, spy on networks (arstechnica.com)
105 points by rbanffy on Sept 6, 2018 | hide | past | favorite | 46 comments



I finally convinced myself to build an OPNsense wifi router after years of procrastination. I want to take back control of my network, or at least monitor it properly.

What are the most interesting network analysis tools I should look into? I'm talking more about high-level visualisations. For example, I'd be interested in keeping a list of every device that's ever connected to my network, and maybe get alerts upon detecting it. Or map requests/connections in real-time/historically on a globe in HTML5. Just some fun stuff to actually get a sense of what's going on in my network.

Any recommendations?
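As an added example (not part of the thread, and not code from OPNsense or OpenWrt): the "every device that has ever connected, with an alert when a new one shows up" idea above can be done with nothing more than the router's DHCP lease file and a small inventory. This assumes the dnsmasq lease format used by OpenWrt (`<expiry-epoch> <MAC> <IP> <hostname> <client-id>` per line, `*` for missing values); the lease lines and the inventory below are constructed.

```python
"""Added example: keep an inventory of every device that has ever taken a
DHCP lease and flag the ones never seen before.

Assumes the dnsmasq lease file format (OpenWrt: /tmp/dhcp.leases).
The sample lease file and inventory are constructed, not captured.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a dnsmasq lease file; "*" means dnsmasq has no value.
SAMPLE_LEASES = """\
1536250000 aa:bb:cc:dd:ee:01 192.168.1.10 laptop 01:aa:bb:cc:dd:ee:01
1536250100 aa:bb:cc:dd:ee:02 192.168.1.11 phone *
1536250200 de:ad:be:ef:00:99 192.168.1.50 * *
"""

# Constructed inventory: MAC -> record. In practice persist this as JSON.
SAMPLE_INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"first_seen": 1536000000, "hostnames": ["laptop"]},
    "aa:bb:cc:dd:ee:02": {"first_seen": 1536100000, "hostnames": ["phone"]},
}


@dataclass
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_dnsmasq_leases(text: str) -> List[Lease]:
    """Parse dnsmasq lease lines; malformed lines are skipped rather than fatal."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            expires = int(parts[0])
        except ValueError:
            continue
        leases.append(Lease(expires, parts[1].lower(), parts[2], parts[3]))
    return leases


def find_new_devices(leases: List[Lease], inventory: Dict[str, dict]) -> List[Lease]:
    """Leases whose MAC address has never been recorded in the inventory."""
    return [lease for lease in leases if lease.mac not in inventory]


def update_inventory(inventory: Dict[str, dict], leases: List[Lease], now: int) -> List[str]:
    """Record every lease in the inventory; return an alert line per newcomer."""
    alerts = []
    for lease in leases:
        rec = inventory.get(lease.mac)
        if rec is None:
            rec = {"first_seen": now, "hostnames": []}
            inventory[lease.mac] = rec
            alerts.append(f"NEW DEVICE {lease.mac} ({lease.hostname}) at {lease.ip}")
        rec["last_seen"] = now
        if lease.hostname != "*" and lease.hostname not in rec["hostnames"]:
            rec["hostnames"].append(lease.hostname)
    return alerts


if __name__ == "__main__":
    inventory = json.loads(json.dumps(SAMPLE_INVENTORY))  # deep copy of the sample
    for alert in update_inventory(inventory, parse_dnsmasq_leases(SAMPLE_LEASES), 1536250300):
        print(alert)
    print(json.dumps(inventory, indent=2))
```

Run it from cron on the router (or on a box the router copies the lease file to) and pipe the alert lines into whatever notifies you. One caveat worth keeping in mind: a MAC address is an identifier, not an identity, so a device that randomises its MAC will show up as "new" repeatedly, and a device that clones a known MAC will not show up at all; the lease file is a convenient first signal, not an access-control mechanism.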


I have used ntopng w/nprobe as collector of netflow data in both work environments and at home. If you have any educational affiliation there's a good chance you can get a pro and Enterprise license for free for both products that renews annually. The community edition is somewhat limited in what it can do but is worth taking a look at.

https://www.ntop.org/products/traffic-analysis/ntop/


I would still recommend the Turris Omnia [1], even though I fought it a little too much and moved to Ubiquiti.

Basically you want a fast machine with a good switch, running something like OpenWRT. You may also want to play around with OPNsense [2] in a VM.

1: https://omnia.turris.cz/en/

2: https://opnsense.org/


mitmproxy is what you need. I've installed it on a Raspberry Pi that then acts as a hotspot. mitmproxy allows me to see every bit of data that is being put on the wire. All telemetry, pings, contacts, and more being transmitted home (respective of encryption). A transparent proxy is essential if you want to deep dive into what the apps on your network are actually doing.


Do you happen to know what added latency one can expect from using one of those? (Apologies if my brief googling was off-point and this is a well answered question)


Did a little googling and couldn’t find any benchmarks but the new v4 release claims a 4x improvement in speed.

https://mitmproxy.org/posts/releases/mitmproxy4/


carpie.net has a great set of videos on using a Raspberry Pi as your own home network DHCP/DNS. I set it up relatively quickly and I definitely have a greater sense of control over my home network.


How do you deal with the combined USB/Ethernet 100MB/s bus cap?


Probably by not having 100 MB/s of DHCP and DNS traffic at home.


Some of us can't pull that much data over our uplink...



So for people like myself who don't know much about this stuff, I was wondering what we can learn to figure out if the routers we are using are compromised in any way. On a similar tangent, is there any way we can detect any editing being done by an ISP? Like how and where they might be inserting headers into our traffic for example.

Just curious where to start in this exercise.


I guess the preferred way to discover if your router is compromised would be by network analysis... And you would need to plug it into some other computer for that, which just shifts the problem to the other computer.

I guess you can gain some confidence that it isn't compromised, but can never be sure.

About edits being done by the ISP, once you fix on a not-all-powerful adversary (not the NSA), it's easy to get some machine it couldn't have tainted.


That doesn't sound like a way that would be preferred by any home user. How about starting with a list of affected routers?


Well, you are going with a completely different question than the one I got. And rereading the GP, I don't know which is correct, so, well maybe.


Maybe haveibeenpwned can start to check IP addresses against these global scans when you visit their site.


For non-technical people, or people who just don't know much about this kind of thing, I would suggest just reviewing what the latest firmware version is, and updating if there are new versions. Also, review release history, if available. If your router is getting less than 2 or 3 updates a year, assume there are unfixed bugs or security issues.

For this specific issue? It only affects Mikrotik routers, and the vulnerability has been patched. So if you aren't using Mikrotik, or if you are and have the latest firmware, you're good.


>For non-technical people, or people who just don't know much about this kind of thing, I would suggest just reviewing what the latest firmware version is, and updating if there are new versions.

I think you vastly overestimate how much technical knowledge non-technical people have. A huge swath of non-technical people that use computers won't even know which component the router is, let alone know how to log into the UI and check the firmware.


This is sadly true. When it comes to computer security most of humanity is incredibly vulnerable. It's all so confusing for them. Sometimes the URL bar in their browser is a URL, sometimes it's the search phrase they typed and there's no URL. Many can't tell you the difference (still in 2018 this blows my mind) between their web browser and the internet. I actually had a discussion with someone yesterday where they told me they didn't download a document, they just previewed it... FROM THEIR DOWNLOADS FOLDER. They thought quick viewing the doc in their OS's preview function was not the same as full blown opening it in an app, which was akin to "downloading it". I had to explain that the bits were in fact on their computer, downloaded.

It's easy for us to point the finger and say people need to invest in their own personal understanding of this stuff. To some extent I agree but I also want my CPA to spend his free time learning more about the tax code and my finances, not patching his router. Overall computer security needs a reset. For all the complaints of "walled gardens" and "lock in" etc... most folks' iPhone is the closest they'll ever get to a secure computer. That's a shame.


I'm surprised that neither here, nor in the article 2 days ago, I can find a list of affected routers. Or even a tip on how I should check if my Mikrotik is affected / has been pwned by either of those attacks.

In a hopefully unrelated story, my Mikrotik and/or my ISP has been acting up in the past hour; I've lost the ability to resolve many .com domains for ~30 minutes, even though I have Google's NS set up as the first two on the router. Manual queries (Mikrotik: resolve somedomain.com server 8.8.8.8 / Local: nslookup - 8.8.8.8) resolved correctly; it's just the defaults that couldn't. Sad to admit this, but I have no clue what's going on -.-


Most models can be affected. Check if your first firewall rule sends to the built in proxy. See https://www.google.ca/amp/blog.netlab.360.com/7500-mikrotik-... in particular check if the webproxy and/or socks service are enabled.
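An added example of the checks in the comment above, as a script rather than a manual look through the config (this is not code from the thread, from MikroTik or from the netlab blog post): it reads the text of a RouterOS `/export` and flags the web proxy or SOCKS service being enabled and any NAT `redirect` rule, noting when the redirect targets the proxy's port. The export below is constructed, and the default ports (8080 for the web proxy, 1080 for SOCKS) are assumed only when the export omits them. It is a heuristic: a proxy you turned on yourself will be flagged too, so the output is a review list, not a verdict.

```python
"""Added example: audit a RouterOS '/export' dump for an enabled web proxy
or SOCKS service and for NAT redirect rules pointing at the proxy.

Heuristic only. Sample exports below are constructed; section names and
key=value syntax follow the RouterOS export format.
"""
import shlex
from typing import Dict, List, Optional

SAMPLE_EXPORT = """\
# constructed sample export, not from a real router
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=4145
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=redirect chain=dstnat dst-port=80 protocol=tcp \\
    to-ports=8080
"""

CLEAN_EXPORT = """\
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group each 'set'/'add' line under its '/path' section as a key=value dict."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # RouterOS wraps long lines with a trailing '\'
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # section header such as "/ip firewall nat"
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)         # handles quoted values like comment="..."
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def audit_routeros_export(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    sections = parse_export(text)
    findings: List[str] = []
    proxy_port: Optional[str] = None
    for entry in sections.get("/ip proxy", []):
        if entry.get("enabled") == "yes":
            proxy_port = entry.get("port", "8080")   # assumed RouterOS default
            findings.append(f"web proxy enabled on port {proxy_port}")
    for entry in sections.get("/ip socks", []):
        if entry.get("enabled") == "yes":
            port = entry.get("port", "1080")         # assumed RouterOS default
            findings.append(f"SOCKS service enabled on port {port}")
    for entry in sections.get("/ip firewall nat", []):
        if entry.get("action") == "redirect":
            target = entry.get("to-ports", "?")
            note = " (the web proxy port)" if target == proxy_port else ""
            findings.append(f"NAT redirect rule in chain {entry.get('chain')} to port {target}{note}")
    return findings


if __name__ == "__main__":
    for finding in audit_routeros_export(SAMPLE_EXPORT) or ["nothing flagged"]:
        print(finding)
```

Feed it the output of `/export` saved from the router. If anything is flagged that you did not configure yourself, the sensible order is: disable the proxy and SOCKS service, remove the redirect rule, upgrade RouterOS, and change the admin password, then re-run the audit on a fresh export.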


Seems I'm fine with that, for now. Thanks.


Past edit window, but update on the DNS issue: it seems to have been a coincidence after all.

Apparently, the ISP's NS stopped resolving a lot of .com domains, and it must have poisoned my router's cache. After disabling DNS peering (to avoid the ISP's NS injecting itself) and flushing the cache, the problem seems to be resolved.



After the last one of these articles, I finally flashed my router with OpenWRT, and it's been pretty nice so far. Best feature: Installed `adblock` package, and now I get DNS-level ad blocking, which is simply fantastic. Works on all clients (including mobile) and significantly faster than blocking in browser.


A nice alternative which allows you to keep using your router's own software, or routers not compatible with open source software, is Pi-hole (https://pi-hole.net). Provides the same DNS level blocking with a lot more information and features.
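To make concrete what "DNS-level blocking" in the two comments above actually decides, here is an added example (not Pi-hole's or the OpenWrt adblock package's own code) of the matching step over the two list formats those tools consume: hosts-format entries (`0.0.0.0 ads.example.com`) match the exact name, while dnsmasq `address=/domain/` entries also cover every subdomain. It then tallies blocked versus forwarded queries per client, which is the "who is phoning home" view a Pi-hole dashboard gives you. The blocklists and query log are constructed.

```python
"""Added example: DNS blocklist matching as done by Pi-hole/dnsmasq-style
blockers, plus a per-client summary of a query log.

Blocklists and the query log below are constructed samples.
"""
from typing import Dict, List, Optional, Set, Tuple

HOSTS_LIST = """\
# constructed hosts-format blocklist: exact-name matches only
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
"""

DNSMASQ_LIST = """\
# constructed dnsmasq-format list: address=/domain/ blocks all subdomains
address=/telemetry.example.org/
address=/adnet.example/0.0.0.0
"""

# Constructed query log: (client IP, queried name).
QUERY_LOG: List[Tuple[str, str]] = [
    ("192.168.1.10", "www.example.com"),
    ("192.168.1.10", "ads.example.com"),
    ("192.168.1.50", "cdn.telemetry.example.org"),
    ("192.168.1.50", "beacon.adnet.example"),
    ("192.168.1.50", "sub.ads.example.com"),
]

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def load_hosts(text: str) -> Set[str]:
    """Names from a hosts-format list, skipping comments and the localhost entry."""
    names: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINKHOLE_ADDRESSES:
            continue
        for name in parts[1:]:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                names.add(name.lower().rstrip("."))
    return names


def load_dnsmasq(text: str) -> Set[str]:
    """Domains from dnsmasq 'address=/domain/[ip]' lines."""
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("address=/"):
            domain = line[len("address=/"):].split("/", 1)[0]
            if domain:
                domains.add(domain.lower().rstrip("."))
    return domains


def classify(name: str, exact: Set[str], wildcard: Set[str]) -> Optional[str]:
    """Why a name is blocked, or None if it should be forwarded upstream."""
    name = name.lower().rstrip(".")
    if name in exact:
        return f"hosts: {name}"
    labels = name.split(".")
    for i in range(len(labels)):           # walk from the full name up to the TLD
        suffix = ".".join(labels[i:])
        if suffix in wildcard:
            return f"dnsmasq: {suffix}"
    return None


def per_client_report(log, exact, wildcard) -> Dict[str, Dict[str, int]]:
    """Blocked vs. forwarded query counts per client, for a 'who phones home' view."""
    report: Dict[str, Dict[str, int]] = {}
    for client, name in log:
        counts = report.setdefault(client, {"blocked": 0, "forwarded": 0})
        counts["blocked" if classify(name, exact, wildcard) else "forwarded"] += 1
    return report


if __name__ == "__main__":
    exact, wildcard = load_hosts(HOSTS_LIST), load_dnsmasq(DNSMASQ_LIST)
    for client, name in QUERY_LOG:
        print(f"{client:14} {name:30} {classify(name, exact, wildcard) or 'forward'}")
    print(per_client_report(QUERY_LOG, exact, wildcard))
```

Note the `sub.ads.example.com` case: a hosts-format list does not catch it, which is one reason the "less effective than an in-browser blocker" complaint further down holds, and why the dnsmasq wildcard form is the one to use when you want a whole ad domain covered.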


I've been thinking of getting a Pi-Hole for a while, but also have a router running OpenWRT. Are there any advantages/disadvantages to using a Pi-Hole vs. using an AdBlock package on the router?


I used an adblock package in pfSense but not OpenWRT. The issues I had with pfSense's package was it wasn't nearly as configurable as pi-hole and it used up a bit too many resources on the Soekris 5505 box. I had to uninstall it because it took too many resources.

I ended up installing Docker on my laptop, grabbing the Pi-Hole container, and configuring my laptop to use the docker container as the DNS server.

So far this has worked very well. Wherever I go, I have pihole running in the background. I can access the web interface and do everything I could do on the rasp pi-hole, without the extra hardware. It does take a minute or two to start up in the background after logging in though.


You get a lot more info from Pi-Hole about what IPs and URLs your devices are accessing. Lots of good information outside the ad blocking realm - which devices are phoning home and where and how often is just one example.


Off the top of my head the Adblock might use up CPU cycles on the router, which could cause slower throughput and shorten the lifespan of your router.


> significantly faster than blocking in browser.

Also significantly less effective.

It’s nice for devices/cases where you cannot have an adblocker in your browser. It is unnecessary otherwise.


Yep, that's true, not fully effective but:

- Nice for TVs and other devices where you can't control the apps

- Or even in phones or tablets, if you don't have root access, you can block lots of ads in the browser or even in apps

- Also, you can reduce the quantity of CPU used by ad blockers on your devices (again, essentially, phones and tablets).

- Also nice for visitors in your network ;)


Anyone here used Plume[0]? A friend of mine recently suggested it, and it sounds interesting but also... a bit scary. I suspect it has a centralized attack point (get into the Plume infrastructure, and you can probably automatically roll a virus out to all Plume routers in the world).

[0] https://www.plume.com/


Plume got a pretty icy reception here when they launched their subscription-based pricing model: https://news.ycombinator.com/item?id=17293078

If you really need a mesh (you probably don't), there are other solutions. If you know at least a little about home networking and WiFi, just set up a Unifi system and be done with it.


Let me first say that I am not a super network dude. I know enough to be dangerous.

The newer story @ Ars has some updated stats and thoughts: https://arstechnica.com/features/2018/06/exclusive-plumes-ne...

Part of the improvement is the hardware. The latency improvement is awesome, for example. But part of it seems to legitimately be the optimization that their software is doing re: signal strength, which backhaul to use, auto updates, the level of customer support, and other stuff.

I don't know how it compares, but it seems it may be better than people were initially thinking.


I read their entire website and still have no idea what precisely Plume is or what they're selling.

"What makes Plume different from my traditional Wi-Fi router or extender?

Single router Wi-Fi systems can give you the speed you need as long as you’re close enough to the router. Wi-Fi extenders or repeaters can improve coverage, but are often complicated, unreliable, and degrade performance. Plume is a cloud coordinated Wi-Fi system that replaces your current router and gives you stable and consistent Wi-Fi coverage and speed in every room within your home using blazing fast tri-band SuperPods coupled with auto-channel hop technology."

If I understand this word salad correctly, it's a router which uses a cloud service to auto-configure itself.


More accurately a mesh router system which uses a cloud service to auto-configure itself.

Mmm. Love some word salad with mesh dressing.

In the end, it's just hardware with some online configurator which will most likely render the whole system unusable if the online service shuts down.

Great for anyone that doesn't stop to think for a minute how dumb this idea is.


I thought that Linux is secure against viruses, because it has a sane security model, unlike Windows which is insecure no matter what.


Linux, the kernel, and NT, the kernel, are mostly secure. People manage to build insecure things on top of each.


Well, that's perhaps reductionist a bit too far to be a useful statement. There are other things outside the kernel that are important too, and design decisions that matter to user space.

Things like OLE can be said, in retrospect, not to have been a good idea security-wise. Autorun kept delivering for more than a decade. Perhaps GDI could do with a security model. That sort of thing makes it unnecessarily difficult to secure the system.

The reason we don't hear about Windows router botnets is because nobody bothers building those boxes in the first place. You put your Windows box behind a small Linux box in order to connect it to the Internet, not the other way around.


Quite a few are placed behind small BSD boxes rather than Linux. But yeah, internet facing Windows routers aren't exactly common. Certainly not without spending a good bit of time in group policy editor turning off almost everything.


Yep though there’s problems on the *nix side too, e.g. X11 does not have a great security model. But it’s also unlikely to be running on a router.


Both are probably perfectly secure, as long as you disable the FPU, speculative execution, SMT...

Processors themselves are insecure. There is no hope this war can be won.


All software is vulnerable to a lot of kinds of attacks, especially when outdated.


The short answer is that Windows has had a “sane” security model since Vista.


The better answer is the enemy has changed.

In the past, security focused on multiple users of the same machine. Users should be safeguarded from each other. Applications are installed system wide by a knowledgeable sysadmin and can be trusted.

But this threat model is completely dated. Today, most machines have 1 user. But the applications are either cheaply written with no respect for other applications, or are actively harming the user by stealing his data, and the average user is his own sysadmin but really doesn't want to do the job or know how. Additionally, DRM means the machine tries to defend itself from its owner, preferring multinationals instead.

The Windows XP and standard Unix security models defend against the old threat model. Android, iPhone and Vista+ defend against the new model.



