Author Topic: Why VPN (was: setup qorbiter to be used from ouside internal network i.e. across town)  (Read 4953 times)

purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Sorry to hijack the thread (hopefully cperk4's question has been answered), but how does this compare (security-wise) to connecting to your core using "https://<external_IP>" in a web browser and typing in your LMCE admin password?

How does it compare to ssh-ing in with your kubuntu password?

From the wiki page this VPN stuff looks really easy to do, but don't really understand where it fits in with the above, or what the advantages of using it are.

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps

mkbrown69

  • Guru
  • ****
  • Posts: 213
    • View Profile
Matt,

It's a good and valid question.  Simply, it's about limiting the attack vectors.  The more services you expose directly to the Internet, the greater the possibility that one of those services can be exploited.  This isn't specifically about LMCE, but a general security practice.  One or two doors are easier to secure than ten or twenty doors.

IT security is like layers on an onion; you have to keep peeling them away to get to the centre.  You want to make it hard enough that 'they' move on to easier pickings.

Your LMCE login page doesn't currently track login attempts, and I'm willing to bet most people won't be looking through their Apache access logs to see if someone is running a dictionary attack.  There are other web-based products like MythWeb and MediaTomb; how about them?

SSH is even riskier, especially if your password isn't strong or you're not using two-factor authentication (username, password, and a pre-shared key, token, or certificates).  That's the first attack vector most will try; I regularly see port-scans against border devices, which are going after the SSH port (among others).

Yes, there are ways to secure all those services and make them more resistant to attacks, but that does require advanced IT knowledge.  LMCE's about making media and home automation "easier".  While most that are perusing these forums are more technically inclined, LMCE's target audience is those less technically inclined, who wouldn't be able to implement those safeguards.  Hence, the VPN makes it easier and safer.

In the case of Orbitors, I'm not sure if the traffic is SSL/TLS encrypted.  So, if you were to expose those ports over the Internet, and were sending your alarm system PIN code * in the clear *, someone on the same network segment (like in the case of cable modems) could sniff that traffic, figure out what it meant, and then use a replay attack to disarm your system.  Using the VPN means all that traffic is encrypted in the VPN tunnel, between your core and the end-device (the phone running QOrbiter).

Hope that explains things!  IT security is a complex issue, so I tried to keep it simple...

/Mike
« Last Edit: November 26, 2013, 04:23:49 am by mkbrown69 »

golgoj4

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1193
  • hrumpf!
    • View Profile
    • Mah Website
Matt,

It's a good and valid question.  Simply, it's about limiting the attack vectors.  The more services you expose directly to the Internet, the greater the possibility that one of those services can be exploited.  This isn't specifically about LMCE, but a general security practice.  One or two doors are easier to secure than ten or twenty doors.

IT security is like layers on an onion; you have to keep peeling them away to get to the centre.  You want to make it hard enough that 'they' move on to easier pickings.

Your LMCE login page doesn't currently track login attempts, and I'm willing to bet most people won't be looking through their Apache access logs to see if someone is running a dictionary attack.  There are other web-based products like MythWeb and MediaTomb; how about them?

SSH is even riskier, especially if your password isn't strong or you're not using two-factor authentication (username, password, and a pre-shared key, token, or certificates).  That's the first attack vector most will try; I regularly see port-scans against border devices, which are going after the SSH port (among others).

Yes, there are ways to secure all those services and make them more resistant to attacks, but that does require advanced IT knowledge.  LMCE's about making media and home automation "easier".  While most that are perusing these forums are more technically inclined, LMCE's target audience is those less technically inclined, who wouldn't be able to implement those safeguards.  Hence, the VPN makes it easier and safer.

In the case of Orbitors, I'm not sure if the traffic is SSL/TLS encrypted.  So, if you were to expose those ports over the Internet, and were sending your alarm system PIN code * in the clear *, someone on the same network segment (like in the case of cable modems) could sniff that traffic, figure out what it meant, and then use a replay attack to disarm your system.  Using the VPN means all that traffic is encrypted in the VPN tunnel, between your core and the end-device (the phone running QOrbiter).

Hope that explains things!  IT security is a complex issue, so I tried to keep it simple...

/Mike

Thank you for this post!
Linuxmce - Where everyone is never wrong, but we are always behind xbmc in the media / ui department.

purps

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1402
  • If it ain't broke, tweak it
    • View Profile
Thanks for the reply, what you are saying does make a lot of sense. I will certainly have a little read up and a play. It's not entirely clear to me what all this means in practice i.e what steps I would take to ssh in or use my orbiter remotely from my phone or work computer (VPN is simply an addition to those things is what I'm taking away from your explanation), but as I say I will have a play.

Thanks again.

Cheers,
Matt.
1004 RC :: looking good :: upgraded 01/04/2013
my setup :: http://wiki.linuxmce.org/index.php/User:Purps

mkbrown69

  • Guru
  • ****
  • Posts: 213
    • View Profile
@Langston:  no problem!  My pleasure!

@Matt,

How it works will depend a bit on what you're using as a "client".  The wiki page I linked describes LMCE's VPN implementation, which uses IPSEC or a Layer 2 Tunnelling protocol (L2TP).  Those are pretty common, and there are clients in, or available for, most mobile devices and computers.  The solution I use implements IPSEC, and uses certificates for two-factor authentication (something you have, the certificate, and something you know, the password).  It works on my iDevices, and I can install the VPN profile quite easily.  When I want to access the house, I click the VPN setting on, enter my password, and then I'm in.  I can then launch RoamingOrb or whatever app to access internal services.  I could make it easier using iOS7's new VPN on demand features, but I'd have to create some Mobile Device Management (MDM) profiles; right now, it'd be too much work in order to be lazy ;)

VPN's have other nice features, depending on the product.  Most give you seperate address spaces, so you can route, filter, and firewall to your hearts content.  Most enterprise Wi-Fi implementations require a VPN connection over Wi-Fi in order to access corporate services.  There are other fancier features, but you get the idea...

HTH!

/Mike

DOH!  Link in other thread, now here for reference: http://wiki.linuxmce.org/index.php/VPN
« Last Edit: November 27, 2013, 03:37:26 am by mkbrown69 »

tschak909

  • LinuxMCE God
  • ****
  • Posts: 5549
  • DOES work for LinuxMCE.
    • View Profile
We do need a thorough run through of the VPN implementation, to at least come up with a clear set of instructions for Windows, Linux, Mac, iOS, and Android devices, and to simplify said instructions.

VPN support is critical for remote access, and we need to make it make sense.

-Thom

Techstyle

  • Addicted
  • *
  • Posts: 674
    • View Profile
    • Techstyle UK Ltd.
I tried for a long time to get it working and then gave up: http://forum.linuxmce.org/index.php/topic,12928.0.html

After a couple of brute force attacks against the Asterisk server I installed Fail2ban per the wiki which seems to work against this sort of attack (and I have locked myself out a couple of times!): http://wiki.linuxmce.org/index.php/Fail2ban_-_A_tool_against_brute_force