Announcement

Collapse
No announcement yet.

Security for database manager working from an apartment complex

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Security for database manager working from an apartment complex

    Hi guys,
    I'm not quite sure where to direct this question because its not Kubuntu specific so maybe you can tell me another good forum to query instead. I work with a database on a LAMP server and the development environment that was set up for me is on a Kubuntu system so I've turned to this forum for help in the past. But basically I have this scenario: I'm managing a database on a server that is physically located in a different town where my job's office is, but I do all my work from home and I live in an apartment complex that pays for and provides me with a Comcast internet connection. Since this database has sensitive company information in it, I would like to take steps to make my internet connection secure.

    I was told that having an internally assigned ip address and connecting to the internet through a router is not very secure and I assume means I am some how vulnerable to any techy engineering students in my building? When I use any of those What's my IP Address websites I can see that my external ip address is different than the ip address my Mac tells me I have when I check under network settings. My Mac network settings tells me my ethernet connections ip address, the subnet mask, and the router address, and they are all different numbers.

    I have a VPN software running on my work laptop which I turn on anytime I'm doing work stuff.

    My questions are: (1) Does this VPN software provide me security so that when I login to the database or access the company server, I'm not exposing the company to undue risk?

    (2) Am I correct in my assessment that I am connecting to the internet through a router?

    (3) Are there other steps I should take to secure my internet connection and what are they?
    System Information<br />Distro: Ubuntu 11.04<br />KDE: Platform Version 4.6.2<br />Grub: 0.97-29ubuntu61.1 GRand Unified Bootloader (Legacy version)<br /><br />PC Hardware:<br />laptop HP Pavilion dv6<br />CPU: AMD Turion(tm) II P520 Dual-Core Processor<br />GPU: ATI Technologies Inc M880G [Mobility Radeon HD 4200]

    #2
    Re: Security for database manager working from an apartment complex

    What is it exactly you imagine is going to happen to you via your connection? Does you company have state secrets or nuclear launch codes on their server?

    1. Generally VPN connections are very secure. That's why companies use them. As long as you have possession of your laptop, it's safe.

    2. Virtually everyone these days connects to the internet through a router. Usually, cable or dsl providers have a modem built into a router (often with wireless built-in) and that's how we connect. The ISP assigns an IP address to your modem, your router allows you to share your internet connection among several devices. The router assigns IP addresses to the devices that connect to it. I don't know what you mean by "internally" assigned IP addresses - I don't know of any other way to get an IP address. You can manually assign static IP's, but it's still internal.

    Most, if not all, modern routers have a built-in firewall that when properly configured, prevents the above-average attack and if you really lock it down tight, almost any attack.

    3. Yes - narrow your router settings to the minimum connections. Disable any services you don't need. Use WPA2 password and MAC filter for your wifi. Don't open files sent to you from unsolicited sources and don't give out your passwords. Call your company and ask if they're OK with your set-up: It is after all, their worry - not yours.

    Oh yeah, one more thing - stop listening to worry-wart fear mongers. You're not rich or famous enough (me neither ) to get targeted and the stuff your company has on their server is only of interest to them. Besides, you've already taken the greatest and best step toward internet safety: you switched to linux

    Please Read Me

    Comment


      #3
      Re: Security for database manager working from an apartment complex

      oshunluvr nailed it but I'll expand a little -

      Originally posted by erinsaurus87
      My questions are: (1) Does this VPN software provide me security so that when I login to the database or access the company server, I'm not exposing the company to undue risk?

      (2) Am I correct in my assessment that I am connecting to the internet through a router?

      (3) Are there other steps I should take to secure my internet connection and what are they?
      1. When you're connected to your work network through the VPN all traffic between your laptop and the office is encrypted. That's what VPNs do - encrypt traffic between network endpoints.

      2. Every internet connection goes through a router somewhere. Your home router *should* put you on a private network - if your IP address with the VPN not running starts with 10, 172.16 through 172.31 or 192.168 you're on a private network and machines behind the router can't be seen from the internet. If you're not on a private network you need to be on one

      Note that with a VPN client connected to your office all your network traffic routes through the VPN and you're dependent on *their* network security.

      3. I think the firewall feature set on most home routers is of questionable value since a private network can't be seen from the internet anyway. The best thing you can do is lock down any wireless access with WPA2 with a strong passphrase and if your router offers the option, increase the frequency with which the router and wireless devices exchange AES keys (most routers *don't* offer this function unless you use aftermarket router configurations like OpenWRT, DD-WRT or Tomato). Even with standard key rotation intervals there isn't enough computing horsepower available on the planet to crack WPA2 encryption before the key rotates. The most important thing is a strong (preferably random mixed case with special characters) passphrase at least seven characters long to protect against dictionary attacks.

      JMO but I think MAC filtering and hiding a wireless SSID bring a false sense of security since anyone savvy enough to hack a wireless network can pull an SSID or MAC address out of the air - WPA2 with a strong passphrase solves this problem. They certainly won't hurt anything, though
      we see things not as they are, but as we are.
      -- anais nin

      Comment


        #4
        Re: Security for database manager working from an apartment complex

        My apartment is sort of unusual I believe in that they provide internet as if I was living in a dorm. I can access the wifi or use an ethernet connection, but I dont have physical access to the router which I assume all the apartments in my building are being run through, and I can't access the configuration page via my browser when I input the ip address for the router (im using the router address that my network configuration info is giving me).

        My individual ip address and the ip address of the router both start 172.17 so this is a private network. When I use whatismyipaddress.com it shows me 107.0.114.21. Could you explain to me where they are getting this address from? Is it another router being used by comcast for our apartment complex's network?

        Originally posted by oshunluvr
        What is it exactly you imagine is going to happen to you via your connection? Does you company have state secrets or nuclear launch codes on their server?
        I work for my a small company that is basically a family business, so I have a vested interest in the company doing well and consequently take more responsibility for my tasks, such as ensuring that this database is secure. I doubt we have any information particularly valuable or interesting to anyone on this database, my concern is more that if someone could view my connection they could take the login information I use to connect to the server or for logging into the database, and use that login information to access either the database or the server and mess with things. Paranoid I know, but people can suck sometimes.

        Originally posted by oshunluvr
        I don't know what you mean by "internally" assigned IP addresses - I don't know of any other way to get an IP address. You can manually assign static IP's, but it's still internal.
        When I say external ip address I mean (based on my limited and possibly incorrect understanding), the ip address for the modem (or router?) which someone from out on the internet would see and use to connect to me, and the internal one being a different ip address that the router assigns to my device. Maybe the person that told me I'd rather have my own unique, non routed ip address meant that I'd want that because then I could access my own router settings and increase my security, while as right now I'm dependent on the apartment managers to do so?

        Is the wired ethernet connection more secure that using a wifi connection? Neither one right now requires me to use a password to get connected. To avoid using the open wifi network, I am using an Apple AirPort Express which takes our wired ethernet connection and gives my apartment its own private password protected wifi.
        System Information<br />Distro: Ubuntu 11.04<br />KDE: Platform Version 4.6.2<br />Grub: 0.97-29ubuntu61.1 GRand Unified Bootloader (Legacy version)<br /><br />PC Hardware:<br />laptop HP Pavilion dv6<br />CPU: AMD Turion(tm) II P520 Dual-Core Processor<br />GPU: ATI Technologies Inc M880G [Mobility Radeon HD 4200]

        Comment


          #5
          Re: Security for database manager working from an apartment complex

          Originally posted by wizard10000
          Note that with a VPN client connected to your office all your network traffic routes through the VPN and you're dependent on *their* network security.
          Depends on the VPN configuration and whether it allows split tunneling. The VPN server and client built into Windows default to disallowing split tunneling (which achieves the behavior you describe) and actually go out of their way to make it difficult to allow split tunneling. Other VPN products take a different approach; my employer uses Juniper SSL VPN purposefully configured with split tunneling so that they don't waste their own bandwidth backhauling Internet traffic.

          Originally posted by wizard10000
          I think the firewall feature set on most home routers is of questionable value since a private network can't be seen from the internet anyway.
          It's a bit old, but see the paper Security considerations of NAT to learn how NAT, by itself, is rather weak. The extra state protection on home routers has its place -- following TCP sequence numbers, TCP handshakes, and UDP progress timers helps protect the computers behind the router.

          Originally posted by wizard10000
          The best thing you can do is lock down any wireless access with WPA2 with a strong passphrase and if your router offers the option, increase the frequency with which the router and wireless devices exchange AES keys (most routers *don't* offer this function unless you use aftermarket router configurations like OpenWRT, DD-WRT or Tomato). Even with standard key rotation intervals there isn't enough computing horsepower available on the planet to crack WPA2 encryption before the key rotates. The most important thing is a strong (preferably random mixed case with special characters) passphrase at least seven characters long to protect against dictionary attacks.

          JMO but I think MAC filtering and hiding a wireless SSID bring a false sense of security since anyone savvy enough to hack a wireless network can pull an SSID or MAC address out of the air - WPA2 with a strong passphrase solves this problem. They certainly won't hurt anything, though
          Totally agree! Personal plug: I've written about this before. (Yes, once upon a time, I was a 'Softie.)

          Comment


            #6
            Re: Security for database manager working from an apartment complex

            Originally posted by erinsaurus87
            My individual ip address and the ip address of the router both start 172.17 so this is a private network. When I use whatismyipaddress.com it shows me 107.0.114.21. Could you explain to me where they are getting this address from? Is it another router being used by comcast for our apartment complex's network?
            Routers have (at least) two network interfaces, and therefore (at least) two IP addresses. One interface is connected to the Internet and has a public address. The other interface is connected to the private network and has a private address. When you look at your computer's IP configuration and note the address of the default gateway, that's the address of the private side of the router.

            I traced a route to 107.0.114.21. It's in an address block that's part of the addresses used by Comcast for business connections. So 107.0.114.21 is the address on the public interface of your building's router. Services on the Internet -- such as whatismyipaddress.com -- will only see the public address of your router, since (from the Internet's perspective) that's the origin of all traffic in your building.

            Originally posted by erinsaurus87
            I work for my a small company that is basically a family business, so I have a vested interest in the company doing well and consequently take more responsibility for my tasks, such as ensuring that this database is secure. I doubt we have any information particularly valuable or interesting to anyone on this database, my concern is more that if someone could view my connection they could take the login information I use to connect to the server or for logging into the database, and use that login information to access either the database or the server and mess with things. Paranoid I know, but people can suck sometimes.
            If all your work-related traffic passes through the VPN, you needn't worry about eavesdropping or interception of that traffic. It's encrypted and therefore useless to someone who happens to capture the datagrams. Even the initial login is protected.

            Originally posted by erinsaurus87
            When I say external ip address I mean (based on my limited and possibly incorrect understanding), the ip address for the modem (or router?) which someone from out on the internet would see and use to connect to me, and the internal one being a different ip address that the router assigns to my device. Maybe the person that told me I'd rather have my own unique, non routed ip address meant that I'd want that because then I could access my own router settings and increase my security, while as right now I'm dependent on the apartment managers to do so?
            The building's router is already providing you with a private IP address in the 172.17 block. What risk remains comes from other users behind the same router. Without knowing more about how your building's internal network is constructed, I'd suspect that your building provides little to no traffic filtering between computers connected to the router. So, conceivably, someone else in the building could eavesdrop on your connection. Encrypted traffic will still be useless because your VPN connection is to your individual computer; however, non-encrypted traffic will be visible. If you wish to further protect your own computers from people in the building, you could install your own router. Actually, it appears you've already done this, based on your statement about using an AirPort Express.

            Comment


              #7
              Re: Security for database manager working from an apartment complex

              Most of your assumptions are correct. The 107.0... address is the apartment routers IP, your computers IP is set by the apartments router.


              IMO, you would be less secure with a direct connection. You can activate another firewall on your desktop if you want too.

              Please Read Me

              Comment


                #8
                Re: Security for database manager working from an apartment complex

                Originally posted by steveriley
                What risk remains comes from other users behind the same router. Without knowing more about how your building's internal network is constructed, I'd suspect that your building provides little to no traffic filtering between computers connected to the router. So, conceivably, someone else in the building could eavesdrop on your connection. Encrypted traffic will still be useless because your VPN connection is to your individual computer; however, non-encrypted traffic will be visible. If you wish to further protect your own computers from people in the building, you could install your own router. Actually, it appears you've already done this, based on your statement about using an AirPort Express.
                Thanks that was helpful, the threat from people behind the same router was what I was concerned about, but it sounds like with the VPN and not using their unsecured wifi, i shouldnt worry.
                System Information<br />Distro: Ubuntu 11.04<br />KDE: Platform Version 4.6.2<br />Grub: 0.97-29ubuntu61.1 GRand Unified Bootloader (Legacy version)<br /><br />PC Hardware:<br />laptop HP Pavilion dv6<br />CPU: AMD Turion(tm) II P520 Dual-Core Processor<br />GPU: ATI Technologies Inc M880G [Mobility Radeon HD 4200]

                Comment


                  #9
                  Re: Security for database manager working from an apartment complex

                  Originally posted by erinsaurus87
                  Thanks that was helpful, the threat from people behind the same router was what I was concerned about, but it sounds like with the VPN and not using their unsecured wifi, i shouldnt worry.
                  Glad to be of help.

                  The wired network in your building still presents some risk from neighbors, since all wired connections are behind the building's router and (presumably) share the same private address space. Although addresses that start with 172.17 are technically considered "private," from your perspective you should consider your building as equivalent to the public Internet and design your security accordingly.

                  For greatest security, I'd recommend that you keep all your computers behind your AirPort Express. Of course, that will require you to use only wireless connections on all your computers, since the AirPort doesn't have its own local wired connections. If you want to use wired connections, you'll need to swap out your AirPort for a wireless router that also has some Ethernet ports.

                  If I were in your situation, here's how I'd construct my network:

                  Code:
                  building's
                  wired connection
                      |
                      |
                  wireless router
                  with LAN ports
                  and your own WPA2 key
                   |  |  |
                   |  |  |
                  PC  PC  wireless stuff
                  Allow the router to self-configure to your building's Internet connection -- it will obtain a 172.17 address for its public side. Most home routers default to using a 192.168.0 subnet for the private side; this is perfectly fine. Don't forget to set a password on the router's administration interface! This should be covered in the router's documentation. Also, be sure to configure only WPA2 for your router's wireless security protocol, and use a pre-shared key (sometimes called a pass phrase) about 20 characters long. A simple sentence will do. There's no need for g00fy ch4r4c+er rep14cemen+s here: length is always better than complexity for improving the strength of secrets against brute force attacks. Connect your wireless devices only to your own router and not to the building's wireless.

                  This procedure allows you to create an isolated network for yourself yet make full use of your building's Internet connection. Treat your building as if it were part of the Internet, and isolate your network from the rest of it.

                  Comment


                    #10
                    Re: Security for database manager working from an apartment complex

                    Originally posted by steveriley
                    Depends on the VPN configuration and whether it allows split tunneling. The VPN server and client built into Windows default to disallowing split tunneling (which achieves the behavior you describe) and actually go out of their way to make it difficult to allow split tunneling. Other VPN products take a different approach; my employer uses Juniper SSL VPN purposefully configured with split tunneling so that they don't waste their own bandwidth backhauling Internet traffic.
                    Really? IMO whoever's doing IT security for your employer needs to be fired, then

                    I didn't know anyone allowed split tunneling - it creates a bridge between trusted and untrusted networks for each VPN connection.

                    I missed the part about Comcast being provided by her apartment building - yeah, she needs her own router.

                    edit: You used to work for MS? Cool - I was an MVP for a few years (desktop systems).

                    cheers -
                    we see things not as they are, but as we are.
                    -- anais nin

                    Comment


                      #11
                      Re: Security for database manager working from an apartment complex

                      Originally posted by wizard10000
                      Really? IMO whoever's doing IT security for your employer needs to be fired, then

                      I didn't know anyone allowed split tunneling - it creates a bridge between trusted and untrusted networks for each VPN connection.
                      I used to think the same thing, but over time I've concluded differently.

                      Whenever an organization allows even a single computer to operate outside the confines of its corpnet, that computer poses potential risk when it returns. Imagine that you've attached your computer to the hotel LAN at, say, a computer security conference. Most unprotected machines would probably get infected with something. Modern malware is much stealthier than viruses of old, and usually does its work by initiating outbound connections to some evil remote-controller and then awaiting instructions, often over well-known ports and protocols. Such attacks routinely bypass corporate firewalls. So regardless of whether your VPN permits or prohibits split tunneling, you've already lost the battle: as soon as that device connects to the VPN, it becomes a tool of the attacker. Mobile devices that come and go from the corpnet must be strongly, resiliently configured.

                      There are also practical issues to consider when determining your VPN policy. My employer's user base can broadly be classified into two groups: those who use computers as tools for just getting work done, and hardcore developers/testers/geeks who are fully aware of risks and mitigations. Most users in the first group receive Windows machines that are domain joined, have user accounts that aren't admins, are locked down with group policy, are protected by anti-malware and a host firewall, and are kept up-to-date -- IOW, built the way they should be, so that they are useless to attackers. A few prefer Macs, and they're also managed. Users in the second group typically run Linux, along with some Macs, as you might imagine, and are generally trusted to keep their machines secure.

                      Less than half of our users work from a central office; the majority work from home or on customer sites. So split tunneling makes a lot of sense for us. We can still manage the machines remotely, and our users can connect to their home or their customers' networks and our network at the same time (often required for them to do their jobs). In the wider realm of worrying about which attack vectors really matter, split tunneling looks to be less of a problem than once thought.

                      Originally posted by wizard10000
                      edit: You used to work for MS? Cool - I was an MVP for a few years (desktop systems).
                      Yup. I was in the telecommunications practice of Microsoft Consulting Services for three years, then part of the Trustworthy Computing Group for eight.

                      Comment

                      Working...
                      X