Network infrastructure setup help

Started by MyndFyre, December 01, 2008, 04:58:00 AM

nslay

Quote from: Camel on December 04, 2008, 04:51:26 PM
Do you think he would commute to work in a Ferrari?

If he wants to use any of the things you've listed, there's no reason he can't do that on his linksys router; enabling SSH is trivial on every model they've ever released (they do this intentionally). The only advantage to having a powerful machine instead of a dinky home router is the capacity of traffic that it can handle, and it is already unlikely that he will meet the limits of the dinky home router.
The difference between buying a cheap Linux WRT54G and an old PC or embedded board is that the latter two are expansible and you largely have control of what's under the hood.  What if you want to beef up your WRT54G with the newest Ethernet and/or WiFi technology a couple years from now?  You're out of luck.  These home-grade routers are disposable.  You're also largely limited in what you can run on WRT54G ... Linux and NetBSD.  At least with a board like Intel Atom, you not only get an x86 processor, you get a beefy 1.6GHz processor for about the same price as WRT54G!
I also think Linux is dangerous to use as a router unless you keep a sharp eye on the Linux security community.  Security on home routers is a serious issue, I kid you not!  We're talking about risking your identity, your bank/credit card account numbers, and also bot nets (which can commit serious crimes in your name!).  ISPs like Comcast will also restrict your Internet usage if it finds your computer is compromised.  Comcast in particular will not help you diagnose and fix your problem.  Removing these limitations is also near impossible - for me, it took a complaint to the FCC to receive a call from a head network admin at Comcast to remove the SMTP port block!  You don't play games when it comes to security...using the disposable home-grade routers is dangerous because the hardware and software they use are often proprietary! You trust the manufacturer (which are NEVER Linksys, D-Link, Netgear!) to audit their products and to issue patches.  Linux is probably far worse and boy you are really asking for it when you opt to use a Linux distribution that is not designed to be hardened (e.g. You DO NOT use Ubuntu as a router!).
With regards to Linux, your only line of defense is to compile a kernel that disables loadable kernel modules.  That's it!  There are no mechanisms to combat rootkits, no mechanisms to make the system immutable (e.g. kernel denies access to /dev/mem, /dev/kmem, /dev/io and other sensitive devices, as well as protects crucial userland tools and libraries from modification), and no mechanisms to enforce immutability of firewall rules.  You are literally asking for it by using Linux!  Don't take my word for it, check Linux's security track record.  My department's Linux servers have been hacked many times in the past.  I mean, the fact that most Linux distributions don't even have a notion of a wheel group is already quite frightening. 
An adorable giant isopod!

iago

Especially because you can mitigate every risk you mentioned by setting the "INPUT" table to "DROP". If nobody has a local account and no ports are open, then it doesn't matter what it is, you're probably safe (unless there's a kernel-level vulnerability in iptables).
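
The default-deny posture iago describes, written out as an added example (not code from anyone in this thread) for a two-NIC Linux box doing NAT for a home LAN: the INPUT and FORWARD chains get a DROP policy, nothing is opened on the WAN side, and only SSH from the LAN is accepted. The interface names, LAN subnet and the `IPT` variable are assumptions; set `IPT=echo` to review the generated rules without touching the kernel.

```shell
#!/bin/sh
# Assumed interface names and LAN subnet; override via the environment.
WAN=${WAN:-eth0}                      # interface facing the ISP
LAN=${LAN:-eth1}                      # interface facing the home LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}                  # IPT=echo prints the rules instead of applying them

apply_router_rules() {
    # Start from a clean slate in the filter and nat tables.
    $IPT -F
    $IPT -t nat -F
    # Default policies: anything not explicitly allowed is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the router itself started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management (SSH) only from the LAN side; no ports are open on the WAN.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # NAT: LAN hosts may initiate outbound; WAN may only answer them.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    # Routing between the NICs also needs ip_forward; skipped in dry-run mode.
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Run as root with `apply_router_rules && enable_forwarding` after reviewing the dry-run output; note that kernel-level bugs in netfilter itself, the caveat iago raises, are not something this ruleset can address.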

MyndFyre

Quote from: nslay on December 04, 2008, 04:38:53 PM
Quote from: Camel on December 04, 2008, 04:24:50 PM
I did something along the lines of what nslay is suggesting for my fraternity house - but only because it was seriously necessary: home-grade routers can't handle 40 users. MF doesn't have that many users, and he's already got the home-grade hardware, so it would be rather pointless to beef up something that isn't the weakest link.


On a side-note, learning iptables is fun. Gives you a much better understanding about how NAT actually works, behind the scenes.
Yeah but MF is a power user.  I'd think he would want a Ferrari instead of a Pinto.  Not like he lacks the technical expertise to do it either.
While I appreciate the sentiment, unfortunately these days I've found that I have to pick the battles for which I'm a power user.  I don't see my home network cutting it - especially because eventually I'll have to sell the house and it's easy to explain to someone how to work a Linksys router.  Not so easy to explain iptables. ;)

Camel

#34
Quote from: iago on December 04, 2008, 06:07:57 PM
unless there's a kernel-level vulnerability in iptables
They have unit tests that send random crap at it, and see if anything is able to get through. Obviously, it's not a leak-proof test, but it's good enough for me!

[edit] @nslay, I thought they were using a semi-hardened kernel on these embedded devices, anyways?

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

nslay

Quote from: Camel on December 05, 2008, 12:57:06 PM
Quote from: iago on December 04, 2008, 06:07:57 PM
unless there's a kernel-level vulnerability in iptables
They have unit tests that send random crap at it, and see if anything is able to get through. Obviously, it's not a leak-proof test, but it's good enough for me!

[edit] @nslay, I thought they were using a semi-hardened kernel on these embedded devices, anyways?
The disposable routers' OS is almost always proprietary and it is not necessarily hardened.  My cable modem (I know it's not a router, but it's a similar situation), for example, uses VxWorks, an RT OS...which is scary as hell because RT OSes have no VM! It has a debug prompt and because there is no VM, I can jump to any address to do anything I want (and I have, I used it to get the cable operator password for the modem and to bypass menus that would ordinarily be disabled to a user!).  Not only do you rely on the manufacturer and vendor to audit and patch their own software, but many of these network devices also use [other] proprietary software.  My cable modem for example, runs a telnet daemon, an SNMP daemon, a webserver, and countless other pieces of software that might also be exploitable [none of which are made by the vendor].
In short, don't put proprietary network devices directly on the Internet.

Camel

#36
Or do your research before buying a shitty box? The 300N's OS is open-source and is Linux.

Given enough time, solar flares are going to hack into your beefy hardened kernel. You're being paranoid.

nslay

Quote from: Camel on December 05, 2008, 02:07:55 PM
Or do your research before buying a shitty box? The 300N's OS is open-source and is Linux.

Given enough time, solar flares are going to hack into your beefy hardened kernel. You're being paranoid.
Like I said, when you expose a system to the Internet, you are risking a lot more than you think.  That's why I exclaimed that even security on a home LAN is no pushover.
Solar flares don't steal information that can ruin your life, or commit serious crimes on your box that can potentially land you in prison. You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent and they are more common than you may realize.  Hell, you came across these guys on a gaming network!

topaz~

Quote from: nslay on December 05, 2008, 03:38:44 PM
You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
There are only two people I can think of that could manage that as teenagers, and Skywing and iago weren't teenagers when they did it. The vast majority of reverse engineering was done by a small group of intelligent and capable people, and mediocre (and less than average) programmers merely took advantage of their work.

iago

Quote from: topaz~ on December 05, 2008, 09:03:39 PM
Quote from: nslay on December 05, 2008, 03:38:44 PM
You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
There are only two people I can think of that could manage that as teenagers, and Skywing and iago weren't teenagers when they did it. The vast majority of reverse engineering was done by a small group of intelligent and capable people, and mediocre (and less than average) programmers merely took advantage of their work.
I didn't start till I was 19 or so, but Skywing was doing it when he was much younger than that.

Rule

#40
Adron, Yoni, Arta, TechWarrior, Azure, ...
I could list about 20 others.

nslay

Quote from: topaz~ on December 05, 2008, 09:03:39 PM
Quote from: nslay on December 05, 2008, 03:38:44 PM
You may think I am paranoid, but look around at many of your battle.net peers, who, as teenagers, single-handedly reverse engineered the battle.net binary protocols, including the encryption for CD keys and recognizing Battle.net's broken SHA1 implementation - this is harmless.  There are some very smart people just like said battle.net peers who hack, crack and reverse engineer with malicious intent and they are more common than you may realize.  Hell, you came across these guys on a gaming network!
There are only two people I can think of that could manage that as teenagers, and Skywing and iago weren't teenagers when they did it. The vast majority of reverse engineering was done by a small group of intelligent and capable people, and mediocre (and less than average) programmers merely took advantage of their work.
What about Adron and a handful of those really old WoLF` guys like Azure?  How about all those ]I[nfinite Deaths guys and friends like Flameboy?  
Let me give you a time frame when all these guys were around: before vL existed and when WoLF` unveiled the very first binary bots, WoLF`C`Bot was just released (Winters bot either didn't exist, or was a very early version, let alone anything most of you have even heard of).  Topaz Chat and Battle Chat were the shit.  All the regional battle.net servers were still linked, and the "magic" servers sometimes unsplit (they were almost always split) and landed you ops in even channels like Dark and dk187.  You could still dupe people offline with Diablo Shareware.  You could still load 8 CHAT bots, each continually trying to connect until each luckily logged onto a split server (Or you could use Illuminator, which logged 10 bots on very quickly!... but was utterly useless).  Massbot! was popular.  Way before /beep was temporarily a feature of telnet connections, a byproduct of a failed attempt at Interbot communication between Winters and Ultimatebot.  Way before /rejoin was disabled for everyone but channel operators.  Way way before telnet connections were restricted to Public Chat channels.  Way way way before telnet connections were disabled.

Battle.net in those days was essentially a cock-fighting arena, except people did it with bots in nerd gangs (called clans for some reason).  It became less so as Blizzard fixed problems and disabled features.  Ah well, it was fun while it lasted, and a motivation to learn to program.