Security & Remote / Wireless access
When I first acquired some WiFi equipment I started to worry about how to secure data on the network, and prevent unauthorised access to it. There is also the problem of people on the internet breaking into my home network.
The Data
I have a Wiki based information system on my server that contains all my notes, diary, photos etc. This has built up since 1999 into a large set of documents (around 2,500 pages of text, and 50,000 photos) which document my life. It also automatically logs all the phone calls I make, keeps copies of all SMS texts I send or receive and archives all my ansaphone messages. All edits are versioned using CVS, so I can roll back any data, and perform a complete history audit on any information in it. The wiki allows automatic cross-referencing, indexing and searching. Oh, and it has a UK gazetteer with mapping software too. This is incredibly useful for me, but I definitely do not want other people to gain access to it.
However, as I am a contract software developer, I often have to work away from home for long periods. It is important to have access to my notes. I use a NAT router and firewall to protect my home network, but do not normally leave ports open, preventing access to my network.
Controlling the firewall
However, as my server has a mobile phone connected to it, I can send a text message to my server instructing it to open a port on my firewall. This is easy to achieve using my PySMS software. I simply set up a command handler that accepts commands allowing me to control my firewall. I check that the text came from my phone (a simple whitelist of sender numbers does this), and the server acknowledges every message by texting my handset. A sender number can in principle be faked, but the acknowledgement goes to my real phone rather than the impostor's, so it would be difficult for someone to spoof this without my noticing. If they did, I would be alerted to the fact. I open up port 22 to allow access to the ssh server.
Logging on
The next part of the process is the creation of a one-time username / password combination. In response to the message from my mobile phone, a random username and password are generated, with login rights, and sent to my handset. I can then log in to my ssh server over the internet. The act of logging in scrambles the account's password, preventing anyone who might have snooped on the text from using this temporary information. If I do not log in within 5 minutes, the account is removed and the port closed down again. The one-time password prevents keyboard loggers, or over-the-shoulder snooping, from disclosing a password that is of any further use.
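The two steps above (whitelisted text opens the port, one-time account expires if unused) as an added example in Python. This is not PySMS or the author's handler; it is example code that models the logic. The command runner and the clock are injected so the decisions can be checked without root, and the real runner shown would call useradd, chpasswd and iptables on the server. The phone number, the "open ssh" command word and the tmp-prefixed usernames are assumptions for the example.

```python
import secrets
import string
import subprocess
import time

# Constructed sample whitelist: only texts from these numbers are acted on.
# The number is made up for this example.
ALLOWED_SENDERS = {"+447700900123"}

SSH_PORT = 22
LOGIN_WINDOW_SECONDS = 300          # 5 minutes, after which an unused account is removed
_ALPHABET = string.ascii_letters + string.digits


def random_password(length=16):
    """Password from the OS CSPRNG (the secrets module, never random.choice)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def shell_runner(argv, stdin_text=None):
    """Default command runner: really execute argv (must run as root on the server)."""
    subprocess.run(argv, input=stdin_text, text=True, check=True)


def iptables_rule(action):
    """iptables -I (insert) or -D (delete) of an ACCEPT rule for the ssh port."""
    return ["iptables", action, "INPUT", "-p", "tcp", "--dport", str(SSH_PORT), "-j", "ACCEPT"]


class RemoteAccessGate:
    """Turns a whitelisted text message into a short-lived ssh account and an open port."""

    def __init__(self, allowed_senders, run=shell_runner, now=time.time):
        self.allowed = set(allowed_senders)
        self.run = run        # injected so the logic can be exercised without root
        self.now = now        # injected clock, for the same reason
        self.pending = {}     # one-time username -> deadline for logging in
        self.active = set()   # one-time usernames that have logged in

    def handle_sms(self, sender, text):
        """Handle one incoming text. Returns the acknowledgement to send back, or None."""
        if sender not in self.allowed:
            return None       # not my phone: ignore silently, reveal nothing
        if text.strip().lower() != "open ssh":
            return "unknown command"
        if not self.pending and not self.active:
            self.run(iptables_rule("-I"))   # open the port only once
        user = "tmp" + secrets.token_hex(3)
        password = random_password()
        self.run(["useradd", "-m", user])
        self.run(["chpasswd"], stdin_text=f"{user}:{password}\n")
        self.pending[user] = self.now() + LOGIN_WINDOW_SECONDS
        # The acknowledgement carries the credentials and goes to my handset even if the
        # original text was spoofed, which is what makes a spoofing attempt visible.
        return f"login {user} password {password}, valid for 5 minutes"

    def on_login(self, user):
        """Called once the user has authenticated: scramble the password so the text is useless."""
        if user not in self.pending:
            return False
        del self.pending[user]
        self.active.add(user)
        self.run(["chpasswd"], stdin_text=f"{user}:{random_password()}\n")
        return True

    def expire(self):
        """Run periodically: delete accounts nobody logged into in time; close the port when idle."""
        expired = [u for u, deadline in self.pending.items() if self.now() >= deadline]
        for user in expired:
            del self.pending[user]
            self.run(["userdel", "-r", user])
        if expired and not self.pending and not self.active:
            self.run(iptables_rule("-D"))
        return expired


if __name__ == "__main__":
    # Dry run with a recording runner instead of real commands.
    def show(argv, stdin_text=None):
        print("would run:", " ".join(argv))
    gate = RemoteAccessGate(ALLOWED_SENDERS, run=show)
    print(gate.handle_sms("+447700900123", "open ssh"))
```

In a live deployment the acknowledgement string is what PySMS would text back, on_login would be triggered from the account's login hook, and expire would run from cron every minute.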
SSH is an incredibly useful tool. It was only when I started looking into this security issue that I realised that ssh had already solved most of my problems.
I know from personal experience that much of the traffic that travels round an office network is unencrypted. I regularly use packet sniffers like ethereal for my work, and have often watched people's pop3 passwords fly by. Tools like the excellent kismet provide the same thing for wireless networks. Using ssh fixes some of the holes that these tools reveal.
Port Forwarding
Being able to log into my network remotely is one thing. But I need access to my intranet. Ssh to the rescue. By using local port forwarding, I can have ssh listen on a port on the local machine - in this case my laptop - and relay everything sent to it, through the encrypted connection, to port 80 on my home server.
ssh -L 8080:localhost:80 user@internet.address -N
I can now use my browser to connect to http://localhost:8080, and I am connected to my home wiki server (on port 80). Note that the localhost in the -L argument is interpreted at the far end, so it means the home server, not the laptop; and by default ssh binds the forwarded port to the laptop's loopback interface only, so nobody else on the office network can use the tunnel. The connection is tunnelled over the encrypted ssh channel, preventing anyone from snooping on the data. This technique also works well with WiFi equipment, allowing over-the-air communications to be encrypted. This gets around some of the security problems in WEP. The security that WEP provides is an illusion. See Rob Flickenger's excellent book Wireless Hacks for details.
Using the same trick I can also forward my email connections. This allows me to use the terribly insecure pop3 protocol (it sends passwords in clear text), over the ssh tunnel. The pop3 transmissions will still be sent over the internet in the clear, but they will not be seen on the connection my laptop is connected to - just on the link between my home server and my email account provider.
While I was at it, another problem I have to deal with is setting up the smtp server details in my email client. Every time you move office, or connect from a temporary location, you have to worry about reaching an smtp server. Many ISPs block port 25 (smtp) outgoing traffic to other ISPs, and only allow you to connect to their server if you are connected using their network. They do this by filtering out any ip address not in their allocation. It is to prevent spammers, but it also prevents you from connecting easily while on the road.
But ssh port-forwarding also solves this problem. You simply send your email via your home network. I have a smtp server running on my server, so I just connect to that over the ssh tunnel.
So you simply combine all these together into a single command, one -L for each service (http, smtp and pop3):
ssh user@internet.address \
    -L 8080:localhost:80 \
    -L 8025:home.isps.smtp.server:25 \
    -L 8110:my.pop3.server:110 \
    -N
The forwarding targets (home.isps.smtp.server, my.pop3.server) are resolved by the home server, not by the laptop. The same three forwards can be put in ~/.ssh/config as LocalForward lines under a Host entry, after which the command reduces to ssh -N followed by the host alias.
Note :- on Windows machines you can use the Cygwin tools to allow you to run ssh.
Email privacy
This all has the interesting side-effect of preventing your employer (if you are using their office network) from reading your emails. This practice is increasingly common. In Europe there are rights protecting individuals' privacy, but in the land of the free, companies can snoop as much as they like on their employees. Companies even contract out the activity of reading people's emails, so you might find that your personal communications end up being read by an offshore firm, working in a country that has no data protection legislation at all. Worth bearing in mind when you send off that personal email.
Note: this does not stop the government or your ISP from reading your email. It just prevents people connected to the local network from doing so. If this is your office network, this prevents your employer and colleagues from reading your email traffic. It will not help with internal email, or email routed through the office server.
Web proxy
There is one further technique that ssh makes possible to hide your web browsing habits from the local network. It will also allow you to by-pass any web blocking that a company might implement, eg. by adding access controls to a web proxy like Squid. You need to set up a web proxy on your home server, port-forward it to your local machine, and then configure your web browser to use the proxy. This will hide any web accesses you make from any prying eyes on the office network and allow you to by-pass any port blocking. (ssh can also act as a SOCKS proxy on its own, using -D, eg. ssh -D 1080 user@internet.address -N, and most browsers can be pointed at that directly; a real HTTP proxy on the home server is still useful for clients that only understand HTTP proxies.)
I found this simple Python web proxy
Upload this to your home server, make sure it listens only on the loopback interface (127.0.0.1) so that it is reachable solely through the tunnel and does not become an open proxy for the whole internet, and run it. Then use ssh to port forward the web proxy across a tunnel, eg. -L 8000:localhost:8000. You then simply set your web browser proxy to the forwarded port on your local machine, eg. localhost:8000, and you will be able to access the web over an encrypted link, and without being blocked by an office proxy.
Summary
I realise that all this does not prevent someone from breaking into my network. I need additional protection in place. And sending out passwords unencrypted over SMS is not secure. But it does raise the barrier. Governments do have the resources to monitor the traffic and then break into my network. But they can also kick my front door down any time they want.
In the UK we now have the RIP act 2000, which allows the government to snoop on our electronic communications and share it with 'interested parties' like the local Council and the bin men. People would be very upset if all their post was opened by the Royal Mail, so I'm not sure why there hasn't been an outcry about this. It also shows that in the UK we didn't need to wait to use 911 as an excuse to erode personal freedom, we were already doing so with abandon. One of the provisions of the act is that if you use encrypted communications you must make the private key available to the government on demand, and can be sent to prison if you do not. The good thing about ssh is that the key which actually encrypts a session is agreed afresh for each connection by Diffie-Hellman and discarded afterwards, so you can't give them that key, because you no longer have it. The long-term host and user keys are another matter, but on their own they do not allow a recorded session to be decrypted.
What I have attempted to provide here is not a total solution to security, simply a cheap system for authorisation and authentication, and a brief guide to providing communications that are secured in a possibly hostile environment (and believe me, I've worked in some pretty hostile offices). When you are working on a client's or customer's site, you really should think about securing your communications. And it is great to have remote access to all my notes.
Tip: Don't lose your phone.