Security within LB network.


Post by Sully » Tue Mar 09, 2010 6:05 pm

I don't know how many LB users there are, but I thought it might be interesting to see how people are planning on securing their computers when in an LB network. Since LB uses true reserved LAN subnets, and the router plays no significant role, the possibilities are more open to compromise.

I have been thinking more on this topic, and have yet to come to any hard conclusions, only that if you cannot trust others in the LB network, something needs to be done to mitigate the possible threats.

Any ideas?

Sul.
I do things TO my computer, not WITH my computer... I am a nerd.
Sully
 
Posts: 23
Joined: Sun Feb 21, 2010 12:22 am

Re: Security within LB network.

Post by mamu » Tue Mar 09, 2010 6:34 pm

Sully wrote: I don't know how many LB users there are, but I thought it might be interesting to see how people are planning on securing their computers when in an LB network. Since LB uses true reserved LAN subnets, and the router plays no significant role, the possibilities are more open to compromise.

I have been thinking more on this topic, and have yet to come to any hard conclusions, only that if you cannot trust others in the LB network, something needs to be done to mitigate the possible threats.

Any ideas?

Sul.

This is a very important topic and your point is quite serious-- right now, LAN Bridger offers no extra security beyond keeping out people who don't have the pub_profile and proper password. If a malicious user gets a hold of these credentials, they can join the network and potentially cause problems. If you are joining a network with unknown users, you likely want to treat the network as untrusted, much as you would a direct connection to the internet.

As we begin moving LAN Bridger in the direction of more open and larger networks, we plan on adding some very simple network security features to LAN Bridger. We'll possibly be including: a very simple user-configurable firewall (allowed and disallowed ports), the ability to kick and ban malicious users, and access control based on more than just a password.

It's important to realize, however, that any security features we add will not act as full-blown substitutes for running a more sophisticated software firewall, and on larger LAN Bridger networks, a bit of caution should always be employed.

We'd love to hear which firewalls and other precautions LAN Bridger users are taking if and when they host or join large/unknown networks.
I'm the UI designer. I think in pixels.
mamu
Site Admin
 
Posts: 38
Joined: Wed Dec 16, 2009 6:52 pm
Location: Minneapolis, MN

Re: Security within LB network.

Post by amishmonster » Tue Mar 16, 2010 6:47 pm

I haven't been using any extra security measures for LAN Bridger, but then again I've only used it with friends so far. That doesn't entirely eliminate the issue, but it does help!

I hadn't considered that it removes the protection from your router - that's definitely something to be addressed in the future.
amishmonster
 
Posts: 2
Joined: Tue Feb 23, 2010 3:30 am

Re: Security within LB network.

Post by Sully » Tue Mar 16, 2010 10:16 pm

I take a pretty basic approach to it. I always set my SERVER service to manual, and that way I don't have it to worry about being open (file sharing). I also shut down all other unneeded services which hold ports open. Some programs hold ports open as well, and if they don't need to be running all the time, they are not allowed to 'autostart'. This drastically reduces the amount of surface area that is open to compromise.

When you think of how you could be compromised within LB, it will be via a LAN-borne malicious attack. If another computer has a virus, etc., and it is designed to seek out other computers within the subnet, you could have a problem. I don't know of a definitive guide that says only programs X, Y and Z are immune. I have always considered the OS to be the weak link, and taken matters to close what is open that is not needed.

At some point I am going to start the SERVER service if we are file sharing. At that point I am available for compromise. I don't personally use an AV anymore. It is the LAN side that is the most scary for me (if you call it that), as the WAN side of things I have pretty well under control.

I think if you are paranoid, an application control firewall will offer the logical step. Putting HIPS programs on can certainly add more than that, but the real question is are you ready for that level of commitment? I am not, not anymore.

If you are LUA or User, you have some definite advantages in this respect, as you must have a service/program running that already has root (typically) for there to be any compromise.

It is something to think about, certainly. I am just undecided as to what really can be done that is not totally overkill.

Sul.
I do things TO my computer, not WITH my computer... I am a nerd.
Sully
 
Posts: 23
Joined: Sun Feb 21, 2010 12:22 am
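
An audit for the approach described in the post above: list what is listening on non-loopback addresses, which process and services hold each port, and whether those services start automatically. This is an added example, not part of the original thread or of LAN Bridger; it assumes Windows 8 / Server 2012 or later and that the "SERVER service" is the Windows Server service (LanmanServer).

```powershell
# Added example: what on this host is reachable from the LAN side?
# Needs Windows 8 / Server 2012 or later (NetTCPIP cmdlets).

# Index running services by hosting process ID (one svchost can host several).
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.ProcessId) { $servicesByPid[[int]$svc.ProcessId] += @($svc) }
}

# Listening TCP sockets and bound UDP endpoints, ignoring loopback-only binds.
$loopback = '127.0.0.1', '::1'
$sockets = @(
    Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
) | Where-Object { $_.LocalAddress -notin $loopback }

$report = foreach ($s in $sockets) {
    $procId = [int]$s.OwningProcess
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    # Drop the $null returned for processes that host no service.
    $svcs   = @($servicesByPid[$procId] | Where-Object { $_ })
    [pscustomobject]@{
        Proto     = $s.Proto
        Address   = $s.LocalAddress
        Port      = $s.LocalPort
        Process   = if ($proc) { $proc.ProcessName } else { "pid $procId" }
        Services  = ($svcs | ForEach-Object { '{0} ({1})' -f $_.Name, $_.StartMode }) -join ', '
        AutoStart = [bool]($svcs | Where-Object { $_.StartMode -eq 'Auto' })
    }
}
$report | Sort-Object Proto, Port | Format-Table -AutoSize

# Assumption: "SERVER service" in the post means the Windows Server service.
$server = Get-CimInstance -ClassName Win32_Service -Filter "Name='LanmanServer'"
if ($server) {
    'LanmanServer: StartMode={0}, State={1}' -f $server.StartMode, $server.State
}
```

Rows with AutoStart set to True and an address of 0.0.0.0, :: or the adapter used for the LB network are the candidates for switching to manual start; rows with an empty Services column are ordinary programs holding a port open.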

