Securing your network traffic

If you want to start some exciting discussion in a security forum, just say you use telnet: you’ll find that every admin knows that telnet is insecure, that one should use OpenSSH or similar to encrypt the traffic, and that telnet should be banned from the server environment entirely.

However, telnet is not the only server that transmits its passwords in the clear. There are a lot of others. Here’s a list I came up with:

  • FTP
  • HTTP
  • IMAP
  • IPP
  • LDAP
  • LPD
  • NFS
  • POP3
  • rsync
  • SMTP
  • SNMP
  • syslog
  • VNC
  • X11

I won’t cover all of these here (more about these items can be found in my book) but I do want to cover just a few.

Consider, for example, the mail protocols: SMTP, POP3, and IMAP. SSL encryption is available with all three – but do you use it? And what about your logins to your mailbox at your ISP? Every time you log in, your password to your mailbox goes across the wire in the clear.
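To make the leak concrete from the defender's side, here is an added example (not code from the original article) that scans captured application payloads for logins sent in the clear over several of the services in the list above: FTP and POP3 (USER/PASS), IMAP (LOGIN), SMTP (AUTH PLAIN) and HTTP (Basic authentication). The input shape, a list of (server port, payload text) pairs, and the sample flows are constructed for the example; in practice they would come from a capture tool. The report names the account but deliberately never copies the password.

```python
"""Added example, not from the original article: flag credentials that cross
the wire in the clear for several of the services listed above (FTP, POP3,
IMAP, SMTP, HTTP).  The input is a list of (server_port, payload_text) pairs
as a capture tool would hand them over; the flows below are constructed."""
import base64
import re

# Standard server ports for the cleartext services this example understands.
PORT_PROTOCOL = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}


def _b64_text(token):
    """Decode a base64 token to text, or return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def scan_user_pass(payload):
    """FTP and POP3: 'USER x' then 'PASS y'.  Returns the user if a PASS was seen."""
    user = None
    for line in payload.splitlines():
        if line.upper().startswith("USER "):
            user = line.split(None, 1)[1].strip()
        elif line.upper().startswith("PASS "):
            return user or "<unknown>"
    return None


def scan_imap(payload):
    """IMAP: '<tag> LOGIN user password' (either value may be quoted)."""
    m = re.search(r"^\S+ LOGIN (\S+) \S+", payload, re.M | re.I)
    return m.group(1).strip('"') if m else None


def scan_smtp(payload):
    """SMTP: 'AUTH PLAIN <base64>' carrying authzid NUL authcid NUL password."""
    m = re.search(r"^AUTH PLAIN (\S+)", payload, re.M | re.I)
    if not m:
        return None
    decoded = _b64_text(m.group(1))
    if decoded is None:
        return "<undecodable>"
    parts = decoded.split("\0")
    return parts[1] if len(parts) == 3 else "<unknown>"


def scan_http(payload):
    """HTTP: 'Authorization: Basic <base64 of user:password>'."""
    m = re.search(r"^Authorization: Basic (\S+)", payload, re.M | re.I)
    if not m:
        return None
    decoded = _b64_text(m.group(1))
    return decoded.split(":", 1)[0] if decoded else "<undecodable>"


SCANNERS = {"FTP": scan_user_pass, "POP3": scan_user_pass,
            "IMAP": scan_imap, "SMTP": scan_smtp, "HTTP": scan_http}


def find_cleartext_credentials(flows):
    """Return one finding per flow that carried a cleartext login.

    Only the account name is reported; the password itself is never copied
    into the report, so the report is safe to forward or log."""
    findings = []
    for port, payload in flows:
        proto = PORT_PROTOCOL.get(port)
        if proto is None:
            continue
        user = SCANNERS[proto](payload)
        if user is not None:
            findings.append({"port": port, "protocol": proto, "user": user})
    return findings


# Constructed sample flows (not real captures); the base64 tokens are built
# here so the decoding path is exercised exactly as it would be on a capture.
SAMPLE_FLOWS = [
    (110, "USER alice@example.test\r\nPASS hunter2\r\n"),
    (143, 'a001 LOGIN "bob" "pa55word"\r\n'),
    (25, "EHLO laptop\r\nAUTH PLAIN "
         + base64.b64encode(b"\0carol\0s3cret").decode() + "\r\n"),
    (80, "GET /mail HTTP/1.1\r\nHost: webmail.example.test\r\n"
         "Authorization: Basic " + base64.b64encode(b"dave:letmein").decode()
         + "\r\n\r\n"),
    (21, "USER anonymous\r\nPASS guest@\r\n"),
    (25, "EHLO laptop\r\nMAIL FROM:<x@example.test>\r\n"),  # no login: nothing to report
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"port {f['port']:>3} {f['protocol']:<5} cleartext login for {f['user']}")
```

Running it reports five cleartext logins out of the six constructed flows; the SMTP session that never authenticates produces nothing. The same dispatch table is the natural place to add the remaining services from the list (LDAP simple bind, SNMP community strings, and so on) once you know what their login exchange looks like on the wire.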

What about NFS – particularly NFS home directories? If you have unencrypted secrets in your home directory, then these items will be transmitted across the network in the clear as well. What about private SSH keys? Unfortunately, there is no way to encrypt NFS traffic.

VNC is another one to watch for: if you type passwords for your root logins over VNC – even if you are using SSH in your VNC session – the passwords are in the clear. The only way to secure VNC entirely is to use an SSH tunnel to encrypt it.
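The tunnel the paragraph above calls for, as an added example rather than anything from the original article: a small POSIX shell wrapper that opens an SSH local port forward and only ever points the VNC viewer at the local end of it, so the VNC password and every keystroke typed into the session travel inside SSH. It assumes the remote host runs sshd, that its VNC server listens on 127.0.0.1 for the chosen display, and that `vncviewer` is installed locally; `vnc_via_tunnel`, `tunnel_cmd` and the other function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): wrap a VNC session in an
# SSH local port forward so the VNC password and keystrokes travel encrypted.
# Assumptions: the remote host runs sshd, its VNC server listens on
# 127.0.0.1 only, and vncviewer is installed on the local machine.

# VNC display N listens on TCP port 5900+N.  Reject anything that is not a
# plain number so a malformed argument cannot turn into a stray ssh option.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "vnc_port: invalid display '$1'" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# The ssh command for the forward.  -N runs no remote command; -L binds the
# local end to 127.0.0.1 explicitly so other hosts on the LAN cannot ride
# the tunnel, and the remote end also targets 127.0.0.1 so the VNC server
# never has to accept connections from the network at all.
tunnel_cmd() {
    port=$(vnc_port "$2") || return 1
    echo "ssh -N -L 127.0.0.1:$port:127.0.0.1:$port $1"
}

# Only ever point the viewer at the local end of the tunnel; anything else
# would be the cleartext connection the article warns about.
local_target_ok() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) echo "refusing direct (cleartext) VNC to $1" >&2; return 1 ;;
    esac
}

# Usage: vnc_via_tunnel user@remote.example.test 1
vnc_via_tunnel() {
    port=$(vnc_port "$2") || return 1
    cmd=$(tunnel_cmd "$1" "$2") || return 1
    $cmd &                      # the forward runs in the background
    tunnel_pid=$!
    sleep 2                     # crude wait for ssh to authenticate and bind
    target="127.0.0.1:$port"
    local_target_ok "$target" && vncviewer "$target"
    kill "$tunnel_pid"          # tear the forward down with the session
}
```

The `sleep 2` is the weak spot: a production wrapper would poll the local port until ssh has bound it rather than guess. The same `-L` forward pattern applies to the syslog-ng-over-TCP case discussed further down, with the syslog port in place of the VNC one.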

X11 is insecure in the same way, but presents special problems. However, OpenSSH handles X transparently through the use of special tunnels just for X.

syslog is another unencrypted service: do passwords end up in your system logs? What about the secret doings of your servers? How much information leakage can you tolerate? Unfortunately, syslog is another service that cannot be secured unless you use something such as syslog-ng, which permits you to use TCP (and thus an OpenSSH tunnel).

Small (Tiny!) and Quiet PCs

Using a tiny, quiet, fanless personal computer has many benefits. My use scenario goes something like this:

Bring in the computer, plug into the network – turn on the computer and access the network. This necessitates Power over Ethernet (PoE) but we’re dreaming, right? It also doesn’t say anything about a keyboard and monitor and mouse – but hey, those are already taken care of, right?

This computer would be small enough to slide in a desk drawer, or under a desk, or hide in a bookcase. From this point, we can perform security analysis and penetration testing.

An alternate scenario might go like this:

Same computer but with wireless and battery operation: but now it is in our hands, in the data center. With a simple USB key attachment to a server, we are now accessing the server console over a wireless network link, with full access to the server and network.

There isn’t such a device yet – though some of the large PDAs like the Nokia 770 (and its successors, the Nokia N800 and the Nokia N810), the Sharp Zaurus, and others come close. However, PDAs are “embedded” devices, which typically means: small size, battery power, limited memory, low power, limited secondary storage, and a low-speed CPU.

Small non-PDA computers tend to have massive “expansion” capabilities (that is, massive amounts of ports such as USB, Ethernet, Firewire, SVGA, and so forth). These computers tend to use the Mini-ITX form factor (Jeff Atwood has an excellent description of the various small to pico-sized form factors, including a relative size graph). Such a computer still tends to be less powerful than its desktop counterparts (especially if designed for a fanless environment), but remains much more powerful than the PDA-class machines currently available.

You can buy such machines premade, though they are not from the mainstream manufacturers normally:

  • CappuccinoPC makes many, but may be best known for its Cappuccino PC (about the size of a CD player). However, they have a vast array of others as well.
  • LinuTop sells a computer designed to run from a USB key (presumably, Linux-based)
  • The Kuro Box is a cheap computer (under $200) without hard drive, and is closer to the embedded system than the others – and is non-Intel based (either ARM or PowerPC currently). The Kuro Box is actually made by Buffalo but is sold in the United States by Revogear.
  • The fitPC is a low-power low cost computer in a book-sized unit.
  • The retailer Directron seems to have a lot of micro-sized computer equipment.
  • Stealth Computer Corporation has a wide range of tiny computers they call Little PCs.

Of special note is the site which includes news about the Mini-ITX platform, a gallery of projects, a Mini-ITX FAQ, and a store to boot. The projects give you just a tiny idea of what can be done with such a small platform: you could embed it into a biscuit tin, or into an antique typewriter (an Underwood No. 5 – with working “keys”!), or into a teddy bear, or into a case made of Legos, or even into a Macintosh SE/30 case. There are dozens more – or you can create your own.

Of course, none of these tiny computers have monitors or keyboards or mice – all of which are big and require lots of space. There are a few alternatives:

  • Use a wireless connection from the tiny computer to a small handheld computer (like the Nokia and Sharp models listed above)
  • Use VNC on startup with a connection to a remote, listening, VNC client. This requires an advanced (or recent) server and client to use this special mode (connections are usually made from client to server, not the reverse).
  • Use a reverse shell connection, connecting a shell on the tiny computer to a listening port on a remote computer. This requires special handling: methods of creating a reverse shell are explained nicely in this article by Julius Plenz.
  • Use a serial or wireless connection from the tiny computer to a laptop (but then you could use the laptop alone – or perhaps the laptop is older and slower…)

These are only some ideas; I’m sure that you can come up with your own. What could you do with a tiny but powerful computer with lots of ports and expansion?