
Four Bad Ideas That Seemed Good at the Time

Way back, a long time ago, in the Golden Age of Movies, a group of kids could overcome almost any obstacle with the following incantation, “Let’s Put On A Show!” Today, the IT equivalent is “I have a great idea. Why don’t we _________?” Some new ideas are fantastic. They change the world. Others, not so much, even if they seemed like good ideas at the time.

A really bad ‘good idea’ has certain characteristics.

  • It takes a little know-how to understand and more to implement.
  • It seems like it solves a big problem and / or opens the door for more solutions that piggy-back on to the initial effort.
  • It takes a fair amount of effort to complete.
  • Afterward, you discover it creates more problems than it solves, and the problems can’t be painted over. If you’re lucky you can be like Thomas Edison and try the next variation. If you’re like almost everyone else, you have to toss out the whole mess and walk away. (If you’re a giant corporation with a lot of market power, you might be able to force your bad idea down your customers’ throats, but only one or two companies are big enough for that. The rest that try become ex-companies.)

Some not-so-great ideas are big. Others may look insignificant but they share the same characteristics as big bad ideas. You waste time, effort, and possibly money.

A Short List of Good Examples – Some of Which Are Much Worse Than The Others

  • Double NAT, aka Cascading Routers
  • Universal Plug and Play (UPnP) on a router
  • Build a main firewall / router and place it in a virtual machine
  • Use Windows Server (any version) as a desktop OS

How do I know about these things? Guess.

Double NAT, aka Cascading Routers

This one comes up a lot. It’s especially confusing to figure out because if you Google ‘Double NAT’ the replies universally say ‘bad idea’ but usually without an explanation. If you Google ‘Cascading Routers’ the replies often say ‘Great Idea’ and sometimes explain why. Double NAT and Cascading Routers are the same thing.

NAT (network address translation) is a firewall feature built into all home routers. It takes the IP address your ISP gives you and splits it into a large number of internal addresses on your home network. The router uses port numbers to keep track of each internal address as it communicates with the internet or internally. When you ask for a web page, the router may see your device as 192.168.1.10 and associate port 12345 with that page request. This is written as 192.168.1.10:12345. Then the router swaps that IP address with the ISP provided one and sends the page request off to the internet. When the web site replies, your router sees that port 12345 should get the reply and swaps the ISP IP address back to 192.168.1.10:12345.

Double NAT involves putting a 2nd router on your network, creating an outside network and an inside network. The inside network would be given a slightly different IP address, such as 192.168.2.x, as opposed to the outside network’s 192.168.1.x. This places them on different subnets for most home networks. The advantage of doing this is that each network should be invisible to the other unless special steps are taken.

At least, invisible in theory. Some routers will isolate the subnets well. Others, such as those using DD-WRT, will require some expert level work with iptables to finish the job. Some will only hide devices such as printers while happily exposing file servers if you know the local IP address on the other subnet. Asking the internet for help may or may not yield useful advice.

But, assuming things work as theory suggests ….

One way to get them to ‘talk’ is to make entries in a routing table that tells each router how to send packets to the other network. Most home network administrators have never heard of a routing table and fewer know how to make entries to one. I don’t. Cisco level CCNA or CCNP network professionals do this routinely on large enterprise networks. Home administrators never play with routing tables.

Alternately, the outside network can be made to ‘see’ the inside network if complicated port forwards are made on the inside network and the outside network goes through hoops to access them. The outside network would be invisible to the inside network in this case.

The outside network is like an ISP to the inside network.

The inside network can get out to the internet if a LAN port on the outside network router is connected to the WAN port on the inside network router. This is a home version of how all home networks connect to their ISP. This means all normal page requests that originate on the inside network can flow through the outside network, to the internet, and back again all automatically.

Thus, Cascading Routers can be a great idea if they promote security and don’t impede normal internet traffic. I have a spare AC class router on an inside network set aside for some Internet of Things, IoT, devices. Unfortunately, some IoT devices must be on the main network, otherwise there would have been no point to installing them. Good examples of practical uses would be some security systems, some smart thermostats, some smart house devices, and all nosy relatives who spend the night and need network access.  In fact, most large businesses use multiple routers – at least 1 is a firewall and the rest carry traffic for the rest of the business. These companies also have network staffs with years of training to make the routers connect properly.

And why did I highlight the word some above? Some smart devices just sit on the network and you control them from inside the house. For these, you use an SSID that puts you on their wireless network and then do whatever you need to do. They have no need to contact anyone outside. Others are accessed using the vendor’s central server via an app on your phone or laptop. These devices maintain constant contact with the vendor’s server and take advantage of SPI, or stateful packet inspection (this is built into all routers to prevent outsiders from breaking in). SPI makes sure that the only data that gets into your network is in reply to something you sent out. Indirectly, your home network is as secure as the vendor’s. You have to decide if that’s good or bad. These may or may not work on an inside network.

Double NAT Using a Commercial VPN Service For Privacy … Good Idea

One somewhat clever application of double NAT I have played with rather successfully is combining DD-WRT with a commercial VPN on the inside router. When successfully configured, everything connected to the inside router, wired and wireless, goes to the internet via the commercial OpenVPN tunnel. Your traffic on that subnet is (hopefully) hidden from your ISP. The subnet on the main network is used for services such as Hulu and everything else that might not work on the inside network. StackSocial re-markets some incredible values on lifetime VPN subscriptions. Each vendor who supports OpenVPN router configurations provides instructions for their particular service. Not all support DD-WRT and some support several different routers. Each vendor offers a varied number of simultaneous connections so shop carefully. Google some reviews.

In summary, cascading routers can be a good idea if you work from a plan and keep it simple. The concept goes progressively downhill if you try to be clever and don’t have the training to get you through it.

Universal Plug and Play (UPnP) On a Router

Networks use ports. Think of a port as being like a TV channel, only there are over 65,000 of them. There’s nothing magical about ports except some are used for certain functions, 80 and 443 being two obvious examples. 80 is used for normal internet pages. 443 is used for secure HTTP. A firewall feature built into all routers called SPI (Stateful Packet Inspection) makes sure the only connections that get into your router are ones that originated from your router, such as the cat video you requested. Nobody can send you a cat video unless you specifically asked for it (or clicked on an email link – please don’t).

Port forwarding allows you to get past SPI. For example, pretend you want to remote desktop into a particular PC from a hotel 1000 miles away. Remote Desktop commonly occurs over port 3389. If you try to connect without first telling your router about it, the connection will be refused. Typically, you fire up UPnP on your router so it opens the port for you when you start the remote desktop program and prepare for a remote connection. Or, you manually open port 3389 via a screen on your router and point the inbound traffic towards the PC you wish to remotely connect to.

Here’s the problem.

An open and forwarded port is a vulnerability, especially if UPnP controls the door. Assume a program that asks for an open port, which UPnP agrees to. That program turns out to be a security mess that a hacker trainee could breach. You lose.
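To make the NAT, SPI, port forwarding and UPnP behaviour described in this post concrete, here is a small Python model, added as an illustration and not taken from any router's firmware. The `Router` class, its method names and all addresses are constructed for the example; it also goes one step beyond the text by showing that, behind cascaded routers, an internet connection gets in only when both routers forward the port.

```python
from dataclasses import dataclass, field
WEB = ("203.0.113.80", 443)        # constructed web server (documentation range)
SCANNER = ("198.51.100.7", 55555)  # constructed internet scanner

@dataclass
class Router:
    """Toy NAT + SPI router; real routers also track protocol, timeouts, etc."""
    wan_ip: str
    upnp_enabled: bool = False
    nat: dict = field(default_factory=dict)       # wan_port -> (lan_src, remote)
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, lan_src, remote):
        """Swap the LAN source for the WAN address and remember the mapping."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[wan_port] = (lan_src, remote)
        return (self.wan_ip, wan_port)

    def inbound(self, remote, wan_port):
        """Return the LAN (ip, port) that gets the packet, or None if dropped."""
        entry = self.nat.get(wan_port)
        if entry and entry[1] == remote:       # SPI: a reply to something we sent
            return entry[0]
        return self.forwards.get(wan_port)     # a forward admits ANY source

    def forward(self, wan_port, lan_ip, lan_port):
        self.forwards[wan_port] = (lan_ip, lan_port)   # manual port forward

    def upnp_add_mapping(self, lan_ip, port):
        """Any LAN program may ask; the router asks for no credentials."""
        if self.upnp_enabled:
            self.forwards[port] = (lan_ip, port)
        return self.upnp_enabled

def single_router_demo():
    r = Router("192.0.2.10", upnp_enabled=True)
    public = r.outbound(("192.168.1.10", 12345), WEB)
    reply = r.inbound(WEB, public[1])          # solicited reply is delivered
    probe = r.inbound(SCANNER, public[1])      # unsolicited packet is dropped
    r.upnp_add_mapping("192.168.1.10", 3389)   # remote desktop program asks
    exposed = r.inbound(SCANNER, 3389)         # now any source reaches the PC
    return public, reply, probe, exposed

def cascade_inbound(outer, inner, remote, port):
    """An internet packet must pass the outer router, then the inner one."""
    hop = outer.inbound(remote, port)
    if hop is None or hop[0] != inner.wan_ip:
        return None
    return inner.inbound(remote, hop[1])

def double_nat_demo():
    outer = Router("192.0.2.10")
    inner = Router("192.168.1.2")              # WAN port sits on the outer LAN
    once = inner.outbound(("192.168.2.10", 12345), WEB)
    twice = outer.outbound(once, WEB)          # translated a second time
    reply = cascade_inbound(outer, inner, WEB, twice[1])
    inner.forward(3389, "192.168.2.10", 3389)
    inner_only = cascade_inbound(outer, inner, SCANNER, 3389)
    outer.forward(3389, inner.wan_ip, 3389)
    both = cascade_inbound(outer, inner, SCANNER, 3389)
    return once, twice, reply, inner_only, both

if __name__ == "__main__":
    print(single_router_demo(), double_nat_demo(), sep="\n")
```

The model matches replies on the exact remote address and port, which is stricter than some consumer routers; the point it makes about forwards does not depend on that choice.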

But, you say, how do they know I’m here? They know. Some ‘Internet Scientists’ from the University of Michigan relentlessly scan the internet searching for vulnerabilities. Similar ‘scholars’ from other schools do the same thing. So do kiddies with nothing better to do, so do hackers from China and other countries, and so do your basic internet criminals.

‘Russian Hackers’ is a phrase of political convenience and public manipulation. Today, the politicians hate Russia and want you to feel the same way. Not long ago it was mighty North Korean hackers. Before that the Chinese were 100 foot tall boogeymen. Hammering on about powerful xxxxx hackers is a fantastic way to manipulate public opinion. (Newspapers report what they’re told to report, otherwise they will lose access  to powerful politicians and have to work harder. This raises costs. It’s cheaper and easier just to go along.)

In real life, everyone is looking at everyone. They all look the same from your end. Only some have bad intent. The others are ‘scholars’ who test your vulnerabilities out of ‘academic curiosity’. You have no way of knowing which are the really bad guys, so it’s best to assume all want to do you harm.

Your home router is scanned over a hundred times per day. Don’t believe me? A package on my pfSense router called pfBlockerNG reports well over 200 scans from all over the world per hour, daily, on my home network. My router software tells me their IP addresses and country of origin. Most are not Russian. A free program called ZMap makes it trivial to accomplish these scans. Anyone can download it and, I suspect, thousands of ‘Security Researchers’ and hacker wannabes have. Other tools are available.

In the US, scanning is perfectly legal, too. 

Once someone finds an open port, you next need to hope they are either curious, innocent souls or they can’t do anything about it. (For a few days this week, September, 2015, my pfSense router was banged 1000’s of times a day by what I think was a UDP DDoS attack over the Tor network. Some special security software called pfBlockerNG and SNORT were like Superman and bullets to them. Why me? I don’t know. To them, I’m just another anonymous Comcast account. I use DDNS for OpenVPN and nobody knows the URL name. UPnP is off. Most likely, NAT and SPI would be enough to protect anyone with no open ports and a router with no unpatched vulnerabilities.)

Any time you have an open and forwarded / listening port, you need to know about it and accept the risk, mitigating it as best you can. Sometimes it’s just keeping the software behind the open port updated, such as OpenVPN server if a vulnerability is discovered. Some ports are PROBABLY OK if open, such as those normally associated with a slingbox. I have two and never see attacks on those ports. I’m guessing the Linux heritage of the slingbox, a probable security certificate, and the lack of anything valuable to steal makes them low on the hacker hit-list. If port 22 is open (it isn’t) and you have no certificate covering SSH access, you are facing uncertainty. That being said, there’s no law that says, someday, your smart internet connected thermostat or my slingbox won’t be altered anonymously from across the world to become a zombie attack computer.

I have no hacker skills. This makes me even more cautious about risks, since hackers are all both public nuisances and 100 foot tall boogeymen to me. I’m even more concerned about the risks yet to be discovered than the ones reported today and in the past.

If UPnP opens a port on your router because a friendly program on your PC asked it to, then you need to hope the program was not written by a thieving hacker, was not written poorly, is updated if a vulnerability is discovered, and is even needed by you. A successful hack can take your property or turn your computer into a zombie without you even knowing.

Finally, UPnP might give the world front door access to, for example, your network file server login page. More than once I Googled something and was presented with a list of addresses, one of which brought me to a login page. In one case I saw a QNAP login that looked identical to mine, which, BTW, is not accessible from the internet. Port forwarding combined with a very helpful Google search engine was the likely culprit for this incident.

The moral: Try not to use UPnP on your router. It may work fine for a while, but no good will ultimately come from it.

So how does one get to network resources from beyond the four walls of home? I use an OpenVPN server that’s built into my pfSense router. Top end Netgear and Asus routers and most software based routers you build at home also support OpenVPN. It gets me to the local LAN, from where I can get to anything just as easily as if I were sitting in my living room. My pfSense OpenVPN server is protected by encryption certificates, a user id that must match the common name on the certificate, the user id has been obfuscated by changing some stuff in the OpenVPN config folder, and multiple passwords. Each device has different certificates.

Some programs you use that phone home use devices on your network that maintain access with vendor servers. This bypasses SPI and UPnP. You go through the vendor to get inside your  network to their product. On one hand, that’s potentially safe. On the other, your home network is no safer than their servers and their front door to your network. Food for thought.

This is one I didn’t need experience to learn from. There’s lots of good advice on the internet warning about UPnP.

Build a Main Firewall / Router and Place It In a Virtual Machine

Background: A few months ago I built a home router and loaded pfSense. I used a small fanless PC motherboard (Supermicro with an Intel J1900 processor and twin Intel NICs), a 120GB SSD, 8GB RAM, and a mini ITX case. A less powerful configuration would have cost only a little less and this one was powerful enough to be put to a different use if needed. It works great. A Netgear R6400 is the wireless access point and an Asus TM-AC1900 serves as a wireless client bridge. A refurbished Netgear R6300V1 performs as an occasional base for a simple inside network (as of 1-1-2017). I wired my home with cat6 and put the home-made router in the basement. My elaborate wireless network is no more.

pfSense generally uses less than 5% of the processor capacity of my home built router. I thought it would be great to put pfSense in a virtual machine, load a version of Windows in another VM, possibly add a third VM for a home brew NAS, and create a super firewall / router / media server / NAS all in one box.

To me, this seemed like a great idea. There are a lot of people on the internet who warned of ‘security issues’ by putting a firewall in a VM, but none could provide details. It was just a bad idea and I should accept it at that. Normally, I never accept it at that. Sometimes Bad Idea means Bad Idea. Most of the time it means Go away. I don’t know and will never admit it to you. It’s a bad idea because I said so. Stop bothering me.

At first, I didn’t see the problem. The router controls the interface to the internet. If the router was down, the internet couldn’t connect so the network was safe. The host PC got its IP address from the router in the VM, so the router appeared to be in control of the network. The host PC was just along for the ride. The tail really was wagging the dog. Even ‘experts’ who replied to questions from others on various sites said it was probably safe and OK. None of the worry warts could explain why it was a bad idea.

I missed the elephant in the room.

Sometime that night, the obvious occurred to me. While the router may control the network when it is working, the cable modem, with its direct connection to the internet, will control the host PC if the router VM is out of service or the hypervisor is shut down. A PC with a direct connection to the internet and no firewall of any kind other than basic internet security software is a really bad idea. It’s like a house full of valuables without a lock on the front door. Showing prudence, I decided to assume the worst. The router was left as it was.

There is one big exception. Providing you have an independent hardware firewall facing the outside world, there is no issue if you decide to build a virtual router on an inside network. It can make perfect sense in a lot of cases, save money, and serve as an excellent hobby project.

Use Windows Server (Any Version) As a Desktop OS

A couple of years ago I decided to load Windows Server 2012 as my main operating system on a laptop PC. It had 8GB of RAM and a nicely powered third generation i5 processor. I thought it would be the best everyday operating system ever invented. This belief changed after a few months. Windows Server 2012 was removed and the Windows 7 Pro software that came with the laptop was reinstalled.

There’s no reason why a motivated and curious person shouldn’t try it, too. Just don’t expect it to be the best everyday OS you ever used. Servers are servers for a reason. They run programs most people never use, know about, or care about on a daily basis. They perform services the typical home user either never needs or can implement with less effort in other ways. The education required to make Windows Server work is extensive. The boot time is lengthy. They are designed to run 24/7 for a reason.

Loading the OS was difficult because the Windows desktop serial number was in the BIOS and Windows Server 2012 is not an approved OS as far as HP is concerned. It wouldn’t install like a normal OS, halting a couple of minutes in. I had to copy the DVD to a folder on my hard drive, add the serial number to a particular file in a particular folder, then rebuild a bootable Windows Server 2012 DVD before beginning the install. Normal people don’t automatically know how to do this. I spent several hours diagnosing and solving the problem.

Domain servers don’t like to have basic users playing solitaire or browsing the internet on them. In fact, you will find it difficult to create a user like a basic desktop user. This assumes you found out how to turn on the basic desktop features. Or turn off the security features that make Internet Explorer useless as an internet browser. Or turn on the audio. Or turn on the wireless.

You need special print drivers just to connect a basic printer. At one time there were few print drivers available for Windows Server 2012. There are probably more available now, but check to be sure once you decide on a new printer. There’s a fair chance your current printer won’t work with it.

Good luck finding an economical or free antivirus. Most that load easily on a normal PC won’t install on a server. I found one, but had issues reloading it later. AV designed for servers is very expensive. Server backups require a different approach and different software, although simple automated file backups aren’t too hard to figure out.

So far, I’m only describing issues at the workgroup level. If you decide to create a domain server, your adventure has only begun. Good luck, Indiana Jones.

Hint: Classic Shell works wonderfully and gives you a nice Windows desktop interface, even on Windows Server 2012. At least it worked for me. Server Manager is an impressive, well, server manager. It’s not designed to help you operate the server as a desktop PC. You’ll need a good desktop interface unless you really like to use the tiles and charms.

OK, you don’t mind the long, long boot times and you trust the other users as Administrators. You solved all the everyday issues and turned Windows Server into a credible desktop replacement. Now, how do you deal with the family when it continually whines about how long it takes to start the PC? Just because you don’t mind doesn’t absolve you of what the rest of the family thinks.

Best Wishes.

Hint: If you really want to play with Windows Server 2012 at home and implement advanced features to your heart’s content, put it in a VM. It will install nicely. In that way, you won’t bother anybody, or bother them a lot, and you can play all day. You can even add it to the home network by using the right kind of network connection on your VM. A DreamSpark download or a trial license will help you decide how badly you need this without cost.

____________________

One last thought. It doesn’t matter if the Good Idea turns out to be Really Great or Stinks So Bad You Can Smell It From Outer Space. All new ideas introduce problems you never thought of before. All change, good or bad, is an implementation of the Chinese greeting May you live in interesting times.
