[qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-21 Thread Me
amadaus:
> amad...@riseup.net:
>> We see much correspondence in these forums about installing a VPN within
>> Qubes. Surely, the most secure place for VPN is to install on a Router?
>> I say these things after reading the following paper [
>> https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of
>> hackers demonstrate that the majority of routers (in particular those
>> provided by ISPs) have backdoors to government agencies. These
>> adversaries are able to attack our LAN and its devices, including the
>> ability to intercept VPN and Tor traffic.
>> The solution they say is to isolate these rogue routers in the
>> Militarized Zone by creating a DMZ [demilitarized zone]. Achieved by
>> installing a 2nd router [flashed with open source firmware such as
>> OpenWRT]. It is here, on the router, that we should enable and run OpenVPN.
>> Thoughts on this paper and its conclusions are welcomed.
>>
> Thanks everyone for your contributions.
> Implicit in most of your replies is a distinct distrust of the
> modems/routers provided to us.
> If anyone is interested, the solution we adopted to securing our LAN is
> copied from this blog;
> https://tokyobreeze.wordpress.com/2015/02/01/create-a-nsa-and-hacker-proof-home-network-that-you-control/
> This guy uses a couple of cheap routers loaded with OpenWRT which sit
> behind his infected Modem. His 2nd router utilises OpenVPN Client and is
> configured to protect "high value" devices.
> We've successfully copied this configuration and it seems!! to work. -
> unless you know better??
> 
The blogger is correct; the best place to install OpenVPN is within
OpenWRT on a router. As well as helping protect incoming and
outgoing traffic to your Qubes device, it can help protect smart phones,
tablets & IoT devices from being attacked and employed for Denial of
Service purposes.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/32bb2ecc-7e3f-3a88-c3da-834a5500b585%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-15 Thread amadaus
amad...@riseup.net:
> We see much correspondence in these forums about installing a VPN within
> Qubes. Surely, the most secure place for VPN is to install on a Router?
> I say these things after reading the following paper [
> https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of
> hackers demonstrate that the majority of routers (in particular those
> provided by ISPs) have backdoors to government agencies. These
> adversaries are able to attack our LAN and its devices, including the
> ability to intercept VPN and Tor traffic.
> The solution they say is to isolate these rogue routers in the
> Militarized Zone by creating a DMZ [demilitarized zone]. Achieved by
> installing a 2nd router [flashed with open source firmware such as
> OpenWRT]. It is here, on the router, that we should enable and run OpenVPN.
> Thoughts on this paper and its conclusions are welcomed.
> 
Thanks everyone for your contributions.
Implicit in most of your replies is a distinct distrust of the
modems/routers provided to us.
If anyone is interested, the solution we adopted to securing our LAN is
copied from this blog;
https://tokyobreeze.wordpress.com/2015/02/01/create-a-nsa-and-hacker-proof-home-network-that-you-control/
This guy uses a couple of cheap routers loaded with OpenWRT which sit
behind his infected Modem. His 2nd router utilises OpenVPN Client and is
configured to protect "high value" devices.
We've successfully copied this configuration and it seems!! to work. -
unless you know better??



Re: [qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread Chris Laprise

On 11/13/2016 04:38 AM, Sec Tester wrote:

> I guess the main benefit to having VPN on router is it takes that overhead off the
> PC's CPU & memory.
>
> But the paper is right, a lot of network hardware is backdoored. Especially the
> Cisco stuff. And I'm suspicious of the Chinese stuff too.
>
> We should endeavor to run open source routers. But I'm not aware of any open
> source modems? I'm actually surprised someone hasn't cracked the proprietary DSL
> code and leaked an open source modem.
>
> I bet we would not like what we found in their proprietary code :/
>
> Having a VPN-Proxy-VM offers the flexibility to choose what VMs directly connect
> to the internet, and which VMs are routed through the VPN which is nice.
>
> I've set my VPN-Proxy-VM using a minimal template, to further reduce the attack
> surface.
>
> You can also run the whonix-gw over the VPN, or vice versa.
>
> I imagine since Snowden said to the world he uses Qubes OS, the NSA have had
> their team looking for ways in. I think Qubes can be hardened much more than it
> currently is.



It's not just backdoors... IIRC the NSA and probably other groups greatly 
prefer to attack routers for some reason. I think the reason is they are 
generally neglected and insecure.


Quite frankly, there is all too much insecurity to go around... and I 
don't even think software is the worst culprit anymore. We're all using 
souped-up ancient architectures that expose us to things like 'DRAMA' 
and it seems there is little-to-no innovation with respect to more 
secure hardware architecture. Qubes tries to propose new architecture in 
software, but I worry even it may not be enough.


Router vs laptop: If we regard a well-maintained OpenWRT router as more 
secure than Qubes on a laptop, then we've given up on link encryption in 
our applications (HTTPS, ZRTP, etc.) by implication. Then the only way 
to have reliable link encryption is to have everyone we communicate with 
sitting at home connecting to a single VPN server... each from their 
router-bound VPN clients... tethered by an ethernet cable between router 
and PC. Egads.


Chris



[qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread Sec Tester
I guess the main benefit to having VPN on router is it takes that overhead off
the PC's CPU & memory.

But the paper is right, a lot of network hardware is backdoored. Especially the
Cisco stuff. And I'm suspicious of the Chinese stuff too.

We should endeavor to run open source routers. But I'm not aware of any open
source modems? I'm actually surprised someone hasn't cracked the proprietary DSL
code and leaked an open source modem.

I bet we would not like what we found in their proprietary code :/

Having a VPN-Proxy-VM offers the flexibility to choose what VMs directly connect
to the internet, and which VMs are routed through the VPN which is nice.

I've set my VPN-Proxy-VM using a minimal template, to further reduce the attack
surface.

You can also run the whonix-gw over the VPN, or vice versa.

I imagine since Snowden said to the world he uses Qubes OS, the NSA have had
their team looking for ways in. I think Qubes can be hardened much more than it
currently is.
