WPA2 bugz - One Man's Quick & Dirty Response

John-Mark Gurney jmg at funkthat.com
Mon Oct 16 23:19:41 UTC 2017


Ronald F. Guilmette wrote this message on Mon, Oct 16, 2017 at 15:13 -0700:
> Just like everybody else on this list, I guess, I'm rather less than
> happy about the WPA2 story that has emerged within the past 24 hours.
> 
> Due to the announcement that WPA2 is, apparently, badly broken, I'm
> trying now to figure out how to lock down my home network a little
> better... as, I suspect, are many others all over the world... at
> least until the equipment vendors get around to issuing firmware patches.
> 
> Up until last night, when I read the WPA2 news, I just blindly trusted
> everything on my local network, with the result being that I've got
> an /etc/exports file, and also its Samba equivalent, that are making
> each of the several top-level directories that hold most of the stuff
> on my central FreeBSD "file server" machine available, without restriction,
> to the local subnet as follows:
> 
> #/etc/exports
> /home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /one -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /two -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /three -alldirs -network 192.168.1.0 -mask 255.255.255.0
> 
> (There's basically equivalent stuff also in my Samba config files.)
> 
> In light of the recent WPA2 disclosures, it has occurred to me that
> as of today it may be a Bad Idea for me to be exporting all of this
> stuff, read/write, to all of 192.168.1.0/24.

Doesn't matter; if your network is compromised, only strong encryption
and authentication will save you.  For this you need NFSv4+Kerberos,
SMBv3 (for which I have no clue how to ensure things are auth/enc'd) or
WebDAV over https for file sharing.

Restricting which hosts can mount doesn't solve the problem.

Also, w/ your config, you have to make sure your router does ingress
filtering, as many times you can spoof packets between subnets too...

> Of course, none of this is optimal... not like having real working
> WiFi security would be.  But in my specific case, if somebody manages
> to get in and fiddle, in arbitrary ways, with the communications between
> my WiFi devices... which mostly consist of just "home theater" type
> stuff in the living room... then it will be no biggie, just as long as
> whoever is doing it will, at worst, just have read-only access to my
> content files.

The best approach is to assume that the network is always compromised, and
that it's up to the nodes to protect the data...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
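As an added example (not code from this thread or from FreeBSD), a small POSIX sh audit of an exports(5) file that flags shares relying only on -network/-mask, the situation the reply above says offers no protection once the LAN itself is compromised. It assumes the FreeBSD exports(5) -sec= syntax (sys, krb5, krb5i, krb5p) and works on a constructed sample file built from the quoted config.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD exports(5), where
# -sec= lists accepted flavors: sys (no auth), krb5 (Kerberos auth),
# krb5i (+integrity), krb5p (+privacy). KDC setup is out of scope.

# Classify one export line by the weakest security flavor it accepts.
classify_export() {
    line=$1
    case "$line" in
        ''|'#'*|V4:*) echo SKIP; return ;;
        *-sec=*) ;;
        *) echo WEAK; return ;;         # no -sec: AUTH_SYS only
    esac
    sec=${line##*-sec=}
    sec=${sec%%[[:space:]]*}            # the flavor list, e.g. sys:krb5p
    case ":$sec:" in
        *:sys:*)   echo WEAK ;;         # sys still accepted: downgrade
        *:krb5p:*) echo OK ;;           # auth + integrity + encryption
        *:krb5i:*) echo INTEGRITY_ONLY ;;
        *:krb5:*)  echo AUTH_ONLY ;;
        *)         echo WEAK ;;
    esac
}

# Count non-OK exports in a file, listing each with its verdict on stderr.
count_weak() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        v=$(classify_export "$l")
        case "$v" in
            OK|SKIP) ;;
            *) n=$((n + 1)); printf '%s\t%s\n' "$v" "$l" >&2 ;;
        esac
    done < "$1"
    echo "$n"
}

# Constructed sample: two of the quoted exports plus hardened variants.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
#/etc/exports
/one -alldirs -network 192.168.1.0 -mask 255.255.255.0
/two -alldirs -sec=sys:krb5p -network 192.168.1.0 -mask 255.255.255.0
/three -alldirs -sec=krb5p -network 192.168.1.0 -mask 255.255.255.0
V4: / -sec=krb5p
EOF
count_weak "$SAMPLE_EXPORTS"
```

Note that listing sys alongside krb5p still lets a client negotiate the unauthenticated flavor, so the script counts that line as weak too.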