Archive for November, 2008

Control your entire network from your iPhone!

Alternate title:  My Duh moment!

A month or so ago, Jaadu, a great VNC client for the iPhone that’s normally $24.99, went on sale. I believe it was $4.99 for a few short days. Even though I didn’t have an immediate need, I bought it anyhow, thinking it would come in handy soon enough.

Yesterday, I finally tried it out as a test of my WPA Enterprise connectivity on my Home wireless network. Now, I know just how good of a bargain I actually got! It works amazingly well, much better than the other iPhone VNC clients I had previously tried.  In all my use so far, it hasn’t crashed (unlike the competition), or locked up my phone (again, like the competition).  The only thing I’ve seen wrong so far was that I lost the cursor once.  I’m not sure if that was a bug, or my fault, honestly.  Simply reconnecting fixed it.

Anyhow, this got me to thinking how convenient it would be to control my home network from anywhere.  Since I work in the network field, I’m very security oriented, so I was hoping for some security built into Jaadu, but it is a fairly standard VNC client, so everything is sent unencrypted.  I read a bit about Jaadu Connect, which is their simple way to get a PC or Mac set up so that you can connect to it via Jaadu across the Internet.  It looks like it automatically configures your router to handle port forwarding, etc.  Jaadu Connect doesn’t add anything in the way of security, so if someone happens to connect to your VNC port and can guess your VNC password, they will be in complete control of the target machine.  It’s not that I think that’s extremely likely, but cyber-criminals do frequently scan the Internet for open ports, and if there is any way that they might be able to determine that a VNC client is running on the other end, they could potentially try a dictionary attack.  Yea, so I’m paranoid.  That’s probably why I’m good at my job.

Oddly enough while I was out eating dinner tonight, it struck me.  Duh!  The iPhone supports VPN!  This is one of those features that I read about, thought “That’s nice – it could be useful”, and never bothered trying.  Here I am trying to think of “outside the box” ways to secure VNC, when it’s built right into the iPhone!  I’m so used to things being difficult, I overlooked the obvious!

So, when I got back home this evening, I enabled the L2TP server on my Safe@Office, gave it a strong passphrase (generated via 1Password’s great password generator), added the VPN permission to my iPhone’s user account, and added a rule to let VPN users do stuff on my network.  After that, it was a simple matter of setting it up on the iPhone, and BAM!  I can now connect over AT&T’s 3G network securely back to my Home network, and remote control my machines via my phone from anywhere within the AT&T coverage area.

I did have to lower the color setting to “Hundreds” instead of the “Thousands” I was getting over WiFi, but with that setting in place, it performs at an acceptable speed.

November 23, 2008 at 1:00 am 1 comment

Sofaware’s 8.0.35x is here! WPA Enterprise here we come!

Sofaware is the company behind the CheckPoint Safe@Home, Safe@Office, and the ZoneAlarm appliances. Anyone who happens to have a current license and has their appliances set to auto-upgrade will have had a surprise sometime Thursday. The latest version of firmware has gone GA, as in Generally Available.

This version adds a number of nice new features, but none of them were more important to me than the built-in WPA Authenticator. What does that mean? Assuming you have the appliance with built-in wireless capability, you can now run WPA Enterprise level encryption. Previously, you could have done it as well, provided you had a Radius server laying around and some serious time on your hands to configure it. With the new firmware, it’s all in one nice little low-power-consuming package: The best protection currently available for wireless networks right in the same box with the wireless hardware (not to mention a great little firewall).

Now, I’ve dealt with WPA Enterprise before, many times. My old friend ZeroShell is what I recommend to anyone looking to secure a small office or home wireless network, if they are serious about security. With that said, I’ve not had a great need for wireless access in my home, and I’ve since taken down the ZeroShell box to put that hardware to other use (yes, it was running in a VM, but that whole box is now engaged in other activity).

Anyhow, Installing WPA Enterprise is not a trivial task normally. The docs they give you make it a very streamlined process, though. Here’s a quick run down of what the docs tell you to do:

1. Configure the wireless network for “802.1” or “WPA-Enterprise” with the Authentication Server field set to “Internal User Database” (not RADIUS).
2. Make sure there is a cert installed on the VPN -> Certificate page. (Generate a new certificate here if you aren’t sure, because if old certs exist, these docs say it won’t work.)
*** 3. Export the CA certificate via the Export function ***
4. Add each user into the local user database
5. Configure the wireless clients (which includes installing the CA cert you exported above)
6. Finally, connect.

Sounds easy, right? Well, step 3 was a doozie. While I successfully exported the cert many times, I’ve yet found anything you can do with that cert. The iPhone Configuration Utility didn’t recognize it as a CA cert. In fact, it thinks there is a password on it. Elsewhere in the docs, it states that there isn’t a password, so I was a bit unsure of what to do next. I even tried some openssl commands to try to convert it from one format to another, but ended up with “Bus Errors” of all things after the “Enter Import Password” prompt, no matter when I put in as the password.

After spending an hour or so and failing miserably, I remembered one interesting difference between Windows and Mac machines that I previously discovered when working with WPA Enterprise. XP machines need the CA cert installed before you can even think about connecting to a WPA Enterprise network, but Macs kindly download the CA cert and ask you if you want to trust it. After thinking about this a bit, I thought that perhaps I could use that CA cert instead of the useless one I exported via the web interface of my Safe@Office. So, I connected via my Mac. It presented me with a certificate, which I trusted. Afterward, I loaded the “Keychain Access” application and found it in my Certificates category. I then exported it from there to .cer format and added the resulting file to the iPhone Configuration Utility. It was finally recognized as a CA cert. I saved off that configuration, sent it to my iPhone, and within moments I was connected via WiFi.

I’m not sure if there is a problem with the way it exports the certificate, or just what, but I’m very happy that there was an alternate way to get it via my Mac. (Who knows, perhaps Vista works this way too, but since I only run Vista on a dev machine at work, I don’t know.)

Aside from this big addition, the new firmware also has a built-in DNS server, which is something I’ve wanted ever since I got this device. It has some new AntiSpam features, support for BGP, and a new dashboard screen, which shows you details on the processor and memory utilization, among other things. There are a number of other enhancements, but that covers the highlights. Overall, I’d say it’s a worthwhile upgrade. Keep it up Sofaware!

November 22, 2008 at 1:03 am Leave a comment

Red Alert! WPA Hacked!

Don’t delay!  Switch to WPA2 today!

For those of you unaware, WPA has been hacked.  As I understand it, it’s not exactly a great hack yet, but a pretty big flaw in TKIP has been uncovered.  It only takes about 12-15 minutes for this hack to work, too, unlike the dictionary attacks that are out there.  By the way, the WPA hack code is already incorporated into a few programs that are widely available on the Internet.  While this hack doesn’t exactly blow your WPA network wide open yet, you should still take notice.  The key word in that last sentence is “YET”.  It’s probably only a matter of time until this hack will make WPA protected networks as easy to hack into as WEP protected networks are today.

Wait a second, you say – What the heck is a TKIP and how did I get one?  TKIP is an acronym for Temporal Key Integrity Protocol.  Think of it as the default encryption mechanism that WPA uses.  WPA can also be configured to use AES, a much stonger technology, instead of TKIP.  Chances are good that if all of your wireless devices support WPA/AES, they also support WPA2.  So, if you are going to change anything at all because of this hack (which I highly recommend), you should simply change to WPA2, which only allows the use of AES.

If you want a very technical discussion on exactly what is currently known about this hack, this article on Ars-Technica goes into great detail.

November 8, 2008 at 10:51 am Leave a comment


November 2008

Posts by Month

Posts by Category