[SATLUG] Questions about home server security

Brad Knowles brad at shub-internet.org
Sun Feb 10 14:13:16 CST 2013


On Feb 10, 2013, at 12:35 PM, Frank Huddleston <fhuddles at gmail.com> wrote:

>  So what can you tell me? I guess I really mean, what can I tell him? Is this relatively safe for his LAN? Is there something I should do to make it safer?

If I was going to be running a server on someone else's home network, the first thing I'd want to do is make sure it's set up for VPN-only access.  That way, no one can get into the machine except through the VPN, which is a secure encrypted connection that you control (assuming the VPN software doesn't have bugs or backdoors).

The second thing I'd want to do is make sure that their home network router/gateway is capable of having two separate networks, one of which they could use for their own purposes and one which you could use remotely.  These should be distinct local networks without any overlap.  The local network you use at their site could be a "DMZ" network, if that is what the router/gateway vendor wants to call it.  But whatever they call it, it should be separate and distinct from the other network -- different RFC1918 local network ranges and everything.

Of course, everything you put on that machine in a remote location should be using an encrypted filesystem, too.


Beyond that, you're trusting that if/when there is a dawn raid on the house, the police will indiscriminately grab every single electronic device in the house, but when the technicians put everything back together in their lab they should discover that there was a "Chinese wall" between the two networks, and at least one set of those computers can be clearly identified as having no connection to the other set, and whoever owns those computers should be able to get them back in relatively short order -- maybe just a few months, as opposed to being held as evidence for years or decades.


At least, that is the way I would want to approach the situation.

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
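
The two checks described in the message above (separate, non-overlapping RFC1918 networks and VPN-only access), sketched as an added example that is not part of the original post. The subnets, the tunnel range 10.8.0.0/24, the VPN endpoint udp/1194 and the listener list are all constructed assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(net):
    """True if net lies wholly inside one of the RFC 1918 private blocks."""
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)

def check_segments(home_cidr, server_cidr):
    """Return a list of problems with the two-network plan (empty if sound)."""
    home = ipaddress.ip_network(home_cidr)
    server = ipaddress.ip_network(server_cidr)
    problems = []
    for name, net in (("home", home), ("server", server)):
        if not in_rfc1918(net):
            problems.append(f"{name} network {net} is not RFC 1918 space")
    if home.overlaps(server):
        problems.append(f"{home} and {server} overlap")
    return problems

def exposed_listeners(listeners, vpn_cidr, vpn_endpoint):
    """Return listeners that can be reached without going through the VPN."""
    vpn = ipaddress.ip_network(vpn_cidr)
    exposed = []
    for proto, addr, port in listeners:
        ip = ipaddress.ip_address(addr)
        if (proto, port) == vpn_endpoint:
            continue  # the VPN daemon itself has to face the local network
        if ip.is_loopback or ip in vpn:
            continue  # reachable only locally or from inside the tunnel
        exposed.append((proto, addr, port))  # wildcard binds land here too
    return exposed

# Constructed sample: (protocol, bind address, port) for each listening socket.
LISTENERS = [
    ("udp", "172.16.50.10", 1194),  # assumed VPN endpoint on the server network
    ("tcp", "10.8.0.1", 22),        # SSH bound to the assumed tunnel address
    ("tcp", "127.0.0.1", 5432),     # database on loopback only
    ("tcp", "0.0.0.0", 80),         # bound to every interface
]

if __name__ == "__main__":
    print(check_segments("192.168.1.0/24", "172.16.50.0/24"))
    print(check_segments("192.168.1.0/24", "192.168.1.128/25"))
    print(exposed_listeners(LISTENERS, "10.8.0.0/24", ("udp", 1194)))
```
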


