Sunday, August 11, 2019

Using a MikroTik cAP as a Home Wireless Access Point

My people have no tradition of proofreading.  —Ken White

Beware: if you follow these instructions and then expose your device to the Internet, it will be hacked immediately. The instructions that follow are for installing the cAP inside an already firewalled network.  You have been warned!

The MikroTik cAP

The MikroTik cAP is a very cool device.  It's about the size and shape of a smoke detector and can be easily ceiling-mounted in any location that you can reach with an Ethernet cable.  It's a PoE device, so the wall wart that powers it can be in a network closet, or, in my case, in the garage, where there's a UPS.  The trouble is, it's a router, running the full RouterOS product.  It's designed to be plugged directly into the ISP's interface device and be the only source of Internet where it's installed.  I wanted to use it as a wireless access point in a mostly-wired network, and there was the rub!

Initial Access

You will need a wireless device with a reasonable screen and keyboard, like a laptop.  Out of the box, the cAP's configurator is accessible only through the wireless interface.  That makes sense if the Ethernet interface is exposed to the wilds of the Internet, but it makes initial access hard.  The setup guide says you can associate with the cAP and it'll give you a compatible address via DHCP.  That didn't work for me.  Neither did MikroTik's Winbox software.

So, set your wireless device to a fixed address of 192.168.88.88 with netmask 255.255.255.0, a gateway of 192.168.88.1, and no DNS.  Fire up the cAP and cause the laptop to associate with it.  Now you can open 192.168.88.1 with a web browser and you will get the web interface.  If you make a configuration mistake, you can get back to this state by holding the reset switch of the cAP while powering on and for five seconds afterward, until the LED starts to flash.

Gather Information

I suggest assigning a fixed internal address to the cAP, so you'll need an IPv4 address that's not in your DHCP pool. You will also need your IPv4 netmask, the address of your default gateway, and the addresses of your DNS server(s).

If, at this point, these instructions "seem complicated" you have overextended yourself.  The cAP is not really a consumer device.  Return it and get a consumer AP.

Configuration

Everything I read warned me not to mix changes to the Webfig interface with changes to the Quick Set interface.  I wasn't able to accomplish everything that way.  Here are the steps.

Set DNS: Click Webfig (top right) then, in the menu at the left, IP and then DNS.  Add the addresses of your DNS servers.  Click the down-triangle to add more addresses.  Click the "Apply" button.

Delete the firewall rules:  Still in Webfig and IP, click Firewall.  Delete all the rules except "drop invalid" and "special dummy rule to show fasttrack counters" by clicking the tiny minus-sign button before each rule.  This will allow future configuration through the Ethernet interface.  It also means that every host able to reach the cAP, on any interface, can reach its management services (web, Winbox, SSH).  If you expose the Ethernet interface to the Internet, that includes the whole Internet, and your AP will be hacked.

Return to Quick Set by clicking the button at the top right.  Leave the pull-down at the top right set to "WISP AP," the default.  Set each of the following:

Network name:  This is the service set identifier (SSID) that the cAP will broadcast.

Set network security:  Check "wpa2" and "aes ccm" unless you have very old devices that need WPA or TKIP, in which case check those, too, and plan to replace the old devices!  In "WiFi password" put the preshared key.  It should be long but easy to type.  Four Diceware words will give almost 52 bits of entropy.  (Note that an attacker needs to be within radio range of the cAP to capture a WPA2 handshake, but once captured the handshake can be attacked offline, which is why the key needs to be long.)

You can later set up a MAC access control list from the "Wireless" selection of Webfig if you like.

Set network parameters and admin password: Under "Configuration" select "bridge."

Under "Bridge" choose "Static" and fill in the IP address the router is to have, the netmask, and the default gateway.  DNS servers were set earlier.

Fill in the router administrative password twice.  (Make this a good one: an adversary who gets past the preshared key, or, with the firewall rules gone, anyone on the wired network, can then try to brute-force the administrative password.)  The two password fields will be replaced by a "Password" button after the password has been set and the configuration applied.

Apply the configuration: Click the "Apply configuration" button.  You will lose your connection to the router because its IPv4 address has been changed.  You can now remove the fixed address from your laptop and browse to the IP address you just set from a wired or wireless connection to your network.
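As an added example, not from the original post, here is the same configuration expressed as RouterOS CLI commands and pushed over SSH from the laptop that is associated with the cAP at 192.168.88.1, which sidesteps the problem of mixing Webfig and Quick Set.  It assumes RouterOS 6.x default names (a bridge named "bridge", wired port ether1, radio wlan1, security profile "default"), SSH enabled on the cAP (the default), a /24 management network, and a console that accepts ';' between commands in a one-shot session.  One deliberate departure from the post: instead of deleting the firewall rules it inserts a single accept rule for the management subnet ahead of the existing input rules, so the rest of the default firewall stays in place.  The SSID, addresses and passwords in the comments are made-up values.

```shell
#!/bin/sh
# Added example, not from the original post: the Webfig/Quick Set steps as
# RouterOS CLI commands, pushed over SSH from the laptop associated with the
# cAP at 192.168.88.1.  Assumed (RouterOS 6.x defaults): bridge named
# "bridge", wired port ether1, radio wlan1, security profile "default", SSH
# enabled, a /24 management network, and a console that accepts ';' between
# commands in a one-shot session.

# Entropy of an n-word Diceware passphrase (7776-word list), in bits.
diceware_bits() {
    LC_ALL=C awk -v n="$1" 'BEGIN { printf "%.1f", n * log(7776) / log(2) }'
}

# WPA2 passphrase: 8 to 63 printable ASCII characters.  '"' and '\' are
# rejected only because they would need escaping inside the RouterOS command.
check_psk() {
    psk=$1
    [ "${#psk}" -ge 8 ] && [ "${#psk}" -le 63 ] || return 1
    printf '%s' "$psk" | LC_ALL=C grep -q '[^ -~]' && return 1
    printf '%s' "$psk" | grep -q '["\\]' && return 1
    return 0
}

# Emit the configuration.
# Arguments: SSID PSK address/24 gateway dns-list admin-password
# Order matters: the address change comes last because it ends the SSH
# session.  The management accept rule is placed before the first existing
# input rule; the [:pick [find ...] 0] idiom is assumed to yield that rule's id.
routeros_script() {
    ssid=$1 psk=$2 addr=$3 gw=$4 dns=$5 admin_pw=$6
    check_psk "$psk" || { echo "PSK must be 8-63 printable ASCII characters" >&2; return 1; }
    net="${addr%.*}.0/${addr#*/}"   # management subnet; correct for a /24 only
    cat <<EOF
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="$psk"
/interface wireless set wlan1 ssid="$ssid" security-profile=default
/ip dns set servers=$dns allow-remote-requests=no
/ip firewall filter add chain=input action=accept src-address=$net comment="management from LAN" place-before=[:pick [find chain=input] 0]
/user set admin password="$admin_pw"
/ip dhcp-client remove [find interface=ether1]
/ip dhcp-server remove [find]
/ip firewall nat remove [find]
/interface bridge port add bridge=bridge interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=$gw
/ip address set [find interface=bridge] address=$addr
EOF
}

# Push the script to the cAP in one SSH session (CAP_HOST overrides the
# default wireless-side address).  The session drops at the final command,
# exactly as the post describes for "Apply configuration".
apply_to_cap() {
    script=$(routeros_script "$@") || return 1
    ssh "admin@${CAP_HOST:-192.168.88.1}" "$(printf '%s\n' "$script" | paste -sd ';' -)"
}

# Example with made-up values:
#   apply_to_cap HomeNet 'eject tulip grove kettle' 192.168.1.2/24 \
#       192.168.1.1 192.168.1.1,1.1.1.1 'Adm1n-pa55word!'
```

After the last command takes effect, reconnect at the new address from the wired network.  The passphrase and admin password travel on the command line, so clear your shell history afterwards; if the cAP still has its factory-empty admin password, expect ssh to prompt once.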

Update the RouterOS Software

Return to the router, log in, and on the Quick Set screen, press the "Check for Updates" button.   If an update is offered, apply it by clicking the "Download&Upgrade" button.

Optimize WiFi Performance

Author 'gryzli' has written a guide for optimizing RouterOS WiFi performance.  He's absolutely right about the WiFi Analyzer app for your Android phone.

It is unfortunate that RouterOS uses frequencies rather than channel numbers.  Wikipedia has a list of channels and frequencies; the rule is that 2.4 GHz channel n is centered at 2407 + 5n MHz for channels 1 through 13 (channel 6 is 2437 MHz; channel 14, where it is permitted, is 2484 MHz), and 5 GHz channel n at 5000 + 5n MHz (channel 36 is 5180 MHz).


Copyright © 2019 by Bob Brown
Using a MikroTik cAP as a Home Wireless Access Point by Bob Brown is licensed under a
Creative Commons Attribution-ShareAlike 3.0 Unported License.

Sunday, July 28, 2019

Thoughts About Cloud Storage

There is no cloud, only a bunch of computers you don't own, run by people you don't know.  Anonymous
My people have no tradition of proofreading.  —Ken White

 
TL;DR:  Cloud storage might be suitable for storing backups provided one can afford the storage space and bandwidth needed.  It is not suitable for storing the only copy of anything.  Data stored with a cloud service must be encrypted using strong encryption to protect it from disclosure.  Cloud resources must never be set up as an "always on" mapped drive.

Cloud Storage and How it is Used

Cloud computing, or cloud storage, isn't really just a bunch of computers you don't own.  It isn't just "on the Internet," either.  It's a lot of computers and some very clever software that, together, have six important characteristics:
  1. Self service:  When you establish a "cloud" account, there's no human intervention at the other end.  That's convenient because there's no waiting to set up an account, add storage, etc.  It's also crucial to keeping the cost down.
  2. Excellent network access:  A cloud provider might serve millions of subscribers and must provide sufficient speed and responsiveness that the customer's connection, not the cloud provider's, is the bottleneck.
  3. Elastic scalability:  People can make new accounts, or decide to add hundreds of gigabytes to their storage allocation, and the infrastructure must deal with that.  (But, note that paying for 100 GB of storage doesn't mean 100 GB is immediately allocated to you; that doesn't happen until you use it.)
  4. Resource pooling: The necessary scalability is achieved by sharing massive resources among many subscribers.  For the big cloud providers, "many" means millions or tens of millions.  The principle of multi-tenancy means your data will share disk space and CPU cycles with that of many others.  It's up to that clever software to keep things separate.
  5. Redundancy:  The cloud provider will keep multiple copies of customers' data on different servers; failure of a single server, or even of several, will not compromise the data.  The really big cloud storage providers keep redundant copies across multiple data centers.
  6. Measured service:  This implements the principle of paying for what one uses.  Google will provide 15 GB free; beyond that, there's a charge.  For cloud storage, generally what's measured is storage used.  Other cloud services might also measure CPU seconds, transfer bandwidth used, or other resources.
With all of that, cloud storage might seem to be the perfect answer to limited storage and disk failures for consumers.  Not so fast.  We need to consider the way we use cloud storage, the properties of a secure system, and the causes, probabilities, and consequences of failure.

There are two ways one could use cloud storage: as primary storage and as backup storage.  When cloud storage is used for primary storage, the only copies of data are those "in the cloud." Failure of the cloud storage means irretrievably lost data.  If cloud storage is used for backup, the operational copy of data is stored elsewhere, usually on local drives.  Both the local storage and the cloud storage would have to fail to cause loss of data.

Cloud storage can also be used for file sharing.  Shared files are still either primary or backup, depending on whether another copy exists.

Security and Threats

The security of a system can be measured by three properties:
  1. Confidentiality is the condition that data have not been revealed to unauthorized people.
  2. Integrity means data has not been altered or destroyed.
  3. Availability means data can be used by authorized people when needed and with suitable response time.
To analyze the security of any system, we need to analyze the threats to the confidentiality, integrity, and availability of its data.  Broadly, those threats are disclosure, alteration, and denial.



I rate the risk of disclosure as high.  All major cloud storage providers scan uploaded files for contraband, specifically for child pornography.  Dropbox, and possibly others, scan shared files for material protected by copyright.  Even if you are absolutely certain you have no electronic contraband, a false positive could lead to law enforcement action.  Resource pooling and multi-tenancy mean one subscriber's data could be accessible to others in the event of a software error.  Poorly protected accounts, e.g. by weak passwords, could make data accessible to malicious outsiders.  Finally, a configuration error by the subscriber could share data not intended to be shared; this is probably the most likely risk.

The risk of alteration is low; the nature of cloud storage protects the integrity of data.  An exception might be a configuration or software error that erroneously makes data shared and writable by others, or a malicious attack on a poorly protected account.

The risk of denial is medium.  Although redundancy and good network access mean that data will likely be available from the cloud provider, access also requires that the customer network be functioning.  Failure of the cloud provider's business could make data unavailable.  That need not be a financial failure; provider Megaupload was shuttered by United States law enforcement authorities and the stored data became permanently inaccessible.  Some cloud providers assert the right to remove files that violate their terms of service.  Finally, if a cloud drive is "mapped," that is, set up to be viewed by the customer's operating system as a local resource, malicious software known as ransomware could render the contents inaccessible by encrypting the data.

Using cloud storage effectively

If cloud storage is used as primary storage, alteration or denial results in irrecoverable loss of data, because there is no other copy to fall back on, and disclosure cannot be undone.  Cloud storage must never be used for primary storage.

If cloud storage is used for backup, the consequences of alteration or denial are less severe; one is without backup until the situation is corrected.  However, denial caused by ransomware could make both primary storage and backup inaccessible.

For backup data, the consequences of disclosure are severe.  Even if disclosure does not lead to investigation by law enforcement, a backup contains everything in primary storage, so all of it is disclosed.  That could include financial user IDs, account numbers, and passwords, medical information, and other confidential data.  That leads to two conclusions:
  1. Cloud storage used for backup must never be "mapped" as a disk drive accessible to the operating system in order to protect it from malicious software.
  2. Backup data on cloud storage must be protected by strong encryption to protect against inadvertent disclosure and scanning by the cloud provider.

Other considerations

Encryption:  The only safe encryption is that for which you generated and hold the encryption key.  If the cloud provider holds the encryption key, you are trusting them not to unlock your data.  A strong encryption algorithm is needed; I recommend AES with a 128-bit key, in an authenticated mode such as AES-GCM or with a separate MAC, so that an altered backup is detected before you restore from it.  Suggestion: keep copies of the crypto key on two separate USB drives stored in different buildings; do not keep a copy on the system being backed up.
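An added example, not from the original post, of what the two conclusions above (strong encryption, key held by you) look like in practice: encrypting a backup archive with the openssl command-line tool before anything is uploaded.  It follows the post's AES-128 recommendation (PBKDF2 derives the 128-bit key from the first line of a key file you generate) and adds an HMAC-SHA256 tag computed with a second, independent secret, so that an altered or corrupted backup is detected before any decryption is attempted.  The key file is what goes on the two USB drives; the .enc and .hmac files are what goes to the cloud.  It assumes OpenSSL 1.1.1 or later (for -pbkdf2) and a POSIX shell; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.  Client-side encryption of a
# backup archive with a key the user generates and holds, using openssl
# (1.1.1+ for -pbkdf2).  Key file layout: line 1 = passphrase from which the
# AES-128 key is derived (PBKDF2), line 2 = independent HMAC-SHA256 key.

PBKDF2_ITER=200000

# Create the key file (two independent 256-bit secrets, hex encoded).
# Copy it to offline media; never keep it with the backup or on the machine
# being backed up.
make_keyfile() {
    { openssl rand -hex 32; openssl rand -hex 32; } > "$1"
    chmod 600 "$1"
}

# Encrypt plaintext $1 with key file $2 into $3, and write the tag to $3.hmac.
# Encrypt-then-MAC: the tag covers the ciphertext, so it can be checked before
# any decryption happens.  "-pass file:" uses only the first line of the file.
encrypt_backup() {
    openssl enc -aes-128-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$2" -in "$1" -out "$3"
    openssl dgst -sha256 -hmac "$(sed -n 2p "$2")" -r "$3" | cut -d' ' -f1 > "$3.hmac"
}

# Verify $1 against $1.hmac with key file $2, then decrypt into $3.
# Returns non-zero and writes nothing if the tag does not match.
verify_and_decrypt() {
    expect=$(cat "$1.hmac")
    actual=$(openssl dgst -sha256 -hmac "$(sed -n 2p "$2")" -r "$1" | cut -d' ' -f1)
    if [ "$expect" != "$actual" ]; then
        echo "HMAC mismatch: $1 was altered, or this is the wrong key" >&2
        return 1
    fi
    openssl enc -d -aes-128-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$2" -in "$1" -out "$3"
}

# Usage (placeholder names):
#   make_keyfile backup.key
#   encrypt_backup photos-2019.tar backup.key photos-2019.tar.enc
#   verify_and_decrypt photos-2019.tar.enc backup.key photos-2019.tar
```

Two caveats a practitioner should know: the HMAC key is passed as a command-line argument, so it is briefly visible in the process list on the machine doing the backup, and a scheme like this is only as good as the handling of the key file.  A backup program that does authenticated client-side encryption for you is preferable where one is available; this shows what such a program has to get right.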

Storage size and cost: A 500 GB laptop drive will need at least 2 TB of backup space to do progressive backups.  That would be $50-75 if paid annually.

Bandwidth:  Upload speed is the constraint, and it is usually far lower than the advertised download speed.  At a DSL upload rate of about 1.5 Mb/s, the 300 GB on a 500 GB drive that's 60% full takes more than two weeks to upload (300 GB × 8 bits ÷ 1.5 Mb/s ≈ 18.5 days); at 10 Mb/s it still takes nearly three days.  A 15 GB progressive backup takes about 22 hours at 1.5 Mb/s and over three hours at 10 Mb/s.  To use cloud storage effectively for backups, you'll likely need an upload speed of 50 Mb/s or more, which brings the 300 GB initial upload down to about 13 hours and the 15 GB progressive backup to about 40 minutes.

Account security: Use a strong password to protect your cloud account.  Choose a provider that offers two-factor authentication.  If possible, use a physical token like a YubiKey or an app that generates one-time passcodes; passcodes sent by text message are not secure because of SIM-swapping attacks.



Copyright © 2019 by Bob Brown
Last update: 2021-02-22

Thoughts About Cloud Storage by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.