So now we don’t just have to be worried about politics and financial issues… we have to be concerned that our toaster will want to take part in world domination and that our vacuum cleaners will spy on us in an attempt to provide better advertising.
So how do we control these wild little things on our network?
Well, by introducing some basic security practices we can essentially lock down these crazy little security hazards. But first let's go over how they can connect.
What is a reverse shell?!
Let's say we are on a separate network and have to go over layer 3 (routers and L3 switches) to get to a different network. When we attempt to connect to a device on that network, we do so by its public IP and a port number, and that mapping is configured on their firewall.
So when we want to connect to 18.104.22.168 port 22, the firewall sees that and is configured to “forward the port” to a private IP address, for example 10.10.10.10.
If however this is not configured… you cannot connect to the internal device. Plain and simple.
A reverse shell is essentially getting the machine behind the firewall to contact you instead. This makes use of the firewall's trusting nature: if port 22 outbound is open, the reverse client can call out to a remote host that is configured and waiting for it. Once connected, the remote host can use the return port (the randomly chosen source port the router assigned to that outbound connection) to speak directly with the device and take control of it that way. This… is a reverse shell.
This… is also the fundamental principle behind drop boxes and all other devices which can “call home”, such as smart phones, smart TVs and now your internet-enabled web cams and smart devices for heating and electricity control.
Now we need to implement a few different mitigations. First we need to clarify what’s at risk.
- Your machines inside the network are at risk. Think of yourself as living with an unstable explosives expert.
- The internet is at risk from the devices being used in a DDoS fashion.
- Your privacy is at risk from devices snooping and using reverse shells to tunnel “usage data” back to their owners.
Mitigating the risk to your machines
Quite simply, by using VLANs we can segregate the risky assets from your home machines. By creating a different subnet, and even multiple SSIDs, we can quarantine the devices into their own subnets and prevent and/or control their communication with your local machines.
Stopping devices calling home and attacking other networks
Inbound rules are great, but outbound rules are overlooked. By locking down who can talk to what on the internet, you can stop devices sending their data to places you don't want.
Work on the principle of least privilege. Do you really need port 22 open to the whole internet, or just to a few servers? Why open 22 to every available address when you can add a rule that allows access to just those assets and lock down any other rebel machines attempting to make a reverse shell?
The only ports that spring to mind that ideally need to be open to everyone are 80 and 443 for website access, but the others can be somewhat toned down.
You don't need port 53 open to the whole world, especially when you use your router as the DNS server for your devices… so turn it off!!!
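The VLAN segregation and outbound least-privilege rules above can be checked against a router's "new connection" log before (or after) you commit them to the firewall. The following Python is an added example written for this post, not the author's code or any router product's; the addresses (10.10.10.0/24 trusted LAN, 10.10.20.0/24 IoT VLAN, 10.10.20.1 as the router and resolver on that VLAN), the log line format and the single allow-listed port 22 destination are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical home-network layout assumed for this example (not from the post):
# a trusted LAN, a separate IoT VLAN, and the router's address on the IoT VLAN,
# which is also the only DNS resolver the IoT devices are meant to use.
LAN = ipaddress.ip_network("10.10.10.0/24")
IOT_VLAN = ipaddress.ip_network("10.10.20.0/24")
ROUTER_ON_IOT = ipaddress.ip_address("10.10.20.1")

# Outbound destinations the IoT VLAN is explicitly allowed to reach on
# non-web ports. Constructed: one update server reachable on port 22,
# instead of "22 open to every available address".
EGRESS_ALLOWLIST = {
    (ipaddress.ip_address("203.0.113.10"), "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


# Assumed log format: "NEW src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_flow(line: str) -> Flow:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Flow(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)),
                m.group(3).lower(), int(m.group(4)))


def egress_verdict(f: Flow) -> tuple[str, str]:
    """Apply the post's policy to one new connection from the IoT VLAN.

    Returns (verdict, reason). Rule order matters: segregation first,
    then DNS only to the router, then web, then the explicit allow-list,
    and everything else is denied (least privilege)."""
    if f.src not in IOT_VLAN:
        return "ALLOW", "not an IoT-VLAN source; outside this policy"
    if f.dst in LAN:
        return "DENY", "IoT device talking to the trusted LAN (VLAN segregation)"
    if f.dst == ROUTER_ON_IOT and f.proto == "udp" and f.dport == 53:
        return "ALLOW", "DNS to the router's resolver"
    if f.dport == 53:
        return "DENY", "DNS to an external resolver; bypasses the router, possible DNS tunnel"
    if f.proto == "tcp" and f.dport in (80, 443):
        return "ALLOW", "web traffic"
    if (f.dst, f.proto, f.dport) in EGRESS_ALLOWLIST:
        return "ALLOW", "explicitly allow-listed destination"
    return "DENY", "unlisted outbound connection; possible call-home / reverse shell"


def audit(lines):
    """Parse every log line and attach the policy verdict to it."""
    return [(f, *egress_verdict(f)) for f in map(parse_flow, lines)]


# Constructed sample of new-connection log lines as a router might emit them.
SAMPLE_LOG = [
    "NEW src=10.10.20.15 dst=203.0.113.10 proto=tcp dport=22",   # allow-listed server
    "NEW src=10.10.20.15 dst=198.51.100.44 proto=tcp dport=22",  # port 22 to anywhere else
    "NEW src=10.10.20.22 dst=10.10.10.5 proto=tcp dport=445",    # IoT -> trusted LAN
    "NEW src=10.10.20.22 dst=10.10.20.1 proto=udp dport=53",     # DNS via the router
    "NEW src=10.10.20.22 dst=8.8.8.8 proto=udp dport=53",        # DNS bypassing the router
    "NEW src=10.10.20.30 dst=203.0.113.80 proto=tcp dport=443",  # ordinary HTTPS
    "NEW src=10.10.20.30 dst=198.51.100.9 proto=tcp dport=2222", # unknown outbound port
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  ({reason})")
```

Running it prints one verdict per line. The DENY lines are exactly the ones an outbound rule set built on these principles would drop, and the ones worth alerting on from the router's log: the port 22 connection to a host that is not on the allow-list, the IoT device poking at a LAN file share, and the DNS query that goes around the router. The same evaluation order translates directly into an ordered firewall chain.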
This is where we branch off and cover UTM devices, which essentially give you an IDS looking at all traffic going through your router and making sure it's kosher. These devices should be able to detect some sleight-of-hand countermeasures such as DNS encapsulation (tunnelling data inside DNS queries). If set up correctly they can also inspect SSL tunnels by acting as a form of proxy. Note this requires configuration of certificates, or else you get the nasty messages saying the certificates aren't valid, as they are likely going to be self-signed.
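As an added example of the kind of "DNS encapsulation" check a UTM or IDS would run over your resolver's query log (this is not the post's own code and not any vendor's detection logic), here is a Python heuristic in two layers: a per-query score for long, high-entropy labels, and a per-domain count of unique subdomains, which catches low-entropy chunks by their volume. The thresholds, the naive "last two labels are the registered domain" rule and every sample query name are constructed assumptions chosen for illustration.

```python
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain_part).

    Assumption: the last two labels are the registered domain. A real
    deployment would use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_query(qname: str) -> float:
    """Per-query score: data encoded into DNS names needs long labels and
    looks like base32/base64 text, so it scores on length and entropy.
    Ordinary hostnames ("www", "api.weather") score 0."""
    _, sub = split_name(qname)
    if not sub:
        return 0.0
    longest = max(len(label) for label in sub.split("."))
    ent = shannon_entropy(sub.replace(".", ""))
    score = 0.0
    if longest > 30:      # a single label carrying a chunk of data (max is 63)
        score += 1.0
    if len(sub) > 60:     # several such labels stacked in one name
        score += 1.0
    if ent > 3.5:         # encoded text; English-like labels sit nearer 2.5-3 bits
        score += 1.0
    return score


def flag_tunnel_candidates(qnames, per_query_threshold=2.0, unique_sub_threshold=20):
    """Return {registered_domain: [reasons]} for domains whose queries look
    like a tunnel, combining the per-query score with a volume check."""
    subs_by_domain = defaultdict(set)
    high_score = defaultdict(int)
    for q in qnames:
        dom, sub = split_name(q)
        subs_by_domain[dom].add(sub)
        if score_query(q) >= per_query_threshold:
            high_score[dom] += 1
    findings = {}
    for dom, subs in subs_by_domain.items():
        reasons = []
        if high_score[dom]:
            reasons.append(f"{high_score[dom]} query(ies) with long, high-entropy labels")
        if len(subs) > unique_sub_threshold:
            reasons.append(f"{len(subs)} unique subdomains (volume typical of tunnelling)")
        if reasons:
            findings[dom] = reasons
    return findings


# Constructed query log: three ordinary lookups, one name carrying two
# 32-character base32-alphabet labels (a stand-in for an encoded chunk),
# and 25 distinct low-entropy names under one domain.
SAMPLE_QUERIES = (
    ["www.example.com", "api.weather.example.net", "time.example.com"]
    + ["abcdefghijklmnopqrstuvwxyz234567.234567abcdefghijklmnopqrstuvwxyz.enc.example.net"]
    + [f"{i:040x}.t.example.org" for i in range(25)]
)

if __name__ == "__main__":
    for q in SAMPLE_QUERIES[:4]:
        print(f"{score_query(q):.1f}  {q}")
    for dom, reasons in flag_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"FLAG {dom}: {'; '.join(reasons)}")
```

The two layers are deliberately complementary: the high-entropy name is caught on its own, while the 25 hex-looking names each score only 1.0 (long label, but nearly all zeros) and are caught by the unique-subdomain count instead. In a real UTM these thresholds would be tuned per client against a baseline, since CDNs and some anti-spam services legitimately generate many long subdomains.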