 
 From:  Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Webcam and captive portal.
 Date:  Thu, 03 Mar 2005 11:41:54 +0100
On Thu, 2005-03-03 at 07:38, Chris Buechler wrote:
> You can't.  Embedded devices of that nature tend to lack a resilient
> TCP/IP stack, or have OS or other issues that make them fall down
> under abuse pretty easily.  On some of them, a simple port scan will
> knock them off the network, at which point an attacker can assume its
> MAC and IP address.

Well, I hadn't thought of that situation ;-)

My idea is to ...

1) set the cam up on a fixed IP via the DHCP server, bound to the
MAC address

2) as the cam cannot authenticate to the captive portal, I have to allow
it access by
2a) setting it up with MAC pass-through
2b) setting Allowed IP addresses to allow connection from the server to
the cam (in practice that would be the entire WLAN segment)

3) pull the images from the cam, and check if it's actually an image and
if it's the correct size (to minimize the risk of hijacking)


As for 2a), if a hijacker spoofed his MAC, he could have full access to
the internet/services without going thru the captive portal.

As for 2b), it's unclear to me whether I can connect into the WLAN/CP using
that option.

> IIRC you're using FTP, so they need not even go
> that far to pick up the credentials.  WEP or not, that's easy enough
> on a wireless network.

No, but it's not any better.

I need access from my server to the cam, to pull images by HTTP as an
unprivileged user. And by being forced to use HTTP, goodbye password
security ;-)

> I think you're overly concerned about it, really.  If you have good
> reason to be *that* concerned about security, a wireless camera isn't
> the way to go.

My primary goal in this discussion is to clarify the potential
security holes so I'm aware of what can happen _if_ it's compromised.

My legit connection from laptop to LAN will be via a VPN connection to
the monowall, so that should be beyond the security scope of this
discussion. 

I'm basically looking for the best way to peek thru the monowall without
making the hole larger than it has to be.

Thanx for your patience and help.

-- 
Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
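Step 3 of the plan above (pull the image and verify that it really is an image of the expected size before trusting it) is the one part of the setup that runs on the server rather than in m0n0wall. The following is an added example, not code from this thread or from the m0n0wall project: it assumes the camera serves JPEG captures, and the function names, the expected 640x480 dimensions and the byte-size bounds are hypothetical. It parses the JPEG segment headers itself (SOI, the first SOF frame header, EOI) rather than trusting a filename or Content-Type, so that an HTML page, a truncated transfer, or a picture of the wrong resolution substituted for the camera's output is rejected before anything downstream uses it.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended sequential, progressive


def jpeg_dimensions(data):
    """Return (width, height) from the first SOF segment, or None if the
    bytes do not carry a well-formed JPEG header."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync: not a JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill bytes may precede a marker
            pos += 1
            continue
        if marker in (EOI, SOS):             # entropy data before any frame header
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return None                      # segment length runs past the buffer
        if marker in SOF_MARKERS:
            if seg_len < 7:
                return None
            # SOF layout: length(2) precision(1) height(2) width(2) ncomp(1) ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return (width, height)
        pos += 2 + seg_len
    return None


def validate_capture(data, expected_dims, min_bytes, max_bytes):
    """Accept a pulled capture only if it is a complete JPEG of the expected
    dimensions and a plausible byte size. Returns (ok, reason)."""
    if not (min_bytes <= len(data) <= max_bytes):
        return False, "size %d bytes outside [%d, %d]" % (len(data), min_bytes, max_bytes)
    dims = jpeg_dimensions(data)
    if dims is None:
        return False, "not a JPEG (no SOI/SOF header)"
    if dims != expected_dims:
        return False, "dimensions %dx%d, expected %dx%d" % (dims + expected_dims)
    if data[-2:] != b"\xff\xd9":
        return False, "truncated (missing EOI)"
    return True, "ok"


def fake_jpeg(width, height, payload_bytes):
    """Constructed test image (not a real camera capture): SOI, a baseline
    SOF0 header for a 3-component image, filler, EOI. Enough structure to
    exercise the checks above; it is not a decodable picture."""
    sof = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    sof_seg = b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof
    return b"\xff\xd8" + sof_seg + b"\x00" * payload_bytes + b"\xff\xd9"


if __name__ == "__main__":
    # Hypothetical policy for a 640x480 camera: anything between 1 KB and 100 KB.
    EXPECTED, MIN_BYTES, MAX_BYTES = (640, 480), 1000, 100000
    samples = {
        "good capture": fake_jpeg(640, 480, 2000),
        "wrong resolution": fake_jpeg(320, 240, 2000),
        "truncated transfer": fake_jpeg(640, 480, 2000)[:-2],
        "html instead of image": b"<html><body>login</body></html>" + b" " * 1000,
    }
    for name, blob in samples.items():
        print("%-22s -> %s" % (name, validate_capture(blob, EXPECTED, MIN_BYTES, MAX_BYTES)))
```

On the server side this would run on the body fetched over HTTP before the image is stored or displayed; a rejected capture is worth logging with its reason, since a sudden run of "not a JPEG" or "dimensions" failures from a camera that used to pass is a cheap signal that something other than the camera is answering on that IP.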