0

I'm planning to set up a local server (Minecraft) accessible by only one other person connecting from a static IP. It's on a dedicated machine that I can easily wipe (Raspberry Pi).

I'm looking to expose only one port, keep the OS up to date, run everything via a limited user, etc... but for the purpose of discussion, let's assume that it's a given that it gets hacked.

I'm not a security expert, up until now my policy has been "it's easier to guard a house without doors." I basically don't open up my network at all - I even force friends to use guest wifi. So my ideal setup here would still allow me to shut down most access to my network.

Preferably, I'd like to have the server on a completely separate network (and maybe the answer is just "sign up for a Digital Ocean droplet"). DMZ is what I'm seeing people recommend, but there's just as much talk saying that consumer-grade routers rarely get it right, and that a bad implementation can be even more risky than port forwarding.

  • How can I tell if my router implements DMZ correctly?
  • If it is implemented correctly, is it something I can trust to keep my home network completely isolated from a compromised device?
  • Am I over-rating the dangers of exposing a single port? Are there better ways of allowing remote access from a single remote IP?
danShumway
  • 103
  • 2

1 Answers1

0

Security is a function of alertness (also = paranoia at some level) - so it's nice that you practice security all the time even when it's your home network.

How can I tell if my router implements DMZ correctly?

Options:

  1. Audit the router in question. It usually needs so much effort that might put this in "disproportionate effort (to benefit)" category. Works nicely if your day job involves auditing network devices, coz you're already half-way there on TTPs.
  2. Setup an IDS with good exception analysis and hope to catch it if/when the router screws up; and then investigate to find out where/how it failed. Needs more resources (esp., time & patience) - but it'd be my choice coz it's more practical. We need the detection capabilities anyway.
If it is implemented correctly, is it something I can trust to keep my home network completely isolated from a compromised device?

Within reason - subject to your confidence in "if implemented correctly", yes. I'd still say trust but verify (healthy skepticism?) - so setup some level of detection capability if you can.

Am I over-rating the dangers of exposing a single port? Are there better ways of allowing remote access from a single remote IP?

Short answers - Yes (over-rating dangers) and May be Not (whitelisting an IP address is usually good enough).

Let's think like an adversary who might target you. When reasonable steps are taken at the network level, it is much simpler to try to compromise you / your server through other methods than try to hack through the infra.

So in this setup, I'd say your risks are more likely to be (than not):

  • human compromise (phishing + keylogger on whitelisted endpoint)
  • higher / app layer vulnerabilities (in the gaming stack) that your whitelisting should still protect against, unless the vector involves your whitelisted remote endpoint.
  • a zero-day on your router + higher layer vuln + ... It's not unusual that big hacks need multiple exploits chained together... so that's what you're looking at.

It's a good situation to be in - that an adversary needs multiple exploit chains and maybe burn a zero-day or two to get at you. Even better - when after all that, you detect the adversary quickly and react to thwart any impact. This is where your strong detection/response kung-fu serves well.

Sas3
  • 2,648
  • 9
  • 20
  • To be honest, I don't trust myself to audit a device or detect intrusions. It would be a lot of fun to do it in a sandbox setting, but I wouldn't trust my findings enough to rely on them. My paranoia is less an assumption that someone specific is out to get me, and more "I don't have enough experience here to understand what's stupid and what's not." – danShumway Jun 21 '17 at 03:22
  • I guess there's no harm in trying to set up an IDS in addition to the other stuff. It's not going to make me more vulnerable than I otherwise would be. Your point about multiple layers is also really helpful. I guess it's more a question of "how many things in a row need to go wrong?" not "how secure can I make this one specific thing?" – danShumway Jun 21 '17 at 03:26