Free Internet Access at new Apartment complex, security concerns


TSM


I'm wondering if anyone has experience with something like this.  

 

I have serious concerns about whether or not my data is safe in my current living space.  I apologize for the long post, but I wanted to give some background information before asking the primary question.  

 

I just moved into an apartment complex that has free high-speed 300 megabits per second internet access. Great, huh? It was a selling point for me when I didn't know too much about how it worked. I don't know the exact right terms to describe it; it's not like an internet connection you might get to a house, it seems more like a WiFi connection you might get at a hotel, in that you have to log in to it, with a userid and password provided by the apartment complex management, via a web page. You only have to log in once per device, and then the device seems to stay authenticated. There's a very simple web page you can open up, where it seems like they track device MAC addresses, and here you can also manually add a MAC address if you have a device that can't open the web page to authenticate, like a printer or gaming console. You can have 10 MAC addresses authenticated, and then if you need something else to connect you gotta get rid of one of the 10. There's the WiFi, which is supposedly just for my apartment, and there is also an ethernet port wall outlet; both work this way and are on the same "network". There is network segregation between apartments, but I'm fairly certain it only happens because my neighbors have a different userid and password. I don't know this for a fact, but I'd bet that if I had one of my neighbor's userids and passwords, I could connect up to their apartment's "network".

 

Initially I tried to connect my broadband router to the ethernet wall port, and then connect my computer and Unraid to it, but I could never get the router to get an external IP address, even if I manually added its MAC address to the website list. I called Spectrum (the cable company), and was told that they didn't support devices like this because they cause interference. The guy I spoke to recommended getting an unmanaged switch if I wanted to use multiple devices with the wall port. I just so happened to have one of those little Netgear switches, still in the box, that I bought a while back for my wife's shop but ended up not using.

 

I hooked the switch to the wall outlet, and my PC to it, and everything worked great. The switch is completely passive, almost like it's not there. I'm still very much on their network though. Then I hooked the Unraid server to the switch, and initially it was very difficult to get an IP address. I usually use my server headless, and connect to the embedded web page for management, but in this situation I had to boot to the GUI to get anything accomplished. (I used to think the GUI was a curiosity feature that was only valuable to certain niche type people; now I think it's the best feature ever.) Anyway, I could never get Firefox in the GUI to bring up the web page for authentication. I'm thinking there is something missing in the Unraid build that makes this type of authentication possible. I even added the server's MAC address to the cable company's website list. I had had the server with a static IP at my previous home, but set it for DHCP in this instance. Kept getting a 169 IP address. Futzed around with it for well over an hour, but it was late and I went to bed.

 

When I woke up the next day, it had gotten a valid IP address. HOORAY!!!! I could connect to it from my computer as normal, and local Firefox could browse the internet. Then I stopped and got gravely concerned. This whole time I had just been worried about connectivity. Connectivity was finally working, and as a matter of fact communication between my Windows PC and the Unraid seems to be about 50% faster, which is fascinating. But now, what about security? Is my server secure? Is my PC secure? I simply don't know. In the cable company's documentation, they make claims to the whole setup being secure, and that others can't "see" your devices. But I'm sure the cable company can see what I'm doing. The Unraid server and my PC at this point both individually have valid IP addresses on a network that the cable company, not me, manages.

 

I'm moderately confident that the firewall software I have on my PC might be protecting it. But what's protecting the Unraid? The baseline security features baked into the OS? I have no way of knowing. And are they doing any kind of analysis of data flowing between devices? Probably not, but they could be? And what if someone did get the userid and password for my slice of the network? What would they see? What might they be able to do? Maybe nothing, maybe something horrible? I really have no way of knowing.

 

Any advice on what to do??? I know that even having a broadband router on a normal internet setup isn't 100% secure, but it sure seems a lot more secure than this.


Without having a proper look it sounds like they are using VLANs to segregate the traffic.

 

Your ethernet outlet in your apartment will be on an access-only port on a managed switch in VLAN X. When you log in to the AP with your credentials it will also assign you to VLAN X. Now your wireless and LAN devices can talk, while your neighbours, who may well be connected to the same hardware (WiFi access point and managed switch), will have their traffic assigned to VLAN Y, etc.

 

Fundamentally it's pretty secure. VLANs have been around for many many years and are widely used across most enterprise and campus networks. 

 

I'm guessing they have a centralised firewall for the complex which should keep everyone relatively secure at the expense of you not being able to port forward etc easily.

 

Without looking, though, this is just a guess.


Does your WiFi have a unique SSID that is just for your apartment? Do you have a unique password/passphrase to log onto that SSID? How long is that password, and what encryption protocol is being used? Can you change the password to make it more secure? What are the IP addresses assigned to your server and to your computer?

 

If you don't know (or can't find out) the answers to these simple security questions, I know that I would be trying to get a router to work on the RJ45 jack that you have on the wall. (The Spectrum people will always blow you off when you talk about using your own equipment!) Be sure that it is set up to use DHCP to get an address. (Sometimes the MAC address is plainly stated on the router, and other times you might have to google how to find it.) I would also want my own wireless access point if you go with your own router.

 

You might also want to run Gibson Research's Shields Up! test (Google "shields up") on the raw connection and see how well you are being protected.


The SSID and WPA2 passphrase are very generic. For example, SSID = Apartment_Complex_Resident, Passphrase = Apartmentcomplexresident. That's not what they actually are, but you get the idea. It's the userid and password that are unique.

 

The IP address is in the 172 range that should be for private use, but given the subnet mask and gateway, I doubt me and my neighbors are on separate VLANs? No?

 

PC IP info: 172.20.7.112

Unraid IP info: 172.20.7.141

iPhone IP info (connected to WiFi): 172.20.7.80

Subnet mask and gateway on all three: 255.255.0.0, 172.20.1.1

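What those three configurations imply, worked through in Python as an added example (not code from the original post): the mask and gateway define a /16, all three observed addresses fall inside it, and the gap between the PC's and the Unraid's leases gives the count of intervening leases that is used as a rough head-count later in the thread. The home /24 comparison is a made-up reference point, and the "sequential DHCP" reading is an assumption (many DHCP servers hand out addresses in order; some do not).

```python
import ipaddress

# Values taken from the post above.
GATEWAY = "172.20.1.1"
NETMASK = "255.255.0.0"
OBSERVED = {
    "PC": "172.20.7.112",
    "Unraid": "172.20.7.141",
    "iPhone": "172.20.7.80",
}


def describe_segment(gateway: str, netmask: str, hosts: dict) -> dict:
    """Work out what a DHCP-assigned configuration says about the segment.

    Returns the network the gateway and mask define, how many host addresses
    it can hold, and whether every observed device sits inside it. If they
    all do, then as far as the IP configuration shows they share one
    broadcast domain; only the switch/AP configuration can tell you whether
    per-tenant isolation (VLANs or client isolation) is layered on top.
    """
    net = ipaddress.ip_interface(f"{gateway}/{netmask}").network
    inside = {name: ipaddress.ip_address(ip) in net for name, ip in hosts.items()}
    return {
        "network": str(net),
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
        "all_same_segment": all(inside.values()),
        "per_host": inside,
    }


def dhcp_distance(a: str, b: str) -> int:
    """Addresses strictly between two leases.

    Assumption: the DHCP server hands out addresses sequentially, so this is
    roughly how many other leases were issued between the two. That is the
    reading the thread uses; it is not guaranteed for every DHCP server.
    """
    return abs(int(ipaddress.ip_address(a)) - int(ipaddress.ip_address(b))) - 1


if __name__ == "__main__":
    info = describe_segment(GATEWAY, NETMASK, OBSERVED)
    print(info)
    print("leases between PC and Unraid:",
          dhcp_distance(OBSERVED["PC"], OBSERVED["Unraid"]))
    # Hypothetical home router for comparison: a /24 holds 254 hosts.
    print(describe_segment("192.168.1.1", "255.255.255.0", {"PC": "192.168.1.50"}))
```

The point the numbers make: a 255.255.0.0 mask with gateway 172.20.1.1 is 172.20.0.0/16, room for 65,534 hosts, far more than one apartment needs. That is consistent with one shared segment for the whole complex, but it is also consistent with VLAN isolation that simply reuses the same addressing plan per tenant, so the mask alone does not settle the question.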

I am not a real network security guy, but there have been 28 other addresses assigned in the 172.20.7.X range between when your PC was assigned and when the unRAID server was assigned. And I am not sure where the router began assigning addresses, so there could be another 100+ devices assigned on that segment.

 

I personally would be setting up my own router with a WiFi access point for your apartment network using the RJ45 connection, unless one of the networking security gurus jumps in and says you are safe. If you have the router set up to use DHCP to get an IP address, it should do so just as easily as your PC. I would be setting the base address for your router to something like 192.168.x.1.


One quick way to say whether it's safe or not is to grab Wireshark on a PC/laptop and plug it into the jack. If you see any traffic from any device other than the router/gateway, then you are not isolated.

But yeah, running double NAT might be a safer thing for the most part, skipping the annoyances you'll encounter due to being unable to port forward...

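The isolation test described above, as an added example that is not part of the original post: a script that reads tshark-style field output and reports every source that is neither the gateway nor one of your own devices. The sample lines and every MAC address in them are constructed for illustration, not captured from any real network; GATEWAY_MAC and MY_MACS are assumptions you would replace with your own values. One caveat the test itself does not state: a neighbour's ARP, NBNS or mDNS broadcast arriving on your port is solid proof that you share a segment, but a quiet capture is weaker evidence the other way, because a switch with client isolation and an idle segment look the same for a few minutes, so let it run for a while and across an evening when neighbours are home.

```python
import sys
from collections import defaultdict

# Constructed sample in the shape of
#   tshark -i eth0 -T fields -e eth.src -e ip.src -e ip.dst -e _ws.col.Protocol
# (tab separated; ARP frames carry no ip.src/ip.dst). NOT a real capture.
SAMPLE = """\
00:11:22:33:44:01\t172.20.1.1\t172.20.7.112\tDNS
00:11:22:33:44:01\t172.20.1.1\t224.0.0.1\tIGMPv2
aa:bb:cc:00:00:01\t172.20.7.112\t172.20.1.1\tDNS
aa:bb:cc:00:00:02\t172.20.7.141\t172.20.7.112\tSMB2
aa:bb:cc:00:00:03\t172.20.7.80\t224.0.0.251\tMDNS
de:ad:be:ef:00:09\t172.20.7.33\t172.20.255.255\tNBNS
de:ad:be:ef:00:09\t\t\tARP
de:ad:be:ef:00:10\t172.20.9.7\t224.0.0.251\tMDNS
"""

GATEWAY_MAC = "00:11:22:33:44:01"                                   # assumed
MY_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",                 # assumed:
           "aa:bb:cc:00:00:03"}                                      # PC, Unraid, phone


def parse(text: str):
    """Yield one dict per frame from tab-separated field lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (4 - len(parts))          # pad short lines (ARP etc.)
        yield {"mac": parts[0], "src": parts[1], "dst": parts[2], "proto": parts[3]}


def classify_frames(text: str, gateway_mac: str, my_macs: set):
    """Return (own_count, gateway_count, foreign).

    foreign maps each source MAC that is neither the gateway nor one of
    my_macs to the set of (source IP or '-', protocol) pairs seen from it.
    Any entry there means another host's frames reached your port, i.e. no
    per-tenant isolation on this segment.
    """
    own = gateway = 0
    foreign = defaultdict(set)
    for f in parse(text):
        if f["mac"] in my_macs:
            own += 1
        elif f["mac"] == gateway_mac:
            gateway += 1
        else:
            foreign[f["mac"]].add((f["src"] or "-", f["proto"]))
    return own, gateway, dict(foreign)


def looks_isolated(text: str, gateway_mac: str, my_macs: set) -> bool:
    """True only if no foreign source appeared; absence is weak evidence."""
    return not classify_frames(text, gateway_mac, my_macs)[2]


if __name__ == "__main__":
    # Pipe real tshark field output in, or run with no input to use SAMPLE.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    own, gw, foreign = classify_frames(data, GATEWAY_MAC, MY_MACS)
    print(f"own frames: {own}, gateway frames: {gw}")
    for mac, seen in sorted(foreign.items()):
        print(f"FOREIGN {mac}: {sorted(seen)}")
    print("isolated (so far):", looks_isolated(data, GATEWAY_MAC, MY_MACS))
```

To feed it a live capture, run tshark with the field list shown in the comment (the interface name is yours to fill in) and pipe its output into the script. Broadcast and multicast chatter (ARP, NBNS, mDNS, SSDP) is what you are most likely to see from neighbours, since unicast between other hosts will not normally reach your switch port even on a flat network.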

I'm pretty sure it's safe. But would recommend you do as @ken-ji recommends and listen on the network traffic.

However, I always feel best if I know that I'm the boss of the security layer. So I would use my own equipment to firewall. This also means I can monitor incoming/outgoing traffic, for example to see what connections my phone wants to make. And I can add my own blacklists for servers I don't want anything to be able to connect to.

2 hours ago, BillClinton said:

This is not a solution to the problem itself, but you could check out ZeroTier. Admittedly you'll have to get your server up and running properly first.

 

https://lime-technology.com/forums/topic/72030-support-spikhalskiy-zerotier/

 

Might be something to check out.

 

 

 

I don't think it solves the security problem. Maybe it gives him secure access remotely, but I'd make sure the LAN was secure before trying anything.

12 hours ago, TSM said:

The SSID and WPA2 passphrase are very generic. For example, SSID = Apartment_Complex_Resident, Passphrase = Apartmentcomplexresident. That's not what they actually are, but you get the idea. It's the userid and password that are unique.

 

 

And I would assume that everyone in the complex uses the same SSID and passphrase. That means that everyone in the complex can access your unRAID server shares using whatever security settings you have on those shares. If they are public, they can browse, read, write (and delete) the files. How well do you know and trust your neighbors? You can test this by looking for other SSIDs in the complex using a portable device. If you only find one, you can be sure that this is the case. For you to be truly secure there should be one for each apartment...

 

And I have not even considered the person sitting in a car outside of the complex who has (somehow) learned/discovered the passphrase. It is far more profitable to have this passphrase than that of a normal home router/WiFi setup because of the increased number of users. There is much more likelihood that someone has something really worth gaining access to.

 

I have no doubt that you are protected by a NAT at the WAN level. And granted, many of your devices (including laptops) are protected because the manufacturer assumed in many cases that you would be using internet access on 'public' networks, but this is not the case for your unRAID server. It is low-hanging fruit ready for plucking. You really need protection at the complex's LAN level.


I'm guessing they are using something that uses a common base-layer WiFi, hence the common SSID/WPA2 key, but still requires a login, which probably (and hopefully) assigns you to your account's VLAN. That said, you should really get ready to have to deal with double NAT while using your own router and, by extension, your own secured LAN. Running the Wireshark test just lets you know if there is any danger of someone locating the server or PC on the provider LAN (i.e. you can use it already if you don't have a spare router or the immediate resources to build out your "LAN").

 


Thank you very much to everyone who tried to assist me with this. But the answer was obvious once I read back through what I had already done. To get the Unraid server to pick up an IP address on their system, I let it sit overnight. Not sure how long it actually took to get the address; I just got tired, went to bed and had left everything hooked up. I realized that maybe I had been too impatient when trying to hook up the broadband router. Let the broadband router sit overnight, and success!!! I got an IP address on their system, and everything seems to be working. I've set up a private IP address on the Unraid and on my PC; both can communicate with each other and get to the internet as needed.


You have to understand a bit about what is going on. First, the router has to boot up and start to seek out an IP address from the network that you connect it to (i.e., the apartment one). You can usually tell when this process has completed by looking at the lights on the router. Then you can start 'connecting' any other devices to the router. This can often require either a reboot or a power-off/power-on cycle, depending on the device.

 

If your router has WiFi built in, you now have a choice to make with wireless devices. You can connect either to the router's wireless and have greater security, or to the apartment's WiFi with less security. Many experts recommend attaching IoT (Internet of Things) devices to their own network. They also recommend having a separate 'guest' network so any guests that you have cannot see (or access) what you have on your unRAID data network. You might want to consider using the apartment's WiFi to provide both IoT and guest access and reserve your router's WiFi for those devices and people you really trust.

9 minutes ago, Frank1940 said:

You might want to consider using the apartment's WiFi to provide both IoT and guest access and reserve your router's WiFi for those devices and people you really trust.

This could become important if there were some legal action about what was accessed. Anything that flows through your private WiFi is automatically going to be attributed to you; if it's on the general-access apartment WiFi there is a layer of separation, unless they used your sign-on info.

 
