lewmur
Posts: 368
Joined: Sun Dec 25, 2011 3:20 pm

Pi and the anti-cloud

Fri Jan 13, 2017 4:44 pm

It seems that every day there is more and more push for small businesses to "adopt the cloud". And yet, at the same time we are warned that "the only safe internet connection is none at all."

I do computer consulting for a Real Estate Appraisal firm with about ten people in the office. More and more, mortgage cos. and banks want the appraisals delivered to their websites via the internet. And most of the research tools needed also depend on it. My solution? Each person in the office has a Pi, which connects to their computer via Bluetooth. The computers themselves, and the server, have NO INTERNET CONNECTION. Only the Pis connect to the net. As a matter of course, each Pi has a fresh copy of Raspbian re-installed on a regular basis. But even if one is compromised, little damage can be done because only temp data from current research is on one at any given time.

Of course, this is NOT a full disclosure of the system, but I think it is enough to give you the idea of how the Pi can be used to isolate PCs from malicious attacks.

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Pi and the anti-cloud

Fri Jan 13, 2017 5:42 pm

lewmur wrote:It seems that every day there is more and more push for small businesses to "adopt the cloud". And yet, at the same time we are warned that "the only safe internet connection is none at all."

I do computer consulting for a Real Estate Appraisal firm with about ten people in the office. More and more, mortgage cos. and banks want the appraisals delivered to their websites via the internet. And most of the research tools needed also depend on it. My solution? Each person in the office has a Pi, which connects to their computer via Bluetooth. The computers themselves, and the server, have NO INTERNET CONNECTION. Only the Pis connect to the net. As a matter of course, each Pi has a fresh copy of Raspbian re-installed on a regular basis. But even if one is compromised, little damage can be done because only temp data from current research is on one at any given time.

Of course, this is NOT a full disclosure of the system, but I think it is enough to give you the idea of how the Pi can be used to isolate PCs from malicious attacks.
The fact that you used Bluetooth to connect the Pi to the PCs is interesting. Do you mind me asking why you used Bluetooth and how fast it is? Also, if the PCs don't have Internet connections, how do you install security patches on them and updates? If they are running Windows 10, will that OS stop working after a month of not connecting to the Internet?

mattmiller
Posts: 2102
Joined: Thu Feb 05, 2015 11:25 pm

Re: Pi and the anti-cloud

Fri Jan 13, 2017 5:50 pm

So you are using VNC to control a Pi over Bluetooth and then just use that Pi to browse/email/upload/download stuff to T'Internet?

And presumably, some method of file sharing between the PC and the Pi?

lewmur
Posts: 368
Joined: Sun Dec 25, 2011 3:20 pm

Re: Pi and the anti-cloud

Sat Jan 14, 2017 3:25 pm

ejolson wrote:
lewmur wrote:It seems that every day there is more and more push for small businesses to "adopt the cloud". And yet, at the same time we are warned that "the only safe internet connection is none at all."

I do computer consulting for a Real Estate Appraisal firm with about ten people in the office. More and more, mortgage cos. and banks want the appraisals delivered to their websites via the internet. And most of the research tools needed also depend on it. My solution? Each person in the office has a Pi, which connects to their computer via Bluetooth. The computers themselves, and the server, have NO INTERNET CONNECTION. Only the Pis connect to the net. As a matter of course, each Pi has a fresh copy of Raspbian re-installed on a regular basis. But even if one is compromised, little damage can be done because only temp data from current research is on one at any given time.

Of course, this is NOT a full disclosure of the system, but I think it is enough to give you the idea of how the Pi can be used to isolate PCs from malicious attacks.
The fact that you used Bluetooth to connect the Pi to the PCs is interesting. Do you mind me asking why you used Bluetooth and how fast it is? Also, if the PCs don't have Internet connections, how do you install security patches on them and updates? If they are running Windows 10, will that OS stop working after a month of not connecting to the Internet?
I download updates to my laptop and then copy them to the server. But if you are not connected to the internet, security updates are not really that important. And no, they won't stop working.

lewmur
Posts: 368
Joined: Sun Dec 25, 2011 3:20 pm

Re: Pi and the anti-cloud

Sat Jan 14, 2017 3:33 pm

mattmiller wrote:So you are using VNC to control a Pi over Bluetooth and then just use that Pi to browse/email/upload/download stuff to T'Internet?

And presumably, some method of file sharing between the PC and the Pi?
When you connect two PCs via Bluetooth, file sharing is built in. But if greater speed than that permitted by Bluetooth 4 is needed, you could instead use Wi-Fi Direct.

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Pi and the anti-cloud

Sun Jan 15, 2017 7:18 am

lewmur wrote:I download updates to my laptop and then copy them to the server. But if you are not connected to the internet, security updates are not really that important. And no, they won't stop working.
It's good to know Windows 10 continues to work indefinitely when not connected to the internet. Have you tried setting the clock forward a decade to see if anything strange happens?

Given the novelty, it seems likely that existing malware could infect the Pi but not know how to leverage the Bluetooth pairing to further infect the PC. On the other hand, since all Pi 3 devices have built-in Bluetooth, it is conceivable that a compromised Pi might listen for Bluetooth pairings in a way similar to malware running on a mobile phone. In either case, assuming an Internet-connected Pi is more secure than Windows, the resulting security would still be better. It's definitely an interesting setup. Is it in response to a recent or attempted security breach in the past?

lewmur
Posts: 368
Joined: Sun Dec 25, 2011 3:20 pm

Re: Pi and the anti-cloud

Sun Jan 15, 2017 2:36 pm

ejolson wrote:
lewmur wrote:I download updates to my laptop and then copy them to the server. But if you are not connected to the internet, security updates are not really that important. And no, they won't stop working.
It's good to know Windows 10 continues to work indefinitely when not connected to the internet. Have you tried setting the clock forward a decade to see if anything strange happens?

Given the novelty, it seems likely that existing malware could infect the Pi but not know how to leverage the Bluetooth pairing to further infect the PC. On the other hand, since all Pi 3 devices have built-in Bluetooth, it is conceivable that a compromised Pi might listen for Bluetooth pairings in a way similar to malware running on a mobile phone. In either case, assuming an Internet-connected Pi is more secure than Windows, the resulting security would still be better. It's definitely an interesting setup. Is it in response to a recent or attempted security breach in the past?
There hasn't been a ransomware attack on the system, but I got tired of having to "cleanup" the malware mess that the users would get on their individual computers. But, of course, all of the news about ransomware attacks was also a large motivating factor. And I have had users who have received the "Microsoft Support" malware.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL

Re: Pi and the anti-cloud

Sun Jan 15, 2017 10:40 pm

The "Cloud" is just a fancy name for off site storage outside the Enterprise, NAS or SANS on the LAN. That is all that it is. There are not that many businesses that are anti-cloud, except for those run by someone who does not understand that it is LAN or Offsite secured storage. Most like myself will mirror documents offsite and on the NAS on my LAN. It is more convenient that way while on the go, since my Upload Speed runs about 5.5mbps.

Using a Pi with Bluetooth is not needed, because you are just adding more work to yourself. If the network is secured and the email as they have always been sent is sent to the correct fax or email address, there is no need for the Pi. Reinstalling the OS on a schedule on a Pi is going to just cause you headaches in the long run.

Do an offsite storage solution like Box.com for Business and a Fax service like Myfax.com, which you can scan documents on a Networked printer like the Brother Series, then upload it to the Myfax.com app on the phone and send it on its way. You can also email them.

Keep it simple and always remember that there are going to be people that will still insist on doing it the old way and see the Pi as more of an annoyance than what you may think is convenient.

I use a Synology NAS on my network and it allows you to use those options that I mentioned and you can also use it for a network Mail Server if you wish.
Last edited by broe23 on Mon Jan 16, 2017 7:40 am, edited 1 time in total.
Ren: Now listen, Cadet. I've got a job for you. See this button? Ren: Don't touch it! It's the History Eraser button, you fool! Stimpy: So what'll happen? Ren: That's just it. We don't know. Maybe something bad, maybe something good.

Heater
Posts: 13116
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi and the anti-cloud

Sun Jan 15, 2017 11:28 pm

broe23,
The "Cloud" is just a fancy name for off site storage outside the Enterprise, NAS or SANS on the LAN. That is all that it is.
What kind of nonsense is that?

The "cloud" can be many things. For example I keep my code in github.com. That is not just storage but a whole useful application. My company keeps its code in bitbucket. Same kind of service.

There are many other examples of cloud services.

"cloud" is not just about storage. Cloud is often a service.
There are not that many businesses that are anti-cloud, except for those run by someone who does not understand that it is LAN or Offsite secured storage.
Hmm...Anyone who thinks any of this is secure is living under a rock.

aTao
Posts: 1087
Joined: Wed Dec 12, 2012 10:41 am
Location: Howlin Eigg

Re: Pi and the anti-cloud

Sun Jan 15, 2017 11:40 pm

So, you are using multiple RPis as firewalls.....
Why not just one on the office network (with a nanny filter)?

But you aren't addressing a more common infection vector which is the dreaded pen drive.
>)))'><'(((<

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Pi and the anti-cloud

Mon Jan 16, 2017 1:03 am

aTao wrote:But you aren't addressing a more common infection vector which is the dreaded pen drive.
Do you have a reference for that? I thought the web and email are more common sources of malware.

As far as I can tell, the Pis in the anti-cloud are not functioning as firewalls but instead as physical sandboxes for each user's web browser. A similar effect might be obtained by running the browser inside a virtual machine and setting the firewall rules so the virtual machine owned the network device. For example, you could probably boot the x86 version of Raspbian PIXEL inside of VirtualBox, VMware or Hyper-V and run the browser there. At the same time, just as the nice thing about not actually having a webcamera on your computer is that malware can't secretly turn it on, if the Ethernet cable is not physically plugged in, there is no way for the malware to plug it in.

The phrase anti-cloud seems to refer to the idea of running software services locally on small bits of dedicated hardware like a Pi rather than virtualized on large remote servers. In my opinion the phrase is imaginative enough that the person who made the original post should consider trademarking it.

Heater
Posts: 13116
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi and the anti-cloud

Mon Jan 16, 2017 1:20 am

Yes, I love "Anticloud".

One might call it "umbrella". But that is kind of dull.

As for the "pen drive" problem. Do you remember Stuxnet?

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL

Re: Pi and the anti-cloud

Mon Jan 16, 2017 7:46 am

aTao wrote:So, you are using multiple RPis as firewalls.....
Why not just one on the office network (with a nanny filter)?

But you aren't addressing a more common infection vector which is the dreaded pen drive.
I think that they are wanting to run the Pis as workstations running on some form of Pi Linux distro, which is just going to be a headache for people. Especially if they are using either Macs or Beige Box Laptops. The LibreOffice tools are not 100% compatible with Microsoft Office or Office 365.

Really what the OP needs to do is run everyone through a Domain with Windows workstations and network malware scanning when people are gone. Also by locking Internet access down so that they can only go to the websites that they are required to do so, removes a risk at the workstations.

It is going to come down to the users are going to never use the Pi's and just keep using their laptops, because it is too much work and what is the sense of having a network setup that is not connected to the outside world, unless it is for government highly top secret work.

There are plenty of Linux distros out there that mimic Active Directory, Sharepoint, Microsoft email and Domain controller. The Pi is fine in an office for an LCD screen that is updated with latest market info. Real Estate and Finance is not going to work with today's society, because the Realtor boards and finance companies require a certain set of tools to only be used on computers and also they do not want to have people jump through multiple hurdles when there is a deadline.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL

Re: Pi and the anti-cloud

Mon Jan 16, 2017 7:55 am

Heater wrote:As for the "pen drive" problem. Do you remember Stuxnet?
You do realize that Stuxnet was specifically created to target Iran's Nuclear program. It has nothing to do with the Pi or any type of Linux OS.

Heater
Posts: 13116
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi and the anti-cloud

Mon Jan 16, 2017 11:15 am

Yes, I know the Stuxnet story. Yes, Stuxnet is nothing to do with Pi and Linux as such.

Our OP seems to have gone to some trouble to isolate the PCs in an office, presumably running Windows, from the internet using Pi as a "firewall" of sorts.

The Stuxnet/pen drive thing is just a reminder that, even after having done all that, bad things can still get into those PCs via the USB socket. Or other paths.

Presumably the people in that office will want to get files onto their machines via the Pi firewall. That of course is another hazard unless precautions are taken.

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Pi and the anti-cloud

Mon Jan 16, 2017 6:23 pm

broe23 wrote:The LibreOffice tools are not 100% compatible with Microsoft Office or Office 365.
I think that is why the Pis are used only for web browsing and the Windows computers for everything else. It is probably not so difficult to convince a person to use a separate computer for the Internet after that person has had their main work machine compromised by malware.

I'm wondering, are the Pis set up with their own monitors, keyboards and mice in the anti-cloud configuration?

Heater
Posts: 13116
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi and the anti-cloud

Mon Jan 16, 2017 7:49 pm

Yes, I was wondering what goes on in the Pi part of the anticloud system.

If they have web browsers then aren't we back to square one, subject to all the vulnerabilities they have?

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Pi and the anti-cloud

Mon Jan 16, 2017 8:28 pm

Heater wrote:If they have web browsers then aren't we back to square one, subject to all the vulnerabilities they have?
Yes, except having a single Pi infected may be easier to clean up than the entire office network. In this way the Pi functions as a sandbox for safely browsing the web. Of course this assumes any malware which compromises the Pi doesn't immediately jump through Bluetooth to the Windows PC. Given the novelty of the configuration, my guess is that unless the malware was specifically targeted (as in your previous example), it will not make the jump.
Last edited by ejolson on Mon Jan 16, 2017 8:35 pm, edited 1 time in total.

HawaiianPi
Posts: 4534
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Pi and the anti-cloud

Mon Jan 16, 2017 8:35 pm

aTao wrote:But you aren't addressing a more common infection vector which is the dreaded pen drive.
ejolson wrote:Do you have a reference for that? I thought the web and email are more common sources of malware...
Yes, for computers actually connected to the Internet. When you take those computers offline then the users bring USB flash drives to work loaded with all the stuff you cut off their access to, and, well...

Because the biggest threat to security is, and always has been... the user.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

Heater
Posts: 13116
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi and the anti-cloud

Mon Jan 16, 2017 8:41 pm

But I'm not sure, in the anticloud setup, how files are being moved from the worker's PC, to the Pi and importantly to the final destination on the internet.

Sure you can move files from PC to Pi over Bluetooth.

Then what happens?

Do they need to then post the files to the destination using a browser on the Pi?

If so, we now have users with browsers on the Pi and all the problems that entails.

I was not so much worried about the Pi getting compromised, or bad stuff getting through it to the PC.

Just the regular browser problems.

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Pi and the anti-cloud

Mon Jan 16, 2017 8:51 pm

HawaiianPi wrote:When you take those computers offline then the users bring USB flash drives to work loaded with all the stuff you cut off their access to, and, well...
That's a good point. Sharing USB drives between office computers and the PC at home used by the kids is likely to change the security-threat picture dramatically. Presumably employees having access to an Internet connected Raspberry Pi sharing files through Bluetooth with the PC eliminates the temptation to share USB drives. Getting a Pi for the kids at home might save the family PC as well. At the same time, sharing files through Bluetooth is not without risks. As viruses have been known to embed in Word and PDF documents, scanning those files might help. It will be interesting to hear how the anti-cloud works out in practice.
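The scanning step suggested in the post above, sketched as an added example that is not part of the original thread: a structural triage of Word and PDF files on the Pi before they are shared to the offline PC. The function names, finding labels and sample files are constructed for illustration, and the checks are heuristics that complement a signature scanner rather than replace one.

```python
"""Triage files on the Internet-facing Pi before they cross to the offline PC."""
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE stream names are UTF-16LE
# PDF name tokens that trigger scripts, auto-actions, launches or attachments.
# Limitation: tokens hidden in compressed object streams or written with
# #xx hex escapes are not seen by this plain byte search.
PDF_ACTIVE = re.compile(
    rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)(?![A-Za-z0-9])")


def triage(data: bytes) -> list:
    """Return a sorted list of findings; an empty list means nothing flagged."""
    findings = set()
    if data.startswith(OLE_MAGIC):
        if VBA_STREAM in data:
            findings.add("ole:vba-project")
    elif data.startswith(b"PK\x03\x04"):          # OOXML (.docx/.docm/.xlsx...)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    low = name.lower()
                    if low.endswith("vbaproject.bin"):
                        findings.add("ooxml:vba-project")
                    elif "/embeddings/" in low:
                        findings.add("ooxml:embedded-object")
        except zipfile.BadZipFile:
            findings.add("ooxml:corrupt-zip")
    elif b"%PDF-" in data[:1024]:
        for match in PDF_ACTIVE.finditer(data):
            findings.add("pdf:" + match.group(1).decode())
    else:
        findings.add("unknown-type")              # default deny for other types
    return sorted(findings)


def decide(data: bytes) -> str:
    """'release' the file to the Bluetooth share or 'hold' it for review."""
    return "hold" if triage(data) else "release"


def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a skeletal Word package, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample PDFs: one plain, one with an auto-run script action.
SAMPLE_PDF_PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
                    b"endobj\n%%EOF\n")
SAMPLE_PDF_ACTIVE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
                     b"endobj\n3 0 obj\n<< /S /JavaScript /JS (constructed) >>\n"
                     b"endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in [("plain.docx", sample_ooxml(False)),
                        ("macro.docm", sample_ooxml(True)),
                        ("plain.pdf", SAMPLE_PDF_PLAIN),
                        ("active.pdf", SAMPLE_PDF_ACTIVE)]:
        print(label, decide(blob), triage(blob))
```

A file that comes back as "hold" stays on the Pi, which is wiped on the next re-install anyway.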

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL

Re: Pi and the anti-cloud

Mon Jan 16, 2017 10:34 pm

ejolson wrote:
Heater wrote:If they have web browsers then aren't we back to square one, subject to all the vulnerabilities they have?
Yes, except having a single Pi infected may be easier to clean up than the entire office network. In this way the Pi functions as a sandbox for safely browsing the web. Of course this assumes any malware which compromises the Pi doesn't immediately jump through Bluetooth to the Windows PC. Given the novelty of the configuration, my guess is that unless the malware was specifically targeted (as in your previous example), it will not make the jump.
Linux is very hard to get infected. If anything was uploaded to it, it would be more for attacking Windows. What the OP is wanting to do is make each workstation basically a "Dumb Terminal". That means that they cannot connect to the Internet with their own laptop, can only have information as the OP wants it to be is through Bluetooth, which does not always work.

Basically the OP is going to find out that he will end up wasting his time on this project in thinking that forcing Realtors and Brokers to work at a station that is only for Word Processing, Spreadsheets, that are not compatible with Microsoft Office or Office 365. The users will just end up using their laptops and the OP has basically wasted his money and time on this project of theirs.
Last edited by broe23 on Mon Jan 16, 2017 10:49 pm, edited 1 time in total.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL

Re: Pi and the anti-cloud

Mon Jan 16, 2017 10:39 pm

HawaiianPi wrote:
aTao wrote:But you aren't addressing a more common infection vector which is the dreaded pen drive.
ejolson wrote:Do you have a reference for that? I thought the web and email are more common sources of malware...
Yes, for computers actually connected to the Internet. When you take those computers offline then the users bring USB flash drives to work loaded with all the stuff you cut off their access to, and, well...

Because the biggest threat to security is, and always has been... the user.
The only problem is that if they have Spreadsheets with Pivot Tables, VB Script in the background, they will not work on the Pi. Same as Word Documents that may use Macros to pull information from Outlook. Let's also not forget that they may have PDFs that have been created in Adobe and have fillable areas that will not work in any type of editor in Linux.

As for the USB key, if the OP is going to replace the SD cards on a whim, why would they even bother wasting their time in saving documents to the Pis that are connected to the Internet, but they are making it very difficult for users to use their own personal laptops, since not all may work properly with BT. The OP is basically disciplining the Realtors and Brokers for something that he should have looked at on his behalf if he wants to maintain the network properly. Stuff like this is why you see a lot of employees at no matter what office they work at finding other jobs.

The only time that I would use an offline computer that is not connected in any form to my network and Bluetooth is disabled, along with USB, would be if it contained Top Security Documents, which the military has terminals set up like that and they are kept in a locked room. They get updated through a person with the proper clearance to update any documents and files on them.

Heater
Posts: 13116
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi and the anti-cloud

Mon Jan 16, 2017 11:02 pm

As far as I understand the OP the idea is:

1) Have the PCs (presumably Windows) disconnected from the internet for maximum security.

2) But be able to exchange files with others via the internet.

3) Ergo, use Bluetooth to get the files from PC to Pi to internet.

So far so good.

But I'm sure that sometimes files have to come back the other way. Oops, you are now subject to all the old vulnerabilities of PDFs, Word docs, etc that have been famous over the years.

And, as I said, presumably the files are moved from Pi to net using a browser. Oops, you are now subject to all the browser vulnerabilities.

The only upside I see in this is preventing Windows doing its auto-update thing. That at least keeps MS from sticking its fingers into your organization.

lewmur
Posts: 368
Joined: Sun Dec 25, 2011 3:20 pm

Re: Pi and the anti-cloud

Tue Jan 17, 2017 3:50 pm

broe23 wrote:The "Cloud" is just a fancy name for off site storage outside the Enterprise, NAS or SANS on the LAN. That is all that it is. There are not that many businesses that are anti-cloud, except for those run by someone who does not understand that it is LAN or Offsite secured storage. Most like myself will mirror documents offsite and on the NAS on my LAN. It is more convenient that way while on the go, since my Upload Speed runs about 5.5mbps.

Using a Pi with Bluetooth is not needed, because you are just adding more work to yourself. If the network is secured and the email as they have always been sent is sent to the correct fax or email address, there is no need for the Pi. Reinstalling the OS on a schedule on a Pi is going to just cause you headaches in the long run.

Do an offsite storage solution like Box.com for Business and a Fax service like Myfax.com, which you can scan documents on a Networked printer like the Brother Series, then upload it to the Myfax.com app on the phone and send it on its way. You can also email them.

Keep it simple and always remember that there are going to be people that will still insist on doing it the old way and see the Pi as more of an annoyance than what you may think is convenient.

I use a Synology NAS on my network and it allows you to use those options that I mentioned and you can also use it for a network Mail Server if you wish.
I disagree. I think the accepted meaning of the term "cloud" is offsite storage accessed via the internet. A LAN or NAS, not connected to the internet, is not part of the "cloud" that MS is pushing for Office. Or what most small businesses use. If you had read my post carefully you should have noticed that I mentioned the use of a "server". And the computers all connect to it via a LAN. There is just no connection to a WAN. And, of course, a NAS is just another form of LAN so long as it has no connection to a WAN.
