[Cialug] securing wifi

kristau kristau at gmail.com
Sat Aug 18 11:41:01 CDT 2007


On 8/17/07, Matthew Nuzum <newz at bearfruit.org> wrote:
> A while back there was a conversation, maybe here, maybe somewhere
> else, can't remember now...
>
> It revolved around techniques for securing wifi without using wep or
> wpa. Instead, wifi encryption was turned off and some other technique
> was used.

I've set up and am currently using a proof of concept configuration
which looks a bit like the following:

           Open Access Point, no encryption
                               |
           POC Ubuntu Server firewall box
                             *|*---Internal wired network
           Ubuntu Server OpenVPN/firewall/router box
                               |
            The Wild Wild InterWebs

The access point allows anyone to connect and get an IP address from
the POC box via DHCP.  The POC firewall is set up "backwards" with the
wireless side as the "inside" network and the wired side as the
"outside" network.  Inbound and outbound traffic on the POC firewall
is completely locked down except for the OpenVPN port (1194).  Any
host on the wireless side is allowed to connect to any host on the
wired side via that port -- including servers beyond my router.

Therefore, in order to get any further than the POC box, one needs to
connect to an OpenVPN server (or use port 1194 to connect via some
other protocol).  I already had OpenVPN running on my existing
firewall/router, so I just utilized that.  One could set up the
OpenVPN server on the POC box itself.

If I have guests over who just need Web access, or if I want to allow
it for anyone on my access point, I can open up ports 80, 443 and 53
on the POC firewall.  This allows basic http and https Internet
"surfing" to anyone who connects.

The initial firewall configuration was created using Firestarter, so I
didn't need to dig into netfilter iptables commands to get it going.
As I progress, however, I plan on testing various alternative
configurations which will require either direct manipulation of
iptables or a better front end.

Specifically, I need to add rules that disallow access from the
wireless side to hosts on the internal wired network via any open
ports.  I would also like to lock down the OpenVPN access so hosts can
only connect to the OpenVPN server I specify.  The way it is set up
now, if I open up the ports for Web surfing that also opens access to
hosts on the internal wired network via those ports.  Also, someone
could easily figure out that 1194 is open to hosts on the Internet and
set up a proxy or ssh server of their own listening on that port, then
use my access point to connect through to it.

For a quick and dirty home setup, what I've done up to this point is
probably adequate.  If, however, one were to deploy this in a business
environment, it would be better to lock down those annoying little
chinks in the armor.  It would also be nice to have an https
management interface for opening/closing ports temporarily for guest
access.

The primary benefit of this configuration is that you are using VPN
technology to secure your wireless traffic instead of relying on the
dubious reputation of the various WEP/WPA protocols.  Also, using a
VPN adds modularity to the setup allowing you to upgrade the
encryption without replacing all your radios.  I wonder how many
perfectly functioning access points have been tossed out because they
had no encryption or cracked protocols on board?

Hmm, I can probably give a presentation on this at some point, if I
haven't already used up all my material here...

-- 
Tired programmer
Coding late into the night
The core dump follows

My GNUPG public key is available at http://www.kristau.net/public_key.asc
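One way to write the lock-down described in the message above (OpenVPN allowed only to one named server, and guest web ports that cannot reach the internal wired subnet) as netfilter rules for the "backwards" POC firewall. This is an added example, not the poster's Firestarter configuration; the interface names, subnets and OpenVPN server address are constructed assumptions, and by default the script only prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example for the "backwards" POC firewall: wireless side is "inside",
# wired side is "outside". All addresses and interface names are assumptions.
WLAN_IF=eth1                 # open access point plugs in here (the "inside")
WIRED_IF=eth0                # internal wired network (the "outside")
WIRED_NET=192.168.1.0/24     # internal hosts the wireless side must not reach
VPN_SERVER=192.168.1.1       # the only OpenVPN endpoint wireless clients may use
VPN_PORT=1194
# Default to printing the commands; run with IPTABLES=iptables (as root) to apply.
IPTABLES=${IPTABLES:-echo iptables}

# poc_rules GUEST_WEB -> emits the FORWARD chain; GUEST_WEB=1 opens 80/443/53.
# The INPUT chain (DHCP answers from the POC box itself) is left to the existing config.
poc_rules() {
    guest_web=${1:-0}
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # return traffic for flows the wireless side already opened
    $IPTABLES -A FORWARD -i "$WIRED_IF" -o "$WLAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # OpenVPN only to the one server we specify, not to any host listening on 1194
    $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -p udp \
        -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -p tcp \
        -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    if [ "$guest_web" = 1 ]; then
        # guest surfing: drop anything aimed at the internal wired subnet first...
        $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -d "$WIRED_NET" -j DROP
        # ...then let web and DNS out toward the Internet
        for p in 80 443; do
            $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -p tcp --dport $p -j ACCEPT
        done
        $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -p udp --dport 53 -j ACCEPT
        $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$WIRED_IF" -p tcp --dport 53 -j ACCEPT
    fi
    # everything else from the wireless side falls through to the DROP policy
}

# count_accept_rules GUEST_WEB -> number of ACCEPT rules emitted, as a sanity check
count_accept_rules() {
    poc_rules "$1" | grep -c -e '-j ACCEPT'
}
```

Rule order matters: the DROP toward the wired subnet sits after the OpenVPN accepts (so the VPN server on that subnet stays reachable) but before the guest web accepts.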

