[Cialug] securing wifi

Chris K. lister at kulish.com
Sat Aug 18 15:19:22 CDT 2007


I used to use OpenVPN+IPCop to secure my wireless.

kristau wrote:
> On 8/17/07, Matthew Nuzum <newz at bearfruit.org> wrote:
>   
>> A while back there was a conversation, maybe here, maybe somewhere
>> else, can't remember now...
>>
>> It revolved around techniques for securing wifi without using wep or
>> wpa. Instead, wifi encryption was turned off and some other technique
>> was used.
>>     
>
> I've set up and am currently using a proof of concept configuration
> which looks a bit like the following:
>
>            Open Access Point, no encryption
>                                |
>            POC Ubuntu Server firewall box
>                              *|*---Internal wired network
>            Ubuntu Server OpenVPN/firewall/router box
>                                |
>             The Wild Wild InterWebs
>
> The access point allows anyone to connect and get an IP address from
> the POC box via DHCP.  The POC firewall is set up "backwards" with the
> wireless side as the "inside" network and the wired side as the
> "outside" network.  Inbound and outbound traffic on the POC firewall
> is completely locked down except for the OpenVPN port (1194).  Any
> host on the wireless side is allowed to connect to any host on the
> wired side via that port -- including servers beyond my router.
>
> Therefore, in order to get any further than the POC box, one needs to
> connect to an OpenVPN server (or use port 1194 to connect via some
> other protocol).  I already had OpenVPN running on my existing
> firewall/router, so I just utilized that.  One could set up the
> OpenVPN server on the POC box itself.
>
> If I have guests over who just need Web access, or if I want to allow
> it for anyone on my access point, I can open up ports 80, 443 and 53
> on the POC firewall.  This allows basic http and https Internet
> "surfing" to anyone who connects.
>
> The initial firewall configuration was created using Firestarter, so I
> didn't need to dig into netfilter iptables commands to get it going.
> As I progress, however, I plan on testing various alternative
> configurations which will require either direct manipulation of
> iptables or a better front end.
>
> Specifically, I need to add rules that disallow access from the
> wireless side to hosts on the internal wired network via any open
> ports.  I would also like to lock down the OpenVPN access so hosts can
> only connect to the OpenVPN server I specify.  The way it is set up
> now, if I open up the ports for Web surfing that also opens access to
> hosts on the internal wired network via those ports.  Also, someone
> could easily figure out that 1194 is open to hosts on the Internet and
> set up a proxy or ssh server of their own listening on that port, then
> use my access point to connect through to it.
>
> For a quick and dirty home setup, what I've done up to this point is
> probably adequate.  If, however, one were to deploy this in a business
> environment, it would be better to lock down those annoying little
> chinks in the armor.  It would also be nice to have an https
> management interface for opening/closing ports temporarily for guest
> access.
>
> The primary benefit of this configuration is that you are using VPN
> technology to secure your wireless traffic instead of relying on the
> dubious reputation of the various WEP/WPA protocols.  Also, using a
> VPN adds modularity to the setup allowing you to upgrade the
> encryption without replacing all your radios.  I wonder how many
> perfectly functioning access points have been tossed out because they
> had no encryption or cracked protocols on board?
>
> Hmm, I can probably give a presentation on this at some point, if I
> haven't already used up all my material here...
>
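Added example, not part of the original thread or of kristau's Firestarter configuration: a generated iptables-restore ruleset for the "backwards" POC firewall described above, including the two tightenings the post says are still missing (OpenVPN allowed only to one named server, and the internal wired LAN blocked before any guest web ports are opened). All names are assumptions: wlan0 is the wireless "inside", eth0 the wired "outside", 192.168.1.0/24 the internal LAN, the OpenVPN server and resolver sit at 192.168.1.1, and OpenVPN runs on UDP 1194 (its default).

```shell
#!/bin/sh
# Added example, not from the original post. Prints an iptables-restore ruleset
# for the POC box: wireless side = inside, wired side = outside, default deny.
# Assumed names (hypothetical; override from the environment to match your box):
WIFI_IF="${WIFI_IF:-wlan0}"              # wireless "inside" interface
WIRED_IF="${WIRED_IF:-eth0}"             # wired "outside" interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal wired network
VPN_SERVER="${VPN_SERVER:-192.168.1.1}"  # the one OpenVPN server clients may reach
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN default (UDP)
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"  # resolver guests are allowed to use

# poc_rules GUEST  -> ruleset on stdout; GUEST=1 adds web-only guest access.
poc_rules() {
  guest="${1:-0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The POC box hands out DHCP leases on the wireless side; nothing else may talk to it
-A INPUT -i $WIFI_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $WIFI_IF -p udp --sport 67 --dport 68 -j ACCEPT
# Return traffic for flows that were explicitly allowed below
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OpenVPN only to the server we name: a stranger's own 1194 listener out on the
# Internet is not reachable, which closes the proxy/ssh-on-1194 hole from the post
-A FORWARD -i $WIFI_IF -o $WIRED_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT
EOF
  if [ "$guest" = "1" ]; then
    cat <<EOF
# Guest web access: DNS to our resolver, then drop the internal LAN BEFORE opening 80/443,
# so the web ports do not also expose hosts on the wired network
-A FORWARD -i $WIFI_IF -o $WIRED_IF -d $DNS_SERVER -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $WIFI_IF -o $WIRED_IF -d $LAN_NET -j DROP
-A FORWARD -i $WIFI_IF -o $WIRED_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
  fi
  echo "COMMIT"
}

# Apply for real, as root on the POC box:  poc_rules 1 | iptables-restore
# Preview without touching the kernel:      POC_PRINT=1 POC_GUEST=1 sh thisfile.sh
if [ -n "${POC_PRINT:-}" ]; then poc_rules "${POC_GUEST:-0}"; fi
```

Rule order matters in the guest section: the LAN drop must precede the 80/443 accept, otherwise the guest rules re-open the internal hosts exactly as the post describes. Toggling guest access is then a matter of piping `poc_rules 0` or `poc_rules 1` into iptables-restore, which replaces the whole table atomically rather than opening ports one at a time.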