[Cialug] securing wifi
lister at kulish.com
Sat Aug 18 15:19:22 CDT 2007
I used to use OpenVPN+IPCop to secure my wireless.
> On 8/17/07, Matthew Nuzum <newz at bearfruit.org> wrote:
>> A while back there was a conversation, maybe here, maybe somewhere
>> else, can't remember now...
>> It revolved around techniques for securing wifi without using wep or
>> wpa. Instead, wifi encryption was turned off and some other technique
>> was used.
> I've set up and am currently using a proof of concept configuration
> which looks a bit like the following:
> Open Access Point, no encryption
>            |
> POC Ubuntu Server firewall box
>            |
>           *|*---Internal wired network
>            |
> Ubuntu Server OpenVPN/firewall/router box
>            |
> The Wild Wild InterWebs
> The access point allows anyone to connect and get an IP address from
> the POC box via DHCP. The POC firewall is set up "backwards" with the
> wireless side as the "inside" network and the wired side as the
> "outside" network. Inbound and outbound traffic on the POC firewall
> is completely locked down except for the OpenVPN port (1194). Any
> host on the wireless side is allowed to connect to any host on the
> wired side via that port -- including servers beyond my router.
> Therefore, in order to get any further than the POC box, one needs to
> connect to an OpenVPN server (or use port 1194 to connect via some
> other protocol). I already had OpenVPN running on my existing
> firewall/router, so I just utilized that. One could set up the
> OpenVPN server on the POC box itself.
> If I have guests over who just need Web access, or if I want to allow
> it for anyone on my access point, I can open up ports 80, 443 and 53
> on the POC firewall. This allows basic http and https Internet
> "surfing" to anyone who connects.
> The initial firewall configuration was created using Firestarter, so I
> didn't need to dig into netfilter iptables commands to get it going.
> As I progress, however, I plan on testing various alternative
> configurations which will require either direct manipulation of
> iptables or a better front end.
> Specifically, I need to add rules that disallow access from the
> wireless side to hosts on the internal wired network via any open
> ports. I would also like to lock down the OpenVPN access so hosts can
> only connect to the OpenVPN server I specify. The way it is set up
> now, if I open up the ports for Web surfing that also opens access to
> hosts on the internal wired network via those ports. Also, someone
> could easily figure out that 1194 is open to hosts on the Internet and
> set up a proxy or ssh server of their own listening on that port, then
> use my access point to connect through to it.
> For a quick and dirty home setup, what I've done up to this point is
> probably adequate. If, however, one were to deploy this in a business
> environment, it would be better to lock down those annoying little
> chinks in the armor. It would also be nice to have an https
> management interface for opening/closing ports temporarily for guest
> The primary benefit of this configuration is that you are using VPN
> technology to secure your wireless traffic instead of relying on the
> dubious reputation of the various WEP/WPA protocols. Also, using a
> VPN adds modularity to the setup allowing you to upgrade the
> encryption without replacing all your radios. I wonder how many
> perfectly functioning access points have been tossed out because they
> had no encryption or cracked protocols on board?
> Hmm, I can probably give a presentation on this at some point, if I
> haven't already used up all my material here. . .