Sunday, April 24, 2005

Linksys BEFW11S4

I've been using this unit since May 2000 and it's still going strong. There was a brief time in 2003 that the wireless failed to work (it just failed to transmit), but it seems to have miraculously healed itself after a couple of resets and a while on the shelf. It is currently used as my "public" AP for granting limited access to guests and passersby, to dissuade them from knocking on my "private" AP.

Product Page

http://www.linksys.com/support/support.asp?spid=68

Public Wireless Diversion

Many people talk of wireless security in terms of the strength of encryption. However, many access attempts on wireless networks are simply users looking for a free Internet connection. In this model of access acquisition, the intruder will often pass over even a weakly secured network for lower-hanging fruit. This article explores wireless security from that angle: offering the prospective rogue client a more enticing target than your own network.

Even though unsecured wireless access is highly available in populated areas, it is still pretty sparse in my corner of the States. So, to remove the temptation from the locals looking for a free ride on my production data network, I've set up a public access point for them. The following document offers my tips for a successful diversionary AP and how to ensure you aren't providing a casual hacker a backdoor into your network.

Intent

This is intended for a home setup, or maybe a small business that doesn't pass sensitive data on its wireless network but doesn't want prying eyes watching its traffic or using its AP as a spam relay. This is security through appeasement: for it to work, the freely available network must be more attractive than the protected wireless network. Larger businesses, or anyone handling sensitive data, should implement more robust protection for their wireless networks.

Public Access Network

AP Selection

To ensure the public network is the most succulent plum, you may want to invest in an AP that accepts external antennas. This lets you extend the coverage of the public network with the high-gain antennas now available at consumer electronics stores. With the larger coverage area, a would-be freeloader will hit the public network before they are even aware of your data network. However, for this simple example, any consumer-grade access point will do.

Infrastructure Setup

The public access infrastructure will require an AP and a separate routing control device (read "firewall") with its own interface for the public segment, so that public traffic never shares a wire with the private LAN. If you have a spare box with three NICs, look at Smoothwall (http://www.smoothwall.org) for an easy out-of-the-box solution. Some modifications to the /etc/rc.d/rc.firewallup script will be necessary to grant outgoing access to the ORANGE ("Public access" or "DMZ") interface.

The goal here is to allow the most common forms of access without presenting major exposure. This setup will allow common web and email client access, but not email relaying, so a spammer would not be able to abuse the network and get you into trouble. This is not to say that a user wouldn't do something illegal over an approved protocol, like uploading illegal material to a website through your network. If you are worried about these things, look at an in-line transparent proxy, like Squid (http://www.squid-cache.org/), that can log where users are going and possibly block activity you deem inappropriate. Bear in mind that a transparent proxy only sees plain HTTP; it cannot look inside HTTPS sessions, so it is an audit trail and a deterrent rather than a complete control.

The firewall should limit the egress (outgoing) access of the public network to only the necessary protocols. Most users want some basic access to the web, their email and maybe some other apps, like instant messaging. For this example, users of the public net will be limited to web functions (HTTP - TCP 80, HTTPS - TCP 443), email retrieval (POP3 - TCP 110), the necessity to make these work (DNS - UDP 53), and one infrastructure service to get the correct time (NTP - UDP 123). SMTP (TCP 25) is deliberately absent; that is what stops the relaying. No ingress (incoming) access should be allowed. The DNS and NTP replies do come back over UDP, but a stateful firewall (iptables connection tracking on a Linux box) matches them to the request that went out, so no explicit inbound rule is needed. Note that POP3 on port 110 sends the user's password in the clear, and on an open AP anyone within range can capture it; that is the user's risk to take, but it is worth knowing when you decide what to permit.

Connect the public AP and open its configuration interface; this is commonly a web page on the device. Change the default administrator password first, and disable administration from the wireless side if the AP offers it, or a public user can simply reconfigure your diversion. Set the DNS servers to those provided by your ISP. Set the DHCP service on the AP to hand out a reasonable number of addresses; I allow for 50 users. Give the AP's WAN port a static IP address in the same subnet as the firewall's public (ORANGE) interface, with that firewall interface as the gateway. Save the settings and back up the configuration if possible. Reboot the AP. Connect a client to the AP and make sure it receives the DNS servers and gateway you set, then try browsing some web pages and confirm that something you did not permit (an SMTP connection to port 25, say) is refused.
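As an added example (not the page's own script and not Smoothwall's rc.firewallup), here is the egress policy described above written as a plain iptables script for a three-NIC Linux firewall. The interface names (eth0 = GREEN, eth1 = ORANGE, eth2 = RED), the chain name PUBLIC_OUT and the "PUBLIC-DROP:" log prefix are assumptions. The script prints the rules so they can be read before they go live, and applies them only when run as "apply" by root.

```shell
#!/bin/sh
# Egress policy for the public (ORANGE) segment of a three-NIC Linux firewall.
# Assumed interface layout: GREEN = private LAN, ORANGE = public AP segment,
# RED = ISP uplink. Override with environment variables if yours differ.
FW_GREEN=${FW_GREEN:-eth0}
FW_ORANGE=${FW_ORANGE:-eth1}
FW_RED=${FW_RED:-eth2}

# Print the iptables commands instead of running them, so the policy can be
# reviewed (or diffed against a running box) before it is applied.
orange_egress_rules() {
    cat <<EOF
iptables -N PUBLIC_OUT 2>/dev/null || iptables -F PUBLIC_OUT
# Public clients never reach the private LAN, whatever the port.
iptables -A PUBLIC_OUT -i $FW_ORANGE -o $FW_GREEN -j DROP
# Replies to flows the public side opened. DNS and NTP answers come back over
# UDP, but connection tracking matches them, so no explicit ingress rule.
iptables -A PUBLIC_OUT -i $FW_RED -o $FW_ORANGE -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Web and POP3 outbound (TCP); only the public side may open the connection.
    for port in 80 443 110; do
        echo "iptables -A PUBLIC_OUT -i $FW_ORANGE -o $FW_RED -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # DNS and NTP outbound (UDP).
    for port in 53 123; do
        echo "iptables -A PUBLIC_OUT -i $FW_ORANGE -o $FW_RED -p udp --dport $port -j ACCEPT"
    done
    cat <<EOF
# Everything else from the public segment, SMTP (TCP 25) included, is logged
# (rate-limited) and dropped, so nobody can relay mail through the network.
iptables -A PUBLIC_OUT -i $FW_ORANGE -m limit --limit 5/min -j LOG --log-prefix "PUBLIC-DROP: "
iptables -A PUBLIC_OUT -i $FW_ORANGE -j DROP
# Hook the chain into FORWARD once; the -C check keeps re-runs idempotent.
iptables -C FORWARD -j PUBLIC_OUT 2>/dev/null || iptables -I FORWARD 1 -j PUBLIC_OUT
# Hide public clients behind the RED address (skip if the box already masquerades RED).
iptables -t nat -A POSTROUTING -o $FW_RED -j MASQUERADE
EOF
}

# Usage on the firewall, as root:   sh public-egress.sh apply
# With no argument the script only defines the function and does nothing.
case "${1:-}" in
    apply) orange_egress_rules | sh ;;
esac
```

Run it without arguments first and read the output; the ORANGE-to-GREEN drop sits above every ACCEPT on purpose, so a public client cannot reach the private LAN even on a permitted port.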

In this example, I've also added a "public" hub between the AP and the firewall so I can easily connect a spare box for traffic analysis with Snort (http://www.snort.org), capture of interesting packets (tcpdump), and a honeypot to see if the public net is being abused (Honeyd, LaBrea Tarpit, netcat, or whatever). A hub rather than a switch matters here: a hub repeats every frame to every port, so the monitoring box sees all public traffic without any port-mirroring configuration. These tools let me determine whether the public network is being abused and needs to be taken down for a time or improved. This 100 Mb/s half-duplex hub won't hurt performance, since wireless is itself a half-duplex medium whose theoretical maximum throughput (802.11g = 54 Mb/s) is about half of the hub's.
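An added example for the monitoring box, not part of the original page: a small shell script that reads the firewall's syslog for packets dropped from the public segment and picks out clients that look like mail relays or that probed the private LAN. The sample log lines are constructed; the "PUBLIC-DROP:" prefix, the interface names and the thresholds are assumptions, though the line layout (IN=, OUT=, SRC=, PROTO=, DPT=) is the kernel's standard iptables LOG format.

```shell
#!/bin/sh
# Summarise iptables LOG lines for dropped public-segment packets and flag
# suspicious clients. Assumptions: the firewall logs such drops with the
# prefix below, and the private LAN is behind eth0.
PREFIX=${PREFIX:-PUBLIC-DROP:}
FW_GREEN=${FW_GREEN:-eth0}

# Constructed sample syslog lines (not a real capture).
SAMPLE_LOG='Apr 24 13:01:02 fw kernel: PUBLIC-DROP: IN=eth1 OUT=eth2 SRC=192.168.2.37 DST=203.0.113.10 PROTO=TCP SPT=4123 DPT=25 SYN
Apr 24 13:01:03 fw kernel: PUBLIC-DROP: IN=eth1 OUT=eth2 SRC=192.168.2.37 DST=203.0.113.11 PROTO=TCP SPT=4124 DPT=25 SYN
Apr 24 13:01:04 fw kernel: PUBLIC-DROP: IN=eth1 OUT=eth2 SRC=192.168.2.37 DST=203.0.113.12 PROTO=TCP SPT=4125 DPT=25 SYN
Apr 24 13:02:10 fw kernel: PUBLIC-DROP: IN=eth1 OUT=eth0 SRC=192.168.2.40 DST=192.168.1.5 PROTO=TCP SPT=33001 DPT=139 SYN
Apr 24 13:02:10 fw kernel: PUBLIC-DROP: IN=eth1 OUT=eth0 SRC=192.168.2.40 DST=192.168.1.5 PROTO=TCP SPT=33002 DPT=445 SYN
Apr 24 13:05:00 fw kernel: PUBLIC-DROP: IN=eth1 OUT=eth2 SRC=192.168.2.51 DST=198.51.100.9 PROTO=UDP SPT=5060 DPT=5060
Apr 24 13:05:01 fw kernel: unrelated message that must be ignored'

# Read syslog on stdin; print "count src proto dport", most frequent first.
drop_summary() {
    grep -F "$PREFIX" | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (src != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Sources that hit TCP 25 at least $1 times (default 3): a public client doing
# that is trying to use the network as a mail relay.
relay_suspects() {
    threshold=${1:-3}
    drop_summary | awk -v t="$threshold" '$3 == "TCP" && $4 == 25 && $1 >= t { print $2 }'
}

# Sources that were blocked trying to cross into the private LAN interface.
lan_probers() {
    grep -F "$PREFIX" | grep "OUT=$FW_GREEN " | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub("SRC=", "", $i); seen[$i]++ }
    } END { for (s in seen) print s }'
}

# Usage on the monitoring box:  drop_summary < /var/log/messages
# With the constructed sample:   printf '%s\n' "$SAMPLE_LOG" | relay_suspects
```

Feed it the real syslog (or pipe `tail -f` into it) once the public net is live; a single address hammering port 25, or anything at all landing on the GREEN interface, is the signal that the diversion is being used for something other than free web browsing.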

Packet Snooping and Legality

Is it legal to snoop on your own public access network? You are providing the network with no guarantee of privacy or security, and the argument runs that users accept whatever terms you impose, since they connected without seeking any agreement first. There is also a practical reason: if your ISP accuses you of something, how else will you know who was using your network and what they did?

This can be a very tricky subject, so snoop at your own risk. You may also want an in-line transparent proxy that displays a disclaimer notice on the user's first web access, so the terms are at least stated rather than implied.

SSID & Frequency Selection

802.11b/g only has three non-overlapping channels: 1, 6, and 11. The higher channels sit at slightly higher frequencies, but channels 1 through 11 span only about 50 MHz (2412 to 2462 MHz), so the difference in interference and attenuation between them is marginal in practice; what matters is that the two APs sit on channels that do not overlap. To make your public access net attractive, you want it to have the maximum coverage available so users see it before your protected wireless net. Set the public AP to channel 1.

To ensure scanning users searching for a network understand the intent of this AP, set the SSID to "PUBLIC". This sends a clear message to passersby that this network is provided for their use and further searching or hacking is unnecessary.

Protected Data Network

AP Selection

For the private side, use an AP that provides security features appropriate for the sensitivity of the data. Linksys wireless routers offer the consumer-standard options (WEP, now obsolete, and WPA-PSK) as well as WPA with 802.1X authentication against an external RADIUS server for more demanding environments.

Infrastructure Setup

This is up to you. You may want to monitor the network for intrusions to make sure the security scheme in place is working, though for a home environment this is probably overkill. Do make sure that every node (computer) using the wireless network has a firewall installed and operating. See the CentralSyslog project for more on how to centrally collect firewall and login logs so intrusion attempts can be spotted. Also see the SnortDocumentation project to set up a freely available intrusion detection system for your network.

SSID & Frequency Selection

As with the public AP, keep this network to the coverage area actually needed: lower the transmit power if the AP allows it, and keep the AP away from exterior walls. It must also use a channel that will not interfere with the public network in such close proximity. Since 802.11b/g networks only offer three non-overlapping channels (1, 6, 11) and the public AP is using channel 1, the data network should use either channel 11 or 6. I recommend channel 11 as it has the weakest area penetration, but I've also found it is more susceptible to microwave oven interference. If your environment is susceptible to these types of interference, channel 6 may work better for you.

When setting your SSID, make it something cryptic that has meaning to you but reveals nothing about the data or the owner of the AP. An example would be 5TIMdN2, for "This is my data network's second access point". The less scanning passersby learn about the network, the better; the SSID itself is sent in the clear and is no secret, so treat this as hygiene rather than protection.

Security Options

Almost all consumer access points have basic wireless security options, like MAC filtering and encryption. Enable MAC filtering at the very least, listing all of the legitimate NICs that require access to the protected network; but know that client MAC addresses travel in the clear in every frame and can be copied by anyone with a sniffer, so this only filters the casual. Encryption is HIGHLY recommended, as it sends a clear signal to common passersby that some effort will be needed to gain access to the network. Select a level of encryption appropriate for your data stream. WEP is broken (its key can be recovered from captured traffic) and should be treated as a "keep out" sign only. I recommend WPA-PSK for typical home use as it is considerably harder to break than WEP, meaning more work for the intruder, and your public access network becomes that much more attractive. Its strength rests entirely on the passphrase: an attacker who captures a client's association handshake can try passphrases offline, so use a long, random one rather than a dictionary word. Disabling the SSID broadcast may hide your AP from scanners for a time (your own clients still reveal it in their probe requests), but it can also cause association problems for legitimate clients using Wireless Zero Config.

Final Notes

Remember, this is security through diversion and is not designed to thwart the determined hacker. The most pertinent points I can reinforce about this strategy are make the public access point as open and attractive as possible, and make the production data network as hard to penetrate as is reasonable for your environment.

Feedback

Questions and comments can be sent to pinowudi@yahoo.com

Netgear WSG11v1 54Mbs 802.11g PCMCIA Wireless Adapter

Tested with Windows XP SP2 and Fedora Core 2

This is the only wireless adapter I've owned that doesn't work in either Windows or Linux. The Linux part I can understand, since it uses the wlan-ng driver set and it's mostly due to my lack of knowledge of these drivers. Windows is beyond me, since it's advertised as being supported on all current versions.

The original driver loaded and worked for a few hours under the Windows Zero Configuration drivers until the laptop hibernated. On resume, the laptop froze in a blue screen of death indicating the WSG11 as the culprit. This was consistent, happening every time without fail.

Searching the Netgear support site (http://www.netgear.com) revealed a compatibility problem with XP SP2 and provided a beta driver (2.9.??). I downloaded it and reinstalled. The driver interface is much improved, now providing its own setup utility, so no more Windows Zero Config. It worked through the first hibernate, but has since caused three blue screens. It's still not production material.

SMC 2835 802.11b PCMCIA Client Adapter

Tested with Windows XP and Fedora Core 2

Windows

Reception and range are excellent. Simple drivers use the integrated Windows Zero Config for configuration. No vendor-supplied interface. Works well and is simple to install.

Linux

Unfortunately, the chipset does not have a viable LINUX driver.

Intel Centrino 802.11b mini-PCI Client Adapter

Tested with Windows XP on a Dell Inspiron m600

The Centrino works well on startup, but does not survive hibernation and refuses to reactivate without a reboot. Switching from Wireless Zero Config to the Intel configuration tool remedied the blue screen crashing on standby wake. The Intel tool is very well designed, with configuration for every feature of the card and WLAN discovery tools.

Cisco 340 802.11b PCMCIA Client Adapter

Tested with Windows XP and Fedora Core 2

Windows

Works well with Windows when using the Cisco drivers. Ultimately configurable with respect to transmission power and power use settings.

Linux

The LINUX kernels > 2.3 have the airo_cs module precompiled, making most distributions compatible by default. This supports basic use, but is very hard to configure in any non-standard setup. I was never able to get it working with WEP encryption. I also had difficulty getting the unit to work with Kismet in rfmon mode.

Linksys WRT54G

This is one of the best consumer-grade products I've seen. It has a good mix of features for security and setup with an easy-to-use web-based configuration tool. Excellent coverage and speed. Cisco also offers a buy-back program for Cisco AP upgrades, which is very attractive.

Product Information

http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=601