LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-07-2001, 12:00 PM   #1
Mr Smith
802.11b wireless access security questions.


What is the best way to secure an 802.11b wireless access point?

My current setup involves an Internet connection (with a single static IP address), a Linux box with three NICs (eth0, eth1, and eth2) serving as a router/firewall running ipchains, a LAN segment off eth1 using the 10.0.0.x address space (HUB A), and an additional LAN segment off of eth2 using the 10.0.1.x address space (HUB B). eth0 is used for the Internet connection.

I hung the 802.11b wireless access point off of HUB B (see diagram below), and have the rest of my wired LAN tied to HUB A.


Code:
                                 wired LAN
            linux box             |||||||
           +---------+  10.0.0.x +-------+
 Internet  |     eth1|-----------| HUB A |
(single IP)|         |           +-------+
-----------|eth0     |
           |         |  10.0.1.x +-------+
           |     eth2|-----------| HUB B |
           +---------+           +-------+
                                    |
                                  802.11b
                               access point
I then set up ipchains to masquerade from 10.0.0.x (eth1) to eth0, from 10.0.1.x (eth2) to eth0, but not from 10.0.0.x (eth0) to 10.0.1.x (eth1). This allows both LAN segments to use the Internet connection, and prohibits any of the wireless devices from seeing any of my wired PCs. I have WEP enabled on the access point and use a MAC address control list. I know both WEP and the MAC address control list can be easily circumvented, so this is why I've physically separated the wired LAN from the wireless access point.

What I need now is some way to authenticate the wireless users to access the PCs on the wired network. Would RADIUS work for this (if so, how?), or is there something else I should use?

Thanks in advance.
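The three-NIC ipchains layout described in this post, as an added example that is not the poster's own firewall script: a small model of the forward chain that renders the equivalent ipchains commands and evaluates sample flows with ipchains' first-match semantics. The interface names and address ranges are the ones given in the post; the explicit logged DENY rule, the default policy and the sample addresses are assumptions added here.

```python
"""Added example (not from the thread): the forward chain of the three-NIC
router in post #1, rendered as ipchains commands and evaluated first-match."""
import ipaddress

# Segments exactly as the post describes them: (interface, address range).
WIRED = ("eth1", ipaddress.ip_network("10.0.0.0/24"))      # HUB A, wired LAN
WIRELESS = ("eth2", ipaddress.ip_network("10.0.1.0/24"))   # HUB B, 802.11b AP
INTERNET_IF = "eth0"
ANY = ipaddress.ip_network("0.0.0.0/0")
DEFAULT_POLICY = "DENY"   # assumption: nothing is forwarded unless a rule says so

# One entry per ipchains rule on the forward chain:
# (source net, destination net, outgoing interface or None, target, log?).
# ipchains walks the chain top-down and stops at the first match, so order matters.
FORWARD_RULES = [
    # Explicit, logged deny so probes from the wireless side show up in syslog.
    # The default policy would drop them anyway, but silently.
    (WIRELESS[1], WIRED[1], None, "DENY", True),
    # Masquerade each LAN segment only when the packet leaves via eth0.
    # In the forward chain, ipchains' -i names the interface the packet goes OUT on.
    (WIRED[1], ANY, INTERNET_IF, "MASQ", False),
    (WIRELESS[1], ANY, INTERNET_IF, "MASQ", False),
]


def render_ipchains():
    """Emit the ipchains commands equivalent to DEFAULT_POLICY + FORWARD_RULES."""
    lines = [f"ipchains -P forward {DEFAULT_POLICY}"]
    for src, dst, iface, target, log in FORWARD_RULES:
        parts = ["ipchains", "-A", "forward", "-s", str(src)]
        if dst != ANY:
            parts += ["-d", str(dst)]
        if iface:
            parts += ["-i", iface]
        parts += ["-j", target]
        if log:
            parts.append("-l")
        lines.append(" ".join(parts))
    return lines


def egress_interface(dst):
    """Routing decision of the box: a directly attached segment, else the default route."""
    for iface, net in (WIRED, WIRELESS):
        if dst in net:
            return iface
    return INTERNET_IF


def forward_verdict(src_ip, dst_ip):
    """First-match evaluation of one forwarded packet, as ipchains would do it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    out = egress_interface(dst)
    for rule_src, rule_dst, iface, target, _log in FORWARD_RULES:
        if src in rule_src and dst in rule_dst and (iface is None or iface == out):
            return target
    return DEFAULT_POLICY


if __name__ == "__main__":
    print("\n".join(render_ipchains()))
    # constructed sample flows: one host per segment, one Internet destination
    for flow in (("10.0.0.5", "198.51.100.10"), ("10.0.1.20", "198.51.100.10"),
                 ("10.0.1.20", "10.0.0.5"), ("10.0.0.5", "10.0.1.20")):
        print(flow, "->", forward_verdict(*flow))
```

The point worth checking on a real box is the last two flows: with the default forward policy set to DENY, wired and wireless hosts cannot reach each other even though both masquerade rules exist, because neither rule matches a packet whose outgoing interface is eth1 or eth2. The logged rule is what turns silent drops into syslog entries that show whether anyone on the wireless side is probing the wired segment.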
 
Old 09-08-2001, 03:25 AM   #2
Mr Smith
Well I think I'm on the right track. I found this website

http://www.nas.nasa.gov/Groups/Netwo...ess/index.html

describing a method NASA uses to secure their wireless access points. This is exactly what I wanted, but unfortunately it doesn't go into much detail.

The article mentions that NASA was using a firewall with three NICs like I have set up, but here's the interesting part (of which I would like a more in-depth explanation on how to set this up):

Quote:
The need for web-based authentication is necessary so that any user running any platform can gain access to the wireless network. Apache (open-source) web server is designed to securely handle this task. The server implements Secure Socket Layer (SSL) for client/server public-and-private key RSA encryption. Connecting to the web server via HTTP automatically redirects the client browser to use HTTPS. This ensures that the username and password entered by a user will not be sent in clear text. To further increase security, the SSL certificate is signed by Verisign, a trusted Certificate Authority (CA), which assures that an attacker is not imitating the web server to retrieve a user's password information.

A website is setup where a user can go to type in their username and password information. This site displays the standard government system access warning and shows the IP address of the user's system (using PHP). Once a user has typed their username and password at the website where prompted, a Perl/CGI script then communicates with a Radius server with RSA's MD5 digest encryption to determine if the information submitted is correct. If the account information matches what is in the Radius database, then commands to allow their IP address, obtained through the Apache environment variables, are added to the IPF access rules. If the user is not found in the Radius database, or if the password entered is incorrect, a web page stating "Invalid Username and Password" is displayed to the user. If everything is successful, the user is notified of their privileged access.
Can anyone out there help me out with this, or at least direct me to some scripts that will perform these functions?

Thanks again.
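The exchange the quoted Perl/CGI script would carry out, as an added example that is neither the poster's code nor NASA's: a client builds a RADIUS Access-Request with the RFC 2865 User-Password hiding (the "MD5 digest" the article refers to), a stand-in server checks it and signs its reply with the Response Authenticator, and on Access-Accept the portal produces the allow rule for the client's address. The shared secret, user, password and addresses are constructed; the ipchains syntax is an assumption matching the poster's router (the NASA setup used IPF rules), and the address check against the wireless segment is an addition here.

```python
"""Added example, not code from the thread or from NASA: RADIUS Access-Request /
Access-Accept (RFC 2865) as the quoted CGI script would do it, then the per-IP
allow rule the web portal adds on success."""
import hashlib
import hmac
import ipaddress
import os
import struct

SHARED_SECRET = b"example-shared-secret"            # constructed for the example
USER_DB = {"alice": b"correct horse"}               # stand-in for the RADIUS user store
WIRELESS_NET = ipaddress.ip_network("10.0.1.0/24")  # HUB B from post #1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, request_auth, secret=SHARED_SECRET):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, request_auth, secret=SHARED_SECRET):
    """Server side of the same transform; chaining uses the hidden (received) blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, ident):
    """Client (the CGI script) -> server. Returns the packet and its Request Authenticator."""
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def radius_server(request, secret=SHARED_SECRET):
    """Stand-in RADIUS server: recover the password, check it, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    ok = hmac.compare_digest(password, USER_DB.get(user, b"\x00"))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_reply(reply, request_auth, secret=SHARED_SECRET):
    """Client check: the reply is bound to our request and was signed with the secret."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def portal_login(username, password, client_ip, ident=42):
    """The quoted flow: authenticate, then allow that client address through to the wired LAN."""
    ip = ipaddress.ip_address(client_ip)  # validates REMOTE_ADDR before it reaches a shell command
    if ip not in WIRELESS_NET:
        return None  # only hosts on the wireless segment can be granted access
    request, request_auth = build_access_request(username, password, ident)
    if verify_reply(radius_server(request), request_auth) != ACCESS_ACCEPT:
        return None
    return f"ipchains -I forward -s {ip} -d 10.0.0.0/24 -j ACCEPT"  # assumed rule shape


if __name__ == "__main__":
    print(portal_login("alice", b"correct horse", "10.0.1.20"))
```

Two things to keep in mind when building this for real: the User-Password transform is keyed only by the shared secret and a random authenticator, so the secret's strength and the unpredictability of the Request Authenticator are what protect the password between the portal and the RADIUS server, and the resulting firewall rule is keyed only to an IP address, so a grant should be expired after inactivity and, on the wireless segment, tied to the client's MAC address as well, since another station can adopt the address once the user leaves.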
 
Old 09-08-2001, 07:04 AM   #3
unSpawn
I've been following the 802.11 insecurity / security discussion for more than half a year now. But w/o practical expertise (haven't got a WAP to play with, nor Netstumbler & a laptop w. antennae) I'd rather quote from a few articles: NETS Wireless FAQ at http://www.scd.ucar.edu/nets/projects/wireless/FAQ.html and 80211b.weblogger's "Wireless insecurity" at http://80211b.weblogger.com/weak.defense.html, which both point to a VPN solution as a feasible way of securing AP communications.

Then there are a few checklists out there, explaining what stuff you *really* need to customize when working with WAPs and clients. One of them is at http://www.extremetech.com/article/0...D13880,00.asp, go to "Tips for securing your Wireless Network." You will also want to look into "802.11 Security Vulnerabilities" at http://www.cs.umd.edu/~waa/wireless.html; glancing at your setup, you covered the separation thingie already.

Anyway, HTH somehow.

NETS:
"Use Layer 3 security. The limitations of WEP security are most effectively overcome by using a IPSec or VPN gateway.

An easy way of setting up this type of environment is to turn off all 802.11 security. The wireless subnet is then configured without a normal router. Rather, all users are required to log in to the IPSec or VPN gateway to get access to the rest of the network. This provides all of the additional security features that WEP does not provide.

Individual accountability and severability.
Since each user logs into the gateway with their own username and password, it is possible to trace any malicious activity back to a specific login. In addition, individual logins can be disabled without affecting other users.

Protection from sniffing.
Since each user has their own encrypted session with the gateway, it is not possible for the users to sniff each other's traffic.

No severe protocol holes.
Current VPN and IPSec protocols do not suffer from the large design flaws present in WEP."

80211b.Weblogger:
"Existing solutions: 1. Use secure protocols for all communication. SSH (secure shell) has been expanded for use beyond telnet-like terminal sessions; like SSL (secure sockets layer) isn't just for Web transactions. Eudora, Outlook, sendmail, Exchange, and other software support SSH or SSL for encrypted transactions. 2. Locate all access points outside firewalls and require VPN (virtual private networks). Virtually (no joke intended) all access points support passing the PPTP and IPSec secure protocols. By locating the access points outside a company or personal firewall, you ensure that a cracker will still have to pass that barrier, even if they access your hub. The VPN encrypts all traffic between the source and destination network, keeping any plain text traffic from ever leaving your machine."
 
Old 09-08-2001, 11:51 AM   #4
Mr Smith
Thank you for the response and useful links! Looks like I've got some reading in front of me.
 
Old 10-09-2001, 02:18 PM   #5
DavidPhillips
Secure wireless

I have a LAN with 30+ users. It is currently on one end of a wireless network device.

The Linux box on the other end is connected to an ADSL line and is providing NAT and firewall to the Internet, as well as DHCP to the boxes on the LAN.

I do not want to allow wireless hackers to access my LAN, or snoop the traffic going to the Internet or coming back.


I have the resources to add another Linux box on the LAN side of the wireless.

What do I need to use for the connection?

I am thinking SSH, and only allow the Linux box on the LAN side to access the Linux box on the Internet side.

Can I encrypt all data using SSH?

Does this seem possible?
 
Old 10-10-2001, 12:32 AM   #6
DavidPhillips
Ok,

I have the other box in. It is now a firewall for the LAN, and the Internet router is no longer a Samba server or a DHCP server.

I think I still need some encryption of traffic. Should I use a VPN?
 
Old 10-10-2001, 06:04 AM   #7
raz
David, I have a pet project I'm going to run in the next few weeks, for the neighbours of the flat I've just bought, using 802.11b.

These are my plans.
I'm installing a 2mbit ADSL line, then upgrading to SDSL in 2002.
Buy a Nokia wireless router, "the best at performance for WEP".

To improve security I'm going to do the following.
Run my own POP, so it's on a LAN, not over WEP.
Run my own DNS, " "
Then a Linux 7.1 box with firewall and 3 NICs:
1 for my home LAN systems
1 for the DSL link to the router
1 for the LAN and wireless NAT addresses.

Then I'll firewall off all the correct addresses.
All connections from my home Linux internal systems will have a VPN link to my research labs at work using IPSEC with RH7.1.

So the only traffic that can be sniffed "easily" is WEP 128-bit encrypted packets between the NAT PCs and the Nokia router.
There are security issues with WEP, but 98% of hackers would not have the abilities to read anything from the encrypted stream.

All Cat5-based connections will have rules on the firewall to stop sniffing, and switches with MAC flood protection to make it harder for internal people to do it.
--------------
For what you're looking to do, I suggest using SSH to admin any Linux boxes, but all connections between trusted systems link together with a VPN using IPSEC on a 2.4 kernel.

/Raz
 
Old 10-10-2001, 10:33 AM   #8
DavidPhillips
This sounds like what I want.

We have VPN on our Win2000 boxes to connect to a company network, and I have set up the ADSL to work with VPN, I believe. To test it I have to get a digital certificate from the company, which I am waiting for now. Then I will be trying to use VPN masq if I can get it working.


I am going to look into VPN for Linux now. I saw something on a server/client solution for Linux, but I have not figured out what I need just yet.


Right now I still have the DNS server on the ADSL side; should I put it on the LAN side?



Thanks,

David

 
Old 10-10-2001, 11:15 AM   #9
raz
I would put a caching DNS (BIND) server on the Cat5 LAN.

Then you'll get a small improvement in performance + a more secure network, as only 1 system will be making its UDP lookups to the named unicast root DNS Internet addresses.

Just remember to allow incoming UDP source port 53 from SYN ACK flagged TCP/IP packets not SYN flag requests.
Not forgetting tcp_syncookies protection on the firewall for the server.

If you're going to run a primary authoritative DNS, then there are lots of different security issues you'll have to be aware of.

Some info for ya:
http://www.quintillion.com/fdis/moat/ipsec+routing/
http://www.morbitzer.de/home/jomo/ipsec-linux.html
I find this one from Red Hat particularly helpful:
http://europe.redhat.com/documentati...g-HOWTO-6.php3
This one is v-good, but the server is currently down.
http://www.cert.dfn.de/eng/team/ue/fw/ipv6fw/node5.html


/Raz