LinuxQuestions.org > Linux - Security > Securing a LAN against wireless attacks
(https://www.linuxquestions.org/questions/linux-security-4/securing-a-lan-against-wireless-attacks-595891/)

John A. Scrotum 10-30-2007 04:34 PM

Securing a LAN against wireless attacks
 
I have a small home-based LAN that I recently enabled wireless access to. I have done all of the security procedures that my wireless router allows, i.e. disabled SSID broadcast, enabled WEP encryption, et cetera.

I have some concerns about the security of the two Debian boxes that are on my LAN. Chiefly, I am concerned that some hooligan (I like that word) will somehow manage to connect to my LAN via my wireless router. It's a long shot I expect, but I don't want to take chances.

On both Debian boxes I am using TCP Wrappers to control access to services like sshd and ftpd. My /etc/hosts.deny files on both machines are configured as follows:

ALL: ALL : deny

My /etc/hosts.allow files on both machines are configured to allow only the other Linux box to connect to services. So they're configured something like this:

ALL: 127.0.0.1
ALL: 192.168.3.37
ALL: 192.168.3.49
ALL EXCEPT in.ftpd: 192.168.3.137

As a little extra security with sshd, I have decided to use the AllowUsers keyword in my /etc/ssh/sshd_config file. It's configured like this:

AllowUsers user1@linuxbox1.mylan.net user2@linuxbox1.mylan.net

All services that are not needed have been shutdown in /etc/inetd.conf or just plain uninstalled.

I don't really want the bother of installing a firewall on each machine, especially since the entire LAN is already behind a firewall. So I'm not really interested in delving into iptables and NAT. I am wondering, however, if there are any further measures I should take on my two Debian boxes in order to preempt any potential attack which may come in the form of an unwanted wireless connection?

All thanks offered for any and all suggestions and/or ideas.
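As an added example (not part of the original post): a small bash evaluator for the hosts.allow / hosts.deny rules quoted above. It applies tcpd's order (hosts.allow first, then hosts.deny, access granted if neither file matches) to the (daemon, client) pairs the poster cares about. The last case is the check a practitioner would want: an intruder who reaches the wireless segment and simply configures 192.168.3.37 on his own interface passes the allow list, because TCP wrappers only ever sees a source address. Only services started through tcpd from inetd or built against libwrap consult these files at all; on a Debian box the real tool for this query is tcpdmatch(8) from the tcpd package.

```bash
#!/bin/bash
# Added example: a tiny evaluator for the hosts.allow / hosts.deny rules quoted
# in the post, so each (daemon, client) pair can be checked against the same
# allow-first, deny-second, default-allow order that tcpd uses.  It understands
# only what the post uses: ALL, EXCEPT, comma lists and literal addresses
# (no hostnames, wildcards or netmasks).  On a real box use tcpdmatch(8).

HOSTS_ALLOW='ALL: 127.0.0.1
ALL: 192.168.3.37
ALL: 192.168.3.49
ALL EXCEPT in.ftpd: 192.168.3.137'

HOSTS_DENY='ALL: ALL : deny'

# list_matches LIST ITEM -> true if ITEM is covered by LIST
# ("ALL", "a, b", or "LIST EXCEPT LIST").
list_matches() {
    local list=$1 item=$2 tok
    case "$list" in
        *EXCEPT*)
            list_matches "${list%%EXCEPT*}" "$item" \
                && ! list_matches "${list#*EXCEPT}" "$item"
            return
            ;;
    esac
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        [ "$tok" = ALL ] && return 0
        [ "$tok" = "$item" ] && return 0
    done
    return 1
}

# rules_match RULES DAEMON CLIENT -> true if any "daemons : clients [: option]"
# line in RULES matches both the daemon and the client address.
rules_match() {
    local rules=$1 daemon=$2 client=$3 line daemons rest clients
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}       # drop a trailing ": deny" / ": allow" option
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# tcpd_decision DAEMON CLIENT -> prints "allow" or "deny" using tcpd's order:
# hosts.allow first, then hosts.deny; access is granted if neither matches.
tcpd_decision() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo allow
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# The cases the post cares about, plus the one TCP wrappers cannot stop: a
# wireless intruder who configures a trusted address on his own NIC.
for pair in "sshd 192.168.3.137" "in.ftpd 192.168.3.137" \
            "sshd 192.168.3.200" "sshd 192.168.3.37"; do
    set -- $pair
    printf '%-8s from %-15s -> %s\n' "$1" "$2" "$(tcpd_decision "$1" "$2")"
done
```

The fourth line of output is the point: the rules cannot tell the real 192.168.3.37 from anyone who claims that address on the same broadcast domain, which is exactly what an unwanted wireless client gets to do.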

win32sux 10-30-2007 05:01 PM

Quote:

Originally Posted by John A. Scrotum (Post 2942666)
I have a small home-based LAN that I recently enabled wireless access to. I have done all of the security procedures that my wireless router allows, i.e. disabled SSID broadcast, enabled WEP encryption, et cetera.

I have some concerns about the security of the two Debian boxes that are on my LAN. Chiefly, I am concerned that some hooligan (I like that word) will somehow manage to connect to my LAN via my wireless router. It's a long shot I expect, but I don't want to take chances.

Well, you're off to a bad start. WEP is a hooligan's wet dream (it's extremely easy to crack). You really should upgrade to WPA/2 if possible. WEP is nothing but a tiny speedbump.

Quote:

I don't really want the bother of installing a firewall on each machine, especially since the entire LAN is already behind a firewall. So I'm not really interested in delving into iptables and NAT. I am wondering, however, if there are any further measures I should take on my two Debian boxes in order to preempt any potential attack which may come in the form of an unwanted wireless connection?
Well, the most essential preemptive measure in your case is precisely the one you aren't interested in: host-based firewalls. Installing a HIDS on each box is also recommended, but it's not a replacement for proper firewalling (the same goes for TCP wrappers). Your lack of decent wireless encryption and host-based firewalling seem to me like the two most important issues you are facing at the current time. IMHO, you should address those before doing anything else. Just my two cents.

Brian1 10-30-2007 05:16 PM

Yes, WEP is like Microsoft's top line of security. WPA2 with EAP and CCMP is the better choice, but still crackable these days. The best thing is to run a firewall on each machine, allowing only what is needed. Best is just SSH only, and then port-forwarding additional services over SSH. Use a passphrase for the SSH connection and no passwords. Also set sshd to not allow root login as well.

The only other help is RADIUS authentication, which may help some, but this would require a Cisco unit or a Linux box with a wireless NIC set up in access-point mode.

Brian
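As an added example (not from any poster): a bash audit of an sshd_config against the points made above, i.e. no root login, keys instead of passwords, protocol 2 only, and the AllowUsers list from the first post. It is not OpenSSH code, and both sample configs are constructed here. The one behaviour worth internalising is that sshd uses the first occurrence of a keyword, so a hardening line appended to the end of the file does nothing if the same keyword already appears higher up; the permissive sample below shows exactly that.

```bash
#!/bin/bash
# Added example, not OpenSSH code: audit an sshd_config against the advice in
# the thread (protocol 2 only, no root login, keys instead of passwords, an
# AllowUsers list).  It reads the file the way sshd does, which is where most
# "I hardened it but it still accepts passwords" surprises come from:
# keywords are case-insensitive, "#" lines are comments, and the FIRST
# occurrence of a keyword wins, so a hardening line appended at the bottom is
# ignored if the same keyword already appears higher up.  Lines after the
# first "Match" block are conditional and are not inspected here.

# sshd_get KEYWORD  (config text on stdin) -> effective value, empty if unset
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 || /^[[:space:]]*#/ { next }          # blank line or comment
        tolower($1) == "match"      { exit }          # stop at conditional blocks
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# audit_sshd_config  (config text on stdin) -> one finding per line; exit 1 if any
audit_sshd_config() {
    local cfg v n=0
    cfg=$(cat)

    v=$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin)
    if [ "${v:-yes}" != no ]; then            # unset meant "yes" on 2007-era OpenSSH
        echo "PermitRootLogin is '${v:-unset}': set 'no', use su/sudo after login"; n=$((n+1))
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get PasswordAuthentication)
    if [ "${v:-yes}" != no ]; then            # default is yes
        echo "PasswordAuthentication is '${v:-unset}': set 'no', log in with keys"; n=$((n+1))
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get PubkeyAuthentication)
    if [ "${v:-yes}" != yes ]; then
        echo "PubkeyAuthentication is '$v': key-only login needs 'yes'"; n=$((n+1))
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get ChallengeResponseAuthentication)
    if [ "${v:-yes}" != no ]; then            # with UsePAM, keyboard-interactive still takes passwords
        echo "ChallengeResponseAuthentication is '${v:-unset}': set 'no' or PAM still accepts passwords"; n=$((n+1))
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get Protocol)
    if [ "$v" != 2 ]; then
        echo "Protocol is '${v:-unset}': pin 'Protocol 2' so SSH-1 can never be negotiated"; n=$((n+1))
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset: every account with a shell can be attacked"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: a permissive config with a hardening line appended later
# that has no effect, because the first PermitRootLogin above it wins.
WEAK_CFG='Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# added later, ignored by sshd: the first PermitRootLogin wins
PermitRootLogin no'

# Constructed sample: what the thread recommends, with the AllowUsers line
# from the first post.
HARD_CFG='Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers user1@linuxbox1.mylan.net user2@linuxbox1.mylan.net'

echo "== permissive config =="
printf '%s\n' "$WEAK_CFG" | audit_sshd_config || echo "(findings listed above)"
echo "== hardened config =="
printf '%s\n' "$HARD_CFG" | audit_sshd_config && echo "no findings"
```

Run it against the live file with `audit_sshd_config < /etc/ssh/sshd_config`, then `sshd -t` to syntax-check any edits before restarting, and keep an existing session open while testing the new settings from a second one.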

John A. Scrotum 10-30-2007 05:21 PM

Quote:

Originally Posted by win32sux (Post 2942697)
Well, you're off to a bad start. WEP is a hooligan's wet dream (it's extremely easy to crack). You really should upgrade to WPA/2 if possible. WEP is nothing but a tiny speedbump.

WEP is all that my old router will allow as far as encryption goes. So I'll have to get a new router in order to upgrade to WPA/2.
Quote:

Originally Posted by win32sux (Post 2942697)
Well, the most essential preemptive measure in your case is precisely the one you aren't interested in: host-based firewalls. Installing a HIDS on each box is also recommended, but it's not a replacement for proper firewalling (the same goes for TCP wrappers). Your lack of decent wireless encryption and host-based firewalling seem to me like the two most important issues you are facing at the current time. IMHO, you should address those before doing anything else. Just my two cents.

I'll reconsider iptables. Can you recommend a decent intrusion detection system that is light on resources? I'll Google it in the meantime. Thanks.

win32sux 10-30-2007 05:26 PM

Quote:

Originally Posted by John A. Scrotum (Post 2942720)
I'll reconsider iptables. Can you recommend a decent intrusion detection system that is light on resources? I'll Google it in the meantime. Thanks.

Code:

apt-get install tripwire
Debian's Tripwire is the one I use, but honestly I've never really looked into its resource usage. It runs dandily on my 1.2Ghz dinosaur, though. Some other HIDS you might wanna look at: AIDE, Samhain, Osiris, OSSEC, Tiger, Afick, Integrit, etc.
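As an added example (not Tripwire or AIDE code, and not from the poster): the core of what every file-integrity HIDS in that list does, reduced to two bash functions. A baseline records a hash and the permission bits of every regular file under a tree; a later check rescans and reports what changed, appeared or vanished. The demo tree is constructed inline. The caveat that makes or breaks a real deployment is where the baseline lives: if a root-level intruder can rewrite it, the check proves nothing, which is why Tripwire signs its database and why AIDE setups copy it off the box or onto read-only media.

```bash
#!/bin/bash
# Added example, not Tripwire or AIDE code: the core of a file-integrity HIDS.
# fim_baseline records a hash and the permission bits of every regular file
# under a tree; fim_check rescans and reports what changed, appeared or
# vanished since.  Keep the baseline where an intruder with root cannot
# rewrite it (read-only media, another host, or signed, as Tripwire does).

# fim_baseline DIR DBFILE -> writes "sha256<TAB>mode<TAB>path" per file
fim_baseline() {
    local dir=$1 db=$2 f
    : > "$db"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
                              "$(stat -c %a "$f")" "$f"
    done >> "$db"
}

# fim_check DIR DBFILE -> prints "changed|added|removed <path>" lines, none if clean
fim_check() {
    local dir=$1 db=$2 now
    now=$(mktemp)
    fim_baseline "$dir" "$now"
    # First file (the baseline) is loaded into base[]; the second (fresh scan)
    # is compared against it.  FILENAME is used instead of NR==FNR so an
    # empty baseline does not swallow the second file.
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$3] = $1 FS $2; next }
        {
            seen[$3] = 1
            if (!($3 in base))              print "added " $3
            else if (base[$3] != $1 FS $2)  print "changed " $3
        }
        END { for (p in base) if (!(p in seen)) print "removed " p }
    ' "$db" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Demo on a constructed stand-in for /etc.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/passwd"
printf 'PermitRootLogin no\n' > "$demo/sshd_config"
chmod 644 "$demo/passwd" "$demo/sshd_config"
fim_baseline "$demo" "$demo.db"              # taken while the box is known-good
printf 'PermitRootLogin yes\n' > "$demo/sshd_config"   # simulated tampering
chmod 666 "$demo/passwd"                               # permission change only
fim_check "$demo" "$demo.db"                 # both files are reported as changed
rm -rf "$demo" "$demo.db"
```

AIDE and Tripwire add what this lacks: per-directory rules for which attributes matter (so log files that legitimately grow are not noise), inode and ownership checks, and a protected database, but the detection logic is this comparison.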

John A. Scrotum 10-30-2007 07:33 PM

Quote:

Originally Posted by win32sux (Post 2942725)
Debian's Tripwire is the one I use, but honestly I've never really looked into its resource usage. It runs dandily on my 1.2Ghz dinosaur, though. Some other HIDS you might wanna look at: AIDE, Samhain, Osiris, OSSEC, Tiger, Afick, Integrit, etc.

Thanks. I've taken a quick look at Tripwire, and AIDE looks interesting too. I'll do some more research on these two and choose one.

ledow 10-31-2007 03:42 AM

I'm not familiar with your setup but I have just done this myself and, trust me, I'm a lot more paranoid about wireless than most people (and I do understand the technology - I'm a Maths & Computing graduate with more than a keen interest in cryptology). I bought my first WAP less than two months ago. What I did was not take any chances.

I have one Linux machine that has a network card for each interface (1 for LAN, 1 for wireless, 1 for Internet). You can do it one of three ways - you can have a wireless access point plugged into an Ethernet card in the gateway machine, or you can have a wireless card direct in the gateway and run hostapd (or master mode) on it so it becomes an AP in its own right, or you can have a wireless card in the gateway which connects wirelessly to an AP which IS NOT connected to the LAN (and therefore just passes traffic between its wireless clients).

I do the last way because as a nice bonus it extends my wireless range without me having to run any network cabling at all outside of my usual LAN. I don't believe in just plonking a wireless access point direct into a trusted LAN structure with an Ethernet cable, though. So I've got ONE gateway onto or out of the network - this PC. Otherwise, with multiple entry points, there's just too much to secure.

The gateway PC sees each network as a distinct network interface with its own set of IPs. It runs a (heavily audited) iptables firewall to ensure that NOTHING comes in over the wireless or Internet LANs that isn't allowed (in my case, that leaves just SSH). So connecting over wireless gets you no further than if you were connecting to me over the Internet - and because of the way it's set up you can't connect directly to the Internet from wireless or vice-versa (so I don't get used as an anonymous proxy by the neighbours).

Then, because I REALLY don't trust wireless networks, the only way "into" the actual real LAN is to use SSH (version 2, of course) into this gateway machine - which means you're running SSH layered over the default wireless encryption. Using that, you can set up port-forwards-over-SSH to allow just about anything you want securely (browsing, email etc.).

The only other technology that I'm trusting to run over wireless/Internet (which I ALWAYS treat identically as they are both, in my opinion, untrusted networks) is OpenVPN (an SSL VPN). I only really use that when I need, e.g., Samba or something on my laptop. On remote PCs, I have one icon for SSH and one for OpenVPN (which are both set up to automatically hunt for and use my USB key for the private key, so I just click the icon, enter my passphrase and I'm in) - I use the SSH icon all the time and occasionally use the OpenVPN icon when it's necessary. Seeing as I connect from inside school networks of Windows machines over the Internet and from my own Linux laptop over wireless, it's remarkably simple to just carry the USB key with me, which has versions for all machines (even Macs) should I need them.

And for the ultra-paranoid, in my network not only is SSH set up to be non-root only and large public keys only, but when you come over wireless it's also layered over WPA2, which also includes MAC restrictions. OpenVPN is set up as large public keys only - a different set of keys and different passphrases, of course. And then we get into silly things like the SSH port is only open to the wireless/Internet from certain selected IPs/MACs. So you have to basically BE me in order to get on my network. Or my wife. Who has a different set of keys and passphrases. And who took approximately two minutes to get the hang of the system and who uses it (lots) every single day.

I've had the system in place for years but only recently have I actually used it much - for a while I had an ad-hoc wireless network as a toy and did all this work then but only recently have I actually had a WAP and a reason to use wireless - and only recently has wireless brought itself up to a level where I can almost trust it as a fairly-secure entry point.

It took me a little while to get it all set up (most of which was generating and converting keys to different formats and playing with config files etc.) but now it's in place, I have two icons on my desktop (no matter what OS) that allow me to do absolutely anything over wireless or remotely without having any sort of security problems.

Considering that my laptop is an ancient 233MHz thing and I use the same system when I'm working too (from some of the slowest Windows machines you'll ever see over a massively-oversubscribed business broadband line), there is virtually no performance overhead. I happily tunnel into my network from work in order to browse websites that are otherwise unavailable and quite often I've left it connected for the rest of the day because the two-seconds it takes to change it back weren't worth the effort.

What this all means to me, though, is that say a WPA2 flaw is found tomorrow? So what. I've got all the time in the world to patch it. Say my SSH public key (and key passphrase, and probably sudo password too for anything "interesting") is leaked (god forbid)... you've still got to be able to connect to my WPA2 network in order to use it, or be able to connect (with that same information) from one of my whitelist IP addresses (which is much harder than it sounds - I have a crypted portknock for the really paranoid stuff!).

So you have:

Internet
|
Crypted portknock
|
SSH / OpenVPN only from whitelist of IP's (and other pitfalls)
|
Gateway Machine (and therefore LAN)
|
SSH / OpenVPN only from whitelist of IP's (and other pitfalls)
|
Crypted portknock
|
Wireless with WPA2, MAC filtering, etc.

Absolutely MASSIVE overkill, yes, but I don't want people wandering on my private network, even by accident or if they wanted to. Once inside, I don't encrypt my files, the internal LAN has pretty much unfettered access to any ports/files on any wired machine, I have nothing worth knowing but I don't want people in my private space.

So, anyway, my recommendation would be:

- If you haven't already, make sure that any external access comes through only one secure chokepoint (the gateway)
- Check that you have an entire interface for each network and route between them rather than just lumping everything together (by plugging a WAP into an Ethernet socket on your LAN)
- Check that all external access is authenticated and encrypted in AT LEAST one way (SSH, OpenVPN or WPA or preferably one over the other!)
- And check that stray packets from your computers aren't going ANYWHERE except over your secure channels (this took a while to ensure on my system because it's so complex but basically you have to make sure that computers are USING the secure channels/interface that you give them rather than just picking one - e.g. in tests I found that the default Windows firewall/routing had a habit of sometimes allowing traffic "openly" over the wireless interface that should have been routed over OpenVPN via wireless - a rejigging of IP address allocations and a better software firewall on the machine prevented that.). Windows really is terrible for this unless you have an outbound software firewall (i.e. anything but Windows firewall) - the stuff it leaks over a wireless connection is hideous.

I'm probably one of the few people in the world that runs a 10.0.0.0/8, a 172.16.0.0/12 and a 192.168.0.0/16 all in the same building. My DHCP and iptables configs are fantastic. :-) But the fact is that it all works, it's all fast, it's zero maintenance (unless SSH or WPA get cracked, but even then I have time and safety barriers), it's simple to use and it's very, very secure.
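As an added example (not from any poster): a bash generator that emits iptables-restore(8) rulesets for the two designs discussed in this thread. host_firewall() is the per-machine firewall win32sux and Brian1 ask for on each Debian box: default DROP, and only the listed services from the listed sources, which for the first poster means SSH from 192.168.3.37 and 192.168.3.49 rather than from anything that has joined the LAN. gateway_firewall() is the three-interface chokepoint ledow describes: the wired LAN is trusted, the wireless and Internet sides get identical treatment with only SSH and OpenVPN open towards the gateway, and nothing is forwarded between those two untrusted segments. The interface names (eth0, wlan0, eth1) are assumptions, 1194/udp is OpenVPN's registered default port, and any NAT the gateway does for the LAN would live in a separate *nat table that is not shown because the thread does not describe it.

```bash
#!/bin/bash
# Added example, not from the thread: generate iptables-restore(8) rulesets
# for the two designs discussed.  host_firewall() is the per-box firewall
# win32sux and Brian1 recommend (default DROP, only listed services from
# listed sources).  gateway_firewall() is ledow's three-interface chokepoint:
# SSH and OpenVPN are the only ports open towards the wireless and Internet
# sides, and nothing is forwarded between those two untrusted segments.
# Interface names are assumptions.  The gateway also needs
# net.ipv4.ip_forward=1 for the FORWARD chain to see any traffic at all.
# Review the output, then load it with:  iptables-restore < rules.v4

# host_firewall PROTO:PORT:SOURCE ... -> ruleset on stdout
host_firewall() {
    local spec proto port src
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # One ACCEPT per service, pinned to the one source allowed to reach it.
    for spec in "$@"; do
        IFS=: read -r proto port src <<<"$spec"
        printf -- '-A INPUT -s %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$src" "$proto" "$port"
    done
    # Everything else falls through to the DROP policy; log it at a sane rate.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "host-fw drop: "'
    echo 'COMMIT'
}

# gateway_firewall LAN_IF WIFI_IF INET_IF -> ruleset on stdout
gateway_firewall() {
    local lan=$1 wifi=$2 inet=$3 untrusted
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    printf -- '-A INPUT -i %s -j ACCEPT\n' "$lan"      # the wired LAN is trusted
    # Wireless and Internet are treated identically: SSH and OpenVPN only.
    for untrusted in "$wifi" "$inet"; do
        printf -- '-A INPUT -i %s -p tcp --dport 22 -m state --state NEW -j ACCEPT\n' "$untrusted"
        printf -- '-A INPUT -i %s -p udp --dport 1194 -j ACCEPT\n' "$untrusted"
    done
    # FORWARD: LAN may go out; the explicit DROPs between wireless and Internet
    # are redundant with the policy but state the intent for the next reader.
    cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $inet -j ACCEPT
-A FORWARD -i $wifi -o $inet -j DROP
-A FORWARD -i $inet -o $wifi -j DROP
-A FORWARD -i $wifi -o $lan -j DROP
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "gw forward drop: "
COMMIT
EOF
}

echo "### linuxbox1: SSH only, from the two trusted LAN hosts"
host_firewall tcp:22:192.168.3.37 tcp:22:192.168.3.49
echo
echo "### gateway: eth0=LAN wlan0=wireless eth1=Internet"
gateway_firewall eth0 wlan0 eth1
```

Test a generated file with `iptables-restore --test rules.v4` before loading it, and do the first load from a console or with a scheduled `iptables -F` as a safety net, since a DROP policy with a mistyped source address locks out the SSH session you are using.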

