Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-02-2006, 09:51 AM   #1
mane.x
LQ Newbie
 
Registered: Feb 2004
Location: italy
Distribution: slackware
Posts: 20

Rep: Reputation: 0
securing a wlan


Hi,
I have a wired network made of two computers, a linux server configured with apache, sshd, samba and nfs, and a win xp client. My router acts as a firewall on the internet side and is an ap too, and I have two wirelessly connected laptops. The wlan is encrypted with wpa psk and the mac address filter is enabled.
I know nfs and rpcbind are vulnerable.
Can someone suggest a way to make my lan more secure in case someone tries to bruteforce wpa? Should I implement ipsec or something else?


Thanks for your help!

-mario
 
Old 07-03-2006, 04:47 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Ideally you should treat the WLAN portion of the network as if it was an untrusted segment (aka treated the same way as if it were outside of your network). There are a number of possible ways to allow secure communications between the clients, including some type of full-blown VPN implementation like IPSec or an encrypted tunnel (like ssl, ssh, or CIPE). It really depends on how many different protocols are shared between these systems. If there are more than a few, then creating tunnels for each one is a hassle and you should go with a full-blown VPN (which requires a little more effort to get working).

You may also want to consider putting an internal firewall between the WLAN and the wired network in order to protect against someone gaining access to the WLAN and freely attacking the wired network. Alternatively you can tighten the host-based firewalls on each of the clients.
 
Old 07-03-2006, 05:32 PM   #3
mane.x
LQ Newbie
 
Registered: Feb 2004
Location: italy
Distribution: slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Ok, thank you.
I think I'll try to implement a vpn and I will use a very long password with wpa.
I can't put a firewall between the wlan and the wired lan, because the router is a switch and access point too, and it enables a firewall only on the external network.
So I can't add a computer between the ap and the switch.
 
Old 07-03-2006, 06:42 PM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by Capt_Caveman
Ideally you should treat the WLAN portion of the network as if it was an untrusted segment (aka treated the same way as if it were outside of your network)
I agree on this, for a secure architecture, if you're not sure of your wireless, put it in a DMZ.

You could also use 802.11i but you will need your hardware to support it and a Radius server to authenticate. Also quite some effort.


Quote:
I will use a very long password with wpa.
Exactly, if you want to defeat pure-bruteforce methods (used for WPA-psk), use completely random and very long passwords (30 chars). No effort.
 
Old 07-04-2006, 02:44 AM   #5
mane.x
LQ Newbie
 
Registered: Feb 2004
Location: italy
Distribution: slackware
Posts: 20

Original Poster
Rep: Reputation: 0
To put a firewall between my wlan and my wired lan
I think I should buy an external ap, because it's integrated
in my router/switch. Am I right?


my net (this is the best I can do to format this text):
internet
|
|(sshd forwarded on external port 2222)
|
router/switch/ap - - - - wlan: 3 clients (1 linux, 2 winxp)
|
linux server | winxp client
sshd
nfs
httpd
smbd

Last edited by mane.x; 07-04-2006 at 03:01 AM.
 
Old 07-04-2006, 01:37 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'd buy a cheap beigebox in the 300Mhz range and use it as a firewall. Put 3 network cards in it. One will connect to the internet, the other 2 are internal interfaces. One NIC should connect to the WAN interface of the wireless AP. This is your 'DMZ'. The second internal interface will go to the wired LAN segment of your network. If you have more than one system in the wired LAN, put a switch between the firewall box and the wired LAN. All the firewalling will then be done on the beigebox. You can use iptables to restrict access between the wired LAN and the wireless network therefore creating the DMZ.

Looking at your network, if the Linux server on the wired LAN is publicly accessible (it looks like SSH is forwarded to it), then you may want to restrict traffic in both directions. So basically you would only allow certain protocols to pass between the internal interfaces. Note that this would also be a good place to put an internal Snort sensor.
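Added example, not code from any poster in this thread: the iptables policy Capt_Caveman describes on a three-NIC box, with the wired LAN as the trusted side, the wireless segment as a DMZ that may only reach the server's sshd, and the external port 2222 forward from post #5. Interface names, subnets and the server address are assumptions; the script prints the rules by default and only runs them when invoked with `apply`.

```shell
#!/bin/sh
# Three-NIC beigebox firewall: WAN / wireless DMZ / wired LAN.
# Interface names and addresses below are constructed for this example.
WAN=ppp0                 # PPPoE link to the ADSL modem
DMZ=eth1                 # cable to the access point's WAN port (wireless clients)
LAN=eth2                 # wired segment (Linux server + XP client)
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
SERVER=192.168.1.10      # Linux server running sshd/nfs/httpd/smbd

# Print the iptables commands instead of running them, so the policy can be
# reviewed (and tested) before it is applied with: sh firewall.sh apply
rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -s $DMZ_NET -d $SERVER -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -d $SERVER -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 2222 -j DNAT --to-destination $SERVER:22
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Policy self-check: exactly one rule lets wireless traffic cross into the wired LAN.
dmz_to_lan_rules() { rules | grep -c -- "-i $DMZ -o $LAN"; }

case "${1:-}" in
  apply) rules | sh ;;   # needs root
  *) rules ;;
esac
```

Everything the FORWARD chain does not explicitly allow is logged (rate-limited) and then dropped by the chain policy, which is also the traffic a Snort sensor on the DMZ interface would want to see.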
 
Old 07-04-2006, 02:30 PM   #7
mane.x
LQ Newbie
 
Registered: Feb 2004
Location: italy
Distribution: slackware
Posts: 20

Original Poster
Rep: Reputation: 0
That's a good solution.
The problem is that an old computer with 3 NICs is not the only hardware I'll need to prepare this environment, I think.
This is the poor gateway I have: linksys wag54g
My network connection is 4 Mbit ADSL.
Correct me if I'm wrong: I think that I will need a separate access point, a router to connect with the adsl line, and a switch (I can use the one I have now).
Maybe I can get a Cisco ADSL router from a friend.

Yes, I forwarded ssh on port 2222 because I need to access my network from my workplace and I detected a bruteforce attack when I used ssh on port 22. I forgot to mention that I enabled snmp on the router to the linux server to use it with mrtg (ok, snmp is not security friendly).
Never used snort as a sensor, it will be a good challenge.
Thank you very much, it's a nice solution and I want to implement it. I just think I'll need more than an old box, am I right?
 
Old 07-04-2006, 08:23 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
A beigebox running linux would be able to replace the ADSL/routing function of your Linksys router (in fact a large number of Linksys routers run on Linux). So technically you could just use a single beigebox as the perimeter firewall/router. Usually that would require configuring PPTP/PPPoE (depending on your ISP) so that the beigebox will be able to grab an IP from your DSL modem and DHCP if you want to use dynamic IPs in the LAN/WLAN (personally I'd just assign static IPs).

If you don't feel comfortable with that or if it sounds like too much work, then you could get a cheap non-wireless router like another Linksys or DLINK/Netgear/etc and throw that upstream of the beigebox/firewall and let it handle all the negotiation with the DSL modem. But a cheap beigebox would absolutely be able to replace it and would actually give you a lot more flexibility. With the Linksys-type routers you're really limited in terms of what features you can employ and things like logging or intrusion detection are very rudimentary or non-existent.

Last edited by Capt_Caveman; 07-04-2006 at 08:24 PM.
 
Old 07-05-2006, 07:16 AM   #9
mane.x
LQ Newbie
 
Registered: Feb 2004
Location: italy
Distribution: slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Yes, I think I'll get a modem and let the beigebox handle all the traffic. I don't use dhcp either, because it is not very secure in a wlan.

I was talking about the router just because I can get something better than a linksys: a cisco soho 77, from a friend.
Do you suggest to use a particular dedicated distro for the beigebox or configuring a slackware won't be hard?
(Can you tell me what exactly 'beigebox' means, because I'm Italian :^) )

Again thank you!
 
Old 07-05-2006, 08:27 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by mane.x
I was talking about the router just because I can get something better than a linksys: a cisco soho 77, from a friend.
If you can get it for a reasonable price, then that would work well.

Quote:
Do you suggest to use a particular dedicated distro for the beigebox or configuring a slackware won't be hard?
There are specialized distros designed to be firewalls/routers like Smoothwall, IPCop, etc. Personally though, I'd recommend a distro that you are comfortable with maintaining and securing. Some of the distros like Redhat/FC/Mandriva/SuSe are a little bloatish and require removing some software. Slackware is a fine choice if that is what you are familiar with.

Quote:
Can you tell me what exactly 'beigebox' means
Sorry. Beigebox refers to any inexpensive desktop computer. The term comes from the clones of IBM PCs that were beige in color and cost significantly less. Now the term really refers to any cheap computer (which usually still have beige cases).

Quote:
because I'm Italian
Congratulations on the win yesterday.
 
Old 07-05-2006, 08:42 AM   #11
worldgnat
Member
 
Registered: Oct 2004
Posts: 337

Rep: Reputation: 30
I'd just like to say (I didn't read all the posts), WEP (and I believe WPA too) give a false sense of security. For those who don't understand IP packets: Every IP packet starts with a starting delimiter and an ending delimiter. These will always be the same. The problem with WEP is that it encodes the entire packet, meaning that if someone is smart enough to know the starting and ending delimiters, they can get the primer to decode the entire packet. A Chinese company did this back when Cisco was the only name in the game. Besides, Linux, to my knowledge, is not very hackable.

Good luck,
-Peter
 
Old 07-05-2006, 09:04 AM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The OPs question wasn't really about whether WEP/WPA are secure or not. In fact that's why he's asking about other measures to secure his LAN (like VPN encryption). Technically most of your post is factually incorrect, so let's try to keep this on topic please.
 
Old 07-05-2006, 02:50 PM   #13
mane.x
LQ Newbie
 
Registered: Feb 2004
Location: italy
Distribution: slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Well, maybe I gave this thread the wrong title. I was worried about my lan just because I did some wardriving around my town and saw a lot of open networks, then I tried to crack my own wep. It was easy with all the tools available for linux. WPA, as far as I know, is vulnerable to dos attacks and to offline bruteforce. So I think that WPA with a long password is enough for me now; implementing radius with WPA would certainly be better.

Ok Capt Caveman, I'll gather all the things I need and I will set up the network as you suggested, slackware will be my choice since I'm comfortable with it, even if I tried once smoothwall as a content filter for web traffic and it was really easy to configure.
Just a last thing, a friend always tells me that firewalls on local clients are not critical when you have a router/fw filtering all the internet traffic, what do you think about this?

Quote:
Congratulations on the win yesterday.
Thanks, even if I'm not a soccer fan I enjoyed the match.
 
Old 07-05-2006, 04:28 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by mane.x
a friend always tells me that firewalls on local clients are not critical when you have a router/fw filtering all the internet traffic, what do you think about this?
It depends... if you're the only host on the LAN, then a host-based firewall is a very low priority... but if you have more than one host on your LAN, then it's a good idea to have a host-based firewall... whether it's "critical" or not is a matter of opinion, but I'd say that if you can do it, then do it... it's a second layer of defense - nothing wrong with that...

PS: if you're talking about a *wireless* LAN, then I'd say that yeah - IMHO you should *definitely* have a host-based firewall on your laptop or whatever...

Last edited by win32sux; 07-05-2006 at 04:34 PM.
 
Old 07-05-2006, 10:26 PM   #15
worldgnat
Member
 
Registered: Oct 2004
Posts: 337

Rep: Reputation: 30
Two things: First, on my network, I use a plain old MAC filter. It's good enough, unless you have someone who knows your MAC address, or knows how to hack routers better than I do (the latter is far more likely, considering I know nothing). Second (I know it's a little off topic, but I think it's important for forum on-lookers to know; if not, please tell me), what was I wrong about? That's what my network routing and switching teacher at school told me, anyway.

Thanks,
-Peter
 
All times are GMT -5. The time now is 01:06 AM.