Many people talk of wireless security in terms of the strength of encryption. However, many access attempts into wireless resources are simply users looking for a free Internet connection. In this model of access aquisition, the intruder will often forgo even weakly secured networks for lower hanging fruit. This article explores the pursuit of wireless security by offering a more enticing target to the prospective rogue client.
Even though unsecured wireless access is highly available in populated areas, it is still pretty sparse in my corner of the States. So, to remove the temptation from the locals looking for a free ride on my production data network, I've set up a public access point for them. The following document offers my tips for a successful diversionary AP and how to ensure you aren't providing a casual hacker a backdoor into your network.
Intent
This is intended for a home setup or maybe a small business that doesn't pass sensitive data on their wireless network, but doesn't want prying eyes watching their traffic or using their AP as a SPAM relay. This is security through appeasement. To make it work, the freely available network must be more attractive than the protected wireless network. Larger businesses or those handling sensitive data should implement more robust protection for their wireless networks.
Public Access Network
AP Selection
To ensure the public network is the most succulent plum, you may want to invest in an AP that is compatible with external antennae. This would allow you to extend the coverage of the public network through the use of high-gain antennaes now available at consumer electronics stores. Having a greater coverage area, the would-be freeloader will strike the public network possibly before they are even aware of your data network. However, for this simple example, any consumer-grade access point will do.
Infrastructure Setup
The public access infrastructure will require an AP and another routing control device (read "firewall"). If you have a spare box with three NICs, look at Smoothwall (http://www.smoothwall.org) for an easy out-of-the-box solution. Some modifications to the /etc/rc.d/rc.firewallup script will be necessary to grant the outgoing access to the ORANGE ("Public access" or "DMZ") interface.
The goal here is to allow the most common forms of access without presenting major exposure. This setup will allow common web and email client access, but not email relaying, so a spammer would not be able to abuse the net and get you into trouble. This is not to say that a user wouldn't do something illegal over an approved protocol, like posting kiddie porn to a website using your network. If you are worried about these things, look at an in-line transparent proxy, like SQUID (http://www.squid-cache.org/), that can let you review where users are going and possibly limit activity you deem inappropriate.
The firewall should limit the egress (outgoing) access of the public network to only necessary protocols. Most users want some basic access to the web, their email and maybe some other apps, like instant messaging. For this example, users of the public net will be limited to web functions (HTTP - TCP 80, HTTPS - TCP 443), email (POP - TCP 110), necessities to make these two work (DNS - UDP 53), and one infrastructure service to get the correct time (NTP - UDP 123). No ingress (incoming) access should be allowed except for the requisite DNS and NTP access as they come in over UDP. Most firewalls can take care of the incoming traffic automatically as it is very common.
Connect the public AP and open the configuration interface. This is commonly a web page on the device. Set the DNS servers to those provided by your ISP. Set the DHCP service on the AP to accept a reasonable number of connections. I allow for 50 users. Set the WAN to a static IP address to the same IP subnet as your firewall interface. Set the firewall interface as the gateway. Save the settings and backup the configuration if possible. Reboot the AP. Test connecting to the AP and make sure the DNS and gateways are set correctly. Try browsing some web pages.
In this example, I've also added a "public" hub between the AP and the firewall so I can easily connect a spare box for traffic analysis with Snort (http://www.snort.org), data capture of interesting packets (tcpdump), and putting up a honeypot to see if the public net is being abused (Honeyd, LaBrea Tarpit, netcat, or whatever). These allow me to monitor and determine if the public network is being abused and may need to be taken down for a time or improvements made. This 100Mb/s half-duplex hub won't impact performance as wireless is a half-duplex communication technology that's theoretical maximum throughput (802.11g = 54Mb/s) is about half of the hub's.
Packet Snooping and Legality
Is it legal to snoop your public access network? Well, you are providing the network with no guarantees of privacy or security. Users of the network have an implicit agreement to whatever terms you impose since they did not seek prior agreement to use the net. How do you know who is using your network or what they did should your ISP accuse you of something?
This can be a very tricky subject, so snoop at your own risk. You may also want to add an in-line transparent proxy that displays a disclaimer notice on the user's first web access.
SSID & Frequency Selection
802.11b/g only has three non-overlaping channels: 1,6, and 11. The higher channels have higher frequencies, which are more susceptible to interference and attenuation with common household objects. To make your public access net attractive, you want it to have the maximum covage available so users can see it before your protected wireless net. Set the public AP to channel 1.
To ensure scanning users searching for a network understand the intent of this AP, set the SSID to "PUBLIC". This sends a clear message to passerby that this network is provided for their use and further searching/hacking is unnecessary.
Protected Data Network
AP Selection
For the private side, use an AP that provides security features appropriate for the sensitivity of the data. Linksys wireless routers provide a good mix of consumer standard protection (old WEP, WPA, WPA-PSK) as well as an outsourced RADIUS authentication scheme for more demanding environments.
Infrastructure Setup
This is up to you. You may want to monitor the network for intrusions to make sure the security scheme in place is working. However, for a home environment this is probably overkill. Just make sure that every node (computer) using the wireless network has a firewall installed and operating. See the CentralSyslog project for more on how to centrally collect logs to monitor firewall and login intrusions. Also see the SnortDocumentation project to set up a freely-available intrusion detection system for your network.
SSID & Frequency Selection
As noted for the public AP, lower frequencies carry farther than higher frequencies. This network should be size-limited to just the coverage area needed. It should also use a channel that will not interfere with the public network in such close proxmity. Since 802.11b/g networks only offer three non-overlapping channels (1,6,11) and public is using channel 1, the data network should use either channel 11 or 6. I recommend channel 11 as it has the weakest area penetration, but I've also found it is more susceptible to microwave oven interference. If your environment is susceptible to these types of interference, channel 6 may work better for you.
When setting your SSID, make it something cryptic that has meaning to you, but doesn't reveal anything about the data or owner of the AP. An example would be 5TIMdN2, for "This is my data network's second access point". The less scanning passerby know about the network, the better.
Security Options
Almost all consumer access points have basic wireless security options, like MAC filtering and basic encryption. Enable MAC filtering at the very least, identifying all of the legitimate NICs that require access to the protected network. Encryption is HIGHLY recommended as it sends a clear signal to common passerby that some effort will be needed to gain access to the network. Select a level of encryption appropriate for your data stream. I recommend WPA-PSK for typical home use as it's relatively more difficult to break than WEP, meaning more work and your public access network becomes that much more attractive. Disabling the SSID Broadcast may hide your AP from scanners for a time, but it can also cause association problems for legitimate clients using Wireless Zero Config.
Final Notes
Remember, this is security through diversion and is not designed to thwart the determined hacker. The most pertinent points I can reinforce about this strategy are make the public access point as open and attractive as possible, and make the production data network as hard to penetrate as is reasonable for your environment.
Feedback
Questions and comments can be sent to pinowudi@yahoo.com