August 8th, 2002, 16:47
Here's my setup: I have an OBSD box with 2 nics currently in it serving as my firewall/gateway for my wired network, no encryption among boxes. I have an Apple iBook that I will be getting an Airport card for and I want to start running IPSec over the wireless connection. I had planned on throwing a wireless NIC into the firewall and additionally blocking all packets on the wireless nic that weren't from the static IP I'll give my airport card. So...

1) anyone have any thoughts on the configuration (should my access point _not_ be my main firewall?)

2) anyone have tutorials/ideas on other protection I should take? I know about making the network identifier obscure, but any other steps I should take for wireless security other than IPSec that both OBSD and OS X support?

Thanks in advance,

August 8th, 2002, 23:00
First of all this is a great question and topic. We all know that traditional wireless security is all but worthless. So your IPsec idea is well founded.

1. Your main firewall should not be your WAP. By not making your firewall your WAP you keep the would-be attacker an extra level away from your firewall.

2. I have a similar setup in my house. I have not set up IPsec tunnels but I eventually will. I have a Linksys router attached to my IFITL DSL via DHCP and the LAN port is configured with a /28 for NATing (you can use a firewall for the router if you choose, I just prefer a small dumb router with limited functionality). My Linksys router is directly connected to an IP-less bridge firewall that lies between it and a Catalyst 1900 switch. From my switch I connect all my Unix, Linux and Windows (my wife's) workstations. I have a DLINK WAP connected to the switch. I have three laptops connected to the DLINK. On the DLINK I have restricted access to only my three wireless cards via MAC restrictions. I also have configured 128-bit encryption. The only thing I am missing is VPN/IPSec on the wireless laptops. Another good idea is to set up something like mrtg that graphs usage stats. I monitor all ports on the Catalyst including the DLINK WAP port. If I see a spike during times that I know my wife and I are not using the laptops then I know someone is on the WAP.

If you only need internet access on the wireless box(es) then you can always set up your WAP stuff on a small separate subnet and then only route to the internet and not your other internal boxes. I can't do that because my wireless laptops need access to my samba server. I hope this helps.

August 15th, 2002, 19:11
I'm actually setting up a wireless lan off my main wired home LAN right now. I actually used your post as an excuse to "justify" to my wife, why I needed to buy a WAP. I'll be posting my notes, when I'm done.

August 16th, 2002, 03:03
Indeed, an excellent topic for discussion. I've managed to convince the powers-that-be at my University that allowing me to build and document a home 802.11b network, and get credit for my degree for it, is a good thing.

My setup (and motivation) is slightly different to the ones mentioned thus far. I live in a grannyflat which is around 10 meters from the main house. The main house has a cable uplink, whereas I'm limited to a dialup connection. Initially, I wanted to set up a VPN between two WiFi stations in the house (in IBSS mode) to allow my subnet in the flat to get online via the main house.

I recently acquired a notebook however, so the requirements have changed and the complexity has increased substantially. In order to facilitate roaming, I'm now creating three (3) subnets. A, B and C for the house, wireless and flat respectively. Any wireless node connects to subnet 'B'.

Security and Authentication will be facilitated on multiple levels. Firstly, using `authpf' users must first successfully establish an ssh connection with either WiFi endpoint to have the pf rules modified for use by them, with their IP. I don't have an AP, however, and I'm not sure of how to incorporate DHCP into this equation, so for now, wireless nodes must connect via a static IP. (How authpf will handle two nodes authenticating using separate IPs but with the same account, I'm yet to implement/test.)

Blocking on MAC is only possible with a bridge setup, as pf does not (and will not, according to a thread I read) support MAC filtering. The reason is obvious - MAC addresses can be sniffed and spoofed just as easily as IP addresses, so the added complexity to the firewall code is not justified by the security payoff. Unfortunately, my WiFi card's chipset cannot be bridged, so MAC filtering wouldn't be an option even if I chose to do it.

Other than authentication, the problem still remains that once the firewall is opened through authpf, anyone can still sniff packets, crack WEP and then spoof the authenticated IP. The only solution, as far as I know so far, is therefore to encrypt all traffic. If TCP-based services are the only ones required, the best way to do this is with an ssh tunnel. Anything more broad, and IPsec looks like the way to go.

I'll be posting updates to my project (which has a deadline in around 9 weeks) to

Until then..
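An added example, not from any poster in this thread, that puts the two ideas discussed above into one pf.conf for the OpenBSD gateway: the first post's plan of accepting nothing on the wireless NIC except from the iBook's static IP, narrowed further so that only IKE and ESP are accepted in the clear, and the later post's authpf gate, which only ever sees traffic that has already come out of the IPsec tunnel on enc0. Interface names, addresses and the use of current pf syntax (stateful pass by default, nat-to) are assumptions.

```pf
# Constructed pf.conf for an OpenBSD box that is the wired firewall and
# also carries the wireless NIC. Interface names and addresses are made up.
ext_if   = "fxp0"             # uplink
lan_if   = "fxp1"             # wired LAN
wifi_if  = "wi0"              # wireless NIC in the firewall
ibook    = "192.168.2.10"     # static IP assigned to the Airport card

set skip on lo

# Default deny; log what is blocked so probes on the wireless side show up
block log all

# Wireless side: the only cleartext the gateway exchanges with the iBook's
# static IP is IKE (UDP 500) and ESP. Any other packet on wi0, including
# one with a spoofed source of $ibook, is dropped by the block above.
pass in  quick on $wifi_if proto udp from $ibook to ($wifi_if) port isakmp
pass in  quick on $wifi_if proto esp from $ibook to ($wifi_if)
pass out quick on $wifi_if proto udp from ($wifi_if) to $ibook port isakmp
pass out quick on $wifi_if proto esp from ($wifi_if) to $ibook

# Decrypted traffic appears on enc0. Before authpf has run, the only thing
# allowed through is the ssh login to the gateway that authpf requires.
pass in  on enc0 proto tcp from $ibook to ($wifi_if) port ssh
pass out on enc0 from ($wifi_if) to $ibook

# authpf loads the user's rules (from /etc/authpf/authpf.rules) into this
# anchor after a successful ssh login. Because the anchor sits on enc0, a
# forged source address on the air never reaches it without the ESP keys,
# which addresses the sniff-and-spoof concern raised in the thread.
anchor "authpf/*" on enc0

# Wired LAN and uplink behave as before
pass in  on $lan_if from $lan_if:network
pass out on $ext_if
match out on $ext_if from !($ext_if) nat-to ($ext_if)
```

With this layout, cracking WEP alone buys an attacker nothing past the wireless NIC: without the IPsec SA their packets never reach enc0, and without the ssh login the authpf anchor stays empty.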

September 23rd, 2002, 10:24
Though I haven't gotten to IPSec yet (been distracted), here's what I've put together about just getting stuff set up.

It is by no means exhaustive and as always, YMMV.

-------------- edit ---------------
Link was broken. Go to my site and click "how-tos" in the right side nav.

I can't directly link because the journaling software I use creates odd folder names.

I might get around to actually setting up the IPSec soon.

September 23rd, 2002, 23:52
Nice How-to! I still have to implement the IPSec stuff as soon as I replace my WAP. It died during a thunderstorm the other night.