elmore
August 11th, 2002, 22:26
Well I did it, I finally broke down and bought a wireless access point for the house. I was tired of not being able to sit out on my back deck and surf the net. So today when I was in Staples copying some documents so I can get out of jury duty, I went over to the computer section of the store. I looked around and saw several different WAP's. I began to think about how I could put OpenBSD to work to help me secure my wireless network. Here's a topographical of what I've been initially thinking.


My current home net.

|internet|----|CableModem|----|IP-LessBridge|----|FW/VPN|----|LAN|

Here's what I'm initially thinking for the wireless.

|Internet|----|CableModem|----|IP-LessBridge|----|FW/VPN|----|WiredLAN|----|bridge|----|WirelessLAN|



Of course my internal bridge will be much much more restrictive on outbound services, i.e., I'll be filtering everything except for www, dns and possibly ssh, and then I'll only allow for those services to connect from certain IP addresses. Not to mention the wireless subnet will probably be a /28 and will run 128 bit WEP and will have static mac address assigning.

Does anyone else have any initial thoughts or ideas?
Once I'm done I'll post all of my notes so everyone can have a looksy.

bsdjunkie
August 11th, 2002, 23:04
What type of WAPS were you looking at? Most are quite $$$$ yet for a decent one. I have Orinoco wavelan cards and just run in AdHoc mode. My gateway is an old 233mhz box with wired and wireless cards in it running pf and ipnat :roll:

elmore
August 11th, 2002, 23:11
Specifically I was looking at dlink, linksys, compaq, and netgear. I went with the netgear. It provides most of the functionality I need plus it was affordable.

bsdjunkie
August 11th, 2002, 23:16
Not to mention the wireless subnet will probably be a /28 and will run 128 bit WEP and will have static mac address assigning.

Not that it will be a problem at most home locations, but WEP is Useless ;P There are nice programs out there to crack it in minutes in most cases, or you just have to wait for enough traffic to pass over your net. You would be much better off making a VPN or something and using AH or ESP for protection, depending on what level you want. OpenBSD allows you to spoof MAC addresses easily; back in 2.9 you needed Obecian's (Mark Grimes) etherspoof patch in the kernel, but in any newer release it's trivial to do.

8)

elmore
August 11th, 2002, 23:37
I'm very familiar with lots of those tools, especially with the bsd-airtools. Another tool which can be particularly nasty with wireless is ettercap.

BSD-Airtools
http://www.dachb0den.com

Ettercap
http://ettercap.sourceforge.net

I'll be walking thoroughly around my house with good old dstumbler checking signal strength.
As far as esp is concerned, I've thought about it and I might very well do something with it, although I'm unclear as to what I'll do with my wife's winblows laptop, I suppose borderware or something would work.

In any case thanks for the suggestions. I'll let you know how it turns out.

bsdjunkie
August 12th, 2002, 01:13
Yeah, ettercap is fun isn't it :P
If your wife is running Win 2K it's fairly easy to get IPSEC with AH/ESP going. Haven't tried it with any other ver of winblows though.

elmore
August 12th, 2002, 01:24
ettercap is a definite adventure.

yeah, she is, :( , I wish I could get her to convince her company to look at OpenSource but that'll never happen so I've given up. Yeah, I think borderware is a good product and I know it works specifically with the OBSD implementation of IPsec, however I don't know how she'd take having me load software onto her company laptop. Are you saying that this can be done natively in win2k? That would be nice.

bsdjunkie
August 12th, 2002, 01:26
Yes, win2k has an ipsec implementation in it. It's kinda a pain in the ass to figure out at first, but it does work.
http://www.allard.nu/openbsd/ is a good site for diff ipsec clients in obsd as well.

:roll:

|MiNi0n|
August 12th, 2002, 08:46
Yes, win2k has an ipsec implementation in it. It's kinda a pain in the ass to figure out at first, but it does work.
http://www.allard.nu/openbsd/ is a good site for diff ipsec clients in obsd as well.

:roll:

Well... I've done a lot of research on VPN/IPsec clients for Windoze and I'd recommend avoiding the native 2k one like the plague. Leaving anything to do with security up to windoze is never a good idea ;-)

As an interesting note, here's an old article about NASA's efforts to secure wireless:

http://www.bsdtoday.com/2001/August/News546.html

elmore
August 13th, 2002, 23:51
Well, I'm getting closer, I have my wireless net all blocked off, I have isakmpd all configured, I think I'm almost ready to test this puppy out. Tomorrow I'll finally plug in the wireless connection. Once I'm done I'll post my configuration up here for critique.

kremlyn
August 16th, 2002, 03:23
I just joined the forums (saw a link on the IRC channel #openbsd on irc.openprojects.net), I hope I haven't jumped into this thread too late.. ;)

I just posted to another thread about wireless and security.. so refer to that thread for what I'm attempting to do.. (good to know others out there are trying to put OpenBSD to work for them in this way too).

One very useful feature no one has mentioned yet is authpf..

//kremlyn

elmore
August 16th, 2002, 03:28
I've actually been thinking about how I could implement authpf into my setup. It's new with OBSD 3.1 right? I haven't tried it yet but I have done a "little" initial reading on it. Sounds promising. I also read your post earlier about your wireless project. Sounds nice. Once I post my notes perhaps we should compare.

frisco
August 16th, 2002, 10:21
seen on misc@, another doc that covers setting up IPsec between Windows and OpenBSD

http://www.mindspring.com/~opticalcarrier/ipsec.htm

kremlyn
August 16th, 2002, 23:08
I'd be quite happy to share experiences/thoughts with anyone else doing something similar with wireless.. we might also be able to produce some sort of FAQ to help others seeking to do this in the future..

Thoughts on this?

//kremlyn

punkball
August 19th, 2002, 08:59
Another interesting tool for wireless net discovery is kismet. I've only tried it on linux though.

http://kismet.sf.net

marco_peereboom
August 20th, 2002, 09:27
See http://www.mindspring.com/~opticalcarrier/ipsec.htm
for a step by step implementation of Win+IPSec.

elmore
November 13th, 2002, 01:17
So I have finally gotten some time to configure this. Here's what I did.

First I have subnet A which is a regular old wired subnet with a few computers on it sitting behind an OBSD firewall attached to the internet via a cable modem.

For the wireless network I did the following:

I setup a second subnet, Subnet B, and I setup an OpenBSD firewall to route between the subnets.
I then setup a very restrictive ruleset which allows only port 80 and 443 (http & https) traffic to flow in and out. From that point I setup my WAP and OBSD laptop to put in the kitchen, worked great.

From there I configured the WAP and the OBSD laptop to use 128-bit WEP encryption, then I setup IPsec on the firewall and the receiving end on the laptop. IPsec using ESP and a shared secret, using blowfish main mode for encryption.

Anyone have any comments?

Is anyone interested in seeing a detailed how-to?

mca1
November 13th, 2002, 07:27
Sounds interesting elmore, I wouldn't mind seeing a howto.

elmore
November 19th, 2002, 11:22
Seems I have spoken too soon there is an error in my configuration somewhere. :oops:


Here's a small (imagination needed) diagram:

    /Internet/--/CableModem/--/TransparentBridgeA/
                                       |
                          /FirewallA-VPNtoWork/
                                       |
                                  /SubnetA/
                                       |
                    /FirewallB-VPNtoWirelessClients/
                                       |
                    /SubnetB/--/WAP/--/WirelessClient/

Ok some specifics,

FirewallA
Inet Iface: dhcp
Internal Iface 10.26.1.1
Subnet A: 10.26.1.0/24

FirewallB
Iface 10.26.1.4
Iface 192.168.229.1
Subnet B: 192.168.229.0/24

the VPN in subnetB is running IKE/ISAKMPD
VPN listens on 192.168.229.1

What Works:
With an open ruleset the internet works fine.
traffic destined to the 10.26.1.0/24 network uses the ipsec tunnel.
Traffic destined to the internet also works without a problem. I initially thought this traffic was also using the ipsec tunnel, because all traffic going to the internet must first pass through the 10.26.1.0/24 net. However looking at tcpdump and adding a deny ruleset, it quickly becomes apparent that this is not the case.

Upon adding a default deny ruleset with only ISAKMPD/ipsec traffic allowed the following is true:

Traffic destined for the 10.26.1.0/24 net still works without a problem using the tunnel.

Traffic destined to the internet grinds to a complete halt.


The question I have is this:

Is there a way to force all traffic to use the ipsec tunnel?

I'll post some relevant configs a little later on today.
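
The "default deny with only ISAKMPD/ipsec traffic allowed" ruleset described above, written out as an added example in current OpenBSD pf syntax (not the poster's actual pf.conf). The subnets and the gateway role come from the thread; the interface names wi0 and fxp0 are assumptions. It shows why Internet-bound traffic halts: a client whose only flow covers 10.26.1.0/24 sends its other packets in the clear on the wireless side, and nothing below passes cleartext there.

```conf
# /etc/pf.conf on FirewallB (the wireless gateway) -- added example.
# Assumed interface names: wi0 faces Subnet B and the WAP, fxp0 faces Subnet A.
wifi_if   = "wi0"
wired_if  = "fxp0"
wifi_net  = "192.168.229.0/24"
wired_net = "10.26.1.0/24"

set skip on lo0
block log all                    # default deny; everything below is an exception

# Wireless side: only IKE (udp/500) and ESP may pass between the clients
# and the gateway's own address.  A client's cleartext packets, including
# Internet-bound ones not covered by its IPsec flow, are dropped and logged.
pass in  on $wifi_if proto udp from $wifi_net to ($wifi_if) port 500
pass in  on $wifi_if proto esp from $wifi_net to ($wifi_if)
pass out on $wifi_if proto udp from ($wifi_if) to $wifi_net port 500
pass out on $wifi_if proto esp from ($wifi_if) to $wifi_net

# Decrypted packets appear on enc0; this is where per-client policy lives.
# The ipencap rule admits the tunnel-mode outer header, the rest admits only
# the services the thread mentions (dns, www, ssh) from the wireless net.
pass in  on enc0 proto ipencap from $wifi_net to ($wifi_if)
pass in  on enc0 proto { tcp udp } from $wifi_net to any port 53
pass in  on enc0 proto tcp from $wifi_net to any port { 22 80 443 }
pass out on enc0 from any to $wifi_net

# Forward the decrypted traffic toward FirewallA and accept replies back.
pass out on $wired_if from $wifi_net to any
pass in  on $wired_if from any to $wifi_net
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. The diagnostic that separates "tunneled" from "cleartext" traffic is `tcpdump -ni enc0` next to `tcpdump -ni wi0`: a client's Internet-bound packets should show up on enc0 after decryption; if they only ever appear on wi0 as plain IP, the client's flow does not cover that destination and the `block log` rule is what stops them (`tcpdump -ni pflog0` shows the drops).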

elmore
November 19th, 2002, 14:49
So I've been reading and reading about this and I spoke to both |MiNi0n| and eskwire about this, lo and behold I think I might have a solution :idea:

So, you know, the IPsec clients have tunnels to the 10.26.1.0/24 network but that's it. Even though traffic destined to the internet needs to pass through the 10.26.1.0/24 network, it still needs a tunnel. Perhaps configuring the tunnel on the client end to pass all through the IPsec tunnel will do the trick. DUH! :oops:

Well we'll see, perhaps I was just too tired to realize this yesterday, I don't know. Thanks to eskwire who pointed this out to me, and to |MiNi0n| who got me thinking along this line.

I'll post back when I get home this afternoon to let you know if it worked.
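
The client-side change the post above describes (a flow that covers everything, not just 10.26.1.0/24), together with the ESP/pre-shared-key/Blowfish main-mode setup from the November 13th post, as an added isakmpd.conf example. This is not the poster's file: the gateway address 192.168.229.1 comes from the thread, the client address 192.168.229.10 and the section names are assumptions, and the pre-shared key is a placeholder.

```conf
# /etc/isakmpd/isakmpd.conf on the OpenBSD wireless client -- added example.
# Assumed: client is 192.168.229.10; FirewallB's wireless side is 192.168.229.1.
# The only difference from a "Subnet A only" setup is the Remote-ID section:
# 0.0.0.0/0 makes every non-local destination go through the ESP tunnel.

[General]
Listen-on=              192.168.229.10
Shared-SADB=            Defined
Policy-file=            /etc/isakmpd/isakmpd.policy

[Phase 1]
192.168.229.1=          FirewallB

[Phase 2]
Connections=            Wifi-to-Everywhere

[FirewallB]
Phase=                  1
Transport=              udp
Address=                192.168.229.1
Configuration=          Default-main-mode
# Placeholder; use a long random secret shared with the gateway.
Authentication=         CHANGE-ME-PRESHARED-KEY

[Wifi-to-Everywhere]
Phase=                  2
ISAKMP-peer=            FirewallB
Configuration=          Default-quick-mode
Local-ID=               Wifi-Client
Remote-ID=              Everywhere

[Wifi-Client]
ID-type=                IPV4_ADDR
Address=                192.168.229.10

# 0.0.0.0/0: route Subnet A *and* Internet traffic through the tunnel.
[Everywhere]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

# Main mode with Blowfish/SHA1, as in the thread.
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             BLF-SHA

# ESP with Blowfish/SHA1 and PFS for the quick-mode SA.
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-BLF-SHA-PFS-SUITE
```

The gateway needs the mirror image (Local-ID 0.0.0.0/0, Remote-ID the client's address) and must be willing to forward the decrypted packets on toward FirewallA; isakmpd's own IKE socket bypasses the 0.0.0.0/0 flow, so the negotiation itself still reaches 192.168.229.1 in the clear on udp/500. On a current release, `ipsecctl -s flow` on either side shows whether the installed flow really reads `0.0.0.0/0` rather than `10.26.1.0/24`, which is the quickest way to confirm the fix took.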