2010.10_Access Point-Wireless Security and Linux.pdf

Wireless security and Linux

Access Point

If you are looking for a cheap and secure wireless router setup, check out Tomato, DD-WRT, or OpenWrt.

By Kurt Seifried

I actually remember when I bought my first wireless network card. I was in Vancouver airport, and they were

selling them for about US$ 200 with unlimited usage in the airport (as opposed to having to rent one for US$

20 an hour). At that time, I was spending a lot of time in this airport, so I purchased a card and had a

whopping 2Mbps (802.11a) of bandwidth to use while waiting. This purchase was quickly followed by a

wireless router so I could enjoy the wireless goodness at home.

Fast forward a decade and now ISPs are giving away wireless N routers like banks used to give away toasters.

But what steps have been taken to ensure the security of all these wireless networks? Originally, there was

WEP (Wired Equivalent Privacy), which can be broken in real time and is pretty much useless now, then

came its successor WPA, which was basically WEP with rotating keys, again pretty useless in practice [1].

Finally, WPA2 came along, which uses the AES encryption algorithm (very strong) and has proper key setup,

making it very difficult to break into. And that is pretty much the extent of wireless security for most people.

You buy a wireless router, you hopefully set a password on it for the administrative interface (although

virtually no wireless routers actually force you to do this), you set up WPA2 with a good password (again

none force this), and that's it.

To make matters worse, most of these wireless routers are running pretty minimal operating systems

(sometimes referred to as firmware) that have just enough capability to get you online and not much else.

Additionally, much of this firmware is either out of date, contains security flaws, or simply does not provide

reliable (reset the router daily to keep it working) or fast performance (200Kbps on file transfers over a 15Mb

line).

So, what do you do if you want to build a secure router that will support more than just WPA2 and some

simple packet passing? What if you want a wireless router that will act as a VPN (e.g., allowing you to bridge

access to a corporate network) or to act as a VPN server (e.g., allowing you to connect securely to it from

elsewhere on the Internet). Or, what if you need IPv6 support? You have three main options: You can buy a

high-end wireless router designed to allow for a more full-featured system (e.g., Mikrotik or Soekris); you can

add a wireless card to an existing Linux box and set it up as a wireless router; or you can buy a cheap wireless

Access Point

router that is supported by OpenWrt, DD-WRT, or Tomato.

The first option is pretty simple: You just go spend US$ 100-400 (you buy the system, wireless card(s), power

supply, and enclosure), load up either the vendor-supplied firmware or install a stripped-down system on it,

and off you go. The main disadvantages of this are cost, although some really nice enclosures and boards will

take three or more wireless cards and provide multiple network interfaces (including Gigabit Ethernet).

The second option is cheaper but faces one problem typically: Firewalls are often hidden away in server

rooms, wiring closets, or other areas that are less than ideal for placing aerials. However, if you want to go

this route (either because placement isn't a problem or you can run an extension cable for the antenna), then

you'll want to check out HostAP for Linux [2].

That brings me to the third option: Buy a cheap wireless router - the advantages are: no moving parts, small,

did I mention cheap? - and install custom firmware that provides more capabilities and better reliability and

performance. To make things even more interesting, each of the three open source firmware options has a

different design philosophy, resulting in three very different products and almost guaranteeing that one will fit

your needs.

Tomato

Tomato doesn't include a lot of features but then it isn't meant to; "Tomato is a small, lean and simple

replacement firmware" [3], making it the simplest of the three. If you don't need features such as VPN

capabilities or network bridging, then Tomato is a great replacement for the vendor-supplied firmware. I

really like Tomato's interface. It's incredibly simple, and it's easy to use and configure; setup is a snap as well

(Figure 1). If you are simply looking for something more reliable or up to date, this is the one for you.

Figure 1: Tomato CIFS client setup.

DD-WRT

DD-WRT [4] offers a number of builds, from a Micro and Mini generic with limited capabilities (similar to

Tomato) all the way to a VoIP-specific and VPN-specific build. Fortunately, a chart lists all the capabilities

and various versions of DD-WRT in the wiki (look for the page called "What_is_DD-WRT"). You have

everything from Hotspot, IPv6, OpenVPN, PPTP (see Figure 2), ProFTPD, SNMP, SSH, and Telnetd to a

Samba/CIFS client (so you can mount Windows shares onto the device).

Access Point

Figure 2: DD-WRT PPTP server setup.

I chose the VPN build and would strongly recommend this product if you're looking for good network-related

capabilities. It has EoIP (Ethernet over IP, allowing you to bridge networks), VLAN, QoS, and advanced

firewalling (including the ability to block specific P2P networks). I also like that it forces a mandatory

password change before you can configure it.

OpenWrt

OpenWrt [5] out of the box is pretty minimal, and at first I wasn't too impressed (Figure 3). But then I read

about packages. OpenWrt has a package system for additional add-ons, and, boy, do they provide add-ons. It

has everything from Squid, NTP, OpenVPN, CUPS (printing support), and lightHTTPD to an IRC server,

Nagios (network monitoring), Asterisk (a VoIP server), and the Perl programming language.

Figure 3: OpenWrt process control.

Basically, anything you want OpenWrt to do, it can do. The only catch is that you will need a router with a

sufficiently large amount of storage space and memory (the WRT54GLs I bought are seriously underpowered,

with only 4MB of flash RAM and 16MB of system memory). My advice is to do the research and buy

something with 8MB of flash memory (like the WRTSL54GS).

Summary

In every respect, these open source firmware alternatives blow the default vendor-supplied firmware out of the

water. Combined with a USB port, you can even have your router do print server or file server duty, or both,

for your network, which adds up to a pretty complete package.

If you add OpenWrt's packages into the mix, then it is no contest between OpenWrt and DD-WRT. So, to

upgrade your router and make it more secure, I would recommend replacing the default firmware if you can.

(Make sure you check the compatibility lists!)

INFO

[1] Aircrack-ng: http://www.aircrack-ng.org/

[2] Host AP: http://hostap.epitest.fi/

[3] Tomato: http://www.polarcloud.com/tomato

[4] DD-WRT: http://www.dd-wrt.com/

[5] OpenWrt: http://openwrt.org/

THE AUTHOR

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often

wonders how it is that technology works on a large scale but often fails on a small scale.

Access Point

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: