
Re: Wireless Security



Party on Wayne,
(scnr) I have the exact setup here at home and am using ipsec to
overcome the security issues of WEP. I'll give you a brief walk-through.

On Fri, 2003-04-25 at 14:24, R. Wayne McCorkle wrote:
> I recently purchased a wireless access point. After some research into the
> relative insecurity of WEP, I am looking to implement more stringent measures.
> My current setup includes a LAN sitting behind a packet filtering firewall
> running Debian Woody. The current plan is to move the access point outside
> the firewall, as shown in the diagram below ...

AFAIK a malicious intruder has to capture ca. 2GB of traffic to compute
the preshared key (PSK) of WEP, therefore IPSEC is preferred. I am using
IPSEC with the x509 patch to enable win32 clients to connect with
certificates.

> The network address for each of the interfaces is shown above. Connections
> to the access point are exclusively MS Windows machines running XP. A file
> server in the LAN runs Samba and a DHCP server (I plan to serve DHCP
> address from the LAN, not the access point ... if possible).

If you deploy IPSEC, you can run every TCP/UDP service on top of it.
DHCP is used here to supply the clients with an IP address over the
initially insecure WLAN connection. IPSEC is a virtual device on top of
e.g. eth1.

> I am currently in the process of building a new firewall where I'll
> upgrade from ipchains to iptables. At the same time, I'd like to implement
> some security and authentication services for the access point. Some
> questions I have:
> 
>   I understand that WEP is not optimal. My research indicates that IPSec
>   would be better. Any suggestions or pointers on setting up IPSec on
>   the new firewall? Or, is there something preferable to IPSec?

The only drawback of IPSEC with win32 clients that I am aware of is the
terrible certification mgt. in winXP/2K.

>   What can I use to authenticate the Windows services from Samba. It seems
>   to me that I am going to have a two step authentication process. First
>   step is authenticate access to the Access Point. Second step is granting
>   permission to utilize services shared by machines on the LAN (i.e.
>   Samba)

Well, I use share based authentication since I use ssh/sshfs with my
clients, but you are right, it boils down to generating the secure IPSEC
connection and running whatever service you want on top of it.

>   Will I be able to access Samba services across the network boundary
>   from 192.168.1.x to 191.168.2.x?

Sure.

> I realize these are not all Debian related questions. But I will be
> running Debian on the firewall and this seemed like a good place to start.
> Ideas and pointers to documentation/HowTos would be much appreciated.

I got IPSEC up and running with the following steps; this is not the
Debian way of doing things:

Get a tarball of freeswan (the Debian packages are missing the x509
patch), fetch the patch from http://www.strongsec.com/freeswan/ and patch
the sources.
Install the client (there is a file explaining the steps to patch the
kernel).

For win32 clients you want to use the GPL'd ipsec implementation from
Marcus Mueller http://vpn.ebootis.de/ - I had a hard time trying to get
IPSEC/L2TP working with the built-in WinXP client and failed in the end.

Generate and distribute certificates.

An excellent howto with winXP/2K is available here:
http://www.natecarlson.com/linux/ipsec-x509.php

or here:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

This should be sufficient to get you started.

hth
Stefan

-- 
"boredom is not a burden anyone should bear"
Stefan Radomski <sr@oop.info>
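The design Stefan describes (the access point on an outside interface, DHCP allowed in the clear, everything else forced through the IPsec virtual device) maps onto a small iptables ruleset for the new firewall. The following is an added example, not code from the mail or from the FreeS/WAN project. It assumes eth0 is the LAN side (192.168.1.0/24, from the thread), eth1 faces the access point (192.168.2.0/24, as in the thread), and the FreeS/WAN KLIPS device ipsec0 is bound to eth1, so decrypted client traffic shows up with ipsec0 as its input interface; interface names and the chain name WLAN_IN are my own choices.

```shell
#!/bin/sh
# Added example: packet-filter rules for a gateway whose access point sits
# on an outside interface and whose wireless clients must reach the LAN
# through IPsec.  Assumptions (not from the original thread): eth0 = LAN
# (192.168.1.0/24), eth1 = WLAN side (192.168.2.0/24), ipsec0 = FreeS/WAN
# virtual device bound to eth1.  Default-deny policies on INPUT/FORWARD are
# expected to be set by the rest of the firewall script.
LAN_IF=eth0
LAN_NET=192.168.1.0/24
WLAN_IF=eth1
WLAN_NET=192.168.2.0/24
IPSEC_IF=ipsec0

# IPT may be overridden (e.g. IPT=echo) to print the rules instead of
# loading them, which is handy for reviewing a ruleset before applying it.
IPT=${IPT:-iptables}

wlan_rules() {
    # Everything arriving on the raw wireless interface is untrusted; only
    # what is needed to bootstrap an IPsec tunnel is accepted there.
    $IPT -N WLAN_IN 2>/dev/null || true
    $IPT -F WLAN_IN
    # DHCP: the client has no address yet, so only ports identify it.
    $IPT -A WLAN_IN -p udp --sport 68 --dport 67 -j ACCEPT
    # IKE (UDP 500) for key exchange, ESP (IP protocol 50) for the tunnel.
    $IPT -A WLAN_IN -p udp --dport 500 -j ACCEPT
    $IPT -A WLAN_IN -p esp -j ACCEPT
    # Anything else on the raw WLAN (including cleartext SMB) is logged
    # and dropped, so misconfigured or unauthorised clients become visible.
    $IPT -A WLAN_IN -j LOG --log-prefix "WLAN-cleartext: "
    $IPT -A WLAN_IN -j DROP
    $IPT -A INPUT -i $WLAN_IF -j WLAN_IN

    # Cleartext wireless traffic is never forwarded into the LAN.
    $IPT -A FORWARD -i $WLAN_IF -j DROP

    # Decrypted traffic from authenticated clients arrives on ipsec0 and may
    # reach the LAN (Samba and the rest); only replies flow back out.
    $IPT -A FORWARD -i $IPSEC_IF -s $WLAN_NET -d $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $IPSEC_IF -s $LAN_NET -d $WLAN_NET \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Without IPT_APPLY set, the rules are only printed for review.
if [ -n "${IPT_APPLY:-}" ]; then
    wlan_rules
else
    IPT=echo
    wlan_rules
fi
```

Run it once without IPT_APPLY to read the generated rules, then with IPT_APPLY=1 as root to load them. The point the ruleset encodes is the one from the mail: the only thing a client gets on the bare WLAN is an address and a chance to authenticate with its certificate; file services are reachable solely via the tunnel.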