Securing open access points

To: debian-firewall@lists.debian.org
Subject: Securing open access points
From: Stephan Balmer <sb@cis.ch>
Date: Sat, 3 Mar 2018 12:13:00 +0100
Message-id: <[🔎] 2824269a-06bc-b291-da5c-c72c713c38ed@cis.ch>

Hi list

We're operating a few wifi access-points that allow connecting without
any password/encryption.To tighten security a bit, I've added ebtables
rules on the individual AP. (The AP are Pc-engines Alix running Debian,
hostapd.) I'd appreciate feedback on the effectiveness of my approach
and whether there are other low-hanging fruit to further separate
clients.These are the rules:

# Flush
ebtables -F
ebtables -t nat -F

# Block packets from the wifi side that purport to be from a gateway address
ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src
10.0.0.1 -j DROP
ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src
10.1.1.1 -j DROP
ebtables -A FORWARD --in-interface wlan+ -s 02:ba:de:af:fe:00 -j DROP

# Block DHCP server responses and IP6 router advertisements from wifi side
ebtables -A FORWARD --in-interface wlan+ --protocol ipv4 --ip-protocol
udp        --ip-source-port 67 -j DROP
ebtables -A FORWARD --in-interface wlan+ --protocol IPv6 --ip6-protocol
ipv6-icmp --ip6-icmp-type 134 -j DROP

# Allow visitors to talk to the gateway only
# Just send all packets to the gateway at 02:ba:de:af:fe:00 regardless
of target address
ebtables -t nat -A PREROUTING --in-interface wlan0_+ -j dnat
--to-destination 02:ba:de:af:fe:00
ebtables -t nat -A PREROUTING --in-interface wlan1_+ -j dnat
--to-destination 02:ba:de:af:fe:00

#  Block STP on the wifi side
for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+
--source BGA -j DROP; done
for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+
--destination BGA -j DROP; done


Explanation of the interfaces:

wlan0, wlan1:   used for internal WPA-secured traffic
wlan0_0, wlan1_0:    are open for guests
10.0.0.1/24:    Internal network (somewhat trusted)
10.1.1.1/24:    Guest network (untrusted)
02:ba:de:af:fe:00:    MAC-address of the gateway interface in 10.1.1.1


The idea is to prevent guests from talking to each other. This improves
security and removes broadcast noise because broadcast traffic is only
seen by the gateway. In particular, I expect this approach to prevent
wifi-clients from impersonating the IP-gateway. This should prevent the
most common form of MitM attacks. I'm aware that it's not a total
separation and that there are still opportunities for client-address
spoofing.

Maybe you see areas where clients could be separated further?

Thanks
Stephan

Reply to:

Index(es):
- Date
- Thread