Open Source Wifi Hotspot Implementation Tyler Sondag and Jim Feher

Total Page:16

File Type:pdf, Size:1020Kb

Open Source Wifi Hotspot Implementation Tyler Sondag and Jim Feher Open Source Wifi Hotspot Implementation Tyler Sondag and Jim Feher The goal of this paper is to describe a design—includ- other hardware. The routing functions of the WRT54GS ing the hardware, software, and configuration––for an were not used in this implementation. The servers need not be anything special; older hardware will work just fine. For open source wireless network. The network designed will this implementation, decommissioned 900 MHz units with require authentication. While care will be taken to keep 512MB of RAM and 40GB hard drives were used. the authentication exchange secure, the network will oth- erwise transmit data without encryption. n Wireless router software ireless networks are an essential tool for provid- ing service for colleges and libraries. This paper In order to provide the functionality required, the units Wwill explain the setup of a wireless network had their firmware flashed with an open-source, Linux- using open-source software and inexpensive commodity based operating system available from OpenWrt for the hardware. Open-source software was employed exclu- Linksys routers (http://www.openwrt.org). Support is also sively. This allowed for flexibility in design and reduction available for other wireless devices. “The firmware from in expense while also providing a platform for students to OpenWrt provides a fully writable file system with pack- learn more about the internal workings of the system by age management. This allows developers the freedom to examining particular sections of code in which they have customize the devices by choosing only the packages and interest. Standard commodity hardware was used as a software that are necessary for their applications.”1 As the means of saving cost. This should allow others to repeat routers have limited storage, being able to hand select only this design with a minimum of funding. the necessary components is a definite advantage. The purpose of a network, like any resource, is to provide a service for those who own it; in this case, the patrons of a library, or students, faculty, and staff at a col- lege. To ensure that this network serves its owners, users n Server software will be required to authenticate before gaining access. Once authenticated, the central captive portal can pro- For the operating system on the servers, Fedora Core vide different levels of service for specific user groups, was chosen.2 Fedora provides the Yellow Dog Updater, including guest access, if desired. For this system, ease Modified (yum), which eases the updating of all pack- of access for users was the primary concern; other than ages installed on the system, including kernel updates.3 using the Secure Socket Layer for authentication, the This aids security by providing a platform for easily and remainder of the traffic was unencrypted. frequently updating the system. Fedora Core is an open- Other than the base nodes, the remaining access points source distribution that is available for free. Fedora Core were connected to each other using a wireless connection also comes with many other open-source packages that in order to avoid physically connecting all access points were used in this design, such as the Apache Web server. across campus and to further reduce the expense for the While the designers had more familiarity with Fedora, deployment of the network. This was accomplished using other distributions are also available that provide simi- the WDS (wireless distributed system) feature on the lar benefits (Suse, Ubuntu, OpenBSD, Debian, etc.). The wireless routers. All access points connect to a centralized server was run in command line mode with no graphical set of servers that provide: DHCP, Web-caching proxy, user interface in order to reduce the load on the server DNS caching, radius, Web server, a captive portal, and and save space on the hard drive. logging of network traffic. n Captive portal n Hardware In order to require authentication before gaining access Requirements for the network were relatively modest, to the network, a captive portal was used. Some of the using inexpensive wireless routers along with several Linux servers built upon older Pentium 3 desktop systems. Linksys WRT54GS routers were chosen as the access points as they are inexpensive, readily available, and possess the Jim Feher ([email protected]) is an Associate Professor ability to run custom open-source firmware. Other access of Computer Science at McKendree College in Lebanon, Illinois. points could be used; however, the configuration sugges- Tyler Sondag ([email protected]), is a senior in tions are specific to the WRT54GS and may not apply to Computer Science at McKendree College. OPEN SOURCE WIFI hotspot implementation | sondag AND feher 35 desired features in the choice of the captive portal were: to the rest of the network (appendix A). SSH login for root encrypted authentication, traffic logging, and the ability was also disabled at this time for added security. to provide different levels of service for different user groups. Logging traffic allows the system administrators to identify accounts that have been misusing the network. Those who inadvertently misuse the system or perhaps n Server #1 configuration have had their accounts compromised can have their access temporarily disabled until they can be contacted For server #1, very little setup was required. Since this with instructions concerning acceptable use of the net- server works mainly as a router, the only major items that work. As the network must be shared by all, those who went into its configuration were the iptables rules, which habitually abuse the resource can have their accounts per- are shown and described in appendix B.7 Rules were set manently disabled. The captive portal should also redi- up to: rect Web traffic to a login page that is served on the Secure Socket Layer until the user logs in. Chillispot was chosen n set up network address translation; as it possesses all of the features mentioned above.4 n allow traffic to flow within the network; n log the traffic from the wireless portion of the net- work; n allow for the transparent setup of the Web proxy n Server layout server; and n set up port knocking before allowing users to log into As can be seen in appendix A, three servers were used the router via SSH.8 for this implementation. The first server was used as the main router to the Internet. The second server ran A reference to this script was placed in the /etc/rc.d/ a Squid Web caching server.5 It also ran a DNS cach- rc.local file so that it would run when the server boots. ing server and the FreeRADIUS server.6 The third was Last was the setup of the three network interfaces in used for the captive portal. Three servers were used for the machine. This can be done during system installation various reasons. First, this distributed the load. Second, or afterwards on the Fedora Core based server by editing portions of the network that were not behind the cap- the configuration files in the /etc/sysconfig/networking- tive portal could more easily use the services on the scripts/ directory. One of the configuration files used in second server running Squid, DNS, and FreeRADIUS. It this implementation can be seen in appendix C. Of course should be noted that three independent servers are not the configuration will change as the topology of the net- required; many of the services could be consolidated on work changes. two or even one single server to reduce the hardware requirements. The implementation depends upon the specific needs for the network. n Server #2 configuration The second server required significantly more setup to n Server installation configure all of the necessary services that it runs. The first service added for this implementation was the Web- Installing the operating system (Fedora Core) on each caching proxy server, Squid. Squid’s default configura- server is a relatively straightforward procedure. Each tion file (/etc/squid.conf) is quite large; fortunately it machine was partitioned with 1024 MBs of swap space requires little modification to get a simple server up and with the rest of the drive being an ext3 partition with running.9 The changes made for this implementation can the mount point “/”. Only the minimal set of packages be seen in appendix D. The most important lines in this required were installed at this time. The first server, configuration are the last few, which enable it to act as a server #1 (router), was given three network interfaces, transparent proxy server, making it invisible to the users one for the Internet connection, one to connect to a switch and requiring no setup of their browsers. that then connects to server #2 (Web/DNS caching and As there was no need for an authoritative DNS server, radius) as well as other machines that do not connect just DNS caching for the network, dnsmasq, which is through the captive portal, and one connecting to server easy to configure and can handle both DHCP services as #3 (captive portal machine). The second server, server #2, well as DNS caching, was chosen.10 In this instance, the only needs one interface, but the third, server #3, requires captive portal was used to provide DHCP services for the two interfaces, one for the master wireless access point, wireless clients; however dnsmasq was used for dynamic and one to connect to the switch connecting this machine clients on the remaining portion of the network. Dnsmasq 36 INFORMATION TECHNOLOGY AND LIBRARIES | jUNE 2007 is relatively easy to configure, requiring only one change be configured and copied to the proper directory, the in its default configuration file, which points to the file in main configuration file and the login file.
Recommended publications
  • Campus Networking Best Practices Session 5: Wireless
    Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen Dale Smith NSRC & University of Oregon University of Oregon & NSRC [email protected] [email protected] Wireless LAN • Provide wireless network across your campus that has the following characteristics: – Authentication – only allow your users – Roaming – allow users to start up in one section of your network, then move to another location – Runs on your campus network Firewall/ Border Traffic Shaper Router Wireless REN switch Authentication Core Gateway Router Core Servers Network Access Control (NAC) Enterprise Identity Management • Processes and Documentation of users. – Now you must deal with this. – What to use as the back-end user store? • LDAP • Active Directory • Kerberos • Other? – Will this play nice with future use? • email, student/staff information, resource access, ... Identity Management Cont. • An example of such a project can be seen here: – http://ccadmin.uoregon.edu/idm/ • This is a retrofit on to an already retrofitted system. • Learn from others and try to avoid this situation if possible. A Wireless Captive Portal The Wireless Captive Portal • Previous example was very simple. • A Captive Portal is your chance to: – Explain your Acceptable Use Policies – Decide if you must authenticate, or – Allow users on your network and monitor for problems instead (alternate solution). – Anything else? Branding? What's Happening? • remember our initial network diagrams...? • Do you think our hotel built their own solution? • Probably not... Commercial Solutions • Aruba http://www.arubanetworks.com/ • Bradford Networks – http://www.bradfordnetworks.com/ • Cisco NAC Appliance (Clean Access) – http://www.cisco.com/en/US/products/ps6128/ • Cisco Wireless LAN Controllers – http://www.cisco.com/en/US/products/hw/wireless/ • Enterasys http://www.enterasys.com/ • Vernier http://www.verniernetworks.com Open Source Solutions • CoovaChilli (morphed from Chillispot) – http://coova.org/wiki/index.php/CoovaChilli – Uses RADIUS for access and accounting.
    [Show full text]
  • Setting up the Linksys EA9300 Max-Stream AC4000 Tri-Band Wi-Fi Router
    Setting up the Linksys EA9300 Max-Stream AC4000 Tri-Band Wi-Fi Router Setting up the Linksys EA9300 Max-Stream AC4000 Tri-Band Wi-Fi Router is made easy using the Smart Setup wizard which is embedded in the router's firmware and is available even if the router does not have an internet connection or the router is on factory default settings. Before you begin: Make sure you have a working internet connection. Power on your modem and connect an ethernet cable from the modem to the internet port of the router. NOTE: If you are replacing an existing router, make sure to disconnect and remove the old one. Connect the power adapter to the router and turn it ON. Wait until the Linksys logo light is solid. Step 1: Connect a wireless computer, tablet or smartphone to the default Wi-Fi network of your router. The wireless credentials are located on a label at the bottom of the device. NOTE: If you need to set up the router using a hardwired computer, connect your computer to one of the ethernet ports at the back of the router. Step 2: Launch a supported web browser and enter “linksyssmartwifi.com” in the Address bar then press [Enter]. NOTE: You can also enter “http://192.168.1.1” or “myrouter.local”. Step 3: Check the box beside I have read and accepted the License Terms for using this software. Then click Next to proceed. NOTE: Open the link to know the license terms and other information. If you prefer to manually set up the router, click on the Manual configuration link.
    [Show full text]
  • Iptables with Shorewall!
    Iptables with shorewall! Table of Contents 1. Install swarmlab-sec (Home PC) . 1 2. shorewall . 1 2.1. Installation . 2 3. Basic Two-Interface Firewall. 2 4. Shorewall Concepts . 3 4.1. zones — Shorewall zone declaration file . 3 4.2. interfaces — Shorewall interfaces file. 4 4.3. policy — Shorewall policy file . 4 4.4. rules — Shorewall rules file . 4 4.5. Compile then Execute . 4 5. Three-Interface Firewall. 5 5.1. zones . 6 5.2. interfaces . 6 5.3. policy . 7 5.4. rules . 7 5.5. masq - Shorewall Masquerade/SNAT definition file . 7 5.6. snat — Shorewall SNAT/Masquerade definition file . 8 5.7. Compile and Execute . 8 1. Install swarmlab-sec (Home PC) HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html NOTE Assuming you’re already logged in 2. shorewall Shorewall is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files. More: wikipedia 1 NOTE Our docker instances have only one nic to add more nic’s: create netowrk frist docker network create --driver=bridge --subnet=192.168.0.0/16 net1 docker network create --driver=bridge --subnet=192.168.0.0/16 net2 docker network create --driver=bridge --subnet=192.168.0.0/16 net3 then connect network to container connect network created to container docker network connect net1 master docker network connect net1 worker1 docker network connect net2 master docker network connect net2 worker2 now let’s look at the following image 2.1.
    [Show full text]
  • A Single Packet Authorization System for Tor Bridges
    BridgeSPA: A Single Packet Authorization System for Tor Bridges by Robin Smits A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics in Computer Science Waterloo, Ontario, Canada, 2012 c Robin Smits 2012 I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. ii Abstract Tor is a network designed for low-latency anonymous communications. Tor clients form circuits through relays that are listed in a public directory, and then relay their encrypted traffic through these circuits. This indirection makes it difficult for a local adversary to determine with whom a particular Tor user is communicating. Tor may also be used to circumvent regional Internet censorship, since the final hop of a user’s connection can be in a different country. In response, some local adversaries restrict access to Tor by blocking each of the publicly listed relays. To deal with such an adversary, Tor uses bridges, which are unlisted relays that can be used as alternative entry points into the Tor network. Unfortunately, issues with Tor’s bridge implementation make it easy to discover large numbers of bridges. This makes bridges easy to block. Also, an adversary that hoards this information may use it to determine when each bridge is online over time. If a bridge operator also browses with Tor on the same machine, this information may be sufficient to deanonymize him.
    [Show full text]
  • Technical Impacts of DNS Privacy and Security on Network Service Scenarios
    - Technical Impacts of DNS Privacy and Security on Network Service Scenarios ATIS-I-0000079 | April 2020 Abstract The domain name system (DNS) is a key network function used to resolve domain names (e.g., atis.org) into routable addresses and other data. Most DNS signalling today is sent using protocols that do not support security provisions (e.g., cryptographic confidentiality protection and integrity protection). This may create privacy and security risks for users due to on-path nodes being able to read or modify DNS signalling. In response to these concerns, particularly for DNS privacy, new protocols have been specified that implement cryptographic DNS security. Support for these protocols is being rapidly introduced in client software (particularly web browsers) and in some DNS servers. The implementation of DNS security protocols can have a range of positive benefits, but it can also conflict with important network services that are currently widely implemented based on DNS. These services include techniques to mitigate malware and to fulfill legal obligations placed on network operators. This report describes the technical impacts of DNS security protocols in a range of network scenarios. This analysis is used to derive recommendations for deploying DNS security protocols and for further industry collaboration. The aim of these recommendations is to maximize the benefits of DNS security support while reducing problem areas. Foreword As a leading technology and solutions development organization, the Alliance for Telecommunications Industry Solutions (ATIS) brings together the top global ICT companies to advance the industry’s business priorities. ATIS’ 150 member companies are currently working to address network reliability, 5G, robocall mitigation, smart cities, artificial intelligence-enabled networks, distributed ledger/blockchain technology, cybersecurity, IoT, emergency services, quality of service, billing support, operations and much more.
    [Show full text]
  • Captive Portal Detection Error May Be Triggered If There Is HTTP 302 Response Code Received PRS-325375 While Connecting to IVE
    Pulse Connect Secure Release Notes 8.1 R4 Build 37085: July 2015 Revision 01 Contents Introduction......................................................................................................................... 1 Interoperability and Supported Platforms ............................................................................ 2 Noteworthy changes in 8.1r4 Release ................................................................................ 2 Problems Resolved in 8.1R4 Release ................................................................................ 2 Known Issues in 8.1R3.2 release ....................................................................................... 4 Problems Resolved in 8.1R3.1 Release ............................................................................. 4 Pulse Connect Secure New Features in 8.1R3 ................................................................... 5 Noteworthy changes in this Release................................................................................... 6 Problems Resolved in 8.1R3 Release ................................................................................ 6 Known Issues in this release .............................................................................................. 7 Pulse Connect Secure Access New Features in 8.1R2 Release ........................................ 8 Disable TLS 1.0 ....................................................................................................... 8 New Functionality to create role mapping rules
    [Show full text]
  • Sentry Firewall CD HOWTO Sentry Firewall CD HOWTO Table of Contents
    Sentry Firewall CD HOWTO Sentry Firewall CD HOWTO Table of Contents Sentry Firewall CD HOWTO............................................................................................................................1 Stephen A. Zarkos, Obsid@Sentry.net....................................................................................................1 1. Introduction..........................................................................................................................................1 2. How the CD Works (Overview)..........................................................................................................1 3. Obtaining the CDROM........................................................................................................................1 4. Using the Sentry Firewall CDROM.....................................................................................................1 5. Overview of Available Configuration Directives................................................................................1 6. Setting Up a Firewall...........................................................................................................................2 7. Troubleshooting...................................................................................................................................2 8. Building a Custom Sentry CD.............................................................................................................2 9. More About the Sentry Firewall Project..............................................................................................2
    [Show full text]
  • Integrity Enhancements for Embedded Linux Devices
    Integrity Enhancements for Embedded Linux Devices David Safford [email protected] This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division (DHS S&T/HSARPA/CSD), BAA 11-02 and Air Force Research Laboratory, Information Directorate under agreement number FA8750-12-2-0243. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of Department of Homeland Security, Air Force Research Laboratory or the U.S. Government. Embedded Linux Integrity ● Server $10K+ PB 4768 Crypto card Trusted and Secure Boot ● PC $1K TB TPM Trusted and Secure Boot (Win8) ● mobile $500 GB Restricted Boot ● embedded $50 MB Nothing ● Sensor $10 KB Nothing Example Embedded Linux Devices ● Pogoplug ● TP-Link MR3020 ● D-Link DIR-505 ● Linksys WRT54G MR-3020 Main Components Three main chips SoC (32 bit MIPS) RAM (32MB) SPI Flash (4MB) Partition Name Size Contents mtd0 “boot” 64KB u-boot mtd1 “kernel” 1024KB Linux Kernel mtd2 “rootfs” 2816KB Linux root filesystem mtd3 “config” 64KB config data mtd4 “ART” 64KB radio config data Recent Embedded Linux Vulnerabilities ● 2012: 4.5 Million home routers compromised in Brazil – https://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand
    [Show full text]
  • Filtering and Identifying Web Activity by User Name
    Wavecrest®TechBrief Filtering and Identifying Web Activity by User Name www.wavecrest.net When a company implements a Web filtering and monitoring solution, it typically wants to filter and monitor the Web traffic flowing through its network by user name versus IP address for various reasons. Some of these reasons include curtailing casual surfing, protecting against security threats, and conserving bandwidth. Furthermore, a company’s Acceptable Use Policy (AUP) is usually based on user names and/or groups of user names. Therefore, the application that enforces and monitors the company’s AUP needs to identify Web activity by user name. IP addresses can be dynamic, and sometimes more than one employee can log on to a computer, and hence, more than one user name will be using the same IP address. Many an IT administrator is tasked with ensuring that the company’s employees are going through the proxy that is in place, so that Web activity can be monitored by user name. To get user names and authenticate users, IT administrators can choose any of the proxy configuration options and authentication methods described below. Depending on the company’s preference, one proxy configuration option may be more favorable than the other. Here, we will discuss applying browser settings manually, pushing out group policies using Active Directory (AD), using a captive portal, and installing client software. We will also touch on the different ways that you can authenticate your Internet users using our CyBlock products. Applying Browser Settings Manually Applying browser settings involves identifying a proxy server which is required if you need user names.
    [Show full text]
  • 9 Caching Proxy Server
    webXaccelerator: Owner's Guide by Luis Soltero, Ph.D., MCS Revision 1.06 February 10, 2010 (v1.2.3.10-RELEASE) Copyright © 2010 Global Marine Networks, LLC Table of Contents 1 Quick Start..............................................................................................................................................5 2 Introduction.............................................................................................................................................8 3 Initial Installation and Configuration......................................................................................................9 3.1 Connections.....................................................................................................................................9 3.2 Power-up..........................................................................................................................................9 3.3 Power-down...................................................................................................................................10 3.4 Web Administrator........................................................................................................................10 3.5 LAN Setup.....................................................................................................................................10 3.6 WAN Setup....................................................................................................................................11 3.7 WAN2 (Backup WAN) Setup........................................................................................................13
    [Show full text]
  • Tunneled Internet Gateway Wi-Fi Access for Mobile Devices in High-Security Environments Table of Contents
    WHITE PAPER TUNNELED INTERNET GATEWAY Wi-FI ACCESS FOR MOBILE DEVICES IN High-SECURitY ENVIRONMENTS TABLE OF CONTENTS THE ChALLENGE: Wi-FI ACCESS FOR MOBILE DEVICES IN high-SECURitY ENVIRONMENTS 3 ARUBA TUNNELED INTERNET GATEWAY SOLUtiON 3 HOW thE TUNNELED INTERNET GATEWAY WORKS 3 APPENDIX 5 TOPOLOGY DIAGRAMS 8 ABOUT ARUBA NETWORKS, INC. 9 WHITE PAPER TUNNELED INTERNET GATEWAY THE CHALLENGE: WI-FI ACCESS FOR MOBILE HOW THE TUNNELED INTERNET GATEWAY WORKS DEVICES IN HIGH-SECURITY ENVIRONMENTS Summary Since the debut of the iPhone in 2007, the private sector The Tunneled Internet Gateway is enabled through software has seen a proliferation of personal mobile devices used in configuration to any new or existing controller-based Aruba the workplace. Government customers, while slower to WLAN. Mobile users connect their devices to the Internet adopt commercially available mobile devices in the gateway SSID, creating an encrypted session with an Aruba workplace, recognize the cost and productivity advantages Mobility Controller deployed in the restricted network. and are looking for ways to increase their usage and speed- up adoption. The controller maintains logical separation between Internet sessions and restricted sessions using a Common Criteria Many civilian and military organizations have already begun EAL4+ validated firewall, then routes Internet traffic through large-scale acquisitions of commercial off-the-shelf (COTS) an additional encrypted data tunnel to a router attached to a mobile devices for distribution to relevant personnel. The commercial Internet service provider. The result is a secure, February 2013 purchase by the U.S. Department of Defense simple and low-cost network overlay with strong separation of 630,000 Apple iOS-based mobile devices is just one between restricted and Internet data.
    [Show full text]
  • WRT310N Wireless-N Gigabit Router
    USER GUIDE Wireless-N Gigabit Router Model: WRT310N About This Guide About This Guide Icon Descriptions While reading through the User Guide you may see various icons that call attention to specific items. Below is a description of these icons: NOTE: This check mark indicates that there is a note of interest and is something that you should pay special attention to while using the product. WARNING: This exclamation point indicates that there is a caution or warning and it is something that could damage your property or product. WEB: This globe icon indicates a noteworthy website address or e-mail address. Online Resources Website addresses in this document are listed without http:// in front of the address because most current web browsers do not require it. If you use an older web browser, you may have to add http:// in front of the web address. Resource Website Linksys www.linksys.com Linksys International www.linksys.com/international Glossary www.linksys.com/glossary Network Security www.linksys.com/security Copyright and Trademarks Linksys is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Copyright © 2008 Cisco Systems, Inc. All rights reserved. Other brands and product names are trademarks or registered trademarks of their respective holders. Wireless-N Gigabit Router i Table of Contents Chapter 1: Product Overview 4 Front Panel. 4 Back Panel . 4 Placement Positions . 4 Chapter 2: Wireless Security Checklist 6 General Network Security Guidelines . 6 Additional Security Tips . 6 Chapter 3: Advanced Configuration 7 Setup > Basic Setup .
    [Show full text]