Features Security Lessons: Linux WAP


Wireless security and Linux Access Point

If you are looking for a cheap and secure wireless router setup, check out Tomato, DD-WRT, or OpenWrt.

By Kurt Seifried

I actually remember when I bought my first wireless network card. I was in Vancouver airport, and they were selling them for about US$ 200 with unlimited usage in the airport (as opposed to having to rent one for US$ 20 an hour). At that time, I was spending a lot of time in this airport, so I purchased a card and had a whopping 2Mbps (802.11a) of bandwidth to use while waiting. This purchase was quickly followed by a wireless router so I could enjoy the wireless goodness at home.

Fast forward a decade, and now ISPs are giving away wireless N routers like banks used to give away toasters. But what steps have been taken to ensure the security of all these wireless networks? Originally, there was WEP (Wired Equivalent Privacy), which can be broken in real time with tools such as Aircrack-ng [1] and is pretty much useless now. Then came its successor, WPA, which kept WEP's RC4 cipher and wrapped it in TKIP (per-packet key mixing, a message integrity check, and rekeying). It was designed as a stopgap that old WEP hardware could run, TKIP has published attacks of its own, and it should be treated as deprecated. Finally, WPA2 came along, which uses the AES encryption algorithm (very strong) and has a proper key setup, making it very difficult to break into. The one caveat: with a pre-shared key, an attacker who captures the four-way handshake can run a dictionary attack against it offline (again with Aircrack-ng), so WPA2-PSK is only as strong as the passphrase you pick. And that is pretty much the extent of wireless security for most people. You buy a wireless router, you hopefully set a password on its administrative interface (although virtually no wireless routers actually force you to do this), you set up WPA2 with a good password (again, none force this), and that's it.

To make matters worse, most of these wireless routers are running pretty minimal operating systems (sometimes referred to as firmware) that have just enough capability to get you online and not much else. Additionally, much of this firmware is either out of date, contains security flaws, or simply does not provide reliable (reset the router daily to keep it working) or fast (200Kbps on file transfers over a 15Mb line) performance.

So, what do you do if you want to build a secure router that will support more than just WPA2 and some simple packet passing? What if you want a wireless router that will act as a VPN client (e.g., allowing you to bridge access to a corporate network) or as a VPN server (e.g., allowing you to connect securely to it from elsewhere on the Internet)? Or, what if you need IPv6 support? You have three main options: You can buy a high-end wireless router designed to allow for a more full-featured system (e.g., Mikrotik or Soekris); you can add a wireless card to an existing Linux box and set it up as a wireless router; or you can buy a cheap wireless router that is supported by OpenWrt, DD-WRT, or Tomato.

The first option is pretty simple: You just go spend US$ 100-400 (you buy the system, wireless card(s), power supply, and enclosure), load up either the vendor-supplied firmware or install a stripped-down system on it, and off you go. The main disadvantage of this is cost, although some really nice enclosures and boards will take three or more wireless cards and provide multiple network interfaces (including Gigabit Ethernet).

The second option is cheaper but typically faces one problem: Firewalls are often hidden away in server rooms, wiring closets, or other areas that are less than ideal for placing aerials. However, if you want to go this route (either because placement isn't a problem or you can run an extension cable for the antenna), then you'll want to check out HostAP for Linux [2].

That brings me to the third option: Buy a cheap wireless router (the advantages are: no moving parts, small, and did I mention cheap?) and install custom firmware that provides more capabilities and better reliability and performance. To make things even more interesting, each of the three open source firmware options has a different design philosophy, resulting in three very different products and almost guaranteeing that one will fit your needs.

"Open source firmware blows the vendor firmware out of the water."

Tomato

Tomato doesn't include a lot of features, but then it isn't meant to; "Tomato is a small, lean and simple replacement firmware" [3], making it the simplest of the three. If you don't need features such as VPN capabilities or network bridging, then Tomato is a great replacement for the vendor-supplied firmware. I really like Tomato's interface. It's incredibly simple, and it's easy to use and configure; setup is a snap as well (Figure 1). If you are simply looking for something more reliable or up to date, this is the one for you.

Figure 1: Tomato CIFS client setup.

DD-WRT

DD-WRT [4] offers a number of builds, from Micro and Mini generic builds with limited capabilities (similar to Tomato) all the way to VoIP-specific and VPN-specific builds. Fortunately, a chart in the wiki lists the capabilities of the various versions of DD-WRT (look for the page called "What_is_DD-WRT"). You have everything from Hotspot, IPv6, OpenVPN, PPTP (see Figure 2), ProFTPD, SNMP, SSH, and Telnetd to a Samba/CIFS client (so you can mount Windows shares onto the device). Treat PPTP and Telnetd as legacy options: PPTP's MS-CHAPv2 authentication has known weaknesses, so use OpenVPN for anything you care about, and leave Telnetd off in favour of SSH.

I chose the VPN build and would strongly recommend it if you're looking for good network-related capabilities. It has EoIP (Ethernet over IP, allowing you to bridge networks), VLANs, QoS, and advanced firewalling (including the ability to block specific P2P networks). I also like that it forces a mandatory password change before you can configure it.

Figure 2: DD-WRT PPTP server setup.

OpenWrt

OpenWrt [5] out of the box is pretty minimal, and at first I wasn't too impressed (Figure 3). But then I read about packages. OpenWrt has a package system for additional add-ons, and, boy, do they provide add-ons. It has everything from Squid, NTP, OpenVPN, CUPS (printing support), and lighttpd to an IRC server, Nagios (network monitoring), Asterisk (a VoIP server), and the Perl programming language. Basically, anything you want OpenWrt to do, it can do. The only catch is that you will need a router with a sufficiently large amount of storage space and memory (the WRT54GLs I bought are seriously underpowered, with only 4MB of flash and 16MB of RAM). My advice is to do the research and buy something with 8MB of flash memory (like the WRTSL54GS).

Figure 3: OpenWrt process control.

Summary

In every respect, these open source firmware alternatives blow the default vendor-supplied firmware out of the water. Combined with a USB port, you can even have your router do print server or file server duty, or both, for your network, which adds up to a pretty complete package. If you add OpenWrt's packages into the mix, then it is no contest between OpenWrt and DD-WRT. So, to upgrade your router and make it more secure, I would recommend replacing the default firmware if you can. (Make sure you check the compatibility lists!)

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

INFO

[1] Aircrack-ng: http://www.aircrack-ng.org/
[2] Host AP: http://hostap.epitest.fi/
[3] Tomato: http://www.polarcloud.com/tomato
[4] DD-WRT: http://www.dd-wrt.com/
[5] OpenWrt: http://openwrt.org/

OCTOBER 2010, ISSUE 119, LINUX-MAGAZINE.COM | LINUXPROMAGAZINE.COM
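On the wireless side the column's advice comes down to one setting: WPA2 with a long passphrase, and never WEP, WPA1 or an open network. On OpenWrt that setting lives in /etc/config/wireless as the `option encryption` line of each wifi-iface section, with values such as `none`, `wep-open`, `psk`, `psk-mixed`, `psk2` and `psk2+ccmp`. The following script is an added example for this page, not code from the article, from Linux Magazine or from the OpenWrt project. It parses a file in that format and flags every access point that is open, uses WEP, WPA1 or mixed mode, selects a TKIP cipher, or has a pre-shared key shorter than 12 characters; the sample configuration it writes is constructed for the demonstration, and the weakness rules and the 12-character threshold are my own choices rather than OpenWrt defaults.

```shell
#!/bin/sh
# Audit an OpenWrt-style /etc/config/wireless for weak Wi-Fi settings.
# Added example for this page, not code from the article or from OpenWrt.
# The rules and the 12-character PSK threshold are my own choices.

# audit_wireless FILE
#   Prints one finding per wifi-iface in AP mode that is open, uses WEP,
#   WPA1 only, WPA/WPA2 mixed mode, a TKIP cipher, or a short PSK.
#   Returns 0 when nothing was flagged, 1 otherwise. Read-only.
audit_wireless() {
    findings=$(awk -v sq="'" -v dq='"' '
        # Strip one layer of surrounding quotes from a UCI value.
        function unquote(v) {
            if (substr(v, 1, 1) == sq || substr(v, 1, 1) == dq) v = substr(v, 2)
            if (substr(v, length(v), 1) == sq || substr(v, length(v), 1) == dq)
                v = substr(v, 1, length(v) - 1)
            return v
        }
        # Judge the wifi-iface collected so far, then reset the state.
        # A missing mode means ap, which is the OpenWrt default.
        function flush(   reason) {
            if (sect != "" && (mode == "" || mode == "ap")) {
                reason = ""
                if (enc == "" || enc == "none")        reason = "open network, no encryption"
                else if (enc ~ /^wep/)                 reason = "WEP, recoverable in real time"
                else if (enc == "psk" || enc == "wpa") reason = "WPA1 only (TKIP)"
                else if (enc ~ /mixed/)                reason = "WPA/WPA2 mixed mode allows TKIP fallback"
                else if (enc ~ /tkip/)                 reason = "TKIP cipher selected"
                else if (enc ~ /^psk2/ && length(key) < 12)
                    reason = "pre-shared key shorter than 12 characters"
                if (reason != "")
                    printf "%s ssid=%s encryption=%s: %s\n", sect, ssid, enc, reason
            }
            sect = ""; mode = ""; enc = ""; ssid = ""; key = ""
        }
        # "config wifi-iface NAME" opens a section; other section types are ignored.
        $1 == "config" {
            flush()
            if ($2 == "wifi-iface") sect = ($3 != "" ? unquote($3) : "wifi-iface")
            next
        }
        # "option NAME VALUE" inside a wifi-iface; VALUE may be quoted and contain spaces.
        $1 == "option" && sect != "" {
            v = $0
            sub(/^[ \t]*option[ \t]+[A-Za-z0-9_]+[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            v = unquote(v)
            if ($2 == "mode") mode = v
            else if ($2 == "encryption") enc = v
            else if ($2 == "ssid") ssid = v
            else if ($2 == "key") key = v
        }
        END { flush() }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_config FILE: a constructed config, not taken from a real router.
write_sample_config() {
    cat > "$1" <<'EOF'
config wifi-iface 'default_radio0'
    option mode 'ap'
    option ssid 'linksys'
    option encryption 'none'
config wifi-iface 'legacy'
    option mode 'ap'
    option ssid 'OldPrinter'
    option encryption 'wep-open'
config wifi-iface 'mixed'
    option mode 'ap'
    option ssid 'Home'
    option encryption 'psk-mixed'
    option key 'correct horse battery staple'
config wifi-iface 'short'
    option mode 'ap'
    option ssid 'Guest'
    option encryption 'psk2'
    option key 'guest123'
config wifi-iface 'good'
    option mode 'ap'
    option ssid 'Home5G'
    option encryption 'psk2+ccmp'
    option key 'correct horse battery staple'
config wifi-iface 'uplink'
    option mode 'sta'
    option ssid 'CoffeeShop'
    option encryption 'none'
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
if audit_wireless "$tmp"; then echo "no weak access points found"; else echo "fix the lines above"; fi
rm -f "$tmp"
```

Run it on a workstation against a copy of the router's file, or paste the function onto the router and point it at /etc/config/wireless; it only reads the file. A clean result means every wifi-iface in AP mode reads `psk2+ccmp` (or enterprise `wpa2`) with a reasonably long key. Station-mode sections are skipped because the encryption there is dictated by the network you join, not by you, and WEP sections are flagged on the encryption value alone, since WEP keys live in `key1` to `key4` rather than `key`.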