Features Security Lessons: Linux WAP

Home , Router (computing), Tomato (firmware), Wireless router

Wireless security and Linux Access Point If you are looking for a cheap and secure wireless router setup, check out Tomato, DD-WRT,

or OpenWrt. By Kurt Seifried

actually remember when I bought WPA2 with a good password (again support? You have three main options: my first wireless network card. I was none force this), and that’s it. You can buy a high-end wireless router in Vancouver airport, and they were To make matters worse, most of these designed to allow for a more full-fea- I selling them for about US$ 200 with wireless routers are running pretty mini- tured system (e.g., Mikrotik or Soekris); unlimited usage in the air- you can add a wireless card to port (as opposed to having an existing Linux box and set to rent one for US$ 20 an "Open source firmware it up as a wireless router; or hour). At that time, I was you can buy a cheap wireless spending a lot of time in this blows the vendor firm- router that is supported by airport, so I purchased a card OpenWrt, DD-WRT, or To- and had a whopping 2Mbps ware out of the water." mato. (802.11a) of bandwidth to The first option is pretty use while waiting. This purchase was mal operating systems (sometimes re- simple: You just go spend US$ 100-400 quickly followed by a wireless router so I ferred to as firmware) that have just (you buy the system, wireless card(s), could enjoy the wireless goodness at enough capability to get you online home. and not much else. Additionally, much Fast forward a decade and now ISPs of this firmware is either out of date, are giving away wireless N routers like contains security flaws, or simply does banks used to give away toasters. But not provide reliable (reset the router what steps have been taken to ensure daily to keep it working) or fast perfor- the security of all these wireless net- mance (200Kbps on file transfers over works? Originally, there was WEP a 15Mb line). (Wired Equivalent Privacy), which can So, what do you do if you want to be broken in real time and is pretty build a secure router that will support much useless now, then came its succes- more than just WPA2 and some simple sor WPA, which was basically WEP with packet passing? What if you want a rotating keys, again pretty useless in wireless router that will act as a VPN practice [1]. (e.g., allowing you to bridge Finally, WPA2 came along, which uses access to a corporate the AES encryption algorithm (very network) or to act as a strong) and has proper key setup, mak- VPN server (e.g., al- ing it very difficult to break into. And lowing you to con- that is pretty much the extent of wireless nect securely to it security for most people. You buy a wire- from elsewhere less router, you hopefully set a password on the Inter- on it for the administrative interface (al- net). Or, though virtually no wireless routers ac- what if you tually force you to do this), you set up need IPv6

Kurt Seifried Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

48 October 2010 Issue 119 linux-magazine.com | Linuxpromagazine.com

048-049_kurt.indd 48 19.08.2010 14:41:18 Uhr Features Security Lessons: Linux WAP

Figure 1: Tomato CIFS client setup. Figure 2: DD-WRT PPTP server setup.

power supply, and enclosure), load up (Figure 1). If you are simply looking for (Figure 3). But then I read about pack- either the vendor-supplied firmware or something more reliable or up to date, ages. OpenWrt has a package system for install a stripped-down system on it, and this is the one for you. additional add-ons, and, boy, do they off you go. The main disadvantages of provide add-ons. It has everything from this are cost, although some really nice DD-WRT Squid, NTP, OpenVPN, CUPS (printing enclosures and boards will take three or DD-WRT [4] offers a number of builds, support), and lightHTTPD to an IRC more wireless cards and provide multi- from a Micro and Mini generic with lim- server, Nagios (network monitoring), As- ple network interfaces (including Gigabit ited capabilities (similar to Tomato) all terisk (a VoIP server), and the Perl pro- Ethernet). the way to a VoIP-specific and VPN-spe- gramming language. The second option is cheaper but faces cific build. Fortunately, a chart lists all Basically, anything you want OpenWrt one problem typically: Firewalls are the capabilities and various versions of to do, it can do. The only catch is that often hidden away in server rooms, wir- DD-WRT in the wiki (look for the page you will need a router with a sufficiently ing closets, or other areas that are less called “What_is_DD-WRT”). You have large amount of storage space and mem- than ideal for placing aerials. However, if everything from Hotspot, IPv6, Open ory (the WRT54GLs I bought are seri- you want to go this route (either because VPN, PPTP (see Figure 2), ProFTPD, ously underpowered, with only 4MB of placement isn’t a problem or you can SNMP, SSH, and Telnetd to a Samba/ flash RAM and 16MB of system mem- run an extension cable for the antenna), CIFS client (so you can mount Windows ory). My advice is to do the research and then you’ll want to check out HostAP for shares onto the device). buy something with 8MB of flash mem- Linux [2]. I chose the VPN build and would ory (like the WRTSL54GS). That brings me to the third option: strongly recommend this product if Buy a cheap wireless router – the advan- you’re looking for good network-related Summary tages are: no moving parts, small, did I capabilities. It has EoIP (Ethernet over In every respect, these open source firm- mention cheap? – and install custom IP, allowing you to bridge networks), ware alternatives blow the default ven- firmware that provides more capabilities VLAN, QoS, and advanced firewalling dor-supplied firmware out of the water. and better reliability and performance. (including the ability to block specific Combined with a USB port, you can To make things even more interesting, P2P networks). I also like that it forces a even have your router do print server or each of the three open source firmware mandatory password change before you file server duty, or both, for your net- options has a different design philoso- can configure it. work, which adds up to a pretty com- phy, resulting in three very different plete package. products and almost guaranteeing that OpenWrt If you add OpenWrt’s packages into one will fit your needs. OpenWrt [5] out of the box is pretty min- the mix, then it is no contest between imal, and at first I wasn’t too impressed OpenWrt and DD-WRT. So, to upgrade Tomato your router and make it more secure, I Tomato doesn’t include a lot of would recommend replacing the default features but then it isn’t meant firmware if you can. (Make sure you to; “Tomato is a small, lean and check the compatibility lists!) nnn simple replacement firmware” [3], making it the simplest of the Info three. If you don’t need features [1] Aircrack-ng: such as VPN capabilities or net- http://www. aircrack‑ng. org/ work bridging, then Tomato is a [2] Host AP: http://hostap. epitest. fi/ great replacement for the vendor- supplied firmware. I really like [3] Tomato: Tomato’s interface. It’s incredibly http://www. polarcloud. com/ tomato simple, and it’s easy to use and [4] DD-WRT: http://www. dd‑wrt. com/ configure; setup is a snap as well Figure 3: OpenWrt process control. [5] OpenWrt: http://openwrt. org/

linux-magazine.com | Linuxpromagazine.com Issue 119 October 2010 49

048-049_kurt.indd 49 19.08.2010 14:41:18 Uhr