Security - BrainDump

Security is extra important when you’re setting up wireless networking. Your bits are wafting forth into the air, so it’s dead easy for random snoops to eavesdrop on your network traffic. Unsecured wireless access points expose you to two different threats:

1. LAN intrusions. Your data might get stolen, or your LAN hosts turned into malware-spewing botnets, or used as rogue MP3 and porn servers.
   
2. Loss of bandwidth. It’s nice to share, but why allow your network performance to suffer because of some freeloader? Or worse, allow your bandwidth to be used for ill purposes?

If you wish to provide an open access point for anyone to use, do it the smart way. Wall it off securely from your LAN, and limit its bandwidth. One way to do this is to use a second wireless interface, if your routerboard supports it, or a dedicated access point, then use iptables to forward traffic from it to your WAN interface and block access to your LAN. Pyramid Linux comes with the WiFiDog captive portal, which you can use to remind your visitors of your generosity. Use the web interface to set it up; it takes just a few mouse clicks.

Encrypting and authenticating your wireless traffic is your number one priority. How do you do this? In the olden days, we had Wired Equivalent Privacy (WEP). Using WEP is barely better than nothing—it is famously weak, and can be cracked in less than 15 minutes with tools that anyone can download, like AirSnort and WEPCrack. Don’t use WEP. Upgrade to devices that support Wi-Fi Protected Access (WPA).

There are two flavors of WPA: WPA and WPA2. WPA is an upgrade of WEP; both use RC4 stream encryption. It was designed to be a transitional protocol between WEP and WPA2. WPA is stronger than WEP, but not as strong as WPA2. WPA2 uses a new strong encryption protocol called Counter Mode with CBC-MAC Protocol (CCMP), which is based on Advanced Encryption Standard (AES). WPA2 is the complete implementation of the 802.11i standard. See Matthew Gast’s excellent book 802.11 Wireless Networks: The Definitive Guide (O’Reilly) for more information on these. The short story is that using WPA2 gives the best protection.

Using modern wireless devices that support WPA2 makes it easy to encrypt and authenticate all of your wireless traffic. WPA supports two different types of authentication: WPA-PSK (aka WPA-Personal, which uses preshared keys) and WPA-EAP (aka WPA-Enterprise, which uses the Extensible Authentication Protocol).

WPA-Personal is simple to set up. It depends on a shared key, which is a passphrase, and which must be distributed to all authorized users. There is no built-in automated method to distribute the keys; you have to do it manually, or write a clever script, or use something like cfengine. The obvious flaw in this scheme is everyone has the same key, so anytime you need to change the key it has to be changed on all clients. However, there is a way to give users unique keys—use hostapd, the host access point daemon. It’s part of the HostAP suite of wireless drivers and utilities, and it includes a simple mechanism for managing multiple keys. This is a slick, simple way to implement some good, strong security.

WPA-Enterprise requires an authentication server, most commonly a RADIUS server. It’s more work to set up, but once it’s up, it’s easier to manage users and keys. A RADIUS server is overkill if you’re running a single access point, but it’s a lifesaver if your network has several points of entry, such as dial-up, a VPN gateway, and multiple wireless access points, because all of them can use a single RADIUS server for authentication and authorization.

HostAP includes an embedded RADIUS server. Other access points can use it just like a standalone RADIUS server.

wpa_supplicant handles the interaction between the client and the server. wpa_supplicant is included in virtually all Linux distributions, though it may not be installed by default. Mac OS X and Windows also have supplicants. The word supplicant was chosen deliberately, with its connotations of humbly requesting permission to enter your network.

These articles discuss the “binary blob” issue:

•  “OpenBSD: wpi, A Blob Free Intel PRO/Wireless 3945ABG Driver”:
  
     http://kerneltrap.org/node/6650
  
•  “Feature: OpenBSD Works To Open Wireless Chipsets”:
  
     http://kerneltrap.org/node/4118

For building your own wireless access points and getting product information in plain English without marketing guff, check out specialty online retailers like:

1. Metrix.net at http://metrix.net/metrix/ offers customized wireless access points and accessories based on Pyramid Linux, and custom services
   
2. Netgate.com: http://netgate.com/
   
3. Mini-box.com: http://www.mini-box.com/
   
4. Routerboard.com: http://www.routerboard.com 
   
5. DamnSmallLinux.org store: http://www.damnsmallinux.org/store/

These sites identify wireless chipsets by brand name and model number:

1. MadWifi.org for Atheros devices: http://madwifi.org/
   
2. Atheros.com: http://www.atheros.com/
   
3. rt2x00 Open Source Project for Ralink devices:
   
      http://rt2x00.serialmonkey.com/wiki/index.php?title=Main_Page 
   
4. FSF-approved wireless interface cards:
   
      http://www.fsf.org/resources/hw/net/wireless/cards.html

General wireless resources:

1. Ralinktech.com: http://www.ralinktech.com/
   
2. Linux on Realtek: http://rtl8181.sourceforge.net/
   
3. Realtek.com: http://www.realtek.com.tw/default.aspx
   
4. FS List of supported wireless cards: http://www.fsf.org/resources/hw/net/wireless/ cards.html
   
5. Seattle Wireless, a great resource for all things wireless, and especially building community networks: http://seattlewireless.net/
   
6. LiveKiosk: http://www.livekiosk.com
   
7. Wireless LAN resources for Linux, the gigantic mother lode of information for wireless on Linux: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/