Securing a Linux Wireless Access PointIn this third part of a five-part series on building a Linux wireless access point, you'll learn several different ways to secure your servers, so you can choose the level of security that best suits your needs. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O'Reilly; ISBN: 0596102488). Copyright © 2008 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
print this article SEARCH DEV SHED |
4.7 Making WPA2-Personal Almost As Good As WPA-Enterprise Problem You’re nervous about sitting there with an unsecured wireless access point, and you really want to lock it up before you do anything else. You’ve made sure that all of your wireless network interfaces support WPA2, so you’re ready to go. You don’t want to run a RADIUS authentication server, but using the same shared key for all clients doesn’t seem very secure. Isn’t there some kind of in-between option? Solution Yes, there is. Pyramid Linux comes with hostapd, which is a user space daemon for access point and authentication servers. This recipe will show you how to assign different pre-shared keys to your clients, instead of everyone using the same one. And, we’ll use a nice strong AES-CCMP encryption, instead of the weaker RC4-based ciphers that WPA and WEP use. First, run/sbin/rwto make the Pyramid filesystem writeable, then create or edit the /etc/hostapd.conf file: ##/etc/hostapd.conf Next, create /etc/hostapd_wpa_psk, which holds the shared plaintext passphrase: 00:00:00:00:00:00 waylongpassword Then, edit /etc/network/interfaces so that hostapd starts when the br0 interface comes up. Add these lines to the end of your br0 entry: up hostapd -B /etc/hostapd.conf Run/sbin/ro, then restart networking: pyramid:~# /etc/init.d/networking restart Now, grab a Linux client PC for testing. On the client, create an /etc/wpa_supplicant.conf file with these lines, using your own ESSID and super-secret passphrase from /etc/hostapd_wpa_psk: ##/etc/wpa_supplicant.conf Shut down the client’s wireless interface, then test the key exchange: # ifdown ath0 This shows a successful key exchange, and it confirms that the CCMP cipher is being used, which you want to see because it is much stronger than the RC4 stream encryption used by WEP. Hit Ctrl-C to end the key exchange test. So, you can add more clients, giving each of them a unique key. All you do is line them up in /etc/hostapd_wpa_psk, and match their passphrases to their MAC addresses: 00:0D:44:00:83:CF uniquetextpassword Now, you have a good strong AES-CCMP based encryption, and if one user compromises her key, you don’t have to change all of them. Revoking a user’s access is as easy as commenting out or deleting their key. You can make it permanent on the clients by configuring their wireless interfaces to call wpa_supplicant when they come up. On Debian, do this: ##/etc/network/interfaces On Fedora, add this line to /etc/sysconfig/network-scripts/ifup-wireless: wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -Dmadwifi -Bw Make sure your filepath to wpa_supplicant.conf is correct, that you specify the correct interface with-i, and that you specify the correct driver for your wireless interface with the-Doption. Discussion When you test the key exchange, you need to specify the driver for your WIC (in the example, it’s - Dmadwifi). man 8 wpa_supplicant lists all options. The wext driver is a generic Linux kernel driver. You’ll see documentation recommending that you use this. It’s better to try the driver for your interface first, then give wext a try if that causes problems. The example passphrases are terrible, and should not be used in real life. Make yours the maximum length of 63 characters, no words or names, just random jumbles of letters and numbers. Avoid punctuation marks because some Windows clients don’t handle them correctly. There are all kinds of random password generators floating around if you want some help, which a quick web search will find. Windows XP needs SP2 for WPA support, plus client software that comes with your wireless interfaces. Older Windows may be able to get all the necessary client software with their wireless interfaces. Or maybe not—shop carefully. It takes some computational power to encrypt a plaintext passphrase, so using plaintext passphrases could slow things down a bit. You can use wpa_password to encrypt your passphrases, then copy the encrypted strings into place: $ wpa_passphrase alrac-net w894uiernnfif98389rbbybdbyu8i3yenfig87bfop Now your clients and access point won’t have to expend so many CPU cycles on the passphrase. Encrypted keys do not have quotation marks in wpa_supplicant.conf; plaintext passphrases do. In our original example, 00:00:00:00:00:00 means “accept all MAC addresses.” You can see your keys in action with the iwlist ath0 key command on the access point and clients. Your access point supports virtually all clients: Linux, Mac OS X, Windows, Unix, the BSDs...any client with a supplicant and support for the protocols will work. NetworkManager and Kwlan are good graphical network management tools for Linux clients. NetworkManager is designed for all Linux desktops and window managers, and comes with Gnome; Kwlan is part of KDE. Both support profiles, key management, and easy network switching. When you’re using an Ethernet bridge, make sure that you enter your wireless and bridge interfaces in /etc/hostapd.conf. hostapd.conf supports access controls based on MAC addresses. You’re welcome to use these; however, I think they’re a waste of time because MAC addresses are so easy to spoof your cat can do it. HostAP was originally a project that supported only Prism wireless chips, but now it supports these drivers:
See Also
blog comments powered by Disqus |
|
|
|
|
|
|
|
