how we do wireless security.

  1. #1
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    how we do wireless security.

    How I do wireless......

    This took a lot of thinking on my part and I did quite a bit of research on the subject. Problem is I got screwed on hardware.

    Anyways on to the layout.

    Wireless LAN: 6 access points.
    128-bit WEP, no MAC filtering... why, you ask? MAC addresses can be changed with a single command, that is why.
    DHCP disabled - all static IP addresses.
    20+ character password on the access points (a little extreme perhaps, but I take no chances).

    Now, on to the good part.
    After researching a few products a while back (nocat, freeradius) I came down to going with what's already included in one of my favorite operating systems:
    OpenBSD.
    So now what do we have? An authenticating firewall. Introduced in OpenBSD 3.1 was authpf. What this does is authenticate a user via SSH (that's security, right?).
    Now SSH in itself has a few nifty features that people may or may not know.
    In /etc/ssh/sshd_config you can set up RSA key exchanges (which I use).
    You can also set up something I also employ: by adding the line AllowUsers username@IP address, you are restricting that user to that IP.

    So to recap the security method on the firewall.
    SSH login
    RSA key exchanges
    RSA passphrase
    User@IP address.

    Now another thing you could add to all of this is piped SSH connections between the firewall and the client (or IPsec). I haven't gone that far yet, though.

    Jumping back to authpf.
    As I said, it's an authenticating firewall; it's based on Daniel Hartmeier's PF for OpenBSD.
    With this, I block EVERYTHING in and out on both interfaces, EXCEPT for SSH from my wireless network on my internal interface. Within this I also have 2 more measures (both actually just features of authpf): one is authpf.allow (a file that allows only the users you want) and the other is /usr/sbin/authpf (the false shell that users log in with). There are rulesets that get loaded per user and apply only to that user. Once said user logs out, those rules disappear and offer no threat.

    So to hack my network, you have to get through those security measures. All this is done with freely available software and basic wireless access points. No fancy/expensive Cisco equipment or anything. Great for homes, small businesses or any other environment where you feel comfortable using free stuff.

    If anyone wants details feel free to ask. I'm in the IRC server that has been set up for us.


    irc.yoursincyberspace.com
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
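
The setup the post above describes, staged as an added example (my code, not the poster's own files): sshd restricted to public keys and one user@IP pair, a default-deny pf.conf that only admits SSH from the wireless segment, and an authpf.rules that is loaded into the authpf anchor for the life of the SSH session. The interface names em0/iwm0, the 192.168.1.0/24 segment, the user "alice" at 192.168.1.10, and current OpenBSD syntax (`anchor "authpf/*"`, `match ... nat-to`, which the 3.1-era ruleset in the post would not have used) are assumptions. The function writes into a staging directory so the output can be reviewed before anything is copied over /etc.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Stages the files for an
# authpf(8) wireless gateway on a current OpenBSD. Interface names, the
# wireless segment and the user/IP pair below are assumptions.

stage_authpf_config() {
    dest=$1        # staging root, e.g. from mktemp -d (never / directly)
    user=$2        # account allowed to authenticate from the wireless segment
    user_ip=$3     # the only address that account may SSH from

    mkdir -p "$dest/etc/ssh" "$dest/etc/authpf"

    # sshd_config: keys only, user pinned to one IP, and keepalives so a
    # client that drops off the air is reaped; authpf removes that user's
    # rules the moment its sshd session ends. Every other option is left at
    # the sshd default. AllowUsers is an allow-list: any account not listed
    # (including your admin login) is refused.
    cat > "$dest/etc/ssh/sshd_config" <<EOF
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers $user@$user_ip
ClientAliveInterval 15
ClientAliveCountMax 3
EOF

    # authpf refuses to run unless authpf.conf exists (it may be empty);
    # authpf.allow names the only accounts permitted to use the authpf shell.
    : > "$dest/etc/authpf/authpf.conf"
    printf '%s\n' "$user" > "$dest/etc/authpf/authpf.allow"

    # Default per-user ruleset. authpf defines $user_ip and $user_id at login
    # and loads this file into the anchor authpf/<user>(<pid>); a user-specific
    # file under /etc/authpf/users/<user>/ overrides it. The quoted heredoc
    # keeps the macros literal for pf rather than expanding them in the shell.
    # Only the inbound pass on the wireless interface is needed: the state it
    # creates also covers the forwarded packet leaving the external interface.
    cat > "$dest/etc/authpf/authpf.rules" <<'EOF'
wlan_if = "iwm0"
pass in quick on $wlan_if from $user_ip to any
EOF

    # Main ruleset: block everything, admit only SSH to the gateway itself
    # from the wireless segment, and let authpf's anchor supply the rest.
    # The nat-to line is for a wireless segment on private addresses.
    cat > "$dest/etc/pf.conf" <<'EOF'
ext_if   = "em0"
wlan_if  = "iwm0"
wlan_net = "192.168.1.0/24"
table <authpf_users> persist
set skip on lo
match out on $ext_if from $wlan_net to any nat-to ($ext_if)
block all
pass in on $wlan_if proto tcp from $wlan_net to ($wlan_if) port ssh
pass out on $ext_if
anchor "authpf/*"
EOF

    # Steps that touch the live system are printed, not run.
    printf '%s\n' \
        "Next: append /usr/sbin/authpf to /etc/shells," \
        "  usermod -s /usr/sbin/authpf $user," \
        "  copy $dest/etc over /etc after review, then" \
        "  pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf && rcctl restart sshd"
}

# Returns 0 when every staged file is present and the anchor rule is in place.
check_staged_config() {
    for f in etc/ssh/sshd_config etc/authpf/authpf.conf etc/authpf/authpf.allow \
             etc/authpf/authpf.rules etc/pf.conf; do
        [ -f "$1/$f" ] || return 1
    done
    grep -q '^anchor "authpf/\*"$' "$1/etc/pf.conf"
}
```

Run it as `stage_authpf_config "$(mktemp -d)" alice 192.168.1.10` and inspect the staging tree before copying. The user@IP restriction in AllowUsers only holds because the wireless clients have static addresses, which is why the poster turned DHCP off; with leases moving around, the pinned address would lock the user out. Check the result after logging in from the client with `pfctl -a 'authpf/*' -sr` and `pfctl -t authpf_users -T show`: the user's rules and address should appear on login and vanish when the SSH session closes.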

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    So, when are you setting up isakmpd?
    (I wish isakmpd could do auth with RADIUS or something...)

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Heh, when the need arises and not until then.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
