Wayne Frazee.com

Semi-Public Wireless Access

Setting up public access for Bed and Breakfast companies.

In response to the Security Focus security-basics mailing list thread "Semi-Public Wireless Access Setup".

On Monday 01 November 2004 17:06, Paul Kurczaba wrote:
>
> Some security concerns:
>
> It *is* easily possible to sniff wireless packets. Therefore an "attacker"
> could sniff your wireless waiting until one of your guests types in the
> password they received. Then, the attacker could use the password they
> sniffed.
>

Actually, your data exposure problems are far more substantial than just a compromised internet access password. Because you can't really impose WEP or WPA without some integration at the guest level (which means staff to help with key assignment and configuration), the proposed solution would implement a COMPLETELY open wireless network. Sure, the password could get sniffed, but that's small potatoes compared to unrestricted access to ALL the data flowing over the network.

What if a guest attempts to book a flight or a car, or pay for a gift? Credit card data is now exposed. This recently happened at Denver International Airport: some security analysts went into the airport, were bored before a flight, and set their wireless notebooks to just record data. The public wireless network was open, as were those of MANY of the airport-related organizations. Work orders, credit cards, all kinds of guest data were flying over the networks completely unprotected. It ended up on 9News here in Colorado, bad publicity for all concerned.

Now, for this specific implementation, a proxy is a good access control against the casual person who is just trying to hop onto internet access. Unfortunately, it is very difficult to provide "secure" wireless without the B&B having an IT person on staff (or someone with wireless config skills on the existing staff) to assist guests with laptop configuration. My $.02 on this implementation is to let guests know that the wireless is good for general surfing, but ensure they know, either by accepting an AUP or something of that nature, that the wireless is NOT considered secure and that if they send personal (read: "Credit Card") data over the network, it could be intercepted.

THEN provide several wired hookups for someone to link into. Indicate that these wired hookups are available for guests and use the same password that their wireless does. Essentially, you would just have both the wireless and this wired segment behind the proxy you are setting up.

Further, I agree with Paul that you should use either existing firewall equipment (if any) or an iptables implementation to segregate the public and corporate LANs.

Sample Implementation:

Set up a hardened, inexpensive Linux box to operate as a firewall and your proxy. Install a quad-port Ethernet card.

For purposes of this example, Eth0 handles the route out to the internet, Eth1 handles the route to the corporate LAN. Eth2 handles the route to the wireless segment. Eth3 handles the route to the "secured" guest wired connections.

Eth1 should be trusted and can access other segments. Corporate LAN ports should not be in places where guests can access them. If Corporate LAN machines are static, some form of MAC authentication would be ideal.

Eth2 and Eth3 are only allowed to direct traffic to the proxy implementation on this firewall. The proxy will then handle the traffic out Eth0 and return it to the appropriate segment/address. Your proxy should not allow proxy tunnels to be initiated from Eth0; only Eth2 and Eth3 should be able to initiate proxy requests.

Further, in an ideal setup, Eth1 would be statically assigned IPs, Eth2 (wireless) would be handled by DHCP on the AP with static addresses between the AP and the firewall/proxy box, and Eth3 (wired public segment) would need a DHCP provider (dhcpd on the proxy box, bound to Eth3?).
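The following script is an added example, not part of the original post: it turns the four-interface layout above (Eth0 internet, Eth1 trusted corporate LAN, Eth2 open wireless, Eth3 wired guest segment) into an iptables policy. The proxy port (3128), the corporate address range and the corporate MAC addresses are constructed placeholders; the "MAC authentication" for static corporate hosts is done with the iptables mac match, which is one possible reading of the suggestion above. By default the script only prints the rules it would apply (run it with APPLY=1 as root to load them), so it can be reviewed before it touches anything.

```shell
#!/bin/sh
# Added example (not from the original post): iptables policy for the
# four-interface firewall/proxy box. Addresses, MACs and the proxy port
# below are constructed placeholders; change them for a real deployment.
set -u

WAN=eth0          # route out to the internet
CORP=eth1         # trusted corporate LAN (static IPs)
WIFI=eth2         # open wireless guest segment (AP does its own DHCP)
WIRED=eth3        # wired guest segment (dhcpd on this box)
PROXY_PORT=3128   # assumed listening port of the proxy on this box
CORP_NET=192.168.1.0/24                           # constructed
CORP_MACS="00:11:22:33:44:55 00:11:22:33:44:66"   # constructed static corp hosts

# guest_segment IFACE DHCP: a guest interface may talk only to the proxy on
# this box (and, when DHCP=yes, to the local DHCP server). It is never
# forwarded anywhere, so guests cannot reach the corporate LAN or bypass
# the proxy to reach the internet directly.
guest_segment() {
    iface=$1
    dhcp=$2
    if [ "$dhcp" = yes ]; then
        echo "iptables -A INPUT -i $iface -p udp --sport 68 --dport 67 -j ACCEPT"
    fi
    echo "iptables -A INPUT -i $iface -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $iface -j DROP"
    echo "iptables -A FORWARD -i $iface -j DROP"
}

# gen_rules: emit the complete rule set, one iptables command per line.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Corporate LAN: trusted, but only from the known static hosts, checked
    # by both source address and MAC (assumed reading of "MAC authentication").
    for mac in $CORP_MACS; do
        echo "iptables -A INPUT -i $CORP -s $CORP_NET -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -A FORWARD -i $CORP -s $CORP_NET -m mac --mac-source $mac -j ACCEPT"
    done
    # Corporate hosts leave for the internet via NAT on the WAN side (assumed).
    echo "iptables -t nat -A POSTROUTING -s $CORP_NET -o $WAN -j MASQUERADE"
    # Nothing arriving from the internet may reach the proxy port; proxy
    # requests may only originate on the guest segments.
    echo "iptables -A INPUT -i $WAN -p tcp --dport $PROXY_PORT -j DROP"
    guest_segment "$WIFI" no
    guest_segment "$WIRED" yes
}

# Dry run by default; APPLY=1 pipes the generated commands into a shell.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Because the FORWARD policy is DROP and the guest interfaces get explicit DROP rules, a guest laptop can only ever open a TCP connection to the proxy port on the box itself; whether that proxy then lets the request out is the proxy's own access control, which the rules deliberately leave to it.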

Non-Equipment Imperatives:

The guests need to know that the wireless should not be trusted for personal data.

The guests need to know that more secure networking is available for them to make purchases, etc., over in the lobby (or wherever).

An additional $.02 for the pot.

All content and materials Copyright ©2004 by Wayne S. Frazee. All Rights Reserved.

Please note that the postings on this site, including news, scribblings, past writings, posted files, and other material, are my own and do not necessarily represent Avanade's or Avanade's Customers' positions, strategies or opinions, nor those of any organization I have previously worked with or represented.