Wireless Networking...but this time with a BSD router...

Jun 29, 2005 at 11:18 PM Thread Starter Post #1 of 29

I've been looking for a good way to network two computers together wirelessly.

I got a few solutions from my previous thread but then when I went searching for different routers I came across a site about using an older PC as a router. I knew about them before (slightly) but didn't know if it would be a good idea for me. Then a while later in one Head-Fi thread, someone posted about OpenBSD, which really made me think about it more.

So here I am now with 3 NICs, a P75 from '94, and a question. Instead of a router, should I go for a wireless access point that will go into the P75, or should I just stick with a wireless router (with or without a BSD router)? The added security might be nice.

Thanks
 
Jun 29, 2005 at 11:24 PM Post #2 of 29
I would always go for the Access Point for the increased performance and the ability to use the more popular "infrastructure" mode of wireless LAN comm. The AP can also be a combined Layer 1 switch and router - this is pretty much the most popular config; it will balance the throughput between LAN devices. Good luck
 
Jun 30, 2005 at 12:15 AM Post #3 of 29
If you want speed AND security (it's all relative), go ahead and go with a 100 or 1000 Mbps switched router, if you have gigabit ethernet cards installed on all your puters. It's going to be faster than trying to route multiple computers via an access point where the theoretical max is 54 Mbps.

Personally though, for ease of use and NOT having to deal with wires, I'd go with the 802.11g access point with a switched router built in like the previous poster suggests. Make sure it supports WPA and possibly RADIUS. If you go this route (no pun intended) make sure to change the factory settings for SSID and do NOT broadcast. Also change the default admin password, and if possible the admin login.

Good luck and hope this helps.
 
Jun 30, 2005 at 2:48 AM Post #5 of 29
Quote:

Originally Posted by raymondlin
Why not broadcast? Surely if it is WEP encrypted and MAC address filtering is enabled then it should be as safe as can be.


Are you being facetious? WEP has been demonstrably proven to be defeated at either the 64-bit or 128-bit key lengths. MAC address filtering is a bit more effective, except that MAC filter spoofing is easily achieved.

If I were you, then I would indeed go ahead with a FreeBSD firewall, but I would decide against any type of Wi-Fi technology until 802.17 is codified and the real-world performance / security profile has been published. Disable SSID broadcasting and enable MAC filtering, plus block out any unused DHCP address space that will not be used at the site where you plan to deploy the firewall + ethernet switch or hub. If you decide to go with a traditional 10/100/1000 ethernet hub, switch, or router, then do change the remote login ID and passphrase, and disable UPnP along with the 8080 remote port login. STAY ON TOP OF FIRMWARE PATCHES FOR ALL SECURITY DEVICES! REVIEW YOUR IP LOGS DAILY! CHANGE YOUR IDs AND PASSPHRASES ONCE EVERY WEEK!

Lastly, go to your local bookstore and locate the computer networking or security section. Find a Dummies guide on how networks really work and how to develop a multi-layered security policy. Consider getting CISSP certified and investigate UNIX clones such as Linux or BSD as a second operating system as well.

The moment you become complacent is the moment when you become vulnerable.
 
Jun 30, 2005 at 2:53 AM Post #6 of 29
If you really must have Wi-Fi, then at least go with Linksys Wi-Fi APs or routers. Then, do a search on Google for the model number that you are interested in buying and look for alternative firmware hacks. Pay particular attention to firmware hacks that give you finer granular controls over the behavior of the specific Linksys router along with more esoteric encryption systems / algorithms. They may cost money, but no price is too high to pay for greater security in an increasingly digital, networked, and troubled world.
 
Jun 30, 2005 at 7:02 AM Post #8 of 29
Quote:

Originally Posted by raymondlin
Geeze! I live in a street where kids ride around on push bikes after school. It's hardly the middle of an MIT dorm.

Just a question regarding disabling SSID, won't that stop Wi-Fi working?



It's just a way of keeping the name of your network private. Since you know the SSID, you can enter it when setting up your puter(s). It's a recommended step in securing your wireless network.

Edit: As far as WEP is concerned, and without getting into the boring details about initialization vectors and packet injection, all you have to know is that there are a lot of tools at "hackers'" disposal that will allow them to get your WEP key, hence my suggestion of using WPA.
 
Jun 30, 2005 at 7:22 AM Post #9 of 29
Quote:

Originally Posted by Welly Wu
Consider getting CISSP certified and investigate UNIX clones such as Linux or BSD as a second operating system as well.


CISSP?!?! I mean the guy is just asking how to hook up two computers together...
 
Jun 30, 2005 at 5:25 PM Post #11 of 29
Having just finished setting up a two-node (two WRT54G flashed with latest DD-WRT firmware) network at our church, I've been considering things like this for expansion. They want file sharing (the main reason I set up the network - the computers are all in an office building, with the main building about 75 feet away. They want to be able to grab files from the computers or internet) enabled, but I'm extremely hesitant to just set up a shared partition. Originally I thought I'd play around with RADIUS and VLAN, but it'd be a large pain to have to deal with that, not to mention administrate. Especially once I'm gone - they're screwed.

Right now I'm thinking NAS. Although the security would remain the same (currently just WPA. Had MAC filtering and no SSID, but it confused people so much I gave up), it would eliminate the problem of people destroying system files. So long as it was backed up regularly, it wouldn't be much of an issue.

However, I just recently set up a DynDNS account. I'm going to enable sshd on the routers so I can administrate them from home. I'm now again considering setting up a box that can act as a RADIUS server, in which case I could set up VLANs. Basically, there'd be two logical networks. One would have MAC and IP filtering (while neither of these is much of a challenge, layering even small things helps), while the other would not. They'd both utilize RADIUS. However, the open one would only have access to the internet. Nothing more. No files, nothing. Useful for if someone just wants access, such as a visiting pastor or the like.

If I did something like this, I'm thinking I'd put OpenBSD on it. Most secure OS, period. They have an insane track record; the only break-in I know of was when there was that massive SSH hole awhile back. And it was quickly patched. Again, though, the problem would be administration. I'm the only computer (well, *nix/security) literate person there. Once I leave, if something breaks, they won't be able to fix it. I could leave printed instructions for various scenarios, but that only goes so far. In which case they'd end up hiring someone to come in, who would no doubt rip everything out and put in something stupid, like WEP only.
 
Jul 1, 2005 at 2:27 AM Post #12 of 29
Keep it simple! Assess the true value of the data against the security risk inherent in this project. Then, plan the simplest solution accordingly. Seek someone whom you can trust with a background in UNIX clones such as BSD or Linux if you decide to go that route with an OpenBSD firewall with RADIUS and MyDNS deployed -- or train such a person yourself before you leave the site. Never let the technical details supersede the project's goals and the day-to-day operations required by the people in mind; the last thing you want to do is to make it so complex and hardened that nobody can manage it when you are gone (but they will remember that you were responsible for creating the infrastructure).

Stick with Windows 2000 Professional with SP-5 installed. Stick with WPA-PSK TKIP and draw up diagrams of how to lay down the infrastructure. Set up Windows so that it will automatically download the latest updates, patches, and service packs during off-peak hours, because that compromise will smooth out day-to-day operations. Enable MAC filtering with spoofing protection and restrict any unused IP address space. Teach them what SSID means, enable broadcasting, and stick to a single frequency channel for greater future hardware compatibility's sake. Do not modify any of the advanced Wi-Fi settings, as it is useless complexity for the people and the project's goals. Be cautious of setting up a DMZ or port forwarding / triggering. Forget the remote login and UPnP completely, as it would be tantamount to leaving the iron door ajar. Stay away from more sophisticated encryption systems and algorithms, because that limits future hardware compatibility should the people at the church decide to upgrade their current network topology or add / remove hardware dependent on "traditional Wi-Fi standards."

Never forget that the people's needs and the project's goals take precedence over the design and implementation of the security infrastructure. Keep it simple.
 
Jul 1, 2005 at 12:58 PM Post #14 of 29
Quote:

Originally Posted by Welly Wu
Seek someone whom you can trust with a background in UNIX clones such as BSD or Linux if you decide to go that route with an OpenBSD firewall with RADIUS and MyDNS deployed -- or train such a person yourself before you leave the site.


Such a person, sadly, does not exist. I live in hick central, you forget. There's exactly one person in the church who would even think of trying to learn *nix, Wi-Fi, and so on, but he's a contractor and insanely busy.

Quote:

Never let the technical details supersede the project's goals and the day-to-day operations required by the people in mind; the last thing you want to do is to make it so complex and hardened that nobody can manage it when you are gone (but they will remember that you were responsible for creating the infrastructure).


Precisely my problem. I could whip up a wonderful system that'd be secure, efficient, and expandable, but no one else could fix it if it went bad.

Quote:

Stick with Windows 2000 Professional with SP-5 installed. Stick with WPA-PSK TKIP and draw up diagrams of how to lay down the infrastructure. Set up Windows so that it will automatically download the latest updates, patches, and service packs during off-peak hours, because that compromise will smooth out day-to-day operations.


They're all using XP Pro. Came with the computers. I highly doubt I'm going to get them to downgrade. Besides, XP isn't all that bad. And yes, they are all kept up to date, including Spybot, Ad-Aware, and whatever A/V software is installed. (currently, a mix of McAfee and Norton. I personally hate them both, but whatever...)

As for WPA-PSK, have you ever heard of NoCat? I found it in Wi-Foo (which is an excellent book if you're looking to get into Wi-Fi security). My current thoughts are to go with this. It doesn't seem to have any downsides, nor does it seem prone to security holes. It uses GPG to sign and authenticate the logon process, so the chance of breaking the encryption is virtually nil. Someone would have to manage to break into a client that contained the private key to get anywhere.

My bigger problem currently is actually getting the network to function correctly. Roaming goes in and out. Highly annoying. Actually, more so than that (should have heard my thoughts on it last night while driving home...), but I'll leave it at that. I'm going to go back there on a day when there's no one around to bug me, or who wants to use the internet.

Quote:

Enable MAC Filtering with spoofing protection and restrict any unused IP address space.


Spoofing protection? I'm not sure what you mean by that. You could have the WAP/gateway run a RARP to match the MAC to the IP, but if someone knocked a client off the network (which is very easy to do), they'd just assume both of those, and you'd never know unless you implemented IDS. I don't care enough, nor do I wish to deal with the alarms and headaches associated with that.

Quote:

Teach them what SSID means, enable broadcasting, and stick to a single frequency channel for greater future hardware compatibility sake.


After everything's up and running, I'm going to schedule a mandatory meeting for anyone who uses or will use the network. Teach them basic security principles, troubleshooting, and so on. They will learn.


Quote:

Do not modify any of the advanced Wi-Fi settings, as it is useless complexity for the people and the project's goals. Be cautious of setting up a DMZ or port forwarding / triggering. Forget the remote login and UPnP completely, as it would be tantamount to leaving the iron door ajar. Stay away from more sophisticated encryption systems and algorithms, because that limits future hardware compatibility should the people at the church decide to upgrade their current network topology or add / remove hardware dependent on "traditional Wi-Fi standards."


I haven't touched DMZ. See no reason to. As for remote administration, I would only if I set it up to run through an SSH tunnel. I might do that eventually, but for now, I'm just going to leave it disabled. I can do a fair amount with SSHing into the router. If I end up setting up a Linux/BSD (still not sure... it's not like Linux is insecure, and I know it well. Never used BSD) box, I'd definitely be using SSH on that. Of course, it also introduces the problem of keeping it up to date security-wise. I could install Fedora or a similar GUI system, as they could figure that out fairly easily, but I'd prefer to keep it small and simple.
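The post above makes the point that a MAC/IP match on the gateway is only useful if something is watching the bindings: once a client is knocked off and its address pair taken over, "you'd never know unless you implemented IDS." The script below is an added example, not code from the thread or from any project named in it, showing the minimal version of that IDS check: it walks DHCP lease log lines and alerts when an IP is handed to a different MAC than before, when a MAC turns up on a different IP, or when a MAC is not on an allow-list. The log lines are constructed in a dhcpd-like format and the line format itself is an assumption, so the regular expression would need adjusting for a real server's output.

```python
"""Added example (not from the thread): flag IP/MAC binding changes in
DHCP log lines, the kind of check a small IDS on the gateway would run.
The sample lines below are constructed, not real captures."""
import re

# Constructed sample log in an assumed dhcpd-like format. Line 4 is the
# interesting one: 192.168.1.20 is suddenly acknowledged to a new MAC.
SAMPLE_LOG = """\
Jul  1 09:00:01 gw dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (office-pc1)
Jul  1 09:00:05 gw dhcpd: DHCPACK on 192.168.1.21 to 00:11:22:33:44:66 (office-pc2)
Jul  1 09:15:12 gw dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (office-pc1)
Jul  1 09:30:44 gw dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:ff (unknown)
Jul  1 09:31:02 gw dhcpd: DHCPACK on 192.168.1.22 to 00:11:22:33:44:66 (office-pc2)
"""

# Assumed line format: "... DHCPACK on <ip> to <mac> ..." (case-insensitive).
LINE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_bindings(text):
    """Yield (ip, mac) pairs in log order; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_binding_changes(text, allowed_macs=None):
    """Return a list of (alert_type, subject, detail) tuples.

    ip-mac-changed : an IP was acknowledged to a MAC different from last time
                     (the takeover case the post describes).
    mac-moved      : a known MAC reappeared on a different IP; often a normal
                     lease change, so treat it as informational.
    unknown-mac    : a MAC not present in allowed_macs (only if a list is given).
    """
    ip_to_mac = {}
    mac_to_ip = {}
    alerts = []
    for ip, mac in parse_bindings(text):
        if allowed_macs is not None and mac not in allowed_macs:
            alerts.append(("unknown-mac", ip, mac))
        prev_mac = ip_to_mac.get(ip)
        if prev_mac is not None and prev_mac != mac:
            alerts.append(("ip-mac-changed", ip, f"{prev_mac}->{mac}"))
        prev_ip = mac_to_ip.get(mac)
        if prev_ip is not None and prev_ip != ip:
            alerts.append(("mac-moved", mac, f"{prev_ip}->{ip}"))
        ip_to_mac[ip] = mac
        mac_to_ip[mac] = ip
    return alerts


if __name__ == "__main__":
    # Allow-list of the two office machines from the constructed log.
    known = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
    for alert in find_binding_changes(SAMPLE_LOG, allowed_macs=known):
        print(" ".join(alert))
```

Run against the constructed log with the allow-list, the script reports an unknown MAC on 192.168.1.20, the binding change on that IP, and an informational move of office-pc2 from .21 to .22. The first two alerts together are the signal the post says MAC/IP matching alone cannot give you; the third shows why a MAC-move rule needs to be informational rather than an alarm on a DHCP network.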
 
Jul 1, 2005 at 1:35 PM Post #15 of 29
There is such a thing as being too obsessed with security. I don't openly invite attack and I lock down my systems well enough, but what motivation would a hacker have to attack me? None. Ease up and relax a bit.
 