Security Basics mailing list archives
Re: Wireless LAN Design at public places
From: Bennett Todd <bet () rahul net>
Date: Mon, 2 Dec 2002 16:30:44 -0500
2002-12-01-23:09:25 Leonard.Ong () nokia com:
> Does anyone have a URL or experience designing a WLAN at public places?
Neither of them, no, but...
> I would like to replicate a good implementation I've seen [...] Once we have joined the WLAN using the auto-detect access point, my notebook was assigned an IP address. However, even the next hop / default gateway is not reachable (destination unreachable - ACL?), and neither is any other service. It is only when I have authenticated via a web page (the browser redirects me to the auth page, regardless of whatever URL I have typed in) that access is allowed to anything.
I think I can sketch out at least part of this. For the auto-detect accesspoint, you've just got normal off-the-shelf Access Points normally configured. That's how they come. The non-standard config change you make is to disable their IP addr entirely, so they offer no IP services of their own at all. This makes them hard to burgle :-). Confirm that you got this right with nmap; make sure you scan for all services and not just the well-known ones (I found one AP whose manufacturer had left open a debugging backdoor on a high-numbered UDP port). For a public-access setup, you won't worry about the end-users' systems' security; that's their own problem. The only device you offer on this net that has an IP addr is your gateway server. The only public service it initially offers is DHCP. That's how the clients get their initial IP addr and default router and so forth. The clever bit is diverting all http queries from un-authenticated IPs to an authentication webserver; I suspect that'd be an ipchains/ipfilter/ip-filter/... hack, possibly with some companion jiggery-pokery in the webserver.
> Thanks... I am particularly interested in how you can block access even to the def. gateway.
Clarify what you mean by "def. gateway". The Access Point only has to offer layer-2 and below services; it doesn't need to offer any IP services, so there's nothing there you need to "block". The gateway server, that offers the DHCP and is the default router, is a firewall running reconfigurable filtering rules; once you authenticate, the rules are adjusted to let you out of the box.

-Bennett
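The gateway-side rule set Bennett sketches (DHCP only, HTTP from unauthenticated clients diverted to the auth page, rules opened per client after login), written out as an added example that is not part of this thread. It assumes a Linux gateway with iptables rather than the ipchains/ipfilter he mentions; the interface name, auth port and sample client are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): captive-portal rules for the
# gateway box. Assumes a Linux gateway with iptables; interface name, port
# and client values are placeholders. DRY_RUN=1 (the default) prints the
# commands instead of applying them, so it can be read without root.
WLAN_IF="${WLAN_IF:-wlan0}"      # interface toward the access points
AUTH_PORT="${AUTH_PORT:-8080}"   # local auth webserver the portal redirects to
: "${DRY_RUN:=1}"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Base policy. Order matters: the jump into portal_nat must come before the
# REDIRECT, so an ACCEPT for an authenticated client skips the diversion.
portal_base_rules() {
    ipt -t nat -N portal_nat
    ipt -N portal_fwd
    ipt -t nat -A PREROUTING -i "$WLAN_IF" -j portal_nat
    ipt -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$AUTH_PORT"
    # The gateway itself answers only DHCP, DNS (the browser issues the HTTP
    # request the redirect catches only after a name resolves; answer DNS
    # locally, forwarding it upstream opens a tunnel) and the auth page.
    # Everything else is rejected: the "destination unreachable" seen above.
    ipt -A INPUT -i "$WLAN_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$WLAN_IF" -p tcp --dport "$AUTH_PORT" -j ACCEPT
    ipt -A INPUT -i "$WLAN_IF" -j REJECT
    # Nothing is forwarded for a client until portal_fwd accepts it.
    ipt -A FORWARD -i "$WLAN_IF" -j portal_fwd
    ipt -A FORWARD -i "$WLAN_IF" -j REJECT
}

# Called by the auth web app after login. Matching IP and MAC together makes
# it harder for a second client to reuse an already-authenticated address.
portal_allow_client() {
    ipt -t nat -I portal_nat -s "$1" -m mac --mac-source "$2" -j ACCEPT
    ipt -I portal_fwd -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

portal_revoke_client() {
    ipt -t nat -D portal_nat -s "$1" -m mac --mac-source "$2" -j ACCEPT
    ipt -D portal_fwd -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

if [ "${1:-}" = "show" ]; then       # sh portal.sh show
    portal_base_rules
    portal_allow_client 10.0.0.23 00:11:22:33:44:55   # constructed sample client
fi
```

Return traffic toward the WLAN is not restricted by these rules, so reply packets reach authenticated clients as long as the FORWARD policy accepts them; outbound masquerading on the upstream interface is left out.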