Security Basics mailing list archives

Re: Semi-Public Wireless Access Setu....


From: GuidoZ <uberguidoz () gmail com>
Date: Mon, 1 Nov 2004 21:43:15 -0500

Awesome write-up Paul. Very complete with excellent ideas. =)

Chad, I had just a few things to add... clarification more than
anything else. You asked about how do coffee houses and airports do
it... they use what's called a "Captive Portal". There are a bunch of
options out there (both free/open source and commercial). You can see
a listing of many of them here:
 - http://wiki.personaltelco.net/index.cgi/PortalSoftware

Basically, a portal (as you likely know) is a website/service that
offers access to a collection of resources and other services. (Like
Yahoo is a web portal.) A captive portal is the same thing, but it's a
portal in which users are first "caught" and restricted in what they
can do. The restriction can be anything capable from the software
(from a login screen to an unrestricted portal).

I won't go into immense details on list, as you may decide not to even
go with any specific software package. The most popular of the
freebies is called "NoCatAuth". It's a Linux based solution. There are
many others to choose from, though NoCatAuth is certainly the most
popular and most widely used captive portal for amateur "HotSpots" and
such. Check out the link above (and Google) for additional
information.

Feel free to email me directly if you have other specific questions
and I'll do my best to help. =) Of course you can feel free to email
to the list instead and hopefully get different perspectives and ideas
too.

--
Peace. ~G


On Mon, 1 Nov 2004 19:06:48 -0500, Paul Kurczaba <paul () myipis com> wrote:
Although it is not a bed and breakfast, while staying at Mandalay Bay in Las
Vegas, I tried connecting to their wireless network.

I quickly found out that they don't use WEP, probably because it would be a
pain in the butt for guests to set up. Instead, they have a proxy server set
up. Here is how it works: You connect your computer to either their wireless
or wired network. If you try to browse a page on the internet, say
google.com, their proxy will intercept it and redirect your browser to their
"login" page. Trying to check emails, or connect to the office via VPN would
not work (at this time).

You would then request a four digit password from the TV. Your password
would be active for 24 hours. You then go back to the computer and type in
the password in the browser, and click "ok". Their system would then map
your MAC address to the 4 digit password, and allow you to use the internet.
At this point, they also unblock all ports. This now allows you to check
emails, and use VPN(s).

For your bed and breakfast, I would do the following:

Set up a gateway running Linux/FreeBSD, which is free :). Install IPTables
and Apache. When your guests want to use your WiFi, they can request a
password from the front desk or office. Once they have the password, the
guest can browse to any page they wish. The first time their MAC address is
recognized, they will be re-directed to your proxy, which has the login
screen. They type in their password and are set.

Some security concerns:

It *is* easily possible to sniff wireless packets. Therefore an "attacker"
could sniff your wireless waiting until one of your guests types in the
password they received. Then, the attacker could use the password they
sniffed.

To secure the bed and breakfast owned boxes, you can set IPTables to drop
packets from Wireless to the bed and breakfast owned boxes.

Just my 2 cents,
Paul Kurczaba



-----Original Message-----
From: Chad Thomsen [mailto:chad.thomsen () bramespecialty com]
Sent: Monday, November 01, 2004 4:50 PM
To: security-basics () securityfocus com
Subject: Semi-Public Wireless Access Setu....

Hello all.  Our CEO owns a small Bed and Breakfast and wants me to set up
wireless for him in that facility.  The question is how would you recommend
setting it up so that anybody that comes in can use it in a secure fashion?
How do airport and coffee houses and the like set theirs up?  I am pretty
sure the only thing on his little network will be a few home PCs of his own
which I will make sure run a personal firewall on them to keep those guests
who may become a bit "curious" out of his equipment.  Other than that I am
not really sure what to do.  Also since this is a very small business, cost
is crucial.  Any suggestions would be appreciated.

Thanks,
Chad Thomsen, MCSE, CCNA
Network Administrator
Brame Specialty
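
The gateway Paul describes above (IPTables plus an Apache login page, a guest's MAC address unlocked after the password is entered, and packets from wireless to the owned boxes dropped) could be written as the ruleset below. This is an added example, not part of any message in the thread: the interface names, subnet, portal port and function names are assumptions, the owned PCs are assumed to sit on their own subnet behind the gateway, and the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the gateway.
# All four values below are assumptions for illustration.
WIFI_IF="${WIFI_IF:-wlan0}"                # guest wireless interface
WAN_IF="${WAN_IF:-eth0}"                   # uplink to the internet
OWNED_NET="${OWNED_NET:-192.168.10.0/24}"  # the owner's own PCs
PORTAL_PORT="${PORTAL_PORT:-8080}"         # Apache login page on the gateway

# The MAC is handed over by the login page and ends up on a firewall
# command line, so accept nothing but a strict aa:bb:cc:dd:ee:ff form.
valid_mac() {
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;   # rejects spaces, ';', newlines, ...
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Static rules: shield the owned boxes, send unauthenticated web requests
# to the login page, and forward only traffic carrying mark 1.
base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -I FORWARD -i $WIFI_IF -d $OWNED_NET -j DROP"
    echo "iptables -A FORWARD -i $WIFI_IF -o $WAN_IF -m mark --mark 1 -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $WIFI_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $WIFI_IF -p tcp --dport 80 -m mark ! --mark 1 -j REDIRECT --to-ports $PORTAL_PORT"
}

# After a correct password: mark that MAC's packets. The mangle table is
# traversed before nat, so marked guests skip the redirect above.
allow_mac() {
    valid_mac "$1" || { echo "rejecting malformed MAC: $1" >&2; return 1; }
    echo "iptables -t mangle -I PREROUTING -i $WIFI_IF -m mac --mac-source $1 -j MARK --set-mark 1"
}

# When the password expires (24 hours in the hotel setup): delete the rule.
revoke_mac() {
    valid_mac "$1" || return 1
    echo "iptables -t mangle -D PREROUTING -i $WIFI_IF -m mac --mac-source $1 -j MARK --set-mark 1"
}

# Constructed sample run: base rules, then one guest unlocked.
if [ "${1:-}" = "demo" ]; then
    base_rules
    allow_mac 00:11:22:33:44:55
fi
```

Review the printed commands before piping them to a root shell on the gateway.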



