Re: Require password for network access

["J. Theriault" <administrator () maginetworks com>]

rolando_ruiz () jetaviation com wrote:
> Hello Security world. 
>
> I would like to know if anyone can provide best solutions for password
> protecting access to network (internet) from unauthorized users,
> particularly from visitors. We would like to have a solution in place
> like most hotels have where you connect and are prompted to pay for
> internet access. In our case, we don't want to charge but we would like
> to restrict access unless we provide a password to obtain an IP address
> and internet access. This solution will be for wired network, and
> preferably, each user will need to contact IT for temporary username and
> password. Right now anyone can come in and connect to any live jack and
> get network access. Although we can unplug all unused network jacks, we
> would rather have a more centralized management solution. 

Hello Rolando,



Since you used a very generic terminology and this is a "basics" list, 
I'm going to give a fairly nontechnical reply, but one that should tell 
you everything you need to know.

I'm going to assume that you are representing a small hotel of ~50 rooms 
and not part of a larger chain, but the suggestions scale fine if you 
are larger.

Well, personally, you have two viable options that I can think off of 
the top of my head, and one sucks so that makes it easier. ;-)

You could install a captive portal or install switches that support 
authentication.

The switching solution is more for big enterprise, schools, secure 
computer labs and the like - it is more secure and offers more control 
and management of each and every end user - but that doesn't do anything 
for what you want, and they cost more money. A *lot* more money. They 
also mean that your backbone is far less expandable, so you might get 
crunched up in the future - not too smart an idea. Of course, they offer 
the better security and segregation between end nodes, and can totally 
prevent users snooping on each other and so on - but that's not what 
you're looking for.

What you want is to segregate the users from *your* network, to 
authenticate them before they can access the *Internet* (who cares if 
they can snoop on *each other* if they break several computer laws and 
do so - it's not your issue if it's in your terms of service, it's not 
likely, and it's their own known risk. The rest of the 'net is open, 
wouldn't the last link be...), and to provide a nice cheap easily 
expandable system that works for everyone. If you tell a user he's going 
to have to create a virtual dialup connection he's going to give you a 
nasty look. Mention that he needs to configure RADIUS and he's going to 
decline paying for your service as it's wasting his time and too 
complicated for the Average Joe.


I think a captive portal better fits your situation as a hotel - it's 
basically a small embedded computer you stick somewhere on your network 
- where your users are and you aren't - between your net and your 
connection to your ISP that denies everyone (the users, not you) access 
to the Internet until they login (when someone opens up a webbrowser and 
tries to go to any website, the captive portal will redirect them to a 
logon page). The usernames and passwords are either specified by someone 
or generated as a batch. Good captive portals will let you, say, 
generate 50 "cards" with usernames and passwords (and your logo, for 
example) that will expire after a certain time of usage - so you could 
click "50 cards that last for 24 hours" and print them out. When someone 
wanted one, you just hand them the card with their room number as the 
username, for example, and a randomly generated password. Good captive 
portals also let you do content filtering (either against unwanted 
surfing or also by file types, such as preventing users from downloading 
mp3s, which, if not in your Terms of Service could lead to litigation - 
of course, getting each user to sign a "Terms of Use" form that they are 
responsible for anything they do means this isn't required in most 
cases) if you need it...

Captive Portals aren't expensive and you can easily buy one or build 
your own with little experience or effort.

http://en.wikipedia.org/wiki/Captive_portal
http://www.publicip.net/ - An example of a complete free, and good, 
captive portal that I suggest you look at to "get a feel" for the technology



About expandability with a captive portal:

For a small hotel network that doesn't currently have network cabling 
and only wants to pay for one connection (such as a DSL2 connection, 
which offers the ability for 16 concurrent users to get full high-speed 
DSL speeds simultaneously for only 40$ a month or so), I'd recommend a 
network like so:


Internet
   |
Modem
   |
Router
   |
Switch-------------------
|                       |
Captive Portal          |
|         Firewall/router for hotel systems
Switch--                |
|      |         Hotel Systems
AP*    PL*

(Looks more complicated and expensive than it is... The point of this is 
that it's easy to manage, troubleshoot, monitor, anything - while 
keeping everything simple and cheap)

With such a configuration, you can upgrade any main part without 
bothering the others. If you want to get two DSL2 lines, all you need to 
do is buy good router that supports two WAN ports simultaneously or if 
you want to install fiber lines later on, you just add them to the 
switch behind your captive portal...

The AP (a wireless Access Point) connected to this switch can be used as 
a wireless "base station" with several "slave" (repeater) access points 
on the other floors (I've seen 2APs per floor work fine for >10 rooms 
with concrete walls - get someone who can test the signal to stick an AP 
in the hall and test it for you with various wifi cards and angles in 
EACH ROOM). That would mean that you would then have good high-speed 
reliable WiFi access, secured with your captive portal, and at speeds up 
to 16x normal DSL (depending on usage), for the cost of a normal DSL2 
line (40$/month here) a captive portal (200-300$ bought, less if 
self-made), and a few (say, perhaps 9 for a 4-floor 50-room hotel?) 40$ 
Linksys access points. Also, if you have a conference room, you can 
simply stick in an encrypted access point just for conferences that 
would still have Internet connectivity, but not be accessible by hotel 
patrons or people trying to snoop from the outside - and generating a 
new key for each conference takes only a second or two. Also, I would 
recommend buying perhaps 4-5 old ORINOCO wireless PCMCIA cards off of 
eBay in case someone does not have wireless connectivity or is too 
stupid to know how to operate his machine - old ORINOCO gold/silver 
cards are very powerful cards with good transmit rates and very good 
receive rates, but, most importantly, they're PCMCIA cards (normal 
laptop cards) that are hot-swappable (you can just plug it in and out 
when the machine's running) and they are NATIVELY supported in Windows 
XP (I believe Windows 2k, as well) and most *NIX distributions. That 
means you plug the card in and it works. No configuration, no drivers, 
no nothing. You can get them off eBay for perhaps 20$ each. Then you 
have wireless covered for unlimited normal users, with a few spare cards 
for idiots who either don't have one but thought they did or who are 
trying desperately to log on to their AOL dialup ;-)... Now you should 
have something for the few devices that don't have wireless capability.


PL stands for PowerLine; it would probably be too much work, and cost 
too much, to bore holes through to each room and run a load of network 
cable - even if you used just one cable and connected each room to it - 
but there is a good wired solution, aswell. PowerLine Networking. 
"PowerLAN". Basically, you get a phase coupler (perhaps it's a different 
word in English, I'm not sure, ask whatever company you're looking at 
the power line products of...) installed on your power lines for 
100-200$, then you buy one "master" adapter (70$?), like your "master" 
AP, and plug it into your Captive portal's switch with network cable, 
then plug it into the normal electrical socket. Then buy a few more 
"slave" adapters (40$ for 14mbps, 70$ for 85mbps or so - normal "high 
speed Internet" is ~1mbps in comparison) for the few people that have 
older laptops without wireless cards, or the few people with never 
laptops without PCMCIA slots or any other non-wireless devices. When 
they ask for Internet access, just give them the small adapter (imagine 
a normal AC-DC power adapter with a LAN cable sticking out) which they 
plug into the power socket in their room, and plug the network cable 
into their computer, which sees a normal lan. Again, works with ALL 
programs and operating systems and every device with a normal network 
jack - fast, cheap, expandable, upgradeable, and easily managed. Users 
would plug it in, turn on their laptop, open their browser, get the 
normal captive portal login page, login, and then access the Internet at 
high speeds without worrying about drivers, installation issues, or 
incompatibility. Now you have wired and wireless access, all of which 
require a user and password and are segregated from your company's 
network, and all components are easily upgradeable, scalable, and 
replaceable.

http://en.wikipedia.org/wiki/HomePlug_powerline_alliance

So, that should be all that you need.

Cheers,



Joe Theriault
administrator () maginetworks com

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and  
practice to master. We can't teach you to hack. But we can teach you  
what we've learned so far. Our courses are honest, real, technical  
and practical. SensePost willl be at Black Hat Vegas in July. To see  
what we're about, visit us at: 

http://www.sensepost.com/training.html
---------------------------------------------------------------------------