Security Basics mailing list archives

Re: Wireless LAN Design at public places


From: Bennett Todd <bet () rahul net>
Date: Mon, 2 Dec 2002 16:30:44 -0500

2002-12-01-23:09:25 Leonard.Ong () nokia com:
> Does anyone have a URL or experiences with designing a WLAN at public places?

Neither of them, no, but...

> I would like to replicate a good implementation I've seen [...]
> Once we have joined the WLAN using the auto-detect access point, my
> notebook was assigned an IP address. However, even the next hop /
> default gateway is not reachable (destination unreachable - ACL?),
> and so is any other service.

> It is only when I have authenticated via a webpage (the browser
> redirects me to the auth page regardless of whatever URL I have
> typed in) that access is allowed to anything.

I think I can sketch out at least part of this. For the auto-detect
access point, you've just got normal off-the-shelf Access Points,
normally configured. That's how they come. The non-standard config
change you make is to disable their IP addr entirely, so they
offer no IP services of their own at all. This makes them hard to
burgle :-). Confirm that you got this right with nmap; make sure you
scan for all services and not just the well-known ones (I found
one AP whose manufacturer had left open a debugging backdoor on a
high-numbered UDP port).

For a public-access setup, you won't worry about the end-users'
systems security, that's their own problem. The only device you
offer on this net that has an IP addr is your gateway server. The
only public service it initially offers is DHCP. That's how the
clients get their initial IP addr and default router and so forth.

The clever bit is diverting all http queries from un-authenticated
IPs to an authentication webserver; I suspect that'd be an
ipchains/ipfilter/ip-filter/... hack, possibly with some companion
jiggery-pokery in the webserver.

> Thanks... I am particularly interested in how you can block access
> even to the def. gateway.

Clarify what you mean by "def. gateway". The Access Point only has
to offer layer-2 and below services; it doesn't need to offer any IP
services, so there's nothing there you need to "block". The gateway
server, which offers the DHCP and is the default router, is a
firewall running reconfigurable filtering rules; once you
authenticate, the rules are adjusted to let you out of the box.

-Bennett
