Slashdot Mirror
Build an Open Source Network Sniffer
An anonymous reader writes "This article reviews common issues of wireless security, and shows how to use open source software to suss out wireless networks, get information about them, and start recognizing common security problems. You will learn how build a lightweight wireless sniffer that runs on open source software and see how simple it is to interact with wireless networks."
What you really want is something like NoCatAuth (described nicely by this article. There are plenty of other similar solutions out there - look for 'linux wireless authentication gateway' or something similar on your favorite search engine.
This flies in the face of science.
Try ipcop, it can split off your network into a wireless part and a wired part, and even add a third zone for public servers. The wireless part defaults to not giving access to either the internet or your other, wired computers, and you have to add mac addresses to a table for wireless clients to be able to connect. And it has nice graphs too, so you can see if someone's using your connection. Use this with WPA and vpn maybe. If you want more security, use wired lan instead.
Sounds like you like something like this?
From the website above:
"NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs."
Sadly this isn't very secure, since mac addresses can be faked (my wireless router already has this feature built-in). However it looks like ipcop has other types of authentication too [Version 0.2 of IPCop will include an Amber Zone (Wireless DMZ) which will support CIPE, IPSec or VPNd encrypted connections among other things] so I will check it out :-)
I Am My Own Worst Enemy
I know they can be faked, but it's still much better that if someone wants access to your network, they have to spend some time trying to figure out your mac and ip addresses than not, IMO.
It's more of a deterrent than an unbreakable security measure, but add enough deterrents and that wardriver might just use your neighbours unsecured network instead.
And if they manage to get access, they still have to crack an iptables firewall to get to your servers. Good enough for me.
The problem with IPCop and Smoothwall for that matter, is the inability to filter traffic outbound. All traffic originating on the "Green" (inside or internal) interface is permitted. Nachia and Slammer will fly right through this config. Any worm or virus or trojan that tries to use TFTP to download more tools will also be successful.
Permitting only the traffic that needs to traverse a firewall IN ALL DIRECTIONS is a basic firewall/security concept.
=====
imagetweak.netWeb-based image t
Considering the number of entirely open networks out there, I expect most people will just drive onto the next one unless they know you have something valuable on your network that they really want. For the average home user, WEP + MAC Address filtering is enough security to make the wardriver go to the next house. If you're a business with your name on the outside of the building though, you might have people that will be willing to try a little more to get access to your network.
(I did this when I first moved into my apartment, since I wasn't going to have cable hooked up for 3 weeks, I just took my laptop and walked around until I found a few open networks and used them for Internet access.)
What?
Let me clarify my last post. If a machine on your IPCop/Smoothwall protected network is compromised, then any outbound connections that these worms/virus/trojans/attackers make, will successfully traverse the firewall.
In the case of a worm like Slammer, it will be able to further propogate, Nachia will be able to flood your ISP connection, an attacker will be able to download a toolkit, etc...
=====
imagetweak.netWeb-based image t
The GS has twice the RAM and NVRAM of the regular WRT54G. This can be helpful as far as running packet sniffing apps on it is concerned.
/usr/games/fortune
There's a paper which discusses the problem quite well: http://luca.ntop.org/Ring.pdf
The thing which I found surprising is how awful Linux stood up to the tests. The standard Linux kernel + stack was dropping the majority of packets; and only with special tweaks was it able to get to capturing 93% of the packets. But 93% still isn't 100%, which is what commercial sniffers have been doing since the DOS days.
So the bottom line here is:
1. Don't use off-the-shelf BSD or Linux without serious tweaking.
2. Even then you'll still be dropping packets.
What is also interesting is that MS Windows isn't close to supporting this type of technology, which means the MS servers are going to be in serious trouble as more people adopt Gigabit networks.
Exactly so here is my method to solve this problem:
/proc/sys/net/ipv4/ip_forward
* Buy wireless AP and a linux box with 2 NICs
* Hook one NIC to your network the other NIC to the wireless AP
* Download and install OpenVPN on your linux box
* Setup iptables to DROP all packets being forwarded from the outside NIC to the inside and vice versa:
# Assuming:
# * eth0 is the outside NIC
# * eth1 is the inside NIC
# * Default iptables policy is ALLOW
# * Your linux kernel supports iptables,
# and routing
iptables -A FORWARD -i eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
echo 1 >>
* Install OpenVPN on all clients and point them to the outside NIC as the remote server
This way only VPNInside NIC packets will traverse your linux box, and everything will be encrypted with as big a key as you want. So you could just set up your AP without a WEP key and not worry (assuming you are using some key to encrypt the communications with OpenVPN, which you should). Have Fun!
Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
What you've described is exactly what MIT uses on their network. They have a large number of both wireless and wired access places. I'd assume some googling on their site might get you a little information.
Attach a forgeign computer and it prompts you to login. Non MIT users are prompted for name and email and only allowed 15 days access per year.
Apparently they key everything via MAC address. I let a friend borrow my old wireless NIC, when he went to register it welcomed ME back. I hadn't used the NIC in a year.