discuss: Wireless Gateway Howto (proof reading volunteer)


Previous by date: 10 Sep 2001 17:46:00 -0000 Re: The various tools available, Jorge Godoy
Next by date: 10 Sep 2001 17:46:00 -0000 Re: The various tools available, jdd
Previous in thread:
Next in thread: 10 Sep 2001 17:46:00 -0000 Re: Wireless Gateway Howto (proof reading volunteer), Greg Ferguson

Subject: Wireless Gateway Howto (proof reading volunteer)
From: ####@####.####
Date: 10 Sep 2001 17:46:00 -0000
Message-Id: <20010910134605.A28498@musc.edu>

I have attached my first draft of the Wireless Authentication Gateway HOWTO.
Would anyone like to volunteer to proof read it and give me some help?

Thanks.
-- 
Nathan Zorn
Medical University of South Carolina
Information Technology Lab
http://www.itlab.musc.edu/
843-792-4985

<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V3.1//EN">

<article>

<!-- Header -->

 <artheader>

  <title>HOWTO-Wireless Authentication Gateway</title>

  <author>
     <firstname>Nathan</firstname>
     <surname>Zorn</surname>
     <affiliation>
        <address>
           ####@####.####
        </address>
     </affiliation>
  </author>

   <revhistory>
      <revision>
         <revnumber>0.01</revnumber>
         <date>2001-09-06</date>
         <authorinitials>nhz</authorinitials>
          
      </revision>

      <!-- Additional (*earlier*) revision histories go here -->
   </revhistory>

  <abstract>
    <indexterm>
      <primary></primary>
    </indexterm>

    <para>
    There are many concerns with the security of wireless networks. These
    concerns are not met with current security implementations. A work around
    has been proposed by using an authentication gateway. This gateway
    addresses the security concerns by forcing the user to authenticate 
    in order to use the wireless network.
    </para>

   
    <para>
    This <ulink url="http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html">document</ulink>     
     describes the NASA implementation of the authentication gateway.
    </para>
  </abstract>

 </artheader>


<!-- Section1: intro -->

 <sect1 id="intro">
   <title>Introduction</title>

   <indexterm>
    <primary>security!introduction</primary>
   </indexterm>

  
  <para>
  With wireless networks it is very easy for an unauthorized user to
  gain access.  This  can be easily done by looking for a signal and
  grabbing connection information from the signal.  Security has been
  put in place such as WEP, but this can be subverted with tools like
  AirSnort.  In order to get around these problems a suggested approach
  is to not rely on the wireless security features.  Instead place 
  an authentication gateway in front of the wireless network and force
  users to authenticate against it before using the network.  This HOWTO
  describes how to set up this gateway with Linux.
  </para>

<!-- Section2: copyright -->

  <sect2 id="copyright">
   <title>Copyright Information</title>

   <para>
    This document is copyrighted (c) 2001 Nathan Zorn and is
    distributed under the terms of the Linux Documentation Project
    (LDP) license, stated below.
   </para>

   <para>
    Unless otherwise stated, Linux HOWTO documents are
    copyrighted by their respective authors. Linux HOWTO documents may
    be reproduced and distributed in whole or in part, in any medium
    physical or electronic, as long as this copyright notice is
    retained on all copies. Commercial redistribution is allowed and
    encouraged; however, the author would like to be notified of any
    such distributions.
   </para>

   <para>
    All translations, derivative works, or aggregate works
    incorporating any Linux HOWTO documents must be covered under this
    copyright notice. That is, you may not produce a derivative work
    from a HOWTO and impose additional restrictions on its
    distribution. Exceptions to these rules may be granted under
    certain conditions; please contact the Linux HOWTO coordinator at
    the address given below.
   </para>

   <para>
    In short, we wish to promote dissemination of this
    information through as many channels as possible. However, we do
    wish to retain copyright on the HOWTO documents, and would like to
    be notified of any plans to redistribute the HOWTOs.
   </para>

   <para>
    If you have any questions, please contact 
    ####@####.####
   </para>
  </sect2>

<!-- Section2: disclaimer -->

  <sect2 id="disclaimer">
   <title>Disclaimer</title>

   <para>
    No liability for the contents of this document can be accepted.
    Use the concepts, examples and other content at your own risk.
    As this is a new edition of this document, there may be errors
    and inaccuracies that may of course be damaging to your system.
    Proceed with caution; although this is highly unlikely,
    the author(s) do not take any responsibility for that.
   </para>

   <para>
    All copyrights are held by their respective owners, unless
    specifically noted otherwise.  Use of a term in this document
    should not be regarded as affecting the validity of any trademark
    or service mark.
   </para>

   <para>
    Naming of particular products or brands should not be seen 
    as endorsements.
   </para>

   <para>
    You are strongly recommended to take a backup of your system 
    before major installation and backups at regular intervals.
   </para>
  </sect2>

<!-- Section2: newversions-->

  <sect2 id="newversions">
   <title>New Versions</title>

    <indexterm>
     <primary>(your index root)!news on</primary>
    </indexterm>

   <para>
    This is the initial release.
   </para>

   <para>
    The newest release of this document can be found at <ulink url="http://www.itlab.musc.edu/~nathan/wireless_gateway/">http://www.itlab.musc.edu/~nathan/wireless_gateway/</ulink>.
    Related HOWTOs can be found at the 
    <ulink url="http://www.linuxdoc.org/">Linux Documentation
    Project</ulink> homepage.
   </para>
   </sect2>
   
<!-- Section2: credits -->

  <sect2 id="credits">
   <title>Credits</title>
   <para>...</para>
  </sect2>

   
<!-- Section2: feedback -->

  <sect2 id="feedback">
   <title>Feedback</title>

   <para>
    Feedback is most certainly welcome for this document. Without
    your submissions and input, this document wouldn't exist. Please
    send your additions, comments and criticisms to the following
    email address : ####@####.####
   </para>
   </sect2>

 </sect1>

<!-- Section1: intro: END -->


<!-- Section1: services  -->

 <sect1 id="services">
  <title>What is needed.</title>

  <para>
  This section describes what is needed for the authentication gateway.
  </para>

    

  <sect2 id="netfilter">
   <title>Netfilter</title>

   
   <para>
   The authentication gateway uses Netfilter and iptables to manage the 
   firewall.  Please see the 
   <ulink url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html">Netfilter HOWTO</ulink>.
   </para>

   
  </sect2>



  <sect2 id="pamiptables">
   <title>PAM module for Netfilter rules.</title>

   <para>
   This is a pam module written by Nathan Zorn and can be found 
   at <ulink url="http://www.itlab.musc.edu/~nathan/pam_iptables/">http://www.itlab.musc.edu/~nathan/pam_iptables</ulink>.
   </para>

   
  </sect2>


  <sect2 id="dhcpd">
   <title>DHCP Server</title>

   <para>
    The authentication gateway will act as the dhcp server for the wireless network. It will only serve those requesting DHCP services on the wireless network. The dhcp server
    used was the <ulink url="http://www.isc.org/products/DHCP/">ISC DHCP Server
    </ulink>. 
   </para>

   
  </sect2>

  <sect2 id="authentication">
    <title>Authentication mechanism</title>

    <para>The authentication mechanism the Medical University of South Carolina uses is 
    LDAP.  Since this is our means of authentication, the PAM modules on the gateway box were set up to use LDAP.  More information can be found at <ulink url="http://www.padl.com/pam_ldap.html">http://www.padl.com/pam_ldap.html</ulink>.
    PAM gives you the ability to use many means of authentication.  Please see
    the documentation for the PAM module you would like to use.
    </para>
  </sect2>

  <sect2 id="dnsserver">
    <title>DNS Server</title>
    
    <para>
    The gateway box also serves as a DNS server for the wireless network.
    <ulink url="http://www.isc.org/products/BIND/">Bind</ulink> was installed
    and set up as a caching nameserver.  The rpm package caching-nameserver was
    used.  This came with redhat.
    </para>
  </sect2>
 </sect1>




<sect1 id="setup">
  <title>Setting up the Gateway Services</title>

    <para>
    This section describes the details of how to set up each piece of 
    the authentication gateway.  The examples used are for a private 
    wireless network in the 10.0.1.0 subnet. eth0 is the interface on 
    the box that is connected to the internal network. eth1 is the 
    interface connected to the wireless network. Both of these can be 
    changed to fit the network you are using. Redhat 7.1 was used for 
    the gateway box, so a lot of the examples are specific to RedHat.
    </para>

  

  <sect2 id="netfiltersetup">
   <title>Netfilter Setup</title>

    
   <para>
   To set up netfilter the kernel must be recompiled to include netfilter
   support. Please see the <ulink url="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">Kernel-HOWTO</ulink> 
   for more information on configuring and compiling your kernel.
   </para>
   <para>
   This is what the kernel configuration looked like.
   <screen>
   #
   # Networking options
   #
   CONFIG_PACKET=y
   # CONFIG_PACKET_MMAP is not set
   # CONFIG_NETLINK is not set
   CONFIG_NETFILTER=y
   CONFIG_NETFILTER_DEBUG=y
   CONFIG_FILTER=y
   CONFIG_UNIX=y
   CONFIG_INET=y
   CONFIG_IP_MULTICAST=y
   # CONFIG_IP_ADVANCED_ROUTER is not set
   # CONFIG_IP_PNP is not set
   # CONFIG_NET_IPIP is not set
   # CONFIG_NET_IPGRE is not set
   # CONFIG_IP_MROUTE is not set
   # CONFIG_INET_ECN is not set
   # CONFIG_SYN_COOKIES is not set


   #   IP: Netfilter Configuration
   #   
   CONFIG_IP_NF_CONNTRACK=y
   CONFIG_IP_NF_FTP=y
   CONFIG_IP_NF_IPTABLES=y
   CONFIG_IP_NF_MATCH_LIMIT=y
   CONFIG_IP_NF_MATCH_MAC=y
   CONFIG_IP_NF_MATCH_MARK=y
   CONFIG_IP_NF_MATCH_MULTIPORT=y
   CONFIG_IP_NF_MATCH_TOS=y
   CONFIG_IP_NF_MATCH_TCPMSS=y
   CONFIG_IP_NF_MATCH_STATE=y
   CONFIG_IP_NF_MATCH_UNCLEAN=y
   CONFIG_IP_NF_MATCH_OWNER=y
   CONFIG_IP_NF_FILTER=y
   CONFIG_IP_NF_TARGET_REJECT=y
   CONFIG_IP_NF_TARGET_MIRROR=y
   CONFIG_IP_NF_NAT=y
   CONFIG_IP_NF_NAT_NEEDED=y
   CONFIG_IP_NF_TARGET_MASQUERADE=y
   CONFIG_IP_NF_TARGET_REDIRECT=y
   CONFIG_IP_NF_NAT_FTP=y
   CONFIG_IP_NF_MANGLE=y
   CONFIG_IP_NF_TARGET_TOS=y
   CONFIG_IP_NF_TARGET_MARK=y
   CONFIG_IP_NF_TARGET_LOG=y
   CONFIG_IP_NF_TARGET_TCPMSS=y
   </screen>
   </para>
   <para>
   Iptables needs to be installed.  To install iptables either use
   a package from your distribution or install from source. 
   Once the kernel was built with the options above and iptables was installed,
   the following default firewall rules were set.
   <screen>
   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -I FORWARD -o eth0 -j DROP
   iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
   </screen>
   Note that -I inserts a rule at the head of the chain, so the ACCEPT rule
   added last is checked before the DROP rule; rules are matched in order and
   the first match decides.
   The above commands can also be put in an initscript to start up when
   the server restarts.
   To make sure the rules have been added issue the following command:
   <screen>
   iptables -L
   </screen>
   
   To save these rules we used redhat's init scripts. 
   <screen>
   /etc/init.d/iptables save
   /etc/init.d/iptables restart
   </screen>
   Once the rules are in place turn on ip forwarding by
   adding the following line to /etc/sysctl.conf.
   <screen>
   net.ipv4.ip_forward = 1
   </screen>

   Now the gateway box will be able to do NAT, but it will be dropping
   all forwarding packets except those coming from within the wireless
   network and bound for the gateway.
   </para>   
   
  </sect2>

  <sect2 id="pamiptablessetup">
   <title>PAM iptables Module.</title>

   <para>
   This module is a PAM session module that inserts the firewall rule
   needed to allow forwarding for the authenticated client, and removes
   it again when the session ends.

   To set it up, simply get the <ulink url="ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz">source</ulink> and compile it by doing the following.
   <screen>
   gcc -fPIC -c pam_iptables.c
   ld -x --shared -o pam_iptables.so pam_iptables.o
   </screen>
   You should now have two files, pam_iptables.so and pam_iptables.o.
   Copy pam_iptables.so to /lib/security/pam_iptables.so.
   <screen>
   cp pam_iptables.so /lib/security/pam_iptables.so
   </screen>
   The chosen authentication client for the gateway was ssh, so we added the
   following line to /etc/pam.d/sshd.
   <screen>
   session    required     /lib/security/pam_iptables.so 
   </screen>
   Now when a user logs in with ssh the firewall rule will be added.
   </para>
   <para>
   The default interface for pam_iptables is eth0.  This can be 
   changed by adding the interface parameter. 
   <screen>
   session required /lib/security/pam_iptables.so interface=eth1
   </screen>
   This is only needed if the interface name that connects to the external
   network is not eth0.
   </para>
   <para>
   To test that the pam_iptables module is working, log into the box with
   ssh, check that the rule was added (iptables -L), and then log out of
   the box and check that the rule has been removed.
   </para>
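   <para>
   As an added illustration (not part of this HOWTO and not code from pam_iptables), the Python model below replays the FORWARD chain from the Netfilter Setup section as a first-match rule list and shows why the per-client ACCEPT rule that the session module adds at login must be inserted ahead of the DROP rule (-I, not -A) and deleted again at logout. The shape of the per-client rule (ACCEPT for the client's address out the external interface) is an assumption, since the HOWTO does not show it.
   </para>

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; a None field is a wildcard, as an omitted iptables match is."""
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    out_if: Optional[str]
    target: str
    def matches(self, src, dst, out_if):
        return ((self.src is None or ipaddress.IPv4Address(src) in self.src)
                and (self.dst is None or ipaddress.IPv4Address(dst) in self.dst)
                and (self.out_if is None or self.out_if == out_if))

class ForwardChain:
    """First-match model of the FORWARD chain; unmatched packets hit the default ACCEPT policy."""
    def __init__(self):
        self.rules = []
    def insert(self, rule):      # iptables -I FORWARD: prepend, checked first
        self.rules.insert(0, rule)
    def append(self, rule):      # iptables -A FORWARD: append, checked last
        self.rules.append(rule)
    def delete(self, rule):      # iptables -D FORWARD: remove the first identical rule
        self.rules.remove(rule)
    def verdict(self, src, dst, out_if):
        for rule in self.rules:
            if rule.matches(src, dst, out_if):
                return rule.target
        return "ACCEPT"

def net(cidr):
    return ipaddress.IPv4Network(cidr)

def gateway_chain():
    """The HOWTO's two default rules, applied in the order the text gives them."""
    chain = ForwardChain()
    chain.insert(Rule(None, None, "eth0", "DROP"))
    chain.insert(Rule(net("10.0.1.0/24"), net("10.0.1.1/32"), None, "ACCEPT"))
    return chain

def client_rule(client_ip, iface="eth0"):
    # Assumed shape of the per-client rule (the HOWTO does not show pam_iptables' rule)
    return Rule(net(client_ip + "/32"), None, iface, "ACCEPT")

def demo():
    """Verdicts for wireless client 10.0.1.5 reaching outside host 192.0.2.10 via eth0."""
    chain = gateway_chain()
    pkt = ("10.0.1.5", "192.0.2.10", "eth0")
    before = chain.verdict(*pkt)                    # not logged in: DROP
    chain.insert(client_rule("10.0.1.5"))           # open_session: -I the ACCEPT rule
    during = chain.verdict(*pkt)                    # logged in: ACCEPT
    other = chain.verdict("10.0.1.6", "192.0.2.10", "eth0")   # another client: DROP
    chain.delete(client_rule("10.0.1.5"))           # close_session: -D the same rule
    after = chain.verdict(*pkt)                     # logged out: DROP
    chain.append(client_rule("10.0.1.5"))           # wrong: -A lands behind the DROP rule
    appended = chain.verdict(*pkt)                  # still DROP
    return before, during, other, after, appended
```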
   
  </sect2>


  <sect2 id="dhcpdsetup">
   <title>DHCP Server Setup</title>

   <para>
    DHCP was installed and the following dhcpd.conf file was used.
    <screen>
   subnet 10.0.1.0 netmask 255.255.255.0 {
   # --- default gateway
        option routers                  10.0.1.1;
        option subnet-mask              255.255.255.0;
        option broadcast-address        10.0.1.255;

        option domain-name-servers       10.0.1.1;      
        range   10.0.1.3 10.0.1.254;
        option time-offset              -5;     # Eastern Standard Time

        default-lease-time 21600;
        max-lease-time 43200;

    } 
    </screen>
    The server was then run using eth1, the interface to the wireless net.
    <screen>
    /usr/sbin/dhcpd eth1
    </screen>
   </para>

   
   </sect2>
  


 
 <sect2 id="authenticationsetup">
   <title>Authentication Method Setup</title>

   
   <para>
   This gateway uses LDAP for authenticating.  You are able to use any 
   means that PAM allows for authentication.  Please see the <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html">pam modules</ulink>
   for more information. 
   </para>
   
   <para>
   The following setup was used to get PAM LDAP to authenticate.
   <ulink url="http://www.openldap.org">OpenLDAP</ulink> was installed 
   and configured with the following in /etc/ldap.conf.
   <screen>
   # Your LDAP server. Must be resolvable without using LDAP.
   host itc.musc.edu

   # The distinguished name of the search base.
   base dc=musc,dc=edu
   ssl no
   </screen>

   The following files were used to configure PAM to do the LDAP authentication.
   These files were generated by redhat's configuration utility.

   <filename>/etc/pam.d/system-auth</filename> was created and looked like this.
   <screen>
   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      /lib/security/pam_env.so
   auth        sufficient    /lib/security/pam_unix.so likeauth nullok
   auth        sufficient    /lib/security/pam_ldap.so use_first_pass
   auth        required      /lib/security/pam_deny.so

   account     required      /lib/security/pam_unix.so
   account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

   password    required      /lib/security/pam_cracklib.so retry=3
   password    sufficient    /lib/security/pam_unix.so nullok use_authtok
   password    sufficient    /lib/security/pam_ldap.so use_authtok
   password    required      /lib/security/pam_deny.so

   session     required      /lib/security/pam_limits.so
   session     required      /lib/security/pam_unix.so
   session     optional      /lib/security/pam_ldap.so
   </screen>
   Then the following /etc/pam.d/sshd file was created.
   <screen>
   #%PAM-1.0
   auth       required     /lib/security/pam_stack.so service=system-auth
   auth       required     /lib/security/pam_nologin.so
   account    required     /lib/security/pam_stack.so service=system-auth
   password   required     /lib/security/pam_stack.so service=system-auth
   session    required     /lib/security/pam_stack.so service=system-auth
   #this line is added for firewall rule insertion upon login
   session    required     /lib/security/pam_iptables.so debug
   session    optional     /lib/security/pam_console.so

   </screen>
   </para>
  </sect2>
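   <para>
   As an added example (not from this HOWTO and not Linux-PAM's own code), the Python below models how the auth lines of the system-auth file above are evaluated under PAM's required/sufficient control flags, using constructed local and LDAP account stores, and shows why the trailing pam_deny line matters.
   </para>

```python
from typing import Callable, List, Tuple

# Constructed sample credential stores standing in for /etc/shadow and the LDAP directory.
LOCAL_USERS = {"localadmin": "local-secret"}
LDAP_USERS = {"zornnh": "ldap-secret"}   # user name taken from the HOWTO's sample session

def pam_env(user, password):   return True                              # sets env, never fails
def pam_unix(user, password):  return LOCAL_USERS.get(user) == password
def pam_ldap(user, password):  return LDAP_USERS.get(user) == password
def pam_deny(user, password):  return False                             # catch-all failure

Module = Callable[[str, str], bool]
AUTH_STACK: List[Tuple[str, Module]] = [     # the auth lines of /etc/pam.d/system-auth
    ("required", pam_env),
    ("sufficient", pam_unix),
    ("sufficient", pam_ldap),
    ("required", pam_deny),
]

def run_stack(stack, user, password):
    """Simplified Linux-PAM control-flag semantics for one management group."""
    failed = False
    for flag, module in stack:
        ok = module(user, password)
        if flag == "requisite" and not ok:
            return "PAM_AUTH_ERR"            # stop at once
        if flag == "required" and not ok:
            failed = True                    # remember, but keep going so the failing module is not revealed
        elif flag == "sufficient" and ok and not failed:
            return "PAM_SUCCESS"             # short-circuit: nothing after this line is consulted
        # 'optional' results and failed 'sufficient' modules do not affect the outcome
    return "PAM_AUTH_ERR" if failed else "PAM_SUCCESS"

def demo():
    results = {
        "local_user": run_stack(AUTH_STACK, "localadmin", "local-secret"),
        "ldap_user": run_stack(AUTH_STACK, "zornnh", "ldap-secret"),
        "bad_password": run_stack(AUTH_STACK, "zornnh", "guess"),
        "unknown_user": run_stack(AUTH_STACK, "nobody", "guess"),
    }
    # Drop the trailing 'required pam_deny.so' line: the only module left with a verdict
    # is the always-successful pam_env, so an unknown user is authenticated.
    results["unknown_user_without_deny"] = run_stack(AUTH_STACK[:-1], "nobody", "guess")
    return results
```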


  <sect2 id="dnssetup">
   <title>DNS Setup</title>

    
   <para>
   Bind was installed, using the default version shipped with redhat 7.1. The rpm
   called caching-nameserver was also installed.  The DHCP server tells
   the machines on the wireless net to use the gateway box as their nameserver.
   </para>

   
  </sect2>


 </sect1>

 <sect1 id="usage">
 <title>Using the authentication gateway</title>
 <para>
 To use the authentication gateway configure your client machine to use 
 dhcp.  Install an ssh client on the box and ssh into the gateway.
 Once you are logged in you will have access to the internal network.
 An example session from a unix based client:
 <screen>
 bash>ssh ####@####.####
 zornnh's Password:
 
 gateway>
 </screen>
 As long as you stay logged in you will have access.  Once you log out
 access will be taken away.
 </para>
 </sect1>

 <sect1 id="remarks">
  <title>Concluding Remarks</title>
  
   <indexterm>
    <primary>(your index root)!conclusion</primary>
   </indexterm>

  <para>
  This method of security does not rely on the security provided by the
  wireless network community.  It assumes that the entire wireless network
  is insecure and outside of your network. 
  </para>

 </sect1>

<!-- Section1: remarks: END -->


<!-- Section1: faq -->

 <sect1 id="faq">
  <title>Questions and Answers</title>

   <indexterm>
    <primary>(your index root)!FAQ</primary>
   </indexterm>
   <indexterm>
    <primary>(your index root)!frequently asked questions</primary>
   </indexterm>

  <para>
   This is just a collection of what I believe are the most common
   questions people might have. Give me more feedback and I will turn
   this section into a proper FAQ.
  </para>

 </sect1>

<!-- Section1: faq: END -->



</article>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-namecase-general:t
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:nil
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->


