- Functioning of 802.11-based wireless access network
- DHCP server use and configuration
- Port forward use for firewalling and IP masquerading
- Configuring a workstation running Linux to work as a router and moderately sophisticated security gateway
- Web-based authentication
Evidence of requirement
According to the business purpose, many visitors will come to our company. Many of them use the wireless adapter of their notebook to connect to the Internet, so we need to provide a wireless network for them. However, we only use a WEP key for encryption, and there are a few security risks for public Wi-Fi users that concern us:
1. Lack of encryption: In an attempt to be both public and easy to use, many hotspots forgo data encryption protocols such as WEP (wired equivalent privacy), 802.11i, or WPA. This makes it especially easy for others to eavesdrop on a session, so it is up to the user to employ smart security practices.
2. The evil twin: There are a variety of tools that can be used to eavesdrop on an unsecured network session. One of the most nefarious of these has a name to match: the evil twin. An evil twin is a wireless network signal that masquerades as a legitimate hotspot for the purpose of stealing information from the user, such as a network password or a credit card number. With a little software and some ingenuity, a thief can make a device with a wireless signal look just like an access point to the unsuspecting computer.
3. Malware: The visitor's computer may contain viruses, worms, and spyware, which can spread to our network very easily.
General context description
Ideally, an independent broadband line would be used for the wireless network. Unfortunately, my company only has one broadband line, so I cannot completely separate the corporate network and the guest network. Therefore, my idea is to use a subnetwork: I will set up another segment for this purpose. For example, my existing corporate network is 192.168.1.0. I will use the new firewall to set up another segment (192.168.10.0) to separate the corporate and guest networks. See the figure below:
Research method
I will use experimental research. Experiments are done to be able to predict phenomena. Typically, an experiment is constructed to find some kind of causation. Experimental research is important: many experiments have made the world a better place. Its approaches can be very complex, but at the simplest level these techniques involve:
- Measuring the issue of interest (e.g. wireless network security);
- Introducing the variable of interest (e.g. captive portal);
- Measuring the issue of interest again (e.g. wireless network security).
If I can show that security has increased after setting up the captive portal, it might be possible to infer that setting up the captive portal has generated an increase in wireless network security.
Brief product description
In a captive portal environment I am concerned with the following.
1. Simplicity – a user should be able to gain access using a standard notebook or handheld computer with an 802.11b NIC and dynamic host configuration (i.e., using DHCP).
2. Security – only registered (paying) customers of the business should be allowed to access the network.
3. Maintainability – this firewall uses web-based authentication and administration, which makes management easy and convenient.
Some enhanced functions:
1. Bandwidth control and management should be provided (blocking P2P connections, prioritizing different protocols).
2. Use IP masquerading for all outgoing traffic sent over the cable modem.
3. Dynamically assign all IP addresses to incoming users and time out users that are inactive.
4. Provide user authentication with an “allow” list that can be updated.
Deliverables
I will provide the following deliverables for the project.
a. The setup and configuration source files.
b. All script files, source files, and any other files that I have created to implement the authentication mechanism. All files should be appropriately commented.
c. Files and screen dumps that show the authentication process and the DHCP process. The capture is performed on the internal interface. The authentication capture should include the HTTP request, the authentication process, and the retransmission of the HTTP request and its fulfillment.
d. A project report, as described below.
- A cover page specifying the course number and name; the project name;
- A listing and brief description of all files included in the deliverables.
- A brief discussion of the firewalling approach and the firewalling rules. Also, address any problems I faced in creating the firewalling portion of the project and how these problems were resolved.
- A printout of the firewalling rules should be included as an appendix.
- A brief discussion of the routing scheme and related issues and printouts of the routing tables.
- A brief discussion of the authentication mechanism. I will provide an overview of the code and/or scripts that I used to implement authentication.
- A brief discussion of the two packet traces described above.
- A list and brief discussion of any optional features that I implemented.
Evaluation approach
The components listed under Resources are used as follows.
- ASUS wireless router (RT-N11)
  - The wireless router acts as an access point only. All gateway functionality of the access point is disabled; the DHCP client and server capabilities of the wireless gateway are not needed and must be turned off.
  - The access point is configured to use the ESSID WMSD.
- Workstation computer
  - The workstation computer, running Linux, acts as the DHCP server and IP masquerading gateway. It must contain two NICs, one for the WAN and another for the LAN.
  - The DHCP server software of choice is the standard DHCP daemon shipped with the Linux distribution on the workstation computer.
  - The internal network interface has the address 192.168.10.1 with a 24-bit subnet mask. The external interface has the address 192.168.1.x, also with a 24-bit subnet mask.
  - iptables will be used for firewalling and IP masquerading.
  - The workstation provides authentication, as described below. It runs the Apache web server to aid in this function.
  - The workstation connects to the access point via a crossover cable, and the access point connects to the internal network. For ease of demonstration and testing, the 802.11x interface will act as the external interface to the public network.
- Authentication server
  - This server will be promoted to a domain controller with Active Directory.
  - It is used for user management and authentication.
- PDA and laptop
  - The PDA and laptop serve as test clients. The service should work for multiple simultaneous users, although the available equipment limits my testing to two clients.
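The gateway rules described above, as an added example that is not part of the original project's scripts: a POSIX shell script for the Linux workstation using iptables, assuming eth0 is the external interface, eth1 is the internal 192.168.10.1/24 interface, and the Apache portal listens on port 80 on the gateway. By default it prints the iptables commands instead of running them; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example for the captive-portal gateway (not the project's own scripts).
# Assumed: eth0 = external/WAN (192.168.1.x), eth1 = internal/LAN (192.168.10.1/24),
# Apache portal on the gateway, port 80. IPT defaults to a dry run that prints
# the commands; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="192.168.10.0/24"
GW_IP="192.168.10.1"

# Base policy: nothing from the guest segment is forwarded until the client is
# authenticated; unauthenticated HTTP is redirected to the portal page; whatever
# is allowed out is masqueraded behind the external address.
portal_base_rules() {
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Per-client exemptions live in these chains and are consulted first.
    $IPT -t nat -N PORTAL_AUTHED 2>/dev/null
    $IPT -N AUTHED 2>/dev/null
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -j PORTAL_AUTHED
    $IPT -A FORWARD -i "$LAN_IF" -j AUTHED
    # Every guest may reach DHCP, DNS and the portal on the gateway itself.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 80 -j ACCEPT
    # Not yet authenticated: send web requests to the Apache login page.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$GW_IP:80"
    # Replies to allowed flows come back in; guest traffic leaves masqueraded.
    $IPT -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Called by the portal after a successful login. The IP is pinned to the MAC
# so a second device cannot reuse a leased address. ACCEPT in the nat
# PREROUTING chain stops the redirect rule from being reached.
allow_client() {
    $IPT -t nat -I PORTAL_AUTHED -s "$1" -m mac --mac-source "$2" -j ACCEPT
    $IPT -I AUTHED -s "$1" -m mac --mac-source "$2" -j ACCEPT
}
# Called on logout or inactivity timeout; same arguments as allow_client.
revoke_client() {
    $IPT -t nat -D PORTAL_AUTHED -s "$1" -m mac --mac-source "$2" -j ACCEPT
    $IPT -D AUTHED -s "$1" -m mac --mac-source "$2" -j ACCEPT
}
```

The portal's login handler calls allow_client after a successful authentication, and the inactivity timeout from the "enhanced functions" list calls revoke_client with the same IP and MAC.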
Resources
Hardware
The following is the hardware required for this project.
- A server which contains Active Directory (used for RADIUS authentication when logging in to the web page).
- One workstation computer (to act as the security gateway or firewall) with two network interfaces, one for the WAN and the other for the LAN.
- Some wireless devices – laptops, PDAs, or mobile phones with Wi-Fi (to act as clients).
- One 802.11x wireless access point. I suggest using an ASUS wireless router because I think they are more stable and reliable.
- Three 802.11x network interface cards.
Software
I would like to use the following software for this project.
- pfSense Linux-based firewall
- Internet Explorer or another web browser (Firefox is preferred).
- Windows server 2003
- Wireless scanning and management tools (optional).
Total project plan