SOHO DIY SECURE WIRELESS Matthew Maples Eastern Kentucky University Networking Security and Electronics
Overview
▫ Cost-effective implementation of dual SSIDs in a SOHO environment
▫ Utilize wireless technology for maximum connectivity and decrease security risks
▫ Re-purpose old or unused hardware
Motivation
▫ Mobile technology is growing
▫ More security risks from unsecured devices
▫ Experience customizing a network to solve a problem
▫ Cost effectiveness
Problem Statement
▫ Design and implementation of a mock SOHO setting using common or old hardware.
▫ Utilize dual SSIDs to give typical network devices (file server) a secure connection while protecting them from unsecured devices.
Initial Assumptions
▫ Key for the “secure” line will be handled appropriately by personnel.
▫ Background in PC communications and networking, or willingness to learn.
▫ Designed for small settings. Number of devices would need to be increased for larger networks.
Components Needed
▫ FreeNAS (or your choice of live CD/OS to set up the file server)
▫ 3 PCs (1 for server, 2 workstations for demonstration)
▫ 1 Linksys WRT54G Wireless-G router
▫ 1 modem
▫ Ethernet cable
▫ Wireless NICs/adapters
Preparation
▫ 3 PCs (2 workstations and 1 file server)
▫ File server min. specs:
  ▫ CPU: 32-bit or 64-bit (64-bit for ZFS)
  ▫ RAM: 4 GB, 6 GB for ZFS
  ▫ HD: SATA drives
▫ After choosing specifications for each system, make sure that the master/slave drives are appropriately set and documented
Preparation
▫ Download FreeNAS to appropriate removable media (CD or USB)
▫ Run the FreeNAS image on the file server
▫ Set a static IP for the file server by selecting Configure Network Interfaces during installation
▫ Typing the IP into a web browser from a LAN workstation will connect to the server setup.
Preparation
▫ Under Storage -> Volumes, choose the volumes used for storage within the server.
▫ Under Services -> CIFS, set up the shares for the file server.
▫ Choose home directory
Preparation
▫ Set up the wireless router for dual APs.
▫ If the router does not come configured with DD-WRT then it must be installed.
▫ Download the DD-WRT version that fits your router onto a PC
▫ Connect the router to the PC via Ethernet cable and log into the config using a web browser (Internet Explorer recommended)
Preparations
▫ Log in with the appropriate credentials for your router.
▫ Click on Router Upgrade under Maintenance
▫ Browse to the image located on your system's hard drive.
▫ Wait for the installation to finish (takes some time) and log back into the router.
▫ DD-WRT IP: , User: root, Pass: Admin
▫ Perform hard reset (30/30/30) to restore factory defaults and confirm installation.
Preparations
▫ Set up 2 SSIDs on the WRT54G router
▫ Connect the router to the PC via Ethernet cable
▫ In a web browser, connect to
▫ Navigate to Wireless -> Basic Settings.
▫ Click Add below Virtual Interfaces
▫ Change SSIDs as needed (e.g., office and guest)
Preparations
▫ Navigate to Wireless -> Wireless Security
▫ Set Security Mode on the main SSID to WPA2 Personal.
▫ Set shared key and save
▫ Navigate to Setup -> Networking
▫ Under Bridging, click Add
▫ Change first slot to br1, click Apply Settings
▫ In the new bridge, set the IP address to 1 off the primary network (i.e ), subnet mask
Preparations
▫ Scroll to the bottom to the DHCPD section.
▫ Click Add
▫ Switch first slot to br1, click Apply Settings
▫ Navigate to Administration -> Commands
▫ Command Shell: paste the rules below, click Save Firewall, and reset the router

    # Block new connections between the guest bridge (br1) and the main bridge (br0), both directions
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    # Removes guest access to the router's config GUI/ports
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Setup
▫ Now that the router is configured for dual SSIDs, you can set up the network
▫ Set up the workstations and file server with wireless communications via either wireless NICs or wireless adapters
▫ On one workstation connect to the main network (e.g., office) and on the other connect to the new one (e.g., guest).
▫ On the file server, connect to the main network.
Testing/Results
▫ From the workstation connected to the main network, create a new file under the share for the file server.
▫ Try to do the same from the second workstation.
▫ If set up properly, the second workstation should not see the network share from the file server.
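Added example (not part of the original slides): a Python check to run from the guest workstation that extends the share test to every port the firewall rules cover. It relies on REJECT --reject-with tcp-reset reaching the client as a refused connection and DROP as a timeout; the two addresses are placeholders, the function names are made up for this example, and 445/139 are assumed as the CIFS ports on the file server.

```python
import socket

# Placeholder addresses (assumptions, not from the slides): replace with your
# router's br1 address and the file server's static IP on the main network.
ROUTER_GUEST_IP = "192.0.2.1"
FILE_SERVER_IP = "198.51.100.10"

# (host, port, expected result). The INPUT rules REJECT with tcp-reset, which a
# client sees as "refused"; the FORWARD rules DROP, which shows up as a timeout.
EXPECTED = [
    (ROUTER_GUEST_IP, 23, "refused"),    # telnet
    (ROUTER_GUEST_IP, 22, "refused"),    # ssh
    (ROUTER_GUEST_IP, 80, "refused"),    # www
    (ROUTER_GUEST_IP, 443, "refused"),   # https
    (FILE_SERVER_IP, 445, "filtered"),   # CIFS share behind br0
    (FILE_SERVER_IP, 139, "filtered"),   # NetBIOS session service
]


def tcp_probe(host, port, timeout=3.0):
    """Attempt one TCP connection; return 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout or unreachable: no reply came back
        return "filtered"


def check_isolation(expected=EXPECTED, probe=tcp_probe):
    """Return (host, port, expected, actual) for every result that differs."""
    failures = []
    for host, port, want in expected:
        got = probe(host, port)
        if got != want:
            failures.append((host, port, want, got))
    return failures


if __name__ == "__main__":
    problems = check_isolation()
    for host, port, want, got in problems:
        print(f"FAIL {host}:{port} expected {want}, got {got}")
    print("guest isolation OK" if not problems else f"{len(problems)} check(s) failed")
```

A "refused" answer from the file server is reported as a failure, because it means the guest's packets crossed from br1 to br0 and the server itself answered.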
Conclusion
▫ The setup takes time and some knowledge of networking/PC hardware or willingness to learn.
▫ Utilizing older systems/hardware can be a cost-effective way to segregate small office or home networks to protect sensitive information without having to spend a lot of money on numerous WAPs or limiting connectivity.
Future Work
▫ For added security, enable AP isolation for the guest SSID to prevent any workstation -> workstation communications on the guest network.
▫ Inclusion of groups within FreeNAS software can also add an extra layer of security