Linux: A Wireless Solution
Josh Joiner

Post on 29-Dec-2015


Page 1: Linux: A Wireless Solution Josh Joiner. Agenda Introduction Minimum Hardware Basic Components Steps on setting up a wireless network Security Concerns

Linux: A Wireless Solution

Josh Joiner

Page 2:

Agenda

Introduction

Minimum Hardware

Basic Components

Steps on setting up a wireless network

Security Concerns and Conclusion

Page 3:

Introduction

What is a wireless network

Wireless LANs range of coverage

We are setting up an 802.11b (also known as Wi-Fi) implementation of a WLAN. There are other implementations that can be found at http://ieee802.org/11/

More info on wireless can be found at:

http://www.nsrc.org/wireless.html

http://www.webopedia.com/TERM/W/Wi_Fi.html

Page 4:

Minimum Hardware Needed

Desktop or laptop (>=386) - AP

Desktop or laptop - client

Two or more 802.11b wireless cards (I use Lucent's Wavelan card)

ISA-to-PCMCIA or PCI-to-PCMCIA adapter

Hardware to set up the link from the gateway to the Internet.

A Unix-like operating system.

Page 5:

Basic Components of a Wireless Network

Wired Network

Gateway or Access Point

Client(s)

Page 6:

Example Wireless Layout

[Figure: example wireless layout. Labels: Internet; ISP - DSL/Cable Modem Provider; Cable Modem/DSL Router; LAN (Wired) Switch; Authentication Server; Wireless Gateway/Access Point; two Lucent WaveLAN PCMCIA cards.]

Page 7:

How To:

Step 1: Install the PCI/ISA-to-PCMCIA adapter in the gateway.

Step 2: Install a Unix-like OS on the gateway (desktop/laptop). I used Red Hat 7.0.

    Firewall software
    DHCP server
    SSH server

Step 3: Configure the wireless information in /etc/pcmcia/wireless.opts (see next slide for example).

Page 8:

My /etc/pcmcia/wireless.opts file:

    case "$ADDRESS" in
    *,*,*,*)
        INFO="LinuxAirport"
        ESSID="name-of-network"
        MODE="managed"    # (there are several modes here)
        RATE="auto"
        KEY="xxxxxxxxxxxxx"
        # KEY="s:securityisfun"
        # s: followed by thirteen chars, for 128-bit WEP
        # e.g. Lucent Gold
        ;;
    esac
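An added example, not part of the original slides: a POSIX shell check for the KEY= formats the comments above describe. The function names and the sample stanza are constructed for illustration; the 5-character and hex forms are standard iwconfig key formats that the slide does not show.

```shell
# Added example, not from the slides; function names are hypothetical.
# classify_wep_key VALUE -> none | wep40-ascii | wep104-ascii | wep40-hex | wep104-hex | invalid
classify_wep_key() {
    cwk_key=$1
    case "$cwk_key" in
        ""|off) echo none; return 0 ;;
        s:*)    # ASCII form: the characters after "s:" are the key bytes
            cwk_key=${cwk_key#s:}
            case ${#cwk_key} in
                5)  echo wep40-ascii ;;
                13) echo wep104-ascii ;;   # sold as 128-bit: 104-bit key + 24-bit IV
                *)  echo invalid ;;
            esac
            return 0 ;;
    esac
    # Hex form: digits optionally grouped with dashes, e.g. 0123-4567-89
    cwk_hex=$(printf '%s' "$cwk_key" | tr -d '\055')
    case "$cwk_hex" in *[!0-9A-Fa-f]*) echo invalid; return 0 ;; esac
    case ${#cwk_hex} in
        10) echo wep40-hex ;;
        26) echo wep104-hex ;;
        *)  echo invalid ;;
    esac
}

# Reads wireless.opts on stdin; prints "line N: class" for each active KEY= line.
# Commented-out keys are skipped and the key value itself is never printed.
audit_wireless_opts() {
    sed -n '/^[[:space:]]*KEY=/{=;s/^[[:space:]]*KEY="\{0,1\}\([^"]*\).*$/\1/p;}' |
    while IFS= read -r awo_n && IFS= read -r awo_val; do
        echo "line $awo_n: $(classify_wep_key "$awo_val")"
    done
}

# Constructed sample modelled on the slide's stanza (socket numbers are made up).
sample_wireless_opts() {
    cat <<'EOF'
case "$ADDRESS" in
*,0,*,*)
    KEY="xxxxxxxxxxxxx"
    # KEY="s:securityisfun"
    ;;
*,1,*,*)
    KEY="0123-4567-89"
    ;;
esac
EOF
}
sample_wireless_opts | audit_wireless_opts
```

Run it against a real file with `audit_wireless_opts < /etc/pcmcia/wireless.opts`; a placeholder such as thirteen x characters without the s: prefix is reported as invalid because it is neither hex nor an ASCII key.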

Page 9:

How To (cont):

Step 4: Assign a wireless subnet under /etc/pcmcia/network.opts (see my next slide example).

Step 5: Set up the external (DSL/LAN) network.

Step 6: Set up the firewall software in /etc/rc.d/rc.firewall (I used ipchains, see next slide for example).

Page 10:

/etc/pcmcia/network.opts

    case "$ADDRESS" in
    *,*,*,*)
        INFO="Sample private network setup"
        # Transceiver selection, for some cards -- see 'man ifport'
        IF_PORT=""
        # Use BOOTP (via /sbin/bootpc, or /sbin/pump)? [y/n]
        BOOTP="n"
        # Use DHCP (via /sbin/dhcpcd, /sbin/dhclient, or /sbin/pump)? [y/n]
        DHCP="Y"
        # If you need to explicitly specify a hostname for DHCP requests
        DHCP_HOSTNAME=""
        # Host's IP address, netmask, network address, broadcast address
        IPADDR="192.168.1.1"
        NETMASK="255.255.255.0"
        NETWORK="192.168.1.0"
        BROADCAST="192.168.1.255"

Page 11:

/etc/pcmcia/network.opts

        # Gateway address for static routing
        GATEWAY="10.64.48.1"
        # Things to add to /etc/resolv.conf for this interface
        DOMAIN=""
        SEARCH=""
        DNS_1=""
        DNS_2=""
        DNS_3=""
        # Extra stuff to do after setting up the interface
        start_fn () { return; }
        # Extra stuff to do before shutting down the interface
        stop_fn () { return; }
        # Card eject policy options
        NO_CHECK=n
        NO_FUSER=n
        ;;
    esac

Page 12:

/etc/rc.d/rc.firewall

    #!/bin/sh
    #
    # rc.firewall-2.2
    FWVER="1.01"
    echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
    # Setting the EXTERNAL and INTERNAL interfaces for the network
    EXTIF="eth0"
    INTIF="eth1"
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"
    # Network Address of the Internal Network
    #
    INTLAN="192.168.1.0/24"
    echo -e " Internal Network: $INTLAN\n"
    # Load all required IP MASQ modules
    echo " loading required IPMASQ kernel modules.."
    # Needed to initially load modules
    #
    /sbin/depmod -a

    echo -en " Loading modules: "
    echo ". Done loading modules."

Page 13:

    # CRITICAL: Enable IP forwarding, since it is disabled by default
    # Redhat Users: you may try changing the options in /etc/sysconfig/network from:
    # FORWARD_IPV4=false to FORWARD_IPV4=true
    echo " enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # CRITICAL: Enable automatic IP defragmenting since it is disabled by default
    echo " enabling AlwaysDefrag.."
    echo "1" > /proc/sys/net/ipv4/ip_always_defrag

    echo " clearing any existing rules and setting default policy.."
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward REJECT
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward

    # MASQ timeouts
    #
    # 2 hrs timeout for TCP session timeouts
    # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
    # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
    #
    echo " setting default timers.."
    /sbin/ipchains -M -S 7200 10 160

Page 14:

    # DHCP: For people who receive their external IP address from either DHCP or
    # BOOTP such as ADSL or Cablemodem users, it is necessary to use the
    # following before the deny command.
    #
    # This example is currently commented out.
    #
    #
    /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp

    # Enable simple IP forwarding and Masquerading
    #
    echo " enabling IPMASQ functionality on $EXTIF"
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ

    echo -e "\nrc.firewall v$FWVER done.\n"
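An added example, not part of the original slides: a shell audit that reads the ipchains commands of an rc.firewall-style script and reports the default policy each chain ends up with and how many rules were appended to it. The function names are hypothetical and the sample input is constructed from the commands shown on the slides.

```shell
# Added example, not from the slides; function names are hypothetical.
# Reads an rc.firewall-style script on stdin and prints, per chain, the default
# policy in force after the last -P and the number of rules appended with -A.
summarize_ipchains() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out commands never run
        $1 ~ /ipchains$/ {
            for (i = 2; i < NF; i++) {
                if ($i == "-P") { policy[$(i+1)] = $(i+2); seen[$(i+1)] = 1 }
                if ($i == "-F") { rules[$(i+1)] = 0;       seen[$(i+1)] = 1 }
                if ($i == "-A") { rules[$(i+1)]++;         seen[$(i+1)] = 1 }
            }
        }
        END {
            for (c in seen)
                printf "%s policy=%s rules=%d\n", c, ((c in policy) ? policy[c] : "unset"), rules[c]
        }
    ' | sort
}

# Chains whose default is ACCEPT: anything not matched by a rule is let through.
accept_by_default() {
    summarize_ipchains | awk '$2 == "policy=ACCEPT" { print $1 }'
}

# Constructed sample: the ipchains commands from the rc.firewall slides, in order.
sample_rc_firewall() {
    cat <<'EOF'
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ
EOF
}

sample_rc_firewall | summarize_ipchains
```

The summary shows that the later `-P forward DENY` replaces the earlier REJECT, and that the input chain stays at ACCEPT with only an ACCEPT rule, so this script filters forwarded traffic only and does not restrict access to the DHCP and SSH servers installed on the gateway in Step 2.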

Page 15:

How To (cont):

Step 7: Set up DHCPD (see sample config).

Step 8: Now you are ready to configure the clients.

Page 16:

/etc/dhcpd.conf

    subnet 192.168.1.0 netmask 255.255.255.0 {
        # --- default gateway
        option routers 192.168.1.1;
        option subnet-mask 255.255.255.0;

        option domain-name "domainname.com";     # replace this with the domain name of your internal net, if any
        option domain-name-servers 10.64.48.5;   # replace this with the IP of your Domain Name Server

        # Pool ends at .254 because .255 is the subnet broadcast address
        range dynamic-bootp 192.168.1.128 192.168.1.254;
        default-lease-time 21600;   # 6 hrs
        max-lease-time 43200;       # 12 hrs
    }
    subnet 10.64.48.0 netmask 255.255.252.0 {
        not authoritative;
    }

Page 17:

Security Concerns and Conclusion

You can enable WEP (Wired Equivalent Privacy) but it is not very secure.

There are other solutions for wireless encryption:

    EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)
    TKIP (Temporal Key Integrity Protocol)

One of the better ways to implement security on a wireless network is to set up a VPN for secure access. The same client can often tunnel IPsec over wireless to a VPN gateway located between the access point and the rest of the corporate network.

Page 18:

Questions?

Page 19:

Sites of Reference

http://www.oreillynet.com/pub/a/wireless/2001/03/06/recipe.html

http://www.live.com/wireless/unix-base-station.html