LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity

new entry

This commit is contained in:
gferg 2001-10-01 13:29:27 +00:00
parent c59ad9a207
commit 42ec3c2fdd
1 changed files with 738 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

738
LDP/howto/docbook/Wireless-Gateway-HOWTO.sgml Normal file
View File

@ -0,0 +1,738 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V3.1//EN">
<article>
<!-- Header -->
<artheader>
<title>Wireless Authentication Gateway HOWTO</title>
<author>
<firstname>Nathan</firstname>
<surname>Zorn</surname>
<affiliation>
<address>
<email>zornnh@musc.edu</email>
</address>
</affiliation>
</author>
<revhistory>
<revision>
<revnumber>0.02</revnumber>
<date>2001-09-28</date>
<authorinitials>KET</authorinitials>
</revision>
<revision>
<revnumber>0.01</revnumber>
<date>2001-09-06</date>
<authorinitials>nhz</authorinitials>
</revision>
<!-- Additional (*earlier*) revision histories go here -->
</revhistory>
<abstract>
<indexterm>
<primary></primary>
</indexterm>
<para>
There are many concerns with the security of wireless networks. These
concerns are not met with current security implementations. A work around
has been proposed by using an authentication gateway. This gateway
addresses the security concerns by forcing the user to authenticate
in order to use the wireless network.
</para>
</abstract>
</artheader>
<!-- Section1: intro -->
<sect1 id="intro">
<title>Introduction</title>
<indexterm>
<primary>security!introduction</primary>
</indexterm>
<para>
With wireless networks it is very easy for an unauthorized user to
gain access. Unauthorized users can look for a signal and
grab connection information from the signal. Security has been
put in place such as WEP, but this security can be subverted with tools like
AirSnort. One approach to solving these problems is to not rely on
the wireless security features , and instead to place
an authentication gateway in front of the wireless network and force
users to authenticate against it before using the network. This HOWTO
describes how to set up this gateway with Linux.
</para>
<!-- Section2: copyright -->
<sect2 id="copyright">
<title>Copyright Information</title>
<para>
This document is copyrighted (c) 2001 Nathan Zorn and is
distributed under the terms of the Linux Documentation Project
(LDP) license, stated below.
</para>
<para>
Unless otherwise stated, Linux HOWTO documents are
copyrighted by their respective authors. Linux HOWTO documents may
be reproduced and distributed in whole or in part, in any medium
physical or electronic, as long as this copyright notice is
retained on all copies. Commercial redistribution is allowed and
encouraged; however, the author would like to be notified of any
such distributions.
</para>
<para>
All translations, derivative works, or aggregate works
incorporating any Linux HOWTO documents must be covered under this
copyright notice. That is, you may not produce a derivative work
from a HOWTO and impose additional restrictions on its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the Linux HOWTO coordinator at
the address given below.
</para>
<para>
In short, we wish to promote dissemination of this
information through as many channels as possible. However, we do
wish to retain copyright on the HOWTO documents, and would like to
be notified of any plans to redistribute the HOWTOs.
</para>
<para>
If you have any questions, please contact
<email>zornnh@musc.edu</email>
</para>
</sect2>
<!-- Section2: disclaimer -->
<sect2 id="disclaimer">
<title>Disclaimer</title>
<para>
No liability for the contents of this documents can be accepted.
Use the concepts, examples and other content at your own risk.
As this is a new edition of this document, there may be errors
and inaccuracies, that may of course be damaging to your system.
Proceed with caution, and although this is highly unlikely,
the author(s) do not take any responsibility for that.
</para>
<para>
All copyrights are held by their by their respective owners, unless
specifically noted otherwise. Use of a term in this document
should not be regarded as affecting the validity of any trademark
or service mark.
</para>
<para>
Naming of particular products or brands should not be seen
as endorsements.
</para>
<para>
You are strongly recommended to take a backup of your system
before major installation and backups at regular intervals.
</para>
</sect2>
<!-- Section2: newversions-->
<sect2 id="newversions">
<title>New Versions</title>
<indexterm>
<primary>(your index root)!news on</primary>
</indexterm>
<para>
This is the initial release.
</para>
<para>
The newest release of this document can be found at <ulink url="http://www.itlab.musc.edu/~nathan/wireless_gateway/">http://www.itlab.musc.edu/~nathan/wireless_gateway/</ulink>.
Related HOWTOs can be found at the
<ulink url="http://www.linuxdoc.org/">Linux Documentation
Project</ulink> homepage.
</para>
</sect2>
<!-- Section2: credits -->
<sect2 id="credits">
<title>Credits</title>
<para>Jamin W. Collins</para>
</sect2>
<!-- Section2: feedback -->
<sect2 id="feedback">
<title>Feedback</title>
<para>
Feedback is most certainly welcome for this document. Without
your submissions and input, this document wouldn't exist. Please
send your additions, comments and criticisms to the following
email address : <email>zornnh@musc.edu</email>.
</para>
</sect2>
</sect1>
<!-- Section1: intro: END -->
<!-- Section1: services -->
<sect1 id="services">
<title>What is needed</title>
<para>
This section describes what is needed for the authentication gateway.
</para>
<sect2 id="netfilter">
<title>Netfilter</title>
<para>
The authentication gateway uses Netfilter and iptables to manage the
firewall. Please see the
<ulink url="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html">Netfilter HOWTO</ulink>.
</para>
</sect2>
<sect2 id="pamiptables">
<title>PAM for Netfilter rules.</title>
<para>
This is a pluggable authentication module (PAM) written by Nathan Zorn that can be found
at <ulink url="http://www.itlab.musc.edu/~nathan/pam_iptables/">http://www.itlab.musc.edu/~nathan/pam_iptables</ulink>.
</para>
</sect2>
<sect2 id="dhcpd">
<title>DHCP Server</title>
<para>
The authentication gateway will act as the dynamic host
configuration protocol (DHCP) server for the wireless network. It
only serves those requesting DHCP services on the wireless
network. I used the <ulink url="http://www.isc.org/products/DHCP/">ISC DHCP Server
</ulink>.
</para>
</sect2>
<sect2 id="authentication">
<title>Authentication mechanism</title>
<para>The gateway can use any means of PAM authentication.
The authentication mechanism the Medical University of South
Carolina uses is LDAP. Since LDAP was used for authentication,
the pam modules on the gateway box were set up to use
LDAP. More information can be found at <ulink
url="http://www.padl.com/pam_ldap.html">http://www.padl.com/pam_ldap.html</ulink>.
PAM allows you to use many means of authentication. Please see
the documentation for the PAM module you would like to use. For
more information on other methods, see <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html">pam modules</ulink>.
</para>
</sect2>
<sect2 id="dnsserver">
<title>DNS Server</title>
<para>
The gateway box also serves as a DNS server for the wireless
network. I installed <ulink
url="http://www.isc.org/products/BIND/">Bind</ulink>, and set it
up as a caching nameserver. The rpm package
caching-namserver was also used. This package came with Red Hat.
</para>
</sect2>
</sect1>
<sect1 id="setup">
<title>Setting up the Gateway Services</title>
<para>
This section describes how to setup each piece of
the authentication gateway. The examples used are for a private
wireless network in the 10.0.1.0 subnet. eth0 is the interface on
the box that is connected to the internal network. eth1 is the
interface connected to the wireless network. The IP address used
for this interface is 10.0.1.1. These settings can be
changed to fit the network you are using. Red Hat 7.1 was used for
the gateway box, so a lot of the examples are specific to Red Hat.
</para>
<sect2 id="netfiltersetup">
<title>Netfilter Setup</title>
<para>
To setup netfilter the kernel must be recompiled to include netfilter
support. Please see the <ulink url="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">Kernel-HOWTO</ulink>
for more information on configuring and compiling your kernel.
</para>
<para>
This is what my kernel configuration looked like.
<screen>
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
</screen>
</para>
<para>
iptables needs to be installed. To install iptables either use
a package from your distribution or install from source.
Once the above options were compiled in the new kernel and iptables
was installed, I set the following default firewall rules.
</para>
<screen>
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
</screen>
<para>
The above commands can also be put in an initscript to start up when
the server restarts.
To make sure the rules have been added issue the following
commands:
</para>
<screen>
iptables -v -t nat -L
iptables -v -t filter -L
</screen>
<para>
To save these rules I used Red Hat's init scripts.
</para>
<screen>
/etc/init.d/iptables save
/etc/init.d/iptables restart
</screen>
<para>
Once the rules are in place turn on IP forwarding by
executing this command.
</para>
<screen>
echo 1 > /proc/sys/net/ipv4/ip_forward
</screen>
<para>
To make sure ip forwarding is enabled when the machine restarts
add the following line to <filename>/etc/sysctl.conf</filename>.
</para>
<screen>
net.ipv4.ip_forward = 1
</screen>
<para>
Now the gateway box will be able to do network address translation
(NAT), but it will drop all forwarding packets except those
coming from within the wireless network and bound for the gateway.
</para>
</sect2>
<sect2 id="pamiptablessetup">
<title>PAM iptables Module</title>
<para>
This module is a PAM session module that inserts the firewall rule
needed to allow forwarding for the authenticated client. To set it
up simply get the <ulink
url="ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz">source</ulink>
and compile it by running the following commands.
</para>
<screen>
gcc -fPIC -c pam_iptables.c
ld -x --shared -o pam_iptables.so pam_iptables.o
</screen>
<para>
You should now have two binaries called
<filename>pam_iptables.so</filename> and <filename>pam_iptables.o</filename>.
Copy <filename>pam_iptables.so</filename> to
<filename>/lib/security/pam_iptables.so</filename>.
</para>
<screen>
cp pam_iptables.so /lib/security/pam_iptables.so
</screen>
<para>
The chosen authentication client for the gateway was ssh so we added the
following line to <filename>/etc/pam.d/sshd</filename>.
</para>
<screen>
session required /lib/security/pam_iptables.so
</screen>
<para>
Now, when a user logs in with ssh, the firewall rule will be added.
</para>
<para>
The default interface for pam_iptables is eth0. This default can be
changed by adding the interface parameter.
</para>
<screen>
session required /lib/security/pam_iptables.so interface=eth1
</screen>
<para>
This is only needed if the interface name that connects to the external
network is not eth0.
</para>
<para>
To test if the pam_iptables module is working perform the following
steps:
</para>
<orderedlist>
<listitem>
<para>Log into the box with ssh.</para>
</listitem>
<listitem>
<para>Check to see if the rule was added with the command
<command>iptables -L</command>.</para>
</listitem>
<listitem>
<para>Log out of the box to make sure the rule is removed.</para>
</listitem>
</orderedlist>
</sect2>
<sect2 id="dhcpdsetup">
<title>DHCP Server Setup</title>
<para>I installed DHCP using the following
<filename>dhcpd.conf</filename> file.
</para>
<screen>
subnet 10.0.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 10.0.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.1.255;
option domain-name-servers 10.0.1.1;
range 10.0.1.3 10.0.1.254;
option time-offset -5; # Eastern Standard Time
default-lease-time 21600;
max-lease-time 43200;
}
</screen>
<para>The server was then run using eth1 , the interface to the
wireless net.
</para>
<screen>
/usr/sbin/dhcpd eth1
</screen>
</sect2>
<sect2 id="authenticationsetup">
<title>Authentication Method Setup</title>
<para>
As indicated in previous sections, I've set this gateway up to use
LDAP for authenticating. However, you can use any
means that PAM allows for authentication. See <xref linkend="authentication"> for
more information.
</para>
<para>
In order to get PAM LDAP to authenticate, I installed <ulink
url="http://www.openldap.org">OpenLDAP</ulink> and configured it
with the following in <filename>/etc/ldap.conf</filename>.
</para>
<screen>
# Your LDAP server. Must be resolvable without using LDAP.
host itc.musc.edu
# The distinguished name of the search base.
base dc=musc,dc=edu
ssl no
</screen>
<para>
The following files were used to configure PAM to do the LDAP authentication.
These files were generated by Red Hat's configuration utility.
</para>
<variablelist>
<varlistentry><term><filename>/etc/pam.d/system-auth</filename> was created and looked
like this.</term>
<listitem>
<para><screen>
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
</screen>
</para>
</listitem>
</varlistentry>
<varlistentry><term>Then the following
<filename>/etc/pam.d/sshd</filename> file was created.</term>
<listitem><para>
<screen>
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
#this line is added for firewall rule insertion upon login
session required /lib/security/pam_iptables.so debug
session optional /lib/security/pam_console.so
</screen>
</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="dnssetup">
<title>DNS Setup</title>
<para>
I installed the default version of Bind that comes with Red Hat
7.1, and the caching-nameserver RPM. The DHCP server tells
the machines on the wireless net to use the gateway box as their nameserver.
</para>
</sect2>
</sect1>
<sect1 id="usage">
<title>Using the authentication gateway</title>
<para>
To use the authentication gateway, configure your client machine to use
DHCP. Install a ssh client on the box and ssh into the gateway.
Once you are logged in, you will have access to the internal network.
The following is an example session from a unix based client:
</para>
<screen>
bash>ssh zornnh@10.0.1.1
zornnh's Password:
gateway>
</screen>
<para>
As long as you stayed logged in, you will have access. Once you log out,
access will be taken away.
</para>
</sect1>
<!-- Section1: resources: END -->
<sect1 id="remarks">
<title>Concluding Remarks</title>
<indexterm>
<primary>(your index root)!conclusion</primary>
</indexterm>
<itemizedlist>
<listitem><para>
This method of security does not rely on the security provided by the
wireless network community. It assumes that the entire wireless network
is insecure and outside of your network.
</para>
</listitem>
<listitem><para>
The gateway does not encrypt traffic. It only allows you access
to the network behind it. If encryption and authentication are desired,
a VPN should be used.
</para>
</listitem>
</itemizedlist>
</sect1>
<!-- Section1: remarks: END -->
<!-- Section1: resources -->
<sect1 id="resource">
<title>Additional Resources</title>
<itemizedlist>
<listitem>
<para>A <ulink
url="http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html">document</ulink>
describing the NASA implementation of the authentication gateway.
</para>
</listitem>
<listitem>
<para>
A <ulink url="http://www.ualberta.ca/~beck/authgw.html">white
paper</ulink> describing how the University of Alberta created an authentication gateway.
</para>
</listitem>
</itemizedlist>
</sect1>
<!-- Section1: faq -->
<sect1 id="faq">
<title>Questions and Answers</title>
<indexterm>
<primary>(your index root)!FAQ</primary>
</indexterm>
<indexterm>
<primary>(your index root)!frequently asked questions</primary>
</indexterm>
<para>
This is just a collection of what I believe are the most common
questions people might have. Give me more feedback and I will turn
this section into a proper FAQ.
</para>
</sect1>
<!-- Section1: faq: END -->
</article>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-namecase-general:t
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:nil
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->