SOHO DIY SECURE WIRELESS
Matthew Maples
Eastern Kentucky University Networking Security and Electronics

Overview
• Cost effective implementation of dual SSIDs in a SOHO environment
• Utilize wireless technology for maximum connectivity and decrease security risks
• Re-purpose old or unused hardware

Motivation
• Mobile technology is growing
• More security risks from unsecure devices
• Experience customizing network to solve a problem
• Cost effectiveness

Problem Statement
• Design and implementation of a mock SOHO setting using common or old hardware.
• Utilize dual SSIDs to give the secure connection access to typical network devices (file server) while protecting those devices from unsecure devices.

Initial Assumptions
• Key for “secure” line will be handled appropriately by personnel.
• Background in PC communications and networking or willingness to learn.
• Designed for small settings. Number of devices would need to be increased for larger networks.

Components Needed
• FreeNAS (or your choice of live CD/OS to set up the file server)
• 3 PCs (1 for server, 2 workstations for demonstration)
• 1 Linksys WRT54G Wireless-G Router
• 1 Modem
• Ethernet Cable
• Wireless NIC/Adapters

Preparation
• 3 PCs (2 workstations and 1 file server)
• File server minimum specs:
  • CPU: 32-bit or 64-bit (64-bit for ZFS)
  • RAM: 4 GB, 6 GB for ZFS
  • HD: SATA drives
• After choosing specifications for each system, make sure that the master/slave drives are appropriately set and documented

Preparation
• Download FreeNAS to appropriate removable media (CD or USB)
• Run the FreeNAS image on the file server
• Set a static IP for the file server by selecting Configure Network Interfaces during installation
• Typing the IP into a web browser from a LAN workstation will connect to the server setup.

Preparation
• Under Storage -> Volumes, choose the volumes used for storage within the server.
• Under Services -> CIFS, set up the shares for the file server. Choose the home directory.

Preparation
• Set up the wireless router for dual APs.
• If the router does not come configured with DD-WRT then it must be installed.
• Download the DD-WRT version that fits your router onto a PC
• Connect the router to the PC via Ethernet cable and log into the configuration page using a web browser (Internet Explorer recommended)

Preparations
• Log in with the appropriate credentials for your router. Click on Router Upgrade under Maintenance
• Browse to the image located on your system's hard drive.
• Wait for the installation to finish (takes some time) and log back into the router.
• DD-WRT IP: 192.168.1.1, User: root, Pass: Admin
• Perform a hard reset (30/30/30) to restore factory defaults and confirm installation.

Preparations
• Set up 2 SSIDs on the WRT54G router
• Connect the router to the PC via Ethernet cable
• In a web browser, connect to 192.168.1.1
• Navigate to Wireless -> Basic Settings.
• Click Add below Virtual Interfaces
• Change SSIDs as needed (i.e. office and guest)

Preparations
• Navigate to Wireless -> Wireless Security
• Set Security Mode on the main SSID to WPA2 Personal. Set the shared key and save
• Navigate to Setup -> Networking
• Under Bridging, click Add
• Change the first slot to br1, click Apply Settings
• In the new bridge, set the IP address to 1 off the primary network (i.e. 192.168.1.1 -> 192.168.2.1), subnet mask 255.255.255.0

Preparations
• Scroll to the bottom, to the DHCPD section. Click Add
• Switch the first slot to br1, click Apply Settings
• Navigate to Administration -> Commands
• Command Shell: paste the commands below, click Save Firewall, and reset the router

    # Drop new connections between the guest bridge (br1) and the main bridge (br0), in both directions
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    # Removes guest access to the router's config GUI/ports
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

Setup
• Now that the router is configured for dual SSIDs, you can set up the network
• Set up the workstations and file server with wireless communications via either wireless NICs or wireless adapters
• On one workstation connect to the main network (i.e. office) and on the other connect to the new one (i.e. guest).
• On the file server, connect to the main network.

Testing/Results
• From the workstation connected to the main network, create a new file under the share for the file server.
• Try to do the same from the second workstation. If set up properly, the second workstation should not see the network share from the file server.

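A scripted version of this test, meant to be run from the workstation on the guest SSID; it covers both the file-server check above and the router-port rules from the firewall commands. This is an added example, not part of the original slides: the file-server address 192.168.1.50 is a placeholder, and ports 445 and 139 are the standard SMB/NetBIOS ports, assumed here for the CIFS share.

```python
import socket

ROUTER_GUEST_IP = "192.168.2.1"   # br1 address from the bridge setup step
FILE_SERVER_IP = "192.168.1.50"   # placeholder: your FreeNAS static IP

# (host, port, label, state the iptables rules should produce)
GUEST_CHECKS = [
    (ROUTER_GUEST_IP, 23, "router telnet", "refused"),
    (ROUTER_GUEST_IP, 22, "router ssh", "refused"),
    (ROUTER_GUEST_IP, 80, "router www", "refused"),
    (ROUTER_GUEST_IP, 443, "router https", "refused"),
    (FILE_SERVER_IP, 445, "file server SMB", "filtered"),
    (FILE_SERVER_IP, 139, "file server NetBIOS", "filtered"),
]


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt.

    'open'     - handshake completed: the guest can reach the service
    'refused'  - RST received, as sent by REJECT --reject-with tcp-reset
    'filtered' - timeout or unreachable, as caused by a DROP rule
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and "no route to host"
        return "filtered"


def audit(checks, probe_fn=probe):
    """Return (label, host, port, state) for every check that is reachable."""
    leaks = []
    for host, port, label, _expected in checks:
        state = probe_fn(host, port)
        if state == "open":
            leaks.append((label, host, port, state))
    return leaks


if __name__ == "__main__":
    for host, port, label, expected in GUEST_CHECKS:
        state = probe(host, port)
        verdict = "LEAK" if state == "open" else "ok"
        print(f"{verdict:4} {label:20} {host}:{port} {state} (expect {expected})")
```

Probing the file-server ports with the same `probe` function from the office workstation should return `open`, which confirms the block seen from the guest side comes from the firewall rules rather than from the server being down.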
Conclusion
• The setup takes time and some knowledge of networking/PC hardware or willingness to learn.
• Utilizing older systems/hardware can be a cost effective way to segregate small office or home networks to protect sensitive information without having to spend a lot of money on numerous WAPs or limiting connectivity.

Future Work
• For added security, enable AP isolation for the guest SSID to prevent any workstation -> workstation communications on the guest network.
• Inclusion of groups within the FreeNAS software can also add an extra layer of security