Old 21st January 2013
EverydayDiesel
Shell Scout
 
Join Date: Jan 2009
Posts: 124

Quote:
Originally Posted by jggimi
As an example, EverydayDiesel, I manage two WiFi networks at my home. One network uses WPA2 with pre-shared keys, the other is an "open" WiFi subnet where the 802.11 frames are sent in plaintext. However, it is not "open" to other subnets or to the Internet - security is managed by IPSec and PF:
  • DHCP is the only service permitted to unauthenticated devices.
  • Static IP addresses are assigned by MAC address in dhcpd.conf to pre-authenticated devices, and permitted by PF table.
  • Dynamic IP addresses are permitted access only via addition to another PF table. (e.g.: # pfctl -T add -t guests pool-112)
  • Unauthenticated devices that attempt access to any IP address with destination port 80 (HTTP) are redirected to a virtual host that displays a static web page telling them they can't use the network.
  • VPNs are used for encrypted communication - IPSec or L2TP/IPSec - depending upon client type.
  • An authenticated device (guest, or known MAC address) does not have access to addresses on the LAN when using plaintext; LAN traffic is only passed by PF when using IPSec.
Is this totally secure? No. The easiest way to exploit this system is to spoof a known MAC address; then access to the Internet is possible. Eliminating DHCP access would not eliminate the hole; anyone who can set a MAC address can certainly set an IP address too.

I REALLY like this methodology and will revisit some of these items later. For now I have to get my current up to speed.
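The policy jggimi describes in the quoted post, sketched as an OpenBSD pf.conf. This is an added example, not jggimi's actual configuration; the interface names, addresses, table names and the AUTH tag are assumptions, and the static-lease table is assumed to be kept in step with the fixed-address entries in dhcpd.conf.

```pf
# Added example: pf.conf for an "open" WiFi subnet gated by PF and IPsec.
# Interface names, addresses and table names are assumptions.
wifi_open = "athn0"            # open 802.11 subnet, frames sent in plaintext
lan       = "em0"              # wired LAN, reachable only over IPsec
ext       = "em1"              # Internet-facing interface
open_net  = "192.168.112.0/24"
captive   = "192.168.112.1"    # httpd vhost with the "you can't use this network" page

# Pre-authenticated devices: the IPs that dhcpd.conf fixes by MAC address
table <known>  persist file "/etc/pf.known"
# Dynamic guests, admitted by hand:  pfctl -t guests -T add 192.168.112.50
table <guests> persist

set skip on lo
block log all

# A device is "authenticated" if its IP is in either table. PF only sees the IP,
# so this is identification, not authentication: a spoofed MAC and IP pass here.
match in on $wifi_open from { <known>, <guests> } tag AUTH

# DHCP is the only service open to everyone on the plaintext subnet
pass in quick on $wifi_open inet proto udp from any port bootpc to any port bootps

# Unauthenticated HTTP is steered to the captive page instead of being dropped
pass in quick on $wifi_open inet proto tcp from $open_net to any port www \
    ! tagged AUTH rdr-to $captive port www

# Authenticated plaintext traffic may reach the Internet, never the LAN
pass in on $wifi_open from $open_net to ! $lan:network tagged AUTH
match out on $ext from $open_net nat-to ($ext)

# IKE, NAT-T and L2TP to the gateway itself, so an admitted device can bring up IPsec
pass in on $wifi_open inet proto udp from $open_net to ($wifi_open) port { 500, 4500, 1701 } tagged AUTH
pass in on $wifi_open proto { esp, ah } from $open_net to ($wifi_open) tagged AUTH

# Decrypted traffic surfaces on enc0; only that path is allowed onto the LAN
pass in on enc0 from $open_net to $lan:network keep state (if-bound)

pass out on { $ext, $lan }
```

Load with `pfctl -nf /etc/pf.conf` first to check the syntax, and `pfctl -t guests -T show` lists who has been admitted dynamically.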