DaemonForums  


OpenBSD Security Functionally paranoid!

#1
Old 4th January 2013
EverydayDiesel
Fdisk Soldier
 
Join Date: Jan 2009
Posts: 67
Thanked 0 Times in 0 Posts
Wireless Security

Hello

I am wondering what the best practices are for wireless OpenBSD access points (an OpenBSD server on the network with just a wireless card installed).

How can I make it a 'hidden' network (not broadcasting the SSID)?
How can I filter on MAC addresses?
Most reliable PCI card? (I saw the list in the FAQ.)

Any other tips (or useful examples) would be greatly appreciated.
#2
Old 4th January 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

Non-broadcast SSID is not a security feature and will not protect a network. There are no best practices that attempt security via obscurity.

It is my understanding that filtering by MAC address on OpenBSD can only be performed on bridge(4) interfaces. Since bridge interfaces are passed through pf(4) filters twice -- once on input, and once on output -- you may block unwanted MAC address traffic either in, or out, or both directions. Filtration must be done by tagging the Ethernet frames. See the Tagging section of the PF User's Guide here: http://www.openbsd.org/faq/pf/tagging.html

WEP encryption is considered broken by the industry and should not be used for secure communication.

WPA/WPA2, if supported by your network device, is the preferred best practice for secure 802.11 communications.

Alternatives to WPA to consider may include ipsec(4) and authpf(8), or combinations.
#3
Old 5th January 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

Correction: blocking by MAC address can also be performed entirely within rules for bridge(4) interfaces set via ifconfig(8). Tagging is recommended as it permits the full range of PF rules and pfctl(8) management features to be used.
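Putting posts #2 and #3 together, here is an added example (constructed for this thread, not jggimi's configuration or anything from the OpenBSD manuals) of the tagging approach: bridge(4) rules in /etc/hostname.bridge0 tag frames from known stations, and pf.conf filters on the tag. The interface names em0 and athn0 and the MAC addresses are assumed placeholders.

```conf
# /etc/hostname.bridge0  (assumed members: em0 wired, athn0 wireless in Host AP mode)
# The bridge rules only tag frames; all blocking is left to pf(4), which is
# what makes the full pf rule set and pfctl(8) table/anchor management usable.
add em0
add athn0
# Constructed MAC addresses of known stations: one pass+tag rule per station.
rule pass in on athn0 src 00:11:22:33:44:55 tag KNOWN
rule pass in on athn0 src 00:11:22:33:44:66 tag KNOWN
up

# /etc/pf.conf (fragment)
wifi = "athn0"
# Default deny on the wireless bridge member; only frames that the bridge
# tagged KNOWN on input are allowed through. Because a bridge passes traffic
# through pf twice (in and out), the same pattern works for "out" rules if the
# bridge is also given matching "rule ... out ... tag" entries.
block in log on $wifi
pass in on $wifi tagged KNOWN
```

A station that clones a listed MAC address is tagged exactly like the real one, so this only raises the bar as far as post #2 describes; the log on the block rule is what lets you see untagged frames from unknown stations.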
#4
Old 7th January 2013
EverydayDiesel
Fdisk Soldier
 
Join Date: Jan 2009
Posts: 67
Thanked 0 Times in 0 Posts

Wow thanks for the response! I have been reading a lot about the items you have listed above.

I know it's not a security feature, but is it possible to not broadcast the SSID with OpenBSD? I would like to have this feature if possible.
#5
Old 7th January 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

From ifconfig(8). Please read both paragraphs.
Code:
     nwflag flag
             Set specified flag.  The flag name can be either `hidenwid' or
             `nobridge'.  The `hidenwid' flag will hide the network ID (ESSID)
             in beacon frames when operating in Host AP mode.  It will also
             prevent responses to probe requests with an unspecified network
             ID.  The `nobridge' flag will disable the direct bridging of
             frames between associated nodes when operating in Host AP mode.
             Setting this flag will block and filter direct inter-station
             communications.

             Note that the `hidenwid' and `nobridge' options do not provide
             any security.  The hidden network ID will be sent in clear text
             by associating stations and can be easily discovered with tools
             like tcpdump(8) and hostapd(8).
#6
Old 7th January 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

As an example, EverydayDiesel, I manage two WiFi networks at my home. One network uses WPA2 with pre-shared keys, the other is an "open" WiFi subnet where the 802.11 frames are sent in plaintext. However, it is not "open" to other subnets or to the Internet - security is managed by IPSec and PF:
  • DHCP is the only service permitted to unauthenticated devices.
  • Static IP addresses are assigned by MAC address in dhcpd.conf to pre-authenticated devices, and permitted by PF table.
  • Dynamic IP addresses are permitted access only via addition to another PF table. (e.g.: # pfctl -T add -t guests pool-112)
  • Unauthenticated devices that attempt access to any IP address with destination port 80 (HTTP) are redirected to a virtual host that displays a static web page telling them they can't use the network.
  • VPNs are used for encrypted communication - IPSec or L2TP/IPSec - depending upon client type.
  • An authenticated device (guest, or known MAC address) does not have access to addresses on the LAN when using plaintext; LAN traffic is only passed by PF when using IPSec.
Is this totally secure? No. The easiest way to exploit this system is to spoof a known MAC address; then access to the Internet is possible. Eliminating DHCP access would not eliminate the hole; anyone who can set a MAC address can certainly set an IP address too.
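The layout in post #6, written out as an added example: these are constructed dhcpd.conf and pf.conf fragments, not jggimi's actual files. The addressing (192.0.2.0/24), the interface names (athn0, em0, enc0), the MAC address and the portal address are assumptions, and the rules use the post-4.7 pf syntax (match, rdr-to, tags).

```conf
# /etc/dhcpd.conf (fragment) -- constructed addressing: athn0 is 192.0.2.1/24
subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    range 192.0.2.100 192.0.2.199;       # dynamic pool for unknown devices
    host laptop {                        # pre-authenticated device (constructed MAC)
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.0.2.10;        # must also appear in <known> below
    }
}

# /etc/pf.conf (fragment)
wifi   = "athn0"          # plaintext 802.11 subnet
lan    = "em0"            # wired LAN that plaintext clients must never reach
portal = "192.0.2.1"      # local vhost serving the "you can't use this network" page

table <known>  persist { 192.0.2.10 }   # static, MAC-bound addresses
table <guests> persist                  # dynamic clients admitted by hand, e.g.
                                        #   pfctl -t guests -T add 192.0.2.112
block in log on $wifi                   # default deny for unauthenticated devices

# 1. DHCP is the only service an unauthenticated device may use
pass in quick on $wifi inet proto udp from any port 68 to any port 67

# Everything else keys off whether the source address is in an authorised table
match in on $wifi from { <known>, <guests> } tag AUTHD

# 2. Unauthenticated HTTP to any address lands on the local static page
pass in quick on $wifi inet proto tcp to any port 80 ! tagged AUTHD rdr-to $portal

# 3. Authorised plaintext clients get the Internet, but never the LAN
block in quick on $wifi to $lan:network tagged AUTHD
pass in on $wifi tagged AUTHD      # also carries IKE (udp 500/4500) and ESP to the gateway

# 4. LAN access only through IPsec: decrypted packets arrive on enc0
pass in on enc0 to $lan:network
```

The hole the post describes is visible in the rules: <known> is keyed on an address that dhcpd hands out by MAC, so a station that clones that MAC (or simply configures 192.0.2.10 statically) is tagged AUTHD; only the IPsec path in rule 4 actually authenticates the client.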
#7
Old 8th January 2013
pcronin
Port Guard
 
Join Date: May 2012
Posts: 11
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by jggimi View Post
Eliminating DHCP access would not eliminate the hole, anyone who can set a MAC address can certainly set an IP address too.
This is kind of my attitude towards hidden SSIDs as well. I usually run my "real" SSID as hidden, and then have a "guest" SSID broadcasting. The guest gets 'net access, but is on a separate subnet from the "real" one, and is also throttled. If someone runs a scanner and sees my "real" SSID, then likely they can spoof the MAC and set a static IP with DNS and GW.

I haven't found a decent WiFi USB or PCI adapter locally, so I'm running my wireless on a D-Link $30 "router" plugged in to a standard NIC. I want to upgrade this ASAP.
#8
Old 21st January 2013
EverydayDiesel
Fdisk Soldier
 
Join Date: Jan 2009
Posts: 67
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by jggimi (post #6, quoted in full above)

I REALLY like this methodology and will revisit some of these items later. For now I have to get my current setup up to speed.