Wireless Security, Authentication & Captive Portals


Sebastian Büttrich, wire.less.dk edit: March 2010

http://creativecommons.org/licenses/by-nc-sa/3.0/

Reminder: Aspects of IT Security
• Confidentiality
• Integrity
• Availability
• Authenticity
• Non-repudiation
• Risk management

“Wireless Security”
• The term “wireless security” is most often used as a synonym for “keeping unwanted users out of your network” and “encrypting traffic”
• This addresses, to some extent (!):
  – Confidentiality
  – Integrity
  – Availability
• However, none of these is fully secured by “wireless security”!

“Wireless Security”
• A healthy way of looking at security on the network level:
  – The network is the streets and roads
  – Many people and vehicles travel on these roads
  – Streets and roads are open, or mostly open – we don't lock people into their houses
  – If we need to transport money from A to B, we use a protected vehicle (= “end-to-end security”)

General Security / Authentication Methods for Wireless: Hidden / Closed networks
• May be found by passive sniffers anyway
• Misleading “security by obscurity”

General Security / Authentication Methods for Wireless: Key-based encryption of the wireless network (WEP/WPA)
• WEP is easily crackable
• WPA takes longer, but is crackable
• If anything, use WPA2
• WPA might force you to offer a lot of user support

General Security / Authentication Methods for Wireless: MAC (hardware address) based ACL
• MAC black/whitelisting on AP or gateways
• Might be useful for stable user groups and registered equipment
• Difficult to maintain

General Security / Authentication Methods for Wireless: Summary of key-based and ACL methods
• While none of these offers 100% security, appropriate combinations may give reasonable protection
• All of these are hard to maintain with fast-changing, large user groups
• All of these pose communication challenges – how to hand out keys? How to keep MAC lists up-to-date?

Captive Portals

Captive Portals: Principle
• Browser as authentication tool
• Until authenticated, the user's HTTP request is intercepted and redirected by either
  – HTTP redirect (returning a 302 code)
  – IP redirect
  – DNS redirect / DNS poisoning
• You can whitelist based on URL, IP, MAC etc.

Captive Portals: Elements
• The front end: a (set of) web page(s) (“splash page”) for login, feedback and payment. Resides on the AP.
• The captive portal engine: manages redirects based on front end input and communicates back to the front end. May reside on the AP or on a server behind it. The captive portal engine might communicate with the ...
• Back end user store: LDAP, RADIUS or similar. May also reside locally on the AP in smaller systems.
The three elements are independent in principle.

Captive Portals: Downsides
• What if the device does not have a browser?
• IP redirect: the URL does not match the IP for the user
• DNS poisoning: DNS info might get cached at the client
• A pure DNS implementation is easy to circumvent
• In addition to these downsides, there are also circumvention tricks for all of these methods

Captive Portals: Security
• IP/MAC based sessions can be compromised via passive monitoring combined with spoofing
• Pure DNS implementations can be overwritten, or tunneled through
• In addition to technical security issues, do not forget the human factor and management challenges

Captive Portals: Beyond tech
• The success of a portal depends on much more than technology … communication!
• Acceptable Use Policies
• Communication of the AUP
• Wording, contacts
• Social engineering


Popular Captive Portals
• Coova (integrates the discontinued Chillispot)
• WiFidog
• M0n0wall
• NoCat (discontinued, but still in use)
• Vendor supplied portals, e.g. MikroTik, Cisco, Aruba, Aptilo

Homegrown Captive Portals
• Coding your own portal is possible and not all that difficult
• For example, a combination of
  – PHP pages,
  – MySQL/RADIUS,
  – iptables
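The 302-redirect principle from the “Principle” slide and the PHP/MySQL/RADIUS/iptables combination on this slide, as an added Python example that is not part of the original slides and not Coova's or any other project's code. It assumes a hypothetical splash URL (portal.example.net), a small local user table with salted PBKDF2 records standing in for MySQL or RADIUS, and an intercepting HTTP handler that calls handle_request(); the iptables commands are only built as argument lists, never executed, so it runs without root. The session is bound to IP plus MAC, and an IP that shows up with a different MAC is refused and recorded, which is the one check an engine can make against the spoofing risk named on the “Security” slide (it does not protect against an attacker who spoofs both).

```python
"""Skeleton of a homegrown captive-portal engine (added example, constructed names).

Until a client logs in, every intercepted HTTP request is answered with a 302
to the splash page; whitelisted hosts, IPs and MACs pass. On login the engine
opens an IP+MAC-bound session and returns the iptables commands the portal
would push to the gateway; reap() returns the commands that close expired ones.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from urllib.parse import quote

SPLASH_URL = "https://portal.example.net/login"  # constructed placeholder
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2 record; stands in for the MySQL/RADIUS user store."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, record):
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def baseline_rules(iface, portal_port):
    """Gateway rules applied once: send unauthenticated HTTP from the wireless
    interface to the portal's own listener and drop other forwarded traffic.
    Per-client ACCEPT rules are inserted (-I) in front of these later."""
    return [
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", iface, "-p", "tcp",
         "--dport", "80", "-j", "REDIRECT", "--to-ports", str(portal_port)],
        ["iptables", "-A", "FORWARD", "-i", iface, "-j", "DROP"],
    ]


def client_rules(ip, mac, action="-I"):
    """Per-client rules matching on IP *and* source MAC ('-I' opens, '-D' closes)."""
    match = ["-s", ip, "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]
    return [
        ["iptables", "-t", "nat", action, "PREROUTING", *match],
        ["iptables", action, "FORWARD", *match],
    ]


@dataclass
class PortalEngine:
    users: dict                                      # username -> hash_password() record
    splash_url: str = SPLASH_URL
    session_ttl: int = 3600
    url_whitelist: set = field(default_factory=set)  # hosts reachable before login
    ip_whitelist: set = field(default_factory=set)
    mac_whitelist: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)     # ip -> (mac, expiry)
    alerts: list = field(default_factory=list)       # (time, ip, session mac, seen mac)

    def is_authenticated(self, ip, mac, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get(ip)
        if entry is None:
            return False
        sess_mac, expiry = entry
        if now >= expiry:
            return False
        if sess_mac != mac:
            # The IP of a live session is seen with another MAC: refuse it and
            # record the event for the operator; the real owner keeps its session.
            self.alerts.append((now, ip, sess_mac, mac))
            return False
        return True

    def handle_request(self, ip, mac, host, path, now=None):
        """What the intercepting HTTP handler answers: (status, headers)."""
        if host in self.url_whitelist or ip in self.ip_whitelist or mac in self.mac_whitelist:
            return 200, {}
        if self.is_authenticated(ip, mac, now):
            return 200, {}
        original = f"http://{host}{path}"
        return 302, {"Location": f"{self.splash_url}?url={quote(original, safe='')}"}

    def login(self, ip, mac, username, password, now=None):
        """Splash-page form handler: firewall commands on success, None if rejected."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None or not check_password(password, record):
            return None
        self.sessions[ip] = (mac, now + self.session_ttl)
        return client_rules(ip, mac, "-I")

    def reap(self, now=None):
        """Drop expired sessions and return the commands that close their access."""
        now = time.time() if now is None else now
        cmds = []
        for ip, (mac, expiry) in list(self.sessions.items()):
            if now >= expiry:
                del self.sessions[ip]
                cmds += client_rules(ip, mac, "-D")
        return cmds


if __name__ == "__main__":
    engine = PortalEngine(users={"alice": hash_password("s3cret")},
                          url_whitelist={"portal.example.net"})
    print(engine.handle_request("10.0.0.5", "aa:bb:cc:dd:ee:01", "example.org", "/"))
    for cmd in engine.login("10.0.0.5", "aa:bb:cc:dd:ee:01", "alice", "s3cret"):
        print(" ".join(cmd))
```

The per-client rules are inserted with -I so they sit in front of the REDIRECT and DROP baseline; matching on both the IP and the MAC means a client that copies only one of the two still lands on the portal, where the engine sees the mismatch and records it. A session is still only as strong as those two spoofable identifiers, which is the slide's point about end-to-end protection for anything valuable.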

Example: Coova on Ubiquiti & Linksys
• Coova combines several Open Source elements, closed extensions and web based services (part free, part commercial)
• Coova firmware (OpenWRT based) exists for the Linksys WRT54, and can be made to work for Ubiquiti in different ways
• Binary firmware for Ubiquiti still missing (status: March 2010)

Example: Coova on Ubiquiti – Options:
• Build it into Ubiquiti's AirOS via the SDK http://coova.org/node/3685 or use the binary: https://www.coova.net/Controllers/UbiquitiAirOS
• Flash OpenWRT onto the Ubiquiti, add the Coova-Chilli packages
• Use open-mesh / ROBIN firmware – see: http://dev.open-mesh.com

More options to come!

That was it ... Thank you! [email protected] http://wire.less.dk