Hi, folks,
We're (I use the anonymous "we" here with apologies) in the process of
setting up a Wi-Fi access point here. Bear in mind that we have little
control over client configuration or consistency--personal computers
would be used, with any OS--and don't want to spend a lot of time
providing technical support.
One of the other groups here went with a product called ReefEdge to
provide Wi-Fi authentication to prevent unauthorized usage; as far as I
can tell from chatting with them, it does pretty much the same as what
we were thinking; however, due to cost, we'd prefer to develop something
in-house or use something open source.
So the plan I had was this:
Set up the gateway with a firewall which would by default redirect all
outgoing tcp/80 traffic to some local machine, which would have a
"sign-in" page. Users authenticate with their username/password, and a
ruleset is temporarily added to the firewall allowing them full outgoing
traffic. When they are done, they log out, deleting the ruleset (or we
time out their connection after a certain amount of inactivity).
The real question I have is, even if we were to use MAC address matching
instead of IP (iptables has an option in the 2.4 kernel for MAC
matching, as I recall) anyone can grab all the information he needs to
spoof a valid connection from a single captured packet. Now, assuming we
close or time out connections when the user logs out, he'd have to take
over a connection still in use. There is no guarantee, though, that the
victim client would even notice (nor would we), especially if it is
running something like ZoneAlarm and simply drops, with no ICMP reject,
all unexpected packets. This would mean the attacker could simply pick
up all the responses to his spoofed connections without the victim
noticing.
So how can you prevent this without using something which would require
client-side support, like VPN? VPN is not much of an option for us, I've
been told that a Mac VPN client costs money, and regardless, we don't
want to have to support user configuration. Do I have to simply hope no
one will be able to hijack a connection which is in use?
I've seen software which claims to detect attempts to hijack Wi-Fi
networks, but most appear to just detect brute-forcing on the IP
address, etc. Any attacker could merely passively capture a single
packet and bypass this detection in a snap.
Thanks for any help.
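The sign-in gateway sketched in the post, as an added example that is not part of the original message: a small manager that installs the default tcp/80 redirect, opens forwarding per signed-in client by matching source IP and source MAC together, and removes those rules on sign-out or idle timeout. The interface name, portal address and timeout are assumed placeholders, and the iptables executor is injectable so the rule set can be inspected without root.

```python
"""Captive-portal rule manager (example code, not from the original post).

Default state: FORWARD drops everything and all tcp/80 from the Wi-Fi side is
DNATed to the sign-in host.  A signed-in client gets rules that skip the
redirect and forward its traffic; sign-out or idle timeout deletes them, which
also cuts connections that are still open, as the post intends.
"""
import subprocess
import time

WIFI_IF = "wlan0"              # assumed: interface facing the access point
PORTAL_ADDR = "192.168.1.1"    # assumed: address of the sign-in web server
IDLE_TIMEOUT = 15 * 60         # assumed: seconds of inactivity before sign-out


def run_iptables(args):
    """Default executor: actually invoke iptables (needs root)."""
    subprocess.run(["iptables"] + args, check=True)


class CaptivePortal:
    def __init__(self, runner=run_iptables):
        self.run = runner
        self.sessions = {}   # ip -> {"mac": ..., "user": ..., "last": ...}

    def bootstrap(self):
        """Default state: nothing forwarded, all tcp/80 pulled to the portal."""
        self.run(["-P", "FORWARD", "DROP"])
        self.run(["-t", "nat", "-A", "PREROUTING", "-i", WIFI_IF, "-p", "tcp",
                  "--dport", "80", "-j", "DNAT", "--to-destination",
                  PORTAL_ADDR + ":80"])

    def _client_match(self, ip, mac):
        # Match source IP *and* source MAC together (iptables mac module).
        # Both values travel in the clear, so this only raises the bar
        # against a client that copies them from a captured packet; the
        # idle timeout below limits how long a forged session stays open.
        return ["-i", WIFI_IF, "-s", ip, "-m", "mac", "--mac-source", mac]

    def _client_rules(self, action, ip, mac):
        m = self._client_match(ip, mac)
        # -I puts the per-client rule ahead of the defaults; -D with the
        # identical specification deletes it again.
        self.run(["-t", "nat", action, "PREROUTING"] + m + ["-j", "ACCEPT"])
        self.run([action, "FORWARD"] + m + ["-j", "ACCEPT"])         # client out
        self.run([action, "FORWARD", "-o", WIFI_IF, "-d", ip, "-j", "ACCEPT"])  # replies back

    def sign_in(self, ip, mac, user, now=None):
        now = time.time() if now is None else now
        if ip in self.sessions:          # re-login replaces the old session
            self.sign_out(ip)
        self._client_rules("-I", ip, mac)
        self.sessions[ip] = {"mac": mac, "user": user, "last": now}

    def touch(self, ip, now=None):
        """Record activity, e.g. from a keep-alive hit on the portal page."""
        if ip in self.sessions:
            self.sessions[ip]["last"] = time.time() if now is None else now

    def sign_out(self, ip):
        """Delete the client's rules; returns False if it was not signed in."""
        s = self.sessions.pop(ip, None)
        if s is None:
            return False
        self._client_rules("-D", ip, s["mac"])
        return True

    def expire_idle(self, now=None):
        """Sign out sessions idle longer than IDLE_TIMEOUT; returns their IPs."""
        now = time.time() if now is None else now
        idle = [ip for ip, s in self.sessions.items()
                if now - s["last"] > IDLE_TIMEOUT]
        for ip in idle:
            self.sign_out(ip)
        return idle
```

Run `expire_idle()` from a periodic job (cron or a loop in the portal daemon) and call `touch()` whenever the sign-in host sees traffic from a known client; the per-client reply rule is keyed on destination IP only, because the mac match can only inspect the source address of incoming frames.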