Securing open access points


Stephan Balmer-2
Hi list

We're operating a few wifi access-points that allow connecting without
any password/encryption. To tighten security a bit, I've added ebtables
rules on the individual AP. (The APs are PC Engines Alix boards running
Debian and hostapd.) I'd appreciate feedback on the effectiveness of my
approach and whether there are other low-hanging fruit to further
separate clients. These are the rules:

# Flush
ebtables -F
ebtables -t nat -F

# Block packets from the wifi side that purport to be from a gateway address
ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src -j DROP
ebtables -A FORWARD --in-interface wlan+ --protocol arp --arp-ip-src -j DROP
ebtables -A FORWARD --in-interface wlan+ -s 02:ba:de:af:fe:00 -j DROP

# Block DHCP server responses and IP6 router advertisements from wifi side
ebtables -A FORWARD --in-interface wlan+ --protocol ipv4 --ip-protocol udp --ip-source-port 67 -j DROP
ebtables -A FORWARD --in-interface wlan+ --protocol IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 134 -j DROP

# Allow visitors to talk to the gateway only
# Just send all packets to the gateway at 02:ba:de:af:fe:00 regardless of target address
ebtables -t nat -A PREROUTING --in-interface wlan0_+ -j dnat --to-destination 02:ba:de:af:fe:00
ebtables -t nat -A PREROUTING --in-interface wlan1_+ -j dnat --to-destination 02:ba:de:af:fe:00

# Block STP on the wifi side
for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+ --source BGA -j DROP; done
for T in OUTPUT FORWARD; do ebtables -A $T --out-interface wlan+ --destination BGA -j DROP; done

Explanation of the interfaces:

wlan0, wlan1:        used for internal WPA-secured traffic; internal network (somewhat trusted)
wlan0_0, wlan1_0:    open for guests; guest network (untrusted)
02:ba:de:af:fe:00:   MAC-address of the gateway interface in

The idea is to prevent guests from talking to each other. This improves
security and removes broadcast noise because broadcast traffic is only
seen by the gateway. In particular, I expect this approach to prevent
wifi-clients from impersonating the IP-gateway. This should prevent the
most common form of MitM attacks. I'm aware that it's not a total
separation and that there are still opportunities for client-address

Maybe you see areas where clients could be separated further?
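The ruleset from the post, rebuilt as an added example (this is editor-supplied code, not Stephan's script or anything shipped with ebtables or hostapd). It keeps the post's gateway MAC 02:ba:de:af:fe:00 and the guest VAP names wlan0_0/wlan1_0, but restricts the guards to the open interfaces instead of the wlan+ glob (which also catches the WPA VAPs wlan0/wlan1), and closes the gaps a practitioner would want closed: rogue DHCPv6 servers (UDP source port 547), ICMPv6 redirects (type 137), neighbour advertisements sent from the gateway's IPv6 address, and BPDUs arriving from a guest. The gateway addresses GW_IP4 and GW_IP6, the GUEST_IFS list, the DRY_RUN switch and the ebt wrapper are assumptions introduced here; the IPv4 address is a documentation address and must be replaced with the real gateway IP.

```shell
#!/bin/sh
# Added example: guest-isolation ruleset generator for a Linux AP bridge.
# Not the original poster's script. GW_MAC and the VAP names come from the
# post; GW_IP4, GW_IP6, GUEST_IFS, DRY_RUN and the ebt wrapper are assumed.
set -u

GW_MAC="${GW_MAC:-02:ba:de:af:fe:00}"      # gateway MAC from the post
GW_IP4="${GW_IP4:-192.0.2.1}"              # assumed (TEST-NET-1); set the real gateway IP
GW_IP6="${GW_IP6:-fe80::1}"                # assumed; the gateway's link-local address
GUEST_IFS="${GUEST_IFS:-wlan0_0 wlan1_0}"  # open VAPs only; wlan0/wlan1 (WPA) are untouched
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = run them as root

# Print or execute one ebtables command, depending on DRY_RUN.
ebt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ebtables %s\n' "$*"
    else
        ebtables "$@"
    fi
}

# Layer-2 guards applied to a single guest VAP ($1).
guest_guard_rules() {
    ifc=$1
    # No guest may claim the gateway's IPv4 address in ARP, or send frames
    # whose source MAC is the gateway's.
    ebt -A FORWARD --in-interface "$ifc" --protocol ARP --arp-ip-src "$GW_IP4" -j DROP
    ebt -A FORWARD --in-interface "$ifc" --source "$GW_MAC" -j DROP
    # Rogue DHCPv4 server (UDP sport 67) and rogue DHCPv6 server (UDP sport 547).
    ebt -A FORWARD --in-interface "$ifc" --protocol IPv4 --ip-protocol udp --ip-source-port 67 -j DROP
    ebt -A FORWARD --in-interface "$ifc" --protocol IPv6 --ip6-protocol udp --ip6-source-port 547 -j DROP
    # Rogue router advertisements (134) and redirects (137) from the guest side.
    ebt -A FORWARD --in-interface "$ifc" --protocol IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 134 -j DROP
    ebt -A FORWARD --in-interface "$ifc" --protocol IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 137 -j DROP
    # Neighbour advertisements (136) sent from the gateway's own IPv6 address.
    ebt -A FORWARD --in-interface "$ifc" --protocol IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 136 --ip6-source "$GW_IP6" -j DROP
    # BPDUs from a guest are dropped before the bridge ever looks at them.
    ebt -t nat -A PREROUTING --in-interface "$ifc" --destination BGA -j DROP
    # Everything else a guest sends is rewritten to the gateway MAC, as in the post.
    ebt -t nat -A PREROUTING --in-interface "$ifc" -j dnat --to-destination "$GW_MAC"
}

# Flush and rebuild the whole ruleset.
guest_isolation() {
    ebt -F
    ebt -t nat -F
    for ifc in $GUEST_IFS; do
        guest_guard_rules "$ifc"
    done
    # Never let STP leak out towards the radios (kept from the post).
    for chain in OUTPUT FORWARD; do
        ebt -A "$chain" --out-interface 'wlan+' --source BGA -j DROP
        ebt -A "$chain" --out-interface 'wlan+' --destination BGA -j DROP
    done
}

# Number of -A rules the generator emits; a cheap sanity check for dry runs.
rule_count() {
    ( DRY_RUN=1; guest_isolation ) | grep -c -- ' -A '
}

# With --apply the rules are loaded; otherwise they are only printed.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
guest_isolation
```

Run it once as `sh guest-isolation.sh` to inspect the generated commands, then `GW_IP4=<real gateway IP> GW_IP6=<real link-local> sh guest-isolation.sh --apply` as root. Two caveats that the ebtables rules alone do not cover: the DNAT to the gateway MAC means every guest broadcast, DHCP discovers included, lands only on the gateway, so the DHCP server has to live there (or be relayed from there); and on mac80211 drivers hostapd's default `ap_isolate=0` lets the driver forward station-to-station frames inside one BSS without them ever crossing the bridge, so set `ap_isolate=1` in hostapd.conf for the open VAPs, or the filter never sees the traffic it is meant to block.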