NetStumbler.org Forums

Old 01-06-2005   #1 (permalink)
goldfish
...blub
 
Join Date: Jan 2005
Location: South East England, near London
Posts: 37
Administrating a Public AP

Hey

At the moment, I'm helping my school set up an AP for the sixth form common room (I'm part of the student council). What we are trying to achieve is set up an AP which we can monitor easily, and work out who has paid their share to use the AP (we're organising it so you must give a donation in order to use the wireless Internet access... just so we can pay the ISP's bills).

In other words we want to make sure that unauthorised users cannot use the connection (isn't that the whole point of network security?).

I saw an article in .net mag a while ago involving AirSnare, or something like that, to prevent people from using an AP.

We don't have any gear yet, so all suggestions are welcome as to the sort of setup we should think about. We're getting an ADSL line installed, so I think it's probably better value getting a router with modem, rather than a PC with modem and a wireless card with NAT running on it.

MAC filtering is certainly an option, as is WEP, but that would mean someone could spoof the MAC address of a legit user, or possibly use an ARP inject. Apart from anything, people might get new cards.

Sorry about the long-ness!
Old 01-06-2005   #2 (permalink)
streaker69
Psychic Amish Stumbler
 
Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 12,239
Quote:
Originally Posted by goldfish
Hey

At the moment, I'm helping my school set up an AP for the sixth form common room (I'm part of the student council). What we are trying to achieve is set up an AP which we can monitor easily, and work out who has paid their share to use the AP (we're organising it so you must give a donation in order to use the wireless Internet access... just so we can pay the ISP's bills).

In other words we want to make sure that unauthorised users cannot use the connection (isn't that the whole point of network security?).

I saw an article in .net mag a while ago involving AirSnare, or something like that, to prevent people from using an AP.

We don't have any gear yet, so all suggestions are welcome as to the sort of setup we should think about. We're getting an ADSL line installed, so I think it's probably better value getting a router with modem, rather than a PC with modem and a wireless card with NAT running on it.

MAC filtering is certainly an option, as is WEP, but that would mean someone could spoof the MAC address of a legit user, or possibly use an ARP inject. Apart from anything, people might get new cards.

Sorry about the long-ness!
AirSnare will help you detect who is attempting to connect to the network, but will not prevent them from doing so.

MAC filtering and WEP should be enabled on your AP. Anyone that pays their dues should be required to give you the MAC address of the card they're going to connect with. Subscription should probably be based per MAC, not per user. If someone wants two MACs listed, they should pay two subscriptions. That will keep some weenies away.

Someone could spoof a MAC and crack the WEP, but you also have to realize that there are easier targets for people that are prone to do that kind of thing to hit. If you make it difficult for them to get in, they'll probably just move on to the neighbor with LINKSYS as their SSID on channel 6 with the router IP of 192.168.1.1.
__________________
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
Old 01-06-2005   #3 (permalink)
Thorn
Did you do the math?
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,358
What you really want is something like NoCat. Go to: nocat.net. It requires Linux knowledge, however.
__________________
Thorn
"Read Atlas Shrugged. Compare it to today. Repeat as necessary"
Old 01-06-2005   #4 (permalink)
Barry
Managing the iTards.
 
Join Date: Dec 2002
Location: Ohio
Posts: 5,882
Also run it past the school's or school district's IT department. Our policy is if we find an access point we didn't install we keep it. We're getting quite a collection.
__________________
Never do anything you don't want to explain to the paramedics.
Old 01-06-2005   #5 (permalink)
streaker69
Psychic Amish Stumbler
 
Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 12,239
Quote:
Originally Posted by Barry
Also run it past the school's or school district's IT department. Our policy is if we find an access point we didn't install we keep it. We're getting quite a collection.
A friend of mine works for a large corporation (10,000+) on the main campus. They roam through the halls on a regular basis looking for rogues. Execs seem to think that they can put an AP in their office so they can move their desk to another area without having the Cat5 strung across the floor.
__________________
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
Old 01-06-2005   #6 (permalink)
rjdenver
Registered Member
 
Join Date: Nov 2004
Posts: 110
Quote:
Originally Posted by streaker69
A friend of mine works for a large corporation (10,000+) on the main campus. They roam through the halls on a regular basis looking for rogues. Execs seem to think that they can put an AP in their office so they can move their desk to another area without having the Cat5 strung across the floor.
That's hilarious.

Also, Goldfish, though I'm no expert, I've seen some places use various authentication screens when someone tries to connect to the WAN (my local Panera for instance). Maybe they do this through DHCP and proxies, so that might be another place for an authentication layer.

Rj
Old 01-06-2005   #7 (permalink)
The Others
PeaceDriver
 
Join Date: Apr 2002
Location: Dos Palabras, Mandoras
Posts: 2,920
Quote:
Originally Posted by rjdenver
I've seen some places use various authentication screens when someone tries to connect to the WAN
That's called a captive portal. It's achieved through DNS trickery. NoCat features such wonderful technology.
__________________
all good ends all

Old 01-06-2005   #8 (permalink)
goldfish
...blub
 
Join Date: Jan 2005
Location: South East England, near London
Posts: 37
Quote:
Originally Posted by rjdenver
That's hilarious.

Also, Goldfish, though I'm no expert, I've seen some places use various authentication screens when someone tries to connect to the WAN (my local Panera for instance). Maybe they do this through DHCP and proxies, so that might be another place for an authentication layer.

Rj
That's just the sort of thing I think would work. Similar to what you get in some airports and a lot of coffee shops.

Of course, we will be using WEP, as a matter of course.

Funnily enough that you say about the Linksys router next door, I was surveying the area with NetStumbler (war-walking, if you want to put it like that) and there is in fact a good signal from an AP a few meters away from the school, with no WEP, broadcasting its SSID like nobody's business to the whole world. Even though I did not attempt to gain access, the SSID was the default (I assume) and I expect the root password would also be default.

Anyway. I'm going along two trains of thought here. Either a per hardware or a per user. Per hardware would be much much easier to set up (it's just MAC filtering), but that also requires that the user always uses the same card, OR someone could steal someone's network card and gain access. Per user means that only the PEOPLE that have paid get access, not their machines. But also, if someone leaks their password ....

Or maybe a combination of both? They are required to register their MAC with us, and we then give them a username and password. Is that overkill? We would have to put the WEP key on the wall somewhere, so if we change it people will know about it.

NoCatAuth seems like a perfect solution BUT... it requires we have a standalone machine acting as a gateway. $$moola$$

A dilemma.

Thanks for all the suggestions

EDIT: Oh yes and Access Point Collectors: this isn't a rogue AP, we've been talking with the IT department for ages trying to get it set up, and they basically said "go on then"... so we are
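The combined scheme goldfish describes above (a registered MAC plus a username and password) can be audited from a portal's login log, which shows where per-hardware and per-user checks each fail. This is an added example, not part of the original thread; the log format, the names `REGISTERED`, `SAMPLE_LOG` and `audit`, and all entries are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed registration table: username -> MAC given at sign-up.
REGISTERED = {
    "alice": "00:11:22:33:44:55",
    "bob": "00:11:22:66:77:88",
}

# Constructed portal log: "timestamp username client-MAC" per successful login.
SAMPLE_LOG = """\
2005-01-10T09:00:00 alice 00:11:22:33:44:55
2005-01-10T09:05:00 bob 00:11:22:66:77:88
2005-01-10T09:20:00 alice 00:11:22:aa:bb:cc
2005-01-10T12:30:00 carol 00:11:22:66:77:88
2005-01-10T15:00:00 bob 00:11:22:66:77:88
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, mac = line.split()
            yield datetime.fromisoformat(ts), user, mac.lower()

def audit(log, registered, window=timedelta(hours=1)):
    """Return a sorted list of (kind, user, mac) findings."""
    findings = set()
    last_seen = {}  # user -> (time, mac) of that user's previous login
    owner = {m.lower(): u for u, m in registered.items()}
    for ts, user, mac in parse(log):
        if user not in registered:
            findings.add(("unpaid_user", user, mac))
        elif registered[user].lower() != mac:
            # New card, or a password used on someone else's machine.
            findings.add(("unregistered_mac", user, mac))
        if owner.get(mac, user) != user:
            # Paid-for MAC under a different account: borrowed or copied card.
            findings.add(("mac_owner_mismatch", user, mac))
        prev = last_seen.get(user)
        if prev and prev[1] != mac and ts - prev[0] <= window:
            # Same account on two cards close together: likely shared password.
            findings.add(("shared_account", user, mac))
        last_seen[user] = (ts, mac)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, REGISTERED):
        print(finding)
```
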
Old 01-06-2005   #9 (permalink)
The Others
PeaceDriver
 
Join Date: Apr 2002
Location: Dos Palabras, Mandoras
Posts: 2,920
NoCat can be run on a Linksys WRT54G router, as can the chillispot captive portal functions of wolfs firmware, see here:

http://slashdot.org/~TheIndividual/journal/

As for using WEP and posting the key on the wall... Why bother? That rather does remove the point of using WEP. I wouldn't use WEP or MAC filtering (not simple type in MAC address filtering anyway). You could always investigate some sort of RADIUS server or something. I wouldn't bother, however, I'd just run chillispot.

I think running too many security precautions is unnecessary for a public access point such as this. You are also making a lot of work for yourself in the process.

EDIT:

You should definitely look at this:

http://www.portless.net/menu/ewrt/

And this:

http://www.tinypeap.com/index.html
__________________
all good ends all


Last edited by The Others : 01-06-2005 at 04:53 PM.
Old 01-06-2005   #10 (permalink)
goldfish
...blub
 
Join Date: Jan 2005
Location: South East England, near London
Posts: 37
As much as I detest Linksys hardware, that RADIUS server with PEAP authentication would be absolutely perfect!

Thanks for that!
Old 01-06-2005   #11 (permalink)
King_Ice_Flash
Alien Paranoid Stumbler
 
Join Date: May 2003
Location: WI
Posts: 2,688
The Linksys stuff used to be junk, with the power supplies frying and capacitors exploding. I think they got them straightened out. I have the Linksys WRT54G. If you have any amount of nerd in you, this AP is absolutely AWESOME. The most fun I have had in a long time.
__________________
"Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."
Old 01-06-2005   #12 (permalink)
goldfish
...blub
 
Join Date: Jan 2005
Location: South East England, near London
Posts: 37
Even better, it's relatively cheap too. Gotta love January Sales
Old 01-06-2005   #13 (permalink)
King_Ice_Flash
Alien Paranoid Stumbler
 
Join Date: May 2003
Location: WI
Posts: 2,688
I got mine from amazon.com for like 45 with shipping and tax... And I got a $10 mail in rebate.
__________________
"Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."
Old 01-08-2005   #14 (permalink)
The Others
PeaceDriver
 
Join Date: Apr 2002
Location: Dos Palabras, Mandoras
Posts: 2,920
Quote:
Originally Posted by goldfish
Even better, it's relatively cheap too. Gotta love January Sales
Ohhhhh... Share the URLs
__________________
all good ends all

Old 01-08-2005   #15 (permalink)
goldfish
...blub
 
Join Date: Jan 2005
Location: South East England, near London
Posts: 37
Well, for USAers it's pretty useless, and wouldn't seem that cheap, but to Brits it's damn cheap for a wireless router

http://www.dabs.com/uk/Search2/Produ...ksys%20WRT54GS
http://www.expansys.com/product.asp?code=116773
http://www.amazon.co.uk/exec/obidos/...879902-0436407

Amazon.co.uk is t3h coole5t

EDIT: Oh no, the big A-Z has been beaten!
http://www.simply.co.uk/kelkoo/47997...ters/index.htm