Setup Ubuntu Server as WAP
1. Ubuntu Server based WAP (Wireless Access Point)
Agenda:
- What is WAP?
- Why bother?
- Router setup
- Setting up NIC
- Setting up bridge
- Security
- Firewall
- DHCP
- DNS
- Resources
2. What is WAP?
In computer networking, a wireless access point (WAP or AP) is a device that connects wireless communication devices together to form a wireless network. The WAP usually connects to a wired network and can relay data between wireless devices and wired devices. Several WAPs can link together to form a larger network that allows "roaming". (In contrast, a network where the client devices manage themselves, without the need for any access point, is called an ad-hoc network.)
3. Why bother?
Cheap consumer WAPs under $100 as a rule have a slow CPU (about 150 MHz) and little RAM (about 8-16 MB). This causes poor performance under heavy traffic and peer-to-peer traffic, possible glitches, etc.

With a custom-built Linux based WAP we get a carrier-grade device, one that could cost up to $1500 retail, for under $400. It is flexible and customizable. Want a firewall? No problem. Custom routing? NAT? Bridges? VLANs? All easily managed. Custom web-based configuration, etc. And finally, it's fun :)
4. Router setup
We have a box with two wired interfaces, eth0 and eth1, and one wireless interface, ath0. eth0 is the WAN side; eth1 and ath0 together form the LAN.
5. Setting up wireless NIC
There are three main operation modes for wireless NICs:
- Managed, when the NIC is bound to a WAP that manages it (the ordinary client or "station" mode)
- Ad-hoc, when the NIC is one peer in a flat peer-to-peer network with no access point
- Master, when the NIC acts as a WAP and manages the other stations

For our box only Master mode matters. The wireless-* stanzas below are the wireless-extensions hooks of /etc/network/interfaces (they need the wireless-tools package). The interface is configured as "inet manual", i.e. it gets no IP address of its own, because it will be enslaved to the bridge on the next slide. The key line sets a WEP key given as an ASCII string (the s: prefix); see the Security slide for why that is only acceptable in a lab.

#Wireless Setup at /etc/network/interfaces
auto ath0
iface ath0 inet manual
    wireless-mode master
    wireless-essid pivotpoint
    wireless-key s:tolik
6. Setting up bridge
A network bridge connects multiple network segments at the data link layer (layer 2) of the OSI model; the term "layer 2 switch" is very often used interchangeably with "bridge". Here the wired LAN port eth1 and the wireless interface ath0 are joined into one bridge br0, so wired and wireless clients share a single broadcast domain and a single subnet. The LAN address lives on br0, not on the member ports; the bridge-ports stanza comes from the bridge-utils package, which must be installed.

#Bridge interface at /etc/network/interfaces
auto br0
iface br0 inet static
    address 10.1.1.1
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    bridge-ports eth1 ath0
7. Security
There are a number of security algorithms for WAPs: WEP-40 and WEP-104 (deprecated), WEP2, WEPplus, Dynamic WEP, LEAP and finally WPA and WPA2 (the IEEE 802.11i standard). All WEP variants are very weak (the key can be recovered from a few minutes of captured traffic) and WPA with TKIP is also attackable. To secure a wireless network you should use WPA2 (CCMP/AES) with a strong passphrase, in combination with other measures like static DHCP (refusing unknown clients), MAC ACLs, etc. Keep in mind that static DHCP and MAC ACLs only raise the bar slightly: a client's MAC address can be read off the air and spoofed, so they are no substitute for strong encryption.

For our simple proof-of-concept project we used the WEP-40 algorithm with the key given as a 5-character ASCII passphrase (5 bytes = 40 bits), which is what the wireless setup on slide 5 configured and which should not be used outside a lab:

#Wireless Setup at /etc/network/interfaces
wireless-key s:tolik
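As an added example (not code from the original slides), here is the WPA2 counterpart of the WEP setting above: a small POSIX shell script that writes a hostapd configuration for the same SSID, rejects passphrases that do not meet the WPA-PSK length rule (8 to 63 printable ASCII characters, which is why the 5-character WEP key "tolik" fails), and checks that the old wireless-key stanza has been removed so hostapd and the wireless-* hooks do not fight over the interface. The interface and bridge names ath0 and br0 come from the slides; the driver name, channel and the example passphrase are assumptions.

```shell
# Added example, not from the original slides. Emits a hostapd.conf that
# replaces the WEP "wireless-key" setting with WPA2-PSK (RSN, CCMP only).
# ath0/br0 are the slides' interface names; driver, channel and the
# passphrase used in the usage comment are assumptions for the example.

# Print a WPA2-only hostapd configuration for SSID $1 and passphrase $2.
# Returns 1 and prints nothing if the passphrase is outside the 8..63
# printable-ASCII range required for WPA-PSK, so a WEP-length key such as
# "tolik" is rejected instead of silently producing a broken config.
gen_hostapd_conf() {
    ssid=$1
    pass=$2
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8-63 characters (got $len)" >&2
        return 1
    fi
    # any byte outside 0x20-0x7E is not allowed in a WPA passphrase
    if printf '%s' "$pass" | LC_ALL=C grep -q '[^ -~]'; then
        echo "passphrase must be printable ASCII" >&2
        return 1
    fi
    # hostapd treats only whole lines starting with # as comments,
    # so no trailing comments after values.
    cat <<EOF
interface=ath0
bridge=br0
# assumption: modern mac80211 driver; the madwifi-era ath0 used driver=madwifi
driver=nl80211
ssid=$ssid
hw_mode=g
channel=6
# 1 = open system authentication only (2 would re-enable WEP shared-key auth)
auth_algs=1
# 2 = RSN/WPA2 only, no WPA1/TKIP fallback
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
}

# Fail if a legacy WEP key is still configured in the interfaces file $1.
check_no_wep() {
    if grep -q '^[[:space:]]*wireless-key' "$1"; then
        echo "WEP key still present in $1; remove wireless-key before using WPA2" >&2
        return 1
    fi
    return 0
}

# Usage (as root):
#   gen_hostapd_conf pivotpoint 'correct horse battery staple' > /etc/hostapd/hostapd.conf
#   check_no_wep /etc/network/interfaces && hostapd -B /etc/hostapd/hostapd.conf
```

With hostapd in charge of the radio, the wireless-mode, wireless-essid and wireless-key lines on slide 5 go away; "iface ath0 inet manual" stays, and hostapd itself adds ath0 to br0 because of the bridge= line.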
8. Firewall
We need to set up masquerading (source NAT) on the WAN interface and allow forwarding for our bridged network so that LAN clients get Internet or intranet access:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.1.1.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.1.1.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

Note that the two FORWARD rules only restrict anything if the chain's default policy is DROP (iptables -P FORWARD DROP). With the default ACCEPT policy every packet is forwarded regardless of these rules, and the INPUT chain is still wide open from the WAN side, so the gateway's own services (SSH, DNS, DHCP) are reachable from eth0.

Save and restore our firewall rules over reboot:

#Gateway interface config /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.rules
    post-down iptables-save > /etc/iptables.rules
9. Firewall: Packet forwarding
Without IP forwarding the kernel drops packets that are not addressed to the box itself, so NAT and the FORWARD rules never see any traffic. Enable packet forwarding in the kernel persistently (survives reboot):

# set it in /etc/sysctl.conf
net.ipv4.ip_forward = 1

Immediately allow the forwarding of packets:
echo 1 > /proc/sys/net/ipv4/ip_forward
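As an added example (not from the original slides), here is the firewall procedure of slides 8 and 9 carried through to a complete ruleset: a POSIX shell script that emits an iptables-restore file with default-deny INPUT and FORWARD policies, the masquerade rule, the stateful return-traffic rules, and only the gateway's own LAN-facing services opened. The interfaces eth0 and br0 (eth1 plus ath0) and the subnet 10.1.1.0/24 come from the slides; which services the gateway offers to LAN clients is an assumption.

```shell
# Added example, not from the original slides. Builds a complete
# iptables-restore ruleset with default-deny policies, so the FORWARD
# ACCEPT rules actually restrict something. eth0, br0 and 10.1.1.0/24 are
# the slides' values; the service list is an assumption.

WAN=eth0
LAN=br0              # eth1 and ath0 are bridged into br0
LAN_NET=10.1.1.0/24
LAN_TCP="22 53"      # assumption: ssh for management, dns over tcp
LAN_UDP="53"         # assumption: dns over udp (dhcp is handled separately)

# Print the ruleset in iptables-save format; load it with iptables-restore.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p icmp -j ACCEPT
EOF
    # DHCP DISCOVER comes from 0.0.0.0, so the port 67 rule above carries
    # no source restriction; everything else must come from the LAN subnet.
    for p in $LAN_TCP; do
        echo "-A INPUT -i $LAN -s $LAN_NET -p tcp --dport $p -j ACCEPT"
    done
    for p in $LAN_UDP; do
        echo "-A INPUT -i $LAN -s $LAN_NET -p udp --dport $p -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Refuse a ruleset that does not default-deny on INPUT and FORWARD.
check_default_deny() {
    if printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
       printf '%s\n' "$1" | grep -q '^:FORWARD DROP'; then
        return 0
    fi
    echo "ruleset lacks default-deny policies" >&2
    return 1
}

# Usage (as root); the pre-up iptables-restore line from slide 8 then
# reloads the file at boot:
#   rules=$(gen_rules) && check_default_deny "$rules" &&
#   printf '%s\n' "$rules" > /etc/iptables.rules &&
#   iptables-restore < /etc/iptables.rules
```

Nothing new is opened from the WAN side: unsolicited packets arriving on eth0 hit the INPUT or FORWARD DROP policy, and only connection-tracked replies to LAN-initiated traffic come back through.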
11. DNS
The Domain Name System (DNS) is an Internet service that maps fully qualified domain names (FQDNs) to IP addresses and back. We run BIND as the authoritative server for the private zone home.tolik and for the matching reverse zone 1.1.10.in-addr.arpa (the 10.1.1.0/24 LAN). The zone declarations go in the BIND configuration (on Ubuntu, /etc/bind/named.conf.local):

zone "home.tolik" {
    type master;
    file "/etc/bind/home.tolik.db";
    notify no;
};
zone "1.1.10.in-addr.arpa" {
    type master;
    file "/etc/bind/rev.1.1.10.in-addr.arpa";
};
12. DNS: Forward
Setting up the forward zone home.tolik (file /etc/bind/home.tolik.db). In the SOA record the responsible e-mail address is written with the "@" replaced by a dot, and every name that must not have the zone name appended ends with a trailing dot; a record with no owner name inherits the owner of the previous record:

$TTL 3D
@       IN SOA  ns.home.tolik. acidumirae.gmail.com. (
                200903231   ; serial, today + #
                2H          ; refresh, seconds
                1H          ; retry, seconds
                4H          ; expire, seconds
                1H )        ; minimum, seconds
        NS      ns          ; name server
        MX 10   mail        ; Mail Exchanger
ns      A       10.1.1.1
gw      A       10.1.1.1
        TXT     "Network gateway"
mail    A       10.1.1.1
13. DNS: Reverse
Setting up the reverse zone to resolve 10.1.1.* (file /etc/bind/rev.1.1.10.in-addr.arpa). The owner of each PTR record is the last octet of the address, relative to the zone origin 1.1.10.in-addr.arpa; the name server and target names are fully qualified with a trailing dot so they are not rewritten relative to that origin:

$TTL 24h
; 10.1.1.rev
@       IN SOA  ns.home.tolik. acidumirae.gmail.com. (
                2007052500  ; serial
                10800       ; refresh
                3600        ; retry
                604800      ; expire
                86400 )     ; minimum
        IN NS   ns.home.tolik.
1       IN PTR  gw.home.tolik.
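The forward and reverse zones on slides 12 and 13 are maintained by hand and easily drift apart. As an added example (not from the original slides), the script below derives the PTR records for 1.1.10.in-addr.arpa from the A records of the forward zone file with awk, applying the zone-file rules described above (trailing-dot names stay as they are, other names get the zone appended, a missing owner inherits the previous one). The zone name home.tolik and the 10.1.1.0/24 prefix come from the slides; the sample forward zone used in the usage comment is constructed for this example.

```shell
# Added example, not from the original slides. Generates reverse (PTR)
# records from a forward zone's A records so the two files stay consistent.
# Zone and prefix are the slides' values; the sample zone is constructed.

ZONE=home.tolik
REV_PREFIX=10.1.1      # the /24 covered by 1.1.10.in-addr.arpa

# Read a forward zone file on stdin and print one "<last octet> IN PTR <fqdn>"
# line per address inside $REV_PREFIX. Owner names without a trailing dot are
# qualified with $ZONE, "@" is the zone apex, and a record with no owner
# inherits the previous owner. When several names share one address (ns, gw
# and mail all point at 10.1.1.1 in the slides) only the first becomes the
# PTR target, which is what most resolvers and log tools expect.
gen_ptr() {
    awk -v zone="$ZONE" -v prefix="$REV_PREFIX" '
        BEGIN { last = "@" }
        /^[ \t]*;/ || /^\$/ { next }            # comments, $TTL, $ORIGIN
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "A" || i == NF) continue
                # owner is the first field unless the line starts with the
                # class or the type, in which case it is inherited
                owner = (i > 1 && $1 != "IN") ? $1 : last
                last = owner
                if (owner == "@")          fqdn = zone "."
                else if (owner ~ /\.$/)    fqdn = owner
                else                       fqdn = owner "." zone "."
                n = split($(i + 1), o, ".")
                if (n == 4 && (o[1] "." o[2] "." o[3]) == prefix && !seen[o[4]]++)
                    printf "%s\tIN\tPTR\t%s\n", o[4], fqdn
                break
            }
        }'
}

# Usage: append the generated records below the SOA and NS of the reverse zone
#   gen_ptr < /etc/bind/home.tolik.db >> /etc/bind/rev.1.1.10.in-addr.arpa
# then bump the serial and run: named-checkzone 1.1.10.in-addr.arpa \
#   /etc/bind/rev.1.1.10.in-addr.arpa && rndc reload
```

Addresses outside 10.1.1.0/24 are skipped, so an A record pointing at an external host does not produce a stray PTR in a zone that does not own that address.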