Monday, April 11, 2016

"Guest" Wireless Access Point Security

More firewall information! As I wrote in my "Internet of Things" isolated networks entry several days ago, I have an open "guest" wireless connection at home. Much of the reasoning is security-based: we don't need to give out wireless connection information to our guests, and anyone within range looking for Internet access has an easy choice rather than trying to hack into our secure wireless connection.

But that wireless connection is limited to 1.5 Mbit/s (through my pfSense firewall) and is blocked from many sites that could suck bandwidth from my Internet connection, or use it in ways that I do not want. It is also blocked from any internal or external equipment I manage over my connection, and devices connected to that "guest" wireless cannot change any of those settings. It behaves like a 1.5 Mbit DSL connection for a reason: in almost every way, it is one.




A VisionNet M505N DSL modem is repurposed as a Wireless Access Point ("WAP"). Rather than using its DSL connection, one Ethernet port is configured as the WAN (Wide-Area Network) interface, and the modem authenticates to my pfSense firewall with a username and password. I then use features on the M505N modem to limit website access (yes, mostly pr0n sites, but also legitimate video streaming services like Netflix that could take too much of that bandwidth [this simplistic hostname blocking doesn't work for streaming services; I'll make a later blog entry on attempting this]). There are more entries than shown; the maximum of 100 sites is more than sufficient.
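The firewall side of this arrangement, written out as an added example rather than the post's own configuration: a pf ruleset in pf.conf syntax (pf is the packet filter underneath pfSense) that gives the guest interface its 1.5 Mbit cap and walls it off from everything internal. Interface names (em0/em1/em2), the 10 Mbit/s uplink figure, the 10.99.0.0/24 guest subnet and the use of plain DHCP on the DMZ port are all assumptions; the post's username/password authentication between the modem and pfSense is not modelled here.

```pf
# Added example: pf.conf equivalent of the guest-WAP policy described above.
# Assumed names/values: em0 = Internet uplink (10 Mbit/s), em1 = LAN,
# em2 = DMZ port the WAP's WAN interface plugs into, 10.99.0.0/24 = guest net.
# pfSense generates rules like these from its GUI; this is the hand-written form.
ext_if    = "em0"
lan_if    = "em1"
dmz_if    = "em2"
guest_net = "10.99.0.0/24"
private   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Downloads: everything leaving the firewall toward the guest net shares one
# 1.5 Mbit queue, so the whole SSID behaves like a 1.5 Mbit DSL line.
altq on $dmz_if cbq bandwidth 1536Kb queue { guest_down }
queue guest_down bandwidth 1536Kb cbq(default)

# Uploads: carve 1.5 Mbit (15% of the assumed 10 Mbit uplink) out for guest
# traffic; no "borrow" option, so the guest queue cannot exceed its share.
altq on $ext_if cbq bandwidth 10Mb queue { std_up, guest_up }
queue std_up   bandwidth 85% cbq(default)
queue guest_up bandwidth 15% cbq

set skip on lo0
scrub in all

# Guests leave through the uplink address and never see internal addresses.
nat on $ext_if inet from $guest_net to any -> ($ext_if)

# Deny everything not explicitly allowed below.
block log all

# The firewall's own traffic (upstream DNS, updates) may leave the uplink.
pass out quick on $ext_if inet from ($ext_if) to any

# LAN side is trusted for outbound use, which includes reaching the WAP's
# management page on its WAN address from the host listed in the WAP's ACL.
pass in quick on $lan_if inet from $lan_if:network to any

# Guests may talk to the firewall itself only for DHCP and DNS.
pass in  quick on $dmz_if inet proto udp from any port 68 to any port 67
pass out quick on $dmz_if inet proto udp from any port 67 to any port 68
pass in  quick on $dmz_if inet proto { tcp, udp } from $guest_net to ($dmz_if) port 53

# Nothing else to the firewall, the LAN, or any other RFC 1918 range:
# guests cannot reach managed equipment, and these attempts are logged.
block in log quick on $dmz_if inet from $guest_net to ($dmz_if)
block in log quick on $dmz_if inet from $guest_net to $private

# Whatever remains is Internet-bound: allow it, stateful, in the 1.5 Mbit
# upload queue on $ext_if (replies come back through guest_down on $dmz_if).
pass in quick on $dmz_if inet from $guest_net to any queue guest_up
```

On pfSense itself you would not load this file by hand; the same policy is built from rules on the DMZ interface tab plus a traffic-shaper queue set. On a plain FreeBSD box with an ALTQ-enabled kernel the fragment loads with `pfctl -f`. The ordering matters: the DHCP/DNS passes and the two `block ... quick` rules must sit above the final catch-all pass, since `quick` stops evaluation at the first match.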




First, I set up the open wireless connection (meaning it doesn't require a passphrase to connect), and I enable "Client Isolation" (devices connected to the wireless network are prevented from interacting with each other). Keep in mind that an open network carries traffic unencrypted over the air: client isolation stops guests reaching each other through the access point, but it does not hide one guest's traffic from another within radio range. In a separate configuration area (typically listed under "NAT", Network Address Translation, and "Port Forwarding") I turn off UPnP, the mechanism by which a device can ask the Wireless Access Point to open ports toward the outside. My pfSense firewall has this covered anyway, but it is good practice to disable UPnP on the access point as well.




Next, I control which IP address range(s) can reach the modem's management interface through an "Access Control List" (ACL). On my networks I use "reserved" IP addresses: the system is set to obtain an address automatically, but the DHCP function has been configured to hand a specific address only to that system. Note that the entries in this table apply to both the WAN and LAN sides. An IP-based ACL only trusts an address, and a device can set itself any address statically, which is why the LAN (wireless) side gets management access disabled outright in the next step.




Also note that all 'LAN' (Local-Area Network) configuration access is disabled in a separate table ("PING", or ICMP, can't be turned off for the LAN interface on this particular modem model). This overrides the Access Control List for any request originating from the LAN, even from a listed device. Make sure you can reach the management interface through the WAN interface before you change this setting! A scan of the guest network would then show only the wireless device you are scanning from and a WAP that answers PINGs but exposes no services (its management interfaces are inaccessible and no LAN-side services are running).




You should also change the default passwords on the management accounts, and you can block specific MAC addresses from connecting if there is a need (from time to time, look at the devices that have been assigned an IP address in the modem's DHCP table). Just make sure you document your settings in a safe location, and be careful not to adjust anything that would prevent you from configuring the Wireless Access Point later from the systems listed in the ACL (I save the configuration before each critical change, so I can reset and reload it quickly). With all of these settings the Wireless Access Point is "locked down" enough to close off the common weaknesses in such devices.

I also want to discourage attempting this from the same Wireless Access Point that carries your main network. Many DSL modems (like this VisionNet model) and home wireless routers offer up to three additional "guest" wireless networks (they also run on the same wireless channel, increasing interference). DO NOT ENABLE THESE NETWORKS WITHOUT PASSWORDS. On a device like this it has the same effect as turning off the password on your main wireless connection, since everything else on the device is shared.


Physical security (the possibility that someone handles the device directly to remove its security features) hasn't been addressed in this article. If someone resets the unit, however, they wipe out all of its settings, including the username and password that authenticate it to my firewall for Internet access, so they cut themselves off. And since the Wireless Access Point connects to the "DMZ" (DeMilitarized Zone: here, a separate firewall interface isolated from the internal networks) interface of my firewall, plugging another system into that connection still gets them nothing.

Other portions of my home networks (hint: I have more than one) will be in later topics, please stay tuned!
