Isolation Access Point with CentOS 7
A bit of context: being the family’s IT guy
If you’re reading this article, you’ve probably been there at some point: when you’re the person who is comfortable with computers in any social circle, you end up with people asking you to fix theirs. Provided the person asking is not a complete asshole, you gently accept and try to see how you can help. Well, at least, that’s what I do.
Now, with the malware ecosystem becoming more aggressive by the day, I have become very cautious about connecting these computers to my wireless network. What if some ransomware is lying around and my own machines get caught in the crossfire? You definitely don’t want that to happen.
To solve this problem, I decided to set up a separate wireless network. The only thing it shares with the rest of my network is Internet access; it has no way to reach anything else. There are several ways to achieve this, which I will describe in this article as I implement them in my own network.
This article was written using elements from [1], [2], [3] and [4]. It’s a big mix of everything put together in the most sensible way security-wise, so I can’t pinpoint exactly which link helped where.
Integrating our access point in the router
If you’ve followed my previous articles about setting up a virtualized router and adding an IDPS, you have a pretty solid routing machine with good traffic segregation abilities, thanks to how efficiently the Linux kernel handles network streams.
Let’s now add a wireless adapter into the mix. I strongly recommend a PCIe card, as USB cards won’t give you good coverage. The result is one more network adapter of its own; in our case its name is wls10. You can find yours under /sys/class/net once the device is added to the VM.
If we translate this into a forwarding table, we get this (rows are the source interface, columns the destination):

| Source ↓ / Destination → | WAN interface ens4u1c2 | Wireless interface wls10 | Endpoints eth0 | Server virtual machines eth1 |
| --- | --- | --- | --- | --- |
| WAN interface ens4u1c2 | – | PASS | PASS | PASS |
| Wireless interface wls10 | PASS | – | DROP | DROP |
| Endpoints eth0 | PASS | DROP | – | PASS |
| Server virtual machines eth1 | PASS | DROP | PASS | – |

PASS on the WAN row means replies to connections initiated from the inside, not unsolicited inbound traffic. The wireless network can only talk to the WAN, and nothing on the inside may initiate a connection towards it.
Remember, I have a separate VLAN for server virtual machines. I haven’t really covered that topic yet, but it will come in due time. Even without it, everything said in this article remains valid.
Important note: if you don’t host the AP directly on your router but use a physical appliance, the firewall principle is exactly the same; the rest of the article, of course, doesn’t apply. In that case I would recommend using VLAN tagging to separate the AP management interface from the actual Wi-Fi traffic, so that a compromised guest cannot reach the AP’s management plane.
Setting up the wireless access point
The reference software to setup a software AP on Linux is hostapd. Let’s install it:
# yum install hostapd iw
The wireless network we’re about to set up will house potentially compromised hosts. We want to limit their interactions with other nodes as much as possible. As such, we’ll configure hostapd to isolate clients from each other on the wireless side.
My /etc/hostapd/hostapd.conf is given below, with plenty of comments explaining how it’s built. I recommend reading through the hostapd reference configuration shipped under /usr/share/doc to understand the role of each option.
# ---------------------------------------------------------------- #
# - hostapd configuration file for the Guest WiFi, with WPA2-PSK - #
# ---------------------------------------------------------------- #
#### hostapd process general section ##########################################
# Interface to use
interface=wls10
driver=nl80211
# Control interface for hostapd_cli and other programs; every member of the group can drive the AP, so keep it small
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
##### IEEE 802.11 related configuration #######################################
ssid=xxxx
# Radio regulations: advertise the country code so clients apply the right channel and power limits
# 802.11h (DFS/TPC) only matters on 5 GHz channels, so it is not enabled here
country_code=BE
ieee80211d=1
# Use 802.11g as the base mode (802.11n is enabled on top of it below) on channel 3
# ACS (automatic channel selection) is not compiled into the EPEL build
hw_mode=g
channel=3
# Security:
# - No MAC ACL
# - WPA2-PSK in CCMP (TKIP has known security issues)
# - Isolation on: clients cannot communicate with each other
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=xxxx
# 802.11n (WMM/QoS is required for HT rates; newer hostapd spells the next option wmm_enabled, wme_enabled is the older name and still accepted)
wme_enabled=1
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40]
This configuration file calls for some comments:
- I don’t use MAC-based ACLs because they add little to no value: a MAC address is trivially spoofed once you know which address is allowed.
- The key security settings are wpa=2 together with rsn_pairwise=CCMP: wpa=2 advertises WPA2 (RSN) only, so TKIP (the WPA1 cipher, against which practical attacks exist) is never offered, and rsn_pairwise restricts WPA2 to CCMP (AES). wpa_pairwise only applies to WPA1 and is harmless here; setting it to CCMP as well just makes sure TKIP does not sneak back in if wpa is ever changed to 3 (mixed mode).
- The ht_capab line is derived from the wireless card’s capabilities. Refer to the links at the bottom of the article to understand how to build it.
- Don’t forget to set your passphrase in the wpa_passphrase field.
- My card (TP-Link TL-WDN4800) only handles 802.11n, so there are no 802.11ac settings. See the documentation for those; I don’t have any hardware for it yet.
- I don’t use automatic channel selection (ACS) for two reasons:
- The hostapd version provided by EPEL on CentOS 7 isn’t built with it.
- Even if it were, there is no really good answer in the heavily crowded 2.4 GHz band anyway. Given the use case (a guest network for computers to fix), moving to 5 GHz doesn’t make sense either, as plenty of computers still lack a 5 GHz radio.
Before starting hostapd, we also need to configure the network stack of the wireless interface:
# cat /etc/sysconfig/network-scripts/ifcfg-wls10
TYPE=Wireless
MODE=AP
BOOTPROTO=static
ONBOOT=yes
DEVICE=wls10
NAME=wls10
IPADDR=192.168.12.254
NETMASK=255.255.255.0
Set the IPADDR field to the address you want your router to have in the guest wireless subnet. The next step is to adapt the firewall:
- Allow forwarding as per the table given at the beginning of the article;
- Allow UDP 53 (DNS) and UDP 67 (DHCP server; its replies leave the router towards client port 68 and need no inbound rule) from the guest wireless network to the router, and nothing else: the router’s other services must stay unreachable from the guest side.
If you’ve followed the previous articles, that part is pretty obvious and I won’t cover it here, as I plan to write a dedicated article on a better-optimized firewall for a Linux router. Two more things are needed, which I won’t cover for the same reason:
- Add the wireless interface to the ones served by dnsmasq and, if you wish, define a dedicated DNS subzone;
- Add the guest subnet to Suricata’s local network definition (HOME_NET), so that its traffic is inspected as internal rather than external.
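To make the forwarding table and the two firewall bullets concrete, here is an added example script (it is not the article’s /opt/firewall.sh, which the previous articles cover) that derives the iptables FORWARD and INPUT rules from the table. Interface names and the 192.168.12.0/24 guest subnet come from the article; treating the WAN row as stateful return traffic (ESTABLISHED,RELATED) rather than unconditional PASS is an assumption, as is the explicit drop of guest-to-guest routing. By default it prints the rules; run it with the argument `apply` to execute them.

```shell
#!/bin/sh
# Added example, not the article's own firewall script: build the guest
# network rules from the forwarding table. Default is a dry run that prints
# the iptables commands; "./guest-fw.sh apply" executes them.

WAN=ens4u1c2; GUEST=wls10; LAN=eth0; SRV=eth1
GUEST_NET=192.168.12.0/24        # guest subnet from the ifcfg-wls10 file
IPT="${IPT:-iptables}"

# policy SRC DST -> PASS or DROP, mirroring the table row by row.
policy() {
    case "$1,$2" in
        "$WAN",*)                        echo PASS ;;  # WAN: replies only (stateful)
        "$GUEST","$WAN")                 echo PASS ;;  # guest -> Internet
        "$GUEST",*)                      echo DROP ;;  # guest -> endpoints/servers
        "$LAN","$GUEST"|"$SRV","$GUEST") echo DROP ;;  # nobody initiates towards guests
        *)                               echo PASS ;;  # endpoints <-> servers, both -> WAN
    esac
}

# FORWARD chain: default drop, conntrack first, then one NEW-only rule per
# PASS cell. The WAN interface is never a source here, so nothing
# unsolicited comes in from the Internet (assumption: stateful WAN row).
emit_forward() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for src in $GUEST $LAN $SRV; do
        for dst in $WAN $GUEST $LAN $SRV; do
            [ "$src" = "$dst" ] && continue
            [ "$(policy "$src" "$dst")" = PASS ] || continue
            $IPT -A FORWARD -i "$src" -o "$dst" -m conntrack --ctstate NEW -j ACCEPT
        done
    done
    # ap_isolate stops clients talking over the air; this stops them being
    # routed back to each other through the router. Redundant with the
    # default policy, kept explicit to document the intent.
    $IPT -A FORWARD -i "$GUEST" -o "$GUEST" -j DROP
}

# INPUT chain: the router itself only answers DHCP and DNS for guests.
# DHCP DISCOVER comes from 0.0.0.0, so no source-network match on port 67.
emit_input() {
    $IPT -A INPUT -i "$GUEST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$GUEST" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$GUEST" -s "$GUEST_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST" -s "$GUEST_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST" -j DROP
}

if [ "${1:-preview}" = apply ]; then
    emit_forward; emit_input
else
    IPT=echo; emit_forward; emit_input      # dry run: print the rules only
fi
```

The INPUT rules go in addition to whatever the existing firewall allows on the other interfaces; the final drop is what keeps SSH and the rest of the router out of reach of a compromised guest. NAT for the guest subnet towards the WAN is assumed to be handled by the existing firewall script, as for the other internal networks.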
It’s now time to bring everything up by reloading all the impacted services. The order matters: if the interface isn’t up first, hostapd won’t be a happy guy.
# ifup wls10
# /opt/firewall.sh
# systemctl enable hostapd
# systemctl start hostapd
# systemctl restart dnsmasq
# systemctl restart suricata
You should now have a working guest wireless network for fixing computers without exposing your own network. Before handing it over, check from a guest client that it gets a lease, resolves names and reaches the Internet, and that it cannot ping or connect to anything in the other subnets, nor to the router beyond DNS and DHCP.
References
- [1] create_ap source code, https://github.com/oblique/create_ap/blob/master/create_ap
- [2] hostapd (kernel.org), https://wireless.wiki.kernel.org/en/users/documentation/hostapd
- [3] Implement strong WiFi encryption the easy way with hostapd (IBM developerWorks), https://www.ibm.com/developerworks/library/l-wifiencrypthostapd/
- [4] hostapd (ubuntu-fr.org), https://doc.ubuntu-fr.org/hostapd#configuration_d_un_point_d_acces_en_wi-fi_80211n_support_mimo