PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP
A MUCH SAFER WAY TO DO WIRELESS?
I have struggled over the past year [summer of 2003, and into 2004] with addressing some of the security problems of wireless home networking. Besides the obvious problems of default installs being completely open, and even the "closed" 802.11b and 802.11g installs being liable to hacker intrusion [see other sections of my site for discussion of these problems], there is the very serious problem that this access takes place behind the NAT/router that most users now install. And that internal network tends to be very open: having gone to all the trouble to "protect" it by installing the NAT/router, we want the internal network to be open so that we get all the benefits of file and print sharing, using all those wonderful Windows capabilities.
But the moment we let someone into our precious little home network using the wireless capabilities, we are completely open to attack again. This is the additional security nightmare that wireless access presents - all wireless access to a home network is usually behind the firewall! To be sure, to guard against hacker intrusion, we can enable the XP ICF (or the Windows Firewall with SP2), or install ZoneAlarm on each PC. But this completely defeats the purpose for which we set up the NAT/router and our home network in the first place - we can no longer do any file and print sharing! Now there is a catch-22 if I ever heard of one!
So what is a person to do? The essential concept we need to introduce here is authentication at the wireless layer, the physical layer. This was performed initially by the WEP protocol, and by its much improved cousin WPA. This was not generally necessary on wired networking (Ethernet), because the physical wires were themselves largely secured in the building infrastructure and not subject to hijacking. In a wireless environment, unfortunately, the "wires" are subject to hijacking. So we must authenticate anybody who wants to use our "wires." In more open networks, such as college dormitories, there is usually authentication of some sort even on the wired medium: students either acquire IP addresses only if their MAC address is registered, or they are required to log in using 802.1x techniques. The wireless medium, of course, means that our physical network is even more open.
Beyond the important chore of enabling WEP and WPA [see below], I believe there is an approach we can take which obviates most of the concerns we have, while still preserving the open network we have set up behind our original wired NAT/router. Since the cost of these routers has been plummeting faster than anything I have ever seen, it is even a very cost effective solution. What we are going to do is put the wireless network on a completely different network behind our NAT/router. We can do this simply by plugging the WAN [Ethernet] port of our new little wireless router into one of the LAN ports on our NAT/router. We will then set the WAN port of the wireless router to obtain its address by DHCP from the wired NAT/router, much like all our precious little PCs do [for the nerds out there... you could certainly run static IP if you know what you are doing!]. This is demonstrated in the following figure:
In order to pull this off correctly, we must ensure that the wireless network is different from the wired network. Sometimes this is simple, because different vendors use different networks for the LAN side. I have a 2wire for the wired NAT/router, and I have set it for 192.168.1.0 network [I had to change from the 172.16.0.0 default for other reasons]. I have purchased a Linksys BEFW11S4 and have reconfigured its LAN side for 192.168.2.0 - thus a different network. I have also purchased a Netgear MR814 and set it for 192.168.0.0. On both wireless routers, I have set the WAN side for DHCP and plugged them into my 2wire [well, actually a hub added to that network].
Now this approach has some obvious benefits, and some disadvantages.
1. Wireless clients are on a completely different network than the wired clients. All the Windows file and print sharing conveniences are much less accessible, because the wired and wireless networks are on separate broadcast networks, and safe from most of the software that discovers these shares on a broadcast network. Thus the wireless clients will not be able to see any open file or print shares by simple browsing. This allows you to retain the openness of the wired network, which you set up in the first place.
2. Wireless clients can perform most normal operations of email, browsing, even through the "double NATing." I think any service which depends on the client first doing a TCP connect will probably work. The two NAT/routers will each do their port mapping to enable the exchange of TCP data. Outgoing UDP should function just fine through both NAT/routers. Incoming UDP in response to outgoing UDP also seems to work - such as the DNS response. This is, after all, simply a routed network we have in our home now. The Internet is built of routed networks pretty much just like this one. [well...... of course the core Internet is not built of routers performing "NAT."]
3. Depending on the individual wireless NAT/router, you may be able to do some additional "access control list" type functions. For example, you do not [typically] want any TCP connection, or any UDP packet for that matter, from the wireless network to be directed at any wired network address. Any packet exiting the wireless NAT/router had better carry the MAC address of the wired NAT/router - the gateway!
4. Your PCs which contain your important functions can easily be separated on the wired network. Keep your income tax programs, your investment programs, your business papers on that. The wireless network which you provide for your convenience you should only use for "recreational," or "casual" use. It may be safe to put your kids on this network. If your kids are hard gamers, and want ports opened up, then you may have problems.... It would probably be better to run a cable to them from your wired network! Of course your considerations may be dominated by accessibility considerations. If possible put the wired NAT/router in the room with your important PC, and connect Ethernet to it, and connect the wireless NAT/router in the same room. Your kids can connect wirelessly from the other rooms. Your layout of course must be planned according to your situation.
There are certainly some disadvantages as well. I have discovered a few, and there are probably others.
1. Wireless clients can unfortunately still connect to shares on the wired network, but they would have to know in advance the share PC name [or the IP address] and the share name, such as "\\192.168.1.10\MyFiles", in order to connect to it on the other network. You might want to move your wired network to a non-standard one, one completely off the wall, such as 188.8.131.52/16. Any valid network will work, even an illegal one, since it is behind the NAT/router, and not visible to the Internet. This is where an access list which only allows wireless clients to connect to the wired gateway would be nice! You could also have an access list entry to allow certain clients, like your personal laptop, to reach other wired shares.
2. There are most likely some applications which will not work through double NATing. Services where you have to set up static IPs, and map services [ports] through to the static IPs, may get a little tricky through two NAT/routers! Maybe there is a way to set some of these up with appropriate port mapping in the two routers. This is certainly a field for some investigation! SIP devices will certainly have trouble with the double NATing. They have trouble enough with the single NAT!
3. If the wireless router actually comes with a "firewall," as opposed to a simple NAT, you may just want to turn it off if possible, keeping the NAT function on. The firewall may reject packets from a private address arriving on its WAN side, which it treats as the Internet. Even if this is the case, you can change the inside NAT'd address of your main router to an "illegal" IP, which will work perfectly well. See here. Beware that the use of the term firewall by all our friendly vendors is a very inexact science! See here.
I also seriously doubt Microsoft's Universal Plug and Play would work through double NATing, but then most security conscious people recommend that this be the first thing that you turn OFF.
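As an added example (not code from the original page), the following Python model of the two-router layout uses the standard ipaddress module to check the subnet requirement from the setup and to show what the two NAT/routers let through: why browsing cannot discover wired shares, why a wireless client that already knows a wired address can still connect, and how the access list mentioned above would narrow that. All addresses are constructed for illustration; the Linksys WAN lease 192.168.1.50 and the 2wire gateway address 192.168.1.1 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses following the article's layout: the 2wire LAN is
# 192.168.1.0/24, the Linksys LAN was reconfigured to 192.168.2.0/24, and
# the Linksys WAN port holds an assumed DHCP lease from the 2wire.
WIRED = ip_network("192.168.1.0/24")
WIRED_GW = ip_address("192.168.1.1")      # assumed 2wire LAN address
WIRELESS = ip_network("192.168.2.0/24")
WLAN_WAN = ip_address("192.168.1.50")     # assumed lease on the Linksys WAN port


def subnets_distinct(a, b):
    """Requirement from the setup: the two LAN networks must not overlap."""
    return not ip_network(a).overlaps(ip_network(b))


def wireless_to_wired_allowed(src, dst, acl):
    """The 'access list' idea: with acl=None the wireless NAT/router forwards
    any unicast packet toward the wired LAN; with an acl only the wired
    gateway plus explicitly listed (source, destination) pairs get through."""
    if acl is None or dst == WIRED_GW:
        return True
    return (str(src), str(dst)) in acl


def reachable(src, dst, acl=None, broadcast=False):
    """Can a packet from src reach dst in the two-router layout?"""
    src, dst = ip_address(src), ip_address(dst)
    same_lan = (src in WIRED and dst in WIRED) or (src in WIRELESS and dst in WIRELESS)
    if broadcast:
        # Browse-list / NetBIOS discovery never crosses a router, so wireless
        # clients cannot see wired shares by browsing (benefit 1).
        return same_lan
    if same_lan:
        return True
    if src in WIRELESS and dst in WIRED:
        # Translated to WLAN_WAN on the way out; the wired host replies to that
        # address and the NAT maps it back, so a wireless client that already
        # knows the wired IP can still connect (disadvantage 1).
        return wireless_to_wired_allowed(src, dst, acl)
    # Wired hosts have no route to the wireless LAN and the wireless router's
    # NAT has no inbound mapping, so wired-to-wireless connections fail.
    return False


def wired_host_sees_source(src):
    """Address a wired host sees as the source of a wireless client's packet."""
    src = ip_address(src)
    return WLAN_WAN if src in WIRELESS else src
```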
There are some special considerations you should allow for:
1) Be sure to allow the wireless NAT/router to be managed from the WAN side, so that you can access it from your wired network. In a normal situation, of course, you would only enable access from the LAN side. It would be beneficial in this case to disable management LAN access to the wireless NAT/router. I am not sure many NAT/routers would allow you to do this. You had better put a pretty good password on it in this case! If you use the default password, any uninvited guest can reconfigure your wireless NAT/router - from the wireless side!
I would expect vendors to start offering wireless NAT/routers with some special capabilities to be used in this situation. The "LAN" side of the wireless NAT/router is the "untrusted" side in this case, but we still want the "untrusted" side to be able to do TCP connects into the "trusted" side. There are certainly some unique situations that could be addressed. It would certainly go a long way to help address some of these wireless security concerns!
You must be aware that this approach does not make your wired network secure. It just makes it slightly more secure than it would be if you were running a completely open wireless network, or if you installed a wireless Access Point instead of a wireless router. You are thus making it a little tougher for the hacker to penetrate your network. It is a little like using WEP when you cannot use WPA. It only keeps out the riff-raff. The real bad guys can still get in, but if you are like me, there is not that much around here to steal - I practice other safe computing techniques to help combat evil!
To make your network as secure as possible, you should enable WEP, and see if you can upgrade to WPA for your router and NICs. This is discussed in other sections of this site. Unfortunately this upgrade is just starting to make an appearance, albeit only on the 802.11g products so far. Pray that they make it available to all the 802.11b networks already in place.
There is another trick you can try, if you are an advanced user. You can actually make the wireless network exactly the same network as the wired network, and then there is no way for PCs on the wireless network to access the wired network!! This may take some special work, because it would involve giving the WAN adapter and the LAN adapter the same network address, so it may not work. Remember that we are still doing NAT/router, NOT a bridge, so it should work, but the NAT/router may not like giving the same network to both the WAN and LAN sides. Be careful!
Copyright John D Loop Wednesday October 26, 2005