Inexpensive Security Gateway for Wireless and Guest Network Access
John Hernandez
Network Operations Center, OAR
A Linux server is used as a gateway (router) between an untrusted net (often characterized by wireless connections) and a campus network. In order to be routed, a user must authenticate via a web interface to the apache server on the gateway. LDAP and/or apache dbm-style mechanisms are used for authentication. Successful authentication results in a MAC/IP address pair being entered into a firewall ruleset for as long as that host remains on the network or until a daily automatic flush time is reached, whichever comes first. A TCP/80 firewall redirect will direct all unauthenticated attempts at web access to the authentication server.
WARNING: The security mechanism used here is not very strong and could be subject to connection hijacking, but it is generally sufficient to thwart unwanted access in cases where some degree of risk can be tolerated.
DHCP can be run on the gateway (or anywhere else on the untrusted net) to assign client IP addresses. A caching nameserver should be run on the gateway (or anywhere else on the untrusted net) to provide name resolution, which is particularly important for clients who have not yet authenticated and thus cannot reach external nameservers. Incoming (new or unrelated) connections to the untrusted net of any kind are generally not allowed, offering protection from potential worms and other remote exploits.
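The ruleset lifecycle described above (MAC/IP pair admitted on login, removed when the host leaves or at the daily flush, TCP/80 redirected for everyone else, and no new inbound connections to the untrusted net) as an added example that is not part of the original paper. It assumes iptables/netfilter (the text only says "firewall ruleset"), an untrusted-side interface named eth1 and a 04:00 flush time; commands are returned as strings for review rather than executed.

```python
# Added example: models the gateway's authenticated-host ruleset. iptables,
# the interface name and the flush hour are assumptions, not from the paper.
from datetime import timedelta

UNTRUSTED_IF = "eth1"   # assumed interface facing the wireless/guest net
FLUSH_HOUR = 4          # assumed daily flush time (04:00 local)

def base_rules(iface=UNTRUSTED_IF):
    """Static policy: nothing NEW may enter the untrusted net, replies may,
    and unauthenticated TCP/80 is redirected to the gateway's own web server.
    Per-host rules are inserted (-I) above these so they match first."""
    return [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -o {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -o {iface} -m state --state NEW,INVALID -j DROP",
        f"iptables -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT",   # local caching DNS
        f"iptables -t nat -A PREROUTING -i {iface} -p tcp --dport 80 -j REDIRECT --to-ports 80",
    ]

class PortalRuleset:
    """MAC/IP pairs admitted by the web login, plus the matching commands.
    An entry lives until the host leaves (deauthorize) or the daily flush."""

    def __init__(self, iface=UNTRUSTED_IF, flush_hour=FLUSH_HOUR):
        self.iface, self.flush_hour, self.hosts = iface, flush_hour, {}

    def _rules(self, action, mac, ip):
        m = f"-i {self.iface} -s {ip} -m mac --mac-source {mac}"
        return [f"iptables -t nat -{action} PREROUTING {m} -j ACCEPT",  # skip the redirect
                f"iptables -{action} FORWARD {m} -j ACCEPT"]            # allow routing

    def authorize(self, mac, ip):
        mac = mac.lower()
        if self.hosts.get(mac) == ip:
            return []                          # repeat login: nothing to add
        cmds = self.deauthorize(mac)           # same MAC, new DHCP lease: replace pair
        self.hosts[mac] = ip
        return cmds + self._rules("I", mac, ip)

    def deauthorize(self, mac):
        ip = self.hosts.pop(mac.lower(), None)
        return self._rules("D", mac.lower(), ip) if ip else []

    def next_flush(self, after):
        t = after.replace(hour=self.flush_hour, minute=0, second=0, microsecond=0)
        return t if t > after else t + timedelta(days=1)

    def flush_if_due(self, now, last_flush):
        """Once the flush time following last_flush has passed, drop every entry."""
        if now < self.next_flush(last_flush):
            return []
        return [c for mac in list(self.hosts) for c in self.deauthorize(mac)]
```

Because the per-host nat rule is an ACCEPT in PREROUTING, an admitted host skips the REDIRECT while every other client's port-80 traffic still lands on the portal.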