banner - noaatech2004
Inexpensive Security Gateway for Wireless and Guest Network Access

John Hernandez
Network Operations Center, OAR

A Linux server is used as a gateway (router) between an untrusted net (often characterized by wireless connections) and a campus network. Before a host is routed, its user must authenticate through a web interface served by the apache server on the gateway. LDAP and/or apache dbm-style mechanisms are used for authentication. Successful authentication causes the client's MAC/IP address pair to be entered into a firewall ruleset, where it remains for as long as that host stays on the network or until a daily automatic flush time is reached, whichever comes first. A TCP/80 firewall redirect directs all unauthenticated attempts at web access to the authentication server.

WARNING: The security mechanism used here is not very strong and could be subject to connection hijacking, but it is generally sufficient to thwart unwanted access in cases where some degree of risk can be tolerated.

DHCP can be run on the gateway (or anywhere else on the untrusted net) to assign client IP addresses. A caching nameserver should be run on the gateway (or anywhere else on the untrusted net) to provide name resolution, which is particularly important for clients who have not yet authenticated and thus cannot reach external nameservers. Incoming (new or unrelated) connections to the untrusted net of any kind are generally not allowed, offering protection from potential worms and other remote exploits.
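The ruleset sketched in the two paragraphs above, as an added example written for this page rather than code from the author or from the NOAA gateway: a default-drop forward policy, a TCP/80 redirect to the local auth server for unauthenticated hosts, DHCP and DNS to the gateway itself, a per-host MAC/IP accept rule added after login, and a daily flush. Interface names, chain names, the address format checks and the auth port are assumptions; set `IPT="echo iptables"` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the abstract's own code. Interfaces, ports and chain
# names are assumptions. IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"
UNTRUSTED_IF="${UNTRUSTED_IF:-eth1}"   # wireless/guest side (assumed)
CAMPUS_IF="${CAMPUS_IF:-eth0}"         # campus side (assumed)
AUTH_PORT="${AUTH_PORT:-80}"           # apache auth server on the gateway
AUTH_CHAIN=authd                       # forward rules for authenticated hosts
AUTH_NAT=authnat                       # nat exemptions for authenticated hosts

# Base policy: nothing from the untrusted net is forwarded until the host has
# authenticated; unauthenticated TCP/80 is redirected to the local auth server;
# DHCP and DNS to the gateway itself are allowed; no new inbound connections.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -N "$AUTH_CHAIN"
    $IPT -t nat -N "$AUTH_NAT"
    $IPT -A FORWARD -i "$UNTRUSTED_IF" -o "$CAMPUS_IF" -j "$AUTH_CHAIN"
    $IPT -A FORWARD -i "$CAMPUS_IF" -o "$UNTRUSTED_IF" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$UNTRUSTED_IF" -p udp --dport 67 -j ACCEPT   # DHCP
    $IPT -A INPUT -i "$UNTRUSTED_IF" -p udp --dport 53 -j ACCEPT   # DNS
    $IPT -A INPUT -i "$UNTRUSTED_IF" -p tcp --dport "$AUTH_PORT" -j ACCEPT
    $IPT -A INPUT -i "$UNTRUSTED_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$UNTRUSTED_IF" -j DROP
    # authenticated hosts ACCEPT out of the nat chain and so skip the redirect
    $IPT -t nat -A PREROUTING -i "$UNTRUSTED_IF" -p tcp --dport 80 -j "$AUTH_NAT"
    $IPT -t nat -A PREROUTING -i "$UNTRUSTED_IF" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$AUTH_PORT"
}

# Called by the web login handler after a successful LDAP/dbm authentication.
# Both MAC and IP must match, so borrowing an authenticated IP alone is not
# enough (a spoofed MAC/IP pair still is, which is the WARNING above).
authorize_host() {
    mac=$1; ip=$2
    printf '%s' "$mac" | grep -Eq '^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$' || return 1
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    $IPT -A "$AUTH_CHAIN" -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
    $IPT -t nat -A "$AUTH_NAT" -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
}

# Run from cron at the daily flush time; every host then has to log in again.
flush_authorized() {
    $IPT -F "$AUTH_CHAIN"
    $IPT -t nat -F "$AUTH_NAT"
}
```

Removing a host's pair when it leaves the network (the "remains on the network" condition) needs a separate liveness check, for instance a periodic ARP probe that deletes the two rules with `-D` when the host stops answering.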

Biography

John is a network engineer with the NOAA-Boulder Network Operations Center. He has been with NOAA for just over three years, and his responsibilities include WAN and LAN design and maintenance. One component of his work involves network security and intrusion prevention.
Publication of the NOAA CIO/HPCC, National Oceanic & Atmospheric Administration (NOAA), US Department of Commerce

Last Updated: September 24, 2003 12:24 PM