Flying Racoons: WEP is for Wusses
22 February 2003
Part Six: WEP is for Wusses
So you have yourself a little wireless network, 802.11b or maybe you’re really cool and have an AirPort Extreme. You were a good system admin and enabled a closed network with 128-bit encryption. Your users were happy. You made your weekly Thursday afternoon golf date. Life was good.
Then the boss' kid downloads a WEP cracker. In a matter of minutes he’s able to find your network, listen for a few minutes to gather enough sample data to crack the key, and start sniffing packets.
You and I both know that this snot-nosed little brat doesn’t have a clue what the difference is between a multicast and a unicast, but that doesn’t matter. He’s now screaming at the top of his lungs that he “haxored” you ’cause he’s so “733t.” You don’t have the foggiest what he means. You just want the noise to stop.
Knowing that the WEP (Wired Equivalent Privacy) algorithm that protects your wireless network isn’t that secure, you search for a better alternative. It’s going to be OK. You have a couple of options.
First off, you know you’re pretty safe because all of your e-mail, both IMAP and SMTP, is wrapped in an SSL layer, so the brat isn’t getting passwords. Also, your wireless users are set up to use AppleShare over SSH since you checked the box on the server and on the clients to use a secure connection. You’ve protected yourself well, but now the boss is involved and wants everything secure from the kid.
Your first thought is to put all of the wireless machines on a stub network hanging off of your DMZ on your firewall. This way you can force all of your wireless users to use a VPN client to get through the firewall. Now all company traffic will be secure through the VPN. Problem is you don’t have enough VPN licenses, and this still doesn’t secure your users when they use iChat or go out to the internet.
So, you put on your thinking cap and roll your own solution. A beautiful IPSec solution so incredibly secure that even the NSA and the Office of Homeland Security would feel at ease using your wireless network. Not that you would want them doing that, but you get the idea.
To set this up we’re going to take an old Blue and White G3 that you have lying around. Pop in a second NIC card, a 10 Mbps one will do. Install Mac OS X 10.2 on it and we’ve got all the pieces.
The Blue and White—which happens to be called Biggie by the way—is going to act as a wireless security gateway for the rest of the network. This machine will encrypt and decrypt all communication between the wireless users on the network. Now even if some pimple-faced degenerate is rude enough to crack your WEP encryption, he’ll be served up a big steaming plate of IPSec letting him know he’s out of his league.
Set up the stub network
We need to get Biggie running as an actual gateway. This means setting up NAT. Connect the machine up to the office network on the built-in ethernet port. Then connect the PCI NIC, the 10 Mbps one that you installed yourself, into the AirPort Base Station.
A quick and dirty way of doing the NAT setup is to use the Internet Sharing option in System Preferences. If you have read our article on setting up NAT, that approach will work too.
Incidentally, if you don’t have a wireless gateway you can set this up on a machine with a wired and a wireless connection and then run a software base station on that machine.
Then you’ll want to put the base station into bridging mode. This means it just acts as a conduit for the wireless packets between the air and the wired network. It also means that it won’t try to do DHCP since Biggie will be taking care of that.
Set up IPSec on Biggie
This gets a little bit involved—and we hope to eventually roll this into VaporSec—but you’ll be able to do it. You’ve already read the rest of our “Flying Racoons” series on setting up IPSec, so this will all be familiar.
We need to set up a policy for every wireless machine. This is the tedious part. Once you do this it would be wise to put all of the parts into a startup script so you’ll never have to do this again.
In our setup the secondary ethernet card in Biggie is 10.0.42.1. Biggie is giving out DHCP leases to all of the wireless machines on the network starting at 10.0.42.100 and ending at 10.0.42.149. Fifty potential machines means 50 spd entries. We’re working on some simpler ways of doing this that don’t require all that typing. We’ll update this article when we find them, but we know this way works.
For our example here we’ll only go over one of these entries. For all of the others that you need you can swap 10.0.42.100 with the appropriate number. So off to the Terminal we go:
sudo setkey -c <<EOF
# Biggie's side of the tunnel for the node at 10.0.42.100. In a setkey tunnel
# policy the endpoints are written local-remote for "out" and remote-local for
# "in", so on the gateway 10.0.42.1 is always the local end: packets forwarded
# toward the node go out through the tunnel, packets from the node must arrive through it.
spdadd 0.0.0.0/0 10.0.42.100/32 any -P out ipsec esp/tunnel/10.0.42.1-10.0.42.100/require;
spdadd 10.0.42.100/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.42.100-10.0.42.1/require;
EOF
For each wireless machine you’ll now need to add a shared secret to /etc/racoon/psk.txt, one line per address. It would be advisable to use the same secret for all IP addresses just to avoid confusion.
Now start up racoon:
sudo racoon
You’re done with Biggie. Easy enough, eh?
Set up the clients
If you want to keep things really easy you can use VaporSec to do this—or at least you will be able to in an upcoming version. The problem is right now VaporSec uses a slightly different racoon.conf file than the standard Mac OS X installation. If you want, you can swap /Library/Application Support/VaporSec/racoon.conf with /etc/racoon/racoon.conf and then this will work now, but potentially break connections to other devices. If you do that then you can create a new connection using “10.0.42.1” as the remote device and “0.0.0.0/0” as the remote network.
Otherwise you can do essentially the same thing as you did on Biggie. For these examples we’ll assume that we are using 10.0.42.100 as our IP address for the wireless machine.
sudo setkey -c <<EOF
# The wireless node's side: here 10.0.42.100 is the local end, so its own
# outbound packets go out through the tunnel to Biggie and everything
# addressed to it must arrive through the tunnel from Biggie.
spdadd 10.0.42.100/32 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.42.100-10.0.42.1/require;
spdadd 0.0.0.0/0 10.0.42.100/32 any -P in ipsec esp/tunnel/10.0.42.1-10.0.42.100/require;
EOF
Again set up the shared secret for 10.0.42.1.
Finally start up racoon. Note that this may take a while—I mean like 2-3 minutes. I don’t know the reason for the delay, but don’t be alarmed.
sudo racoon
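To spare you the typing for all fifty addresses, here is a small POSIX shell script that prints Biggie’s setkey policy and psk.txt lines for the whole DHCP range, and the mirror-image policy for a single wireless node. It is an added example, not code from the article or from VaporSec; the gateway address 10.0.42.1, the 10.0.42.100–149 range, the function names and the use of one secret for every address are assumptions taken from the setup described above.

```sh
#!/bin/sh
# Added example (not code from the article or from VaporSec): prints the
# setkey policy and the psk.txt lines for the whole wireless range so the
# fifty entries need not be typed by hand. Gateway address, range and
# function names are assumptions taken from the article's setup.

GATEWAY=10.0.42.1   # Biggie's wireless-side address
NET=10.0.42         # network prefix handed out by DHCP
FIRST=100           # first and last host number of the DHCP range
LAST=149

# Biggie's policy for one node. In a setkey tunnel policy the endpoints are
# written local-remote for "out" and remote-local for "in", so on the
# gateway $gw is the local end: packets forwarded toward the node go out
# through the tunnel and packets from the node must arrive through it.
gateway_policy() {
    gw=$1; node=$2
    printf 'spdadd 0.0.0.0/0 %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' "$node" "$gw" "$node"
    printf 'spdadd %s/32 0.0.0.0/0 any -P in ipsec esp/tunnel/%s-%s/require;\n' "$node" "$node" "$gw"
}

# The mirror image, to run on the wireless node itself.
node_policy() {
    gw=$1; node=$2
    printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' "$node" "$node" "$gw"
    printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' "$node" "$gw" "$node"
}

# One /etc/racoon/psk.txt line: peer address, a tab, the secret.
psk_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# Biggie's complete policy for the DHCP range.
all_gateway_policies() {
    gw=$1; net=$2; i=$3; last=$4
    while [ "$i" -le "$last" ]; do
        gateway_policy "$gw" "$net.$i"
        i=$((i + 1))
    done
}

# Biggie's complete psk.txt, one line per node, same secret throughout.
all_psk_lines() {
    net=$1; i=$2; last=$3; secret=$4
    while [ "$i" -le "$last" ]; do
        psk_line "$net.$i" "$secret"
        i=$((i + 1))
    done
}

# Example run: print Biggie's policy; on Biggie pipe this into "sudo setkey -c".
all_gateway_policies "$GATEWAY" "$NET" "$FIRST" "$LAST"
```

On Biggie, pipe the script’s output into sudo setkey -c and append the output of all_psk_lines to /etc/racoon/psk.txt; on a wireless node, run node_policy 10.0.42.1 with that node’s own address and add a single psk_line for 10.0.42.1. Racoon picks the secret in psk.txt by peer address, so with one shared secret any machine that knows it can authenticate to Biggie from any address in the range; keep the file readable by root only.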
Once the connection is made everything the wireless node sends will be IPSec encrypted and routed through Biggie. Even if the node is talking to another wireless node or the rest of the world. Exactly what you wanted to do with very little burden on the user and minimal cost to the company.
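The thing worth checking once you believe everything is tunnelled is that nothing from the 10.0.42.0/24 range still crosses Biggie’s wireless interface in the clear. The following added example (not from the article) runs that check as a filter over a few constructed lines in the style of tcpdump -n output; the sample lines, addresses, the interface name in the usage note and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): flag wireless traffic that is still
# travelling in the clear. Reads tcpdump-style lines on stdin and prints any
# line that involves a 10.0.42.x address but is neither an ESP packet nor an
# IKE (isakmp) exchange, the only two things the wireless side should carry
# once the policies are in place. Sample lines below are constructed.

# Constructed sample in the style of "tcpdump -n" output: two ESP packets,
# one IKE negotiation, and one plain TCP SYN that should not be there.
SAMPLE='12:00:01.000000 IP 10.0.42.100 > 10.0.42.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:01.100000 IP 10.0.42.1 > 10.0.42.100: ESP(spi=0x04d5e6f7,seq=0x1), length 116
12:00:02.000000 IP 10.0.42.101.500 > 10.0.42.1.500: isakmp: phase 1 I ident
12:00:03.000000 IP 10.0.42.102.49152 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0'

# Print the offending lines.
cleartext_leaks() {
    awk '/ 10\.0\.42\.[0-9]+/ && !/ESP\(/ && !/isakmp/ { print }'
}

# Count them (prints 0 when the capture is clean).
leak_count() {
    awk '/ 10\.0\.42\.[0-9]+/ && !/ESP\(/ && !/isakmp/ { n++ } END { print n + 0 }'
}

# Example run over the constructed sample: only the TCP SYN line is printed.
printf '%s\n' "$SAMPLE" | cleartext_leaks
```

On Biggie the same filter runs on live traffic with sudo tcpdump -n -i <wireless-side interface> | cleartext_leaks (substitute the interface Biggie’s PCI card got). The IKE exchange on UDP port 500 is expected to appear unencrypted; anything else from a wireless address that is not ESP means that node’s policy is not doing its job.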
To better illustrate the point, and because I’m kind of fond of OmniGraffle, here’s a diagram of what you actually have running. Our more astute readers will note that Biggie is actually modeled by a Quicksilver since it looked better than the icon I have for a Blue and White.
