[MLUG] Is this network configuration secure?
Nick Nobody
me at nikosapi.org
Sat Mar 8 23:27:40 EST 2008
Hello mluggers,
Today I had some free time so I decided to set up a WEP encrypted
access point. (I need a WEP AP so I can use my nintendo DS and some
old network cards) Obviously I'm aware of the minimal security that
WEP provides so I tried to create a "secure" subnet. Here's what it
looks like:
Internet --> router + wireless AP (WPA encrypted) --> PC running
Debian --> wireless AP (WEP encrypted)
The box running Debian has two NICs, each with an IP address on a
different subnet. The WPA subnet runs on 192.168.0.0/24 and the WEP
subnet runs on 192.168.9.0/24. This is achieved using NAT (iptables).
To make this secure I drop all packets that come from the WEP side
that are destined for the WPA side. The reason for this is because all
of the important PCs are on the WPA side of the Debian box. So in the
event that the WEP side is compromised I won't have to worry that my
whole network will be available to the attacker.
Here is what my iptables config looks like (eth0=WPA-side, eth1=WEP-side):
*nat
:PREROUTING ACCEPT [5716:293038]
:POSTROUTING ACCEPT [11:804]
:OUTPUT ACCEPT [22:1505]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [5808:530768]
:FORWARD ACCEPT [26040:3008139]
:OUTPUT ACCEPT [4259:244036]
-A INPUT -d 192.168.0.0/255.255.255.0 -i eth1 -j DROP
COMMIT
So I guess the question is: How would you break into the WPA subnet of
my network? :)
Thanks,
nick
More information about the mlug
mailing list