Suppose I have a "black box" (which is Ubuntu Server 8.10) running in a cupboard and accessible via a web interface from the local network.
Suppose also that they want some kind of access in the event of the local network going down.
One idea I had was to add a USB wireless dongle to the black box and supply a small laptop or netbook, and set up the laptop so that it can access the web interface on the box. However, I need to make sure that this access is reasonably "secure" in that only that laptop can access the box.
I can set the laptop up using wireless security passwords/keys which are not disclosed to the end user, however the end user will of course have access to the settings from the laptop which they could duplicate on another laptop should they choose to, and we've been asked to tie it to the laptop that's supplied as far as possible.
Presumably: (a) I should be able to find a USB wireless dongle with suitable drivers to make the initial connection work on Ubuntu, in ad-hoc mode (I have very little experience of wireless under Linux having had little need for it), (b) I should be able to restrict connections to specific MAC addresses?
Is there anything else I should be able to do that would make it hard to duplicate the connection to other hardware?
Is there any reason why something like an EEE or any other Linux based netbook wouldn't be ideal for the laptop end?
In case it's not obvious, keep in mind that the black box has no GUI installed.
On Mon, 02 Feb 2009 12:01:11 +0000, mark@quarella.co.uk said:
I can set the laptop up using wireless security passwords/keys which are not disclosed to the end user, however the end user will of course have access to the settings from the laptop which they could duplicate on another laptop should they choose to, and we've been asked to tie it to the laptop that's supplied as far as possible.
Install OpenVPN on each end and secure it with X.509 certificates (not too hard to do, and good documentation on the OpenVPN website). Firewall the black box to only allow remote incoming access via the VPN. Now only PCs with a valid certificate will be able to connect to the black box.
OpenVPN runs on Windows, Linux and MacOS, so any client that runs any of them would be suitable.
If the laptop user has root access to either the laptop or the black box, they'd be able to set up another laptop to access the black box (assuming sufficient skill), but it would not be possible to prevent that (so don't give them root access).
hth, Keith
Keith Edmunds wrote:
Install OpenVPN on each end and secure it with X.509 certificates (not too hard to do, and good documentation on the OpenVPN website). Firewall the black box to only allow remote incoming access via the VPN. Now only PCs with a valid certificate will be able to connect to the black box.
Thanks, I'll look at that. I played with OpenVPN some time ago but I would think it's moved on a bit now (or at least hopefully the docs have!)
Presumably I'll be able to do all this whilst leaving the LAN connection open as at present?
If the laptop user has root access to either the laptop or the black box, they'd be able to set up another laptop to access the black box (assuming sufficient skill), but it would not be possible to prevent that (so don't give them root access).
Limiting to specific MAC addresses would help (albeit not hard to spoof a MAC address).
On Mon, 2009-02-02 at 12:01 +0000, Mark Rogers wrote:
Presumably: (a) I should be able to find a USB wireless dongle with suitable drivers to make the initial connection work on Ubuntu, in ad-hoc mode (I have very little experience of wireless under Linux having had little need for it),
I have never tried in adhoc mode. I have a USB wireless dongle working under Debian with WPA-PSK.
(b) I should be able to restrict connections to specific MAC addresses?
Many network cards these days can have the MAC address set via software though there is obviously a default which is the proper, unique ID assigned by the manufacturer. I suspect this may apply to wireless adapters too.
I can not think at the moment of anything that is 100% secure using the hardware you describe.
The laptop could be set up in such a way as a normal user could not obtain any keys used (for WEP, WPA or a VPN) or alter the MAC address of the wireless card and, as long as the user doesn't have the root password it would be secure against some kinds of user. For a really determined and expert user you have to make sure they can not boot it from any alternate media or encrypt the hard disk so that when they do manage to boot it from something else they still can't get the keys.
If the above is not secure enough I suspect you need one of those one time password tokens that give the user a number to type in which is checked by the black box. As these are sealed up devices it would be very hard indeed for the user to get the necessary random number sequence out to program into something else.
Regards, Steve.
Steve Fosdick wrote:
I can not think at the moment of anything that is 100% secure using the hardware you describe.
I cannot think of anything which is 100% secure with any hardware!
Just best efforts is good enough for this application, although...
If the above is not secure enough I suspect you need one of those one time password tokens that give the user a number to type in which is checked by the black box. As these are sealed up devices it would be very hard indeed for the user to get the necessary random number sequence out to program into something else.
... this would be very effective, I think. (Still wouldn't stop the key being migrated to a different laptop but that's probably sufficient for this application.)
I know they exist but have no idea what they're called, can anyone enlighten me? Would make Googling a lot easier!
On Mon, 02 Feb 2009 15:29:31 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
I know they exist but have no idea what they're called, can anyone enlighten me? Would make Googling a lot easier!
RSA SecurID
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt ---------------------------------------------------------------------
mbm wrote:
RSA SecurID
Excellent, thanks.
A Google has given me loads of marketing info, or "how it works" info, but not a lot else in terms of implementation in my environment. I'm not clear, for example, whether or not the "black box" needs an internet connection to a third party in order to authenticate?
On Mon, 02 Feb 2009 16:51:34 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
A Google has given me loads of marketing info, or "how it works" info, but not a lot else in terms of implementation in my environment. I'm not clear, for example, whether or not the "black box" needs an internet connection to a third party in order to authenticate?
Caveat - I've never done this, so you are trusting a blind man.... I just use SecurID in my daily life.
Take a look at http://www.debian-administration.org/articles/508 or http://discord.ensued.net/install_rsaauthmgr_with_etch_en.txt which
This looks like a lot of work (and expense) to solve your problem. Since "good enough", rather than the impossible goal of 100% security, is going to be, well, good enough, you may care to rethink this.
Mick
On Mon, 2009-02-02 at 16:51 +0000, Mark Rogers wrote:
mbm wrote:
RSA SecurID
Excellent, thanks.
A Google has given me loads of marketing info, or "how it works" info, but not a lot else in terms of implementation in my environment. I'm not clear, for example, whether or not the "black box" needs an internet connection to a third party in order to authenticate?
There is also ActivID from ActiveIdentity.
Regards, Steve.