[isf-wifidog] Wifidog client and non-authenticated user isolation

Rein Petersen rein.petersen at gmail.com
Sun 19 Feb 08:28:57 EST 2006


Hi All,

I was performing a few tests with Wifidog client and found that a
non-authenticated user was able to ping authenticated users.

Is OpenWRT capable of isolating all network activity of non-authenticated
users (by MAC address I suppose) to protect legit users from war-drivers?

Another option might be to use super-classing (IP network masking) to
enforce logical networks such that each user gets their own logical IP
network and won't be able to reach other users.

A subnet mask of 255.255.255.252 allows only networks of 4 IP addresses: an
unusable network address and broadcast address (the first and last addresses
of the network), a gateway address, and an assignable user address.

This effectively limits a router to supporting only 64 users, but
isolates them (logically) within their own network. The router would need to
be able to answer on several (64) gateway addresses, which might not be
possible with OpenWRT.

A crafty hacker could still assign themselves an IP address and do damage.
Maybe using MAC address to isolate non-authenticated users would be more
effective.

Another option might utilize a second vlan for authenticated users so they
are, again, isolated (logically) from non-authenticated users. Again, crafty
buggers will just assign their own addresses.

I'm not sure how it could be done, but isolating non-authenticated users
would be a desirable security feature protecting valid users.

Rein
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listes.ilesansfil.org/pipermail/wifidog/attachments/20060219/1497ccfd/attachment.htm
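One way to realise the MAC-based isolation the post asks about, as an added example that is not part of the original message and not WiFiDog's own firewall code: an ebtables rule set for the bridge the wireless clients attach to. The bridge name (br-lan), the gateway MAC, the chain name and the sample client MACs are all assumptions chosen for illustration. It also assumes that client-to-client frames actually traverse the bridge's FORWARD chain; frames an access point switches internally between its own associated clients never reach the bridge and have to be stopped with the driver's own client-isolation setting instead.

```shell
#!/bin/sh
# Added example (not WiFiDog's own code): isolate not-yet-authenticated
# WiFi clients from everyone except the gateway, matching on the MAC
# address each frame carries rather than on the IP address the client
# chose for itself.
#
# Hypothetical names, all assumptions for illustration:
#   BRIDGE - the Linux bridge the clients sit on (OpenWRT's "br-lan")
#   GW_MAC - the router's own MAC on that bridge (captive-portal gateway)
#   CHAIN  - a chain name of our own choosing
# Without APPLY=1 the ebtables commands are only printed, so the script can
# be run anywhere; with APPLY=1 (as root on the router) they are executed.

BRIDGE="${BRIDGE:-br-lan}"
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"
CHAIN="${CHAIN:-wifi_isolate}"

# Run or print an ebtables command, depending on APPLY.
fw() {
    if [ "${APPLY:-0}" = "1" ]; then
        ebtables "$@"
    else
        echo "ebtables $*"
    fi
}

# isolate_rules "<mac> <mac> ..."   (space-separated authenticated MACs)
# Policy expressed by the chain:
#   - frames whose source MAC is on the authenticated list pass (RETURN);
#   - any other source may only address the gateway MAC (portal, DHCP
#     replies, DNS) or the broadcast address (ARP and DHCP discovery);
#   - everything else from an unauthenticated source is dropped, so such a
#     client cannot ping or otherwise reach another client through the bridge.
isolate_rules() {
    fw -N "$CHAIN" 2>/dev/null || true
    fw -F "$CHAIN"
    for mac in $1; do
        fw -A "$CHAIN" -s "$mac" -j RETURN
    done
    fw -A "$CHAIN" -d "$GW_MAC" -j RETURN
    fw -A "$CHAIN" -d Broadcast -j RETURN
    fw -A "$CHAIN" -j DROP
    # Hook the chain into FORWARD for frames bridged through $BRIDGE only.
    fw -I FORWARD --logical-in "$BRIDGE" -j "$CHAIN"
}

# Called when a client completes the portal login: its MAC now passes.
authenticate_mac() {
    fw -I "$CHAIN" 1 -s "$1" -j RETURN
}

# Called when the session ends: the MAC falls back to the isolated policy.
deauthenticate_mac() {
    fw -D "$CHAIN" -s "$1" -j RETURN
}

# Demo with constructed sample MACs: ./isolate.sh demo
if [ "${1:-}" = "demo" ]; then
    isolate_rules "aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02"
    authenticate_mac "aa:bb:cc:dd:ee:03"
    deauthenticate_mac "aa:bb:cc:dd:ee:01"
fi
```

Because the match is on the source MAC, a war-driver who assigns themselves an address inside an authenticated user's IP range still gets dropped; what this does not stop is a client that clones an authenticated user's MAC, which no layer-2 allow-list can distinguish from the real client.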


More information about the WiFiDog mailing list