[isf-wifidog] Wifidog client and non-authenticated user isolation

Max Horváth max.horvath at maxspot.de
Sun 19 Feb 12:55:45 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rein,

Rein Petersen wrote:

> Hi All,
>
> I was performing a few tests with Wifidog client and found that a  
> non-authenticated user was able to ping authenticated users.
>
> Is OpenWRT capable of isolating all network activity of non- 
> authenticated users (by MAC address I suppose) to protect legit  
> users from war-drivers?

There is no filtering possible.

What you might do is set the NVRAM variable wl0_ap_isolate to the
value 1. This enables AP client isolation, which means that clients
are hidden from each other. Setting it to 0 (which is the default)
means that clients are allowed to see each other.

So wl0_ap_isolate=1 will disallow not only communication between
unauthenticated users, but all client-to-client communication. That is
what we at maxspot did, just to address the security issue, because it
turns out that you cannot filter only between authenticated and
unauthenticated users.

> Another option might be to use super-classing (ip network masking)  
> to enforce logical networks such that each user gets their own  
> logical ip network and won't be able to reach other users.
>
> A subnet mask of 255.255.255.252 allows only networks of 4 ip
> addresses, an unusable network address and broadcast address (the
> first and last addresses of the network), a gateway address and an
> assignable user address.
>
> This effectively limits a router to supporting only 64 users
> but isolates them (logically) within their own network. The router
> would need to be able to answer on several (64) gateway addresses
> which might not be possible with OpenWRT.
>
> A crafty hacker could still assign themselves an IP address and do  
> damage. Maybe using MAC address to isolate non-authenticated users  
> would be more effective.
>
> Another option might utilize a second vlan for authenticated users  
> so they are, again, isolated (logically) from non-authenticated  
> users. Again, crafty buggers will just assign their own addresses.
>
> I'm not sure how it could be done, but isolating non-authenticated  
> users would be a desirable security feature protecting valid users.

Well, all this is just much too complicated.

To filter between wireless clients using iptables would require that  
each wireless client is on a different VLAN, so that packets go  
through the Linux routing engine (and therefore also iptables). As  
far as I know, this is not possible. Any filtering you want to do  
would need to be done at Layer 2 (in the wireless ethernet layer),  
whereas iptables operates at layer 3 (in the IP stack).  There is no  
layer 2 filtering in the wireless hardware or software.

You should decide whether to turn on AP client isolation or not.
Trying to filter *could* *maybe* be possible, but this will be a lot
of ugly work, which I don't think is worth doing.

Cheers, Max!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD+LEh+BKgC+eQ3ooRAtPuAKCFdLGYx6J9WnzC07+CFDnkMuA0mACfV7CX
O1yOg/9RF3eKgVZyVKQunaw=
=GuBc
-----END PGP SIGNATURE-----
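The setting Max recommends is a single NVRAM variable, and the failure mode Rein observed (an unauthenticated client pinging an authenticated one) is exactly what an operator would want to catch before deployment. The following POSIX shell script is an added example, not part of either message and not WiFiDog code: it audits a Broadcom-style `nvram show` dump (assumed to be `key=value` lines, one per line) for every wireless interface `wlN`, reports whether `wlN_ap_isolate=1` is set, and prints the `nvram set` / `nvram commit` commands that would enable isolation where it is missing. The sample dump is constructed for the example; a missing `wlN_ap_isolate` key is treated as not isolated, matching Max's statement that 0 is the default.

```shell
#!/bin/sh
# Audit an nvram dump for Broadcom AP client isolation (wl<N>_ap_isolate).
# Assumption: input is "key=value" lines as printed by `nvram show` on
# OpenWrt/WRT54G-class routers. Nothing here touches a live router; the
# functions read from stdin so the output of `nvram show` can be piped in.

# Constructed sample dump (not from a real device):
#   wl0 has isolation on, wl1 has it explicitly off, wl2 has no key at all
#   (so it inherits the default of 0), and lan_ipaddr must be ignored.
SAMPLE_NVRAM='wl0_ssid=hotspot
wl0_ap_isolate=1
wl0_mode=ap
wl1_ssid=staff
wl1_ap_isolate=0
wl1_mode=ap
wl2_ssid=guest
wl2_mode=ap
lan_ipaddr=192.168.1.1'

# audit_ap_isolate: stdin = nvram dump. Prints one sorted line per wireless
# interface seen: "<iface> isolated" or "<iface> NOT isolated".
audit_ap_isolate() {
    awk -F= '
        /^wl[0-9]+_/ {
            split($1, p, "_")                 # p[1] is the interface, e.g. wl0
            seen[p[1]] = 1
            if ($1 == (p[1] "_ap_isolate")) isolate[p[1]] = $2
        }
        END {
            for (i in seen) {
                if (isolate[i] == "1") print i " isolated"
                else                    print i " NOT isolated"
            }
        }' | sort
}

# ap_isolate_fixes: stdin = nvram dump. Prints the nvram commands that would
# enable isolation on every interface lacking it, followed by "nvram commit";
# prints nothing when all interfaces are already isolated.
ap_isolate_fixes() {
    audit_ap_isolate | awk '
        $2 == "NOT" { printf "nvram set %s_ap_isolate=1\n", $1; n++ }
        END         { if (n) print "nvram commit" }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NVRAM" | audit_ap_isolate
printf '%s\n' "$SAMPLE_NVRAM" | ap_isolate_fixes
```

On a live router the same functions run as `nvram show | audit_ap_isolate` and `nvram show | ap_isolate_fixes`. The printed `nvram set`/`nvram commit` lines only persist the variable; on these firmwares the wireless driver reads it at initialization, so the change takes effect after the wireless interface or the router is restarted. After that, repeating Rein's ping test from an unauthenticated client against an authenticated one is the end-to-end check that isolation is actually in force.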
