JonHoyle.com Mirror of MacCompanion
http://www.maccompanion.com/archives/May2007/Columns/MacSecurity101.htm


Mac Security 101

http://www.applemacpunk.com | applemacpunk at applemacpunk dot com

Protected Airspace: Securing Your Home Wireless Network, Part II

by Kale Feelhaver


This is part II of the series on securing your home wireless network. Part I focused on ways to configure your AirPort base station to protect your airspace. This article focuses on adding hardware to your network to further protect the wireless segment from intruders. Adding hardware to any network always has a dollar value attached, but it can be the difference between a fairly secure network and a very secure network. This article assumes some background in TCP/IP and general networking, and is aimed at more advanced users.


6. Segment the Networks


The best way to secure your wireless network is to segment it from your wired network. Segmenting is the process of creating separate networks inside of a larger network. You use a firewall (or router) to separate the individual networks and to define exactly what traffic is allowed to pass from one network to the other. For instance, if you had a development network that needed to be secluded from a production network, you could use a firewall to separate the two. You could then configure the firewall rules (see Mac Security 101, October 2006) to allow all traffic from production to development and deny all traffic from development to production. That way, the production systems could reach the development systems, but the development systems would have no access to production. This is a common tactic in many enterprise networks. The firewall rules can even be configured to give the development systems access to the Internet without giving them access to the production systems.


Building on this example, think of the wireless network as development and the wired network as production. The wireless network can be segmented so that it has no access to the wired network, while the wired network keeps access to the wireless network and both networks have access to the Internet. For the sake of explanation, we’ll refer to the wired network as Zone A, the wireless network as Zone B, and the Internet as Zone C. Both A and B can access C. A can access B, but B cannot access A. The example below illustrates this.

[Diagram omitted from this mirror: Zone A (wired), Zone B (wireless) and Zone C (Internet); A and B may reach C, A may reach B, B may not reach A.]


Again, this kind of segmentation takes a fair amount of TCP/IP and networking knowledge, so if you’re confused right now… you might not want to try this. However, if you’re trying to learn more about firewalls and segmentation, this may be a good way to increase your knowledge.


7. What hardware do I need?


Any firewall device should be able to segment a network. Many routers can also be configured with ACLs (Access Control Lists) to act as firewalls, so if you’ve got an old router lying around, you might be able to put it back to work. There are several small office/home office firewalls on the market, such as SonicWall’s TZ170 and WatchGuard’s Firebox SOHO 6. Either of these firewalls is equipped with multiple ports for segmenting networks, so setup should be rather easy.


If you have an old Windows PC lying around, you might want to put it back to work as a firewall. You can download and install IPCop (http://www.ipcop.org) for free and turn any Windows-capable system into a firewall. IPCop is a totally self-contained Linux distribution that acts strictly as a firewall. You’ll need a monitor, keyboard, and CD-ROM to install IPCop, but once it is installed you can disconnect everything from the system and manage it through a web interface, just like the average home router. IPCop only takes a few minutes to install and has minimum system requirements of a 386 processor, 12 MB of RAM, 250 MB of hard drive space, and 3 NICs (Network Interface Cards). The last one might be a little bit of a problem, but keep in mind that most computer stores sell brand new NICs for about $10, and a quick search of eBay may land you 2 or 3 NICs for $10. IPCop is currently not offered in a PowerPC version. However, the IPCop developers are currently creating a PowerPC version, which should be out later this year. Once the PowerPC version is out, you’ll be able to take an old Mac out of the closet and put it back to work as a firewall.


8. How do I configure the firewall?


Once you have procured your hardware, it’s just a matter of hooking everything up and configuring the firewall rules. Of course… that’s the hard part. Using the example above, you would want to configure the firewall to allow both segment A and segment B to access segment C. For argument’s sake, we’ll say segment A uses the 192.168.1.0/24 subnet and segment B uses the 192.168.2.0/24 subnet. There are 3 interfaces on the firewall: one is connected to segment A, one to segment B, and the third to segment C. The rules for the interface connected to segment C would look something like this.

Allow ip 192.168.1.0/24 any

Allow ip 192.168.2.0/24 any


This configuration would allow both segments to access the Internet, but it does nothing to deny the Internet from accessing either segment. To properly secure this network, you would want to get a lot more granular and lock it down to a port level rather than just “any”, but for the sake of the example, this configuration would work. To segment the wireless network from the wired network, the firewall rules for the interface connected to segment B would look something like this.

Deny ip 192.168.2.0/24 192.168.1.0/24

Allow ip 192.168.2.0/24 any


This configuration would deny segment B access to segment A, but allow it anywhere else, including the Internet. Note that the order matters: the Deny line must come before the Allow line, because rules are evaluated top to bottom and the first match wins. Again, this configuration is oversimplified, and to properly secure everything you could add a lot more rules, but this is the basic theory. Building on this theory, the configuration for the interface on segment A would look something like this.

Allow ip 192.168.1.0/24 any


Basically, you are allowing segment A to reach segment B and segment C, while the Deny rule on segment B’s interface blocks traffic coming from the other direction. This is not always an easy topic to grasp, but the process of setting it up will clarify things.
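To make the three rule sets concrete, here is a small model of the firewall described in sections 6 and 8. It is an added example, not code from the article, IPCop or any vendor. It assumes that each rule list is applied to packets entering the firewall on that interface, that the first matching rule wins, and that an explicit default (deny, unless you pass something else) applies when nothing matches; the article’s rules say nothing about Internet-originated traffic, so that default is what actually decides it. The sample hosts, including the 203.0.113.5 documentation address standing in for the Internet, are constructed.

```python
"""Constructed model of the article's three-interface firewall.

Rules are copied from the article. Each packet is checked against the rule list
of the interface it ENTERS on (an assumption), first match wins, and a default
policy applies when nothing matches.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _contains(self.src, src_ip) and _contains(self.dst, dst_ip)


def _contains(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr; the keyword 'any' matches everything."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one line in the article's 'Allow ip <src> <dst>' form."""
    action, proto, src, dst = line.split()
    if proto.lower() != "ip" or action.lower() not in ("allow", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    return Rule(action.lower(), src, dst)


# The article's subnets: Zone A = wired, Zone B = wireless, Zone C = Internet.
ZONES = {"A": "192.168.1.0/24", "B": "192.168.2.0/24"}

# The article's three per-interface rule sets, copied verbatim.
ACLS = {
    "A": ["Allow ip 192.168.1.0/24 any"],
    "B": ["Deny ip 192.168.2.0/24 192.168.1.0/24",
          "Allow ip 192.168.2.0/24 any"],
    "C": ["Allow ip 192.168.1.0/24 any",
          "Allow ip 192.168.2.0/24 any"],
}


def ingress_interface(src_ip: str) -> str:
    """Interface a packet with this source arrives on (assumption: anything
    outside the two local subnets comes in from the Internet side, C)."""
    for name, cidr in ZONES.items():
        if _contains(cidr, src_ip):
            return name
    return "C"


def evaluate(src_ip: str, dst_ip: str, acls=ACLS, default: str = "deny") -> str:
    """Return 'allow' or 'deny' for one packet under first-match semantics."""
    for line in acls[ingress_interface(src_ip)]:
        rule = parse_rule(line)
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default  # nothing matched: the firewall's default policy decides


# One constructed sample host per zone; 203.0.113.5 is a documentation address.
SAMPLE_HOSTS = {"A": "192.168.1.10", "B": "192.168.2.10", "C": "203.0.113.5"}


def policy_matrix(acls=ACLS, default: str = "deny") -> dict:
    """Evaluate every zone-to-zone direction and return {(src, dst): verdict}."""
    return {
        (s, d): evaluate(SAMPLE_HOSTS[s], SAMPLE_HOSTS[d], acls, default)
        for s in SAMPLE_HOSTS for d in SAMPLE_HOSTS if s != d
    }


# The article's intended policy: A and B reach C, A reaches B, B cannot reach A.
INTENDED = {("A", "B"): "allow", ("A", "C"): "allow",
            ("B", "A"): "deny", ("B", "C"): "allow"}


def policy_violations(acls=ACLS, default: str = "deny") -> dict:
    """Directions whose verdict differs from INTENDED (empty dict means OK)."""
    actual = policy_matrix(acls, default)
    return {k: actual[k] for k, want in INTENDED.items() if actual[k] != want}


if __name__ == "__main__":
    for (s, d), verdict in sorted(policy_matrix().items()):
        print(f"{s} -> {d}: {verdict}")
    # Rule order matters: swapping the two lines on interface B lets B reach A.
    swapped = dict(ACLS, B=list(reversed(ACLS["B"])))
    print("violations with B's rules reversed:", policy_violations(swapped))
```

Running it shows the intended matrix (A and B reach C, A reaches B, B is denied A), that Internet-to-segment traffic is decided entirely by the default policy because none of the article’s rules mention it, and that reversing the two rules on segment B’s interface silently opens B to A, which is why the Deny line must stay first.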

 

This is a brief overview of the segmentation process. The article is meant to be informative and is not an “end all, be all” solution. Network segmentation is a skill that can take years to master and may require an advanced knowledge of networking. If you are interested in segmenting your network and want to know more, feel free to contact me directly using the email address above.

Contact Us | ©1996-2007 MPN LLC.