Privileged and Unprivileged WiFi Segments

Here’s a recipe for disaster:

  • Least common denominator encryption.
  • Access points which bridge WiFi and wired Ethernet.
  • The fact that WEP can be pwn3d in 60 seconds.

So let's imagine you just bought a Nintendo DS, and you have a Linksys WRT54G at home. The WRT54G bridges your wired and wireless networks — which means that anyone who gets on your wireless network is behind your firewall. The DS only supports WEP, which leads to the least common denominator problem. Forced to choose between multiplayer Mario Kart and a secure network, we all know what choice will be made. As Mario himself says, “Here we go!”

I’ve discovered a great solution to this problem.

My homebrew Linux access point is based around the MADWiFi driver, which allows me to create virtual access points out of a single card. I created two virtual access points with two SSIDs:

  • Santaniello-WPA2, my privileged WiFi segment. I bridge it with the wired LAN and use WPA2-PSK to keep the neighbors out. Heavyweight WiFi clients, like our laptops, use this segment. Because it’s bridged with the LAN, things like Samba and mt-daapd just work.
  • Santaniello-WEP, my unprivileged WiFi segment. Here I use weak WEP that my Nintendo DS supports. WEP is insecure, but that’s OK because this segment isn’t bridged with anything. Instead I assign it a whole separate subnet and apply the same strict netfilter firewall policy that I use on my incoming DSL.

Pretty cool, eh? Do that with your WRT54G. 🙂

It turns out to be important to expressly disallow routing between the unprivileged WiFi and the rest of the world. My box was routing between them by default, and I didn't realize this. I've added the following lines to my iptables setup script:

# default DROP: nothing is forwarded unless a rule below allows it
iptables -P FORWARD DROP
# don't allow unpriv wifi to access adsl modem
# ($ADSL_MODEM_IP is a placeholder for the modem's address; the original line had no -d argument)
iptables -A FORWARD -i "$WEPWIFI_IFACE" -d "$ADSL_MODEM_IP" -j DROP
# don't route unpriv wifi except to the external world
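Here is a complete FORWARD policy for the two-segment setup described above, written as an added example rather than the post's own script. Interface names (br0 for the LAN/WPA2 bridge, ath1 for the WEP VAP, ppp0 for the DSL link), the WEP subnet and the modem address are assumptions; by default the function only prints the rules, set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: FORWARD policy for a privileged (WPA2, bridged with the LAN)
# and an unprivileged (WEP, separately routed) WiFi segment.
set -eu

LAN_BR="${LAN_BR:-br0}"                       # assumed: bridge of wired LAN + WPA2 VAP
WEPWIFI_IFACE="${WEPWIFI_IFACE:-ath1}"        # assumed: MADWiFi VAP carrying the WEP SSID
DSL_IFACE="${DSL_IFACE:-ppp0}"                # assumed: external DSL interface
WEP_SUBNET="${WEP_SUBNET:-192.168.99.0/24}"   # constructed: subnet given to the WEP VAP
ADSL_MODEM_IP="${ADSL_MODEM_IP:-192.168.1.1}" # placeholder: the modem's management address
IPT="${IPT:-echo iptables}"                   # dry-run by default; IPT=iptables to apply

forward_policy() {
    # Default deny, then rebuild the chain from scratch.
    # $IPT is deliberately unquoted so "echo iptables" splits into two words.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Return traffic for connections that were allowed out.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The unprivileged segment must never reach the modem's management
    # address, even though the modem sits behind the external interface.
    $IPT -A FORWARD -i "$WEPWIFI_IFACE" -d "$ADSL_MODEM_IP" -j DROP
    # Unprivileged WiFi may only go out to the Internet, and only with a
    # source address from its own subnet (no spoofed LAN addresses).
    $IPT -A FORWARD -i "$WEPWIFI_IFACE" -s "$WEP_SUBNET" -o "$DSL_IFACE" -j ACCEPT
    # The privileged bridge (wired LAN + WPA2 clients) may go out to the DSL.
    $IPT -A FORWARD -i "$LAN_BR" -o "$DSL_IFACE" -j ACCEPT
    # Everything else, notably WEP -> LAN and DSL -> anywhere, hits the DROP policy.
}

forward_policy
```

Run it once as a dry run and read the printed rules before setting IPT=iptables; the modem DROP rule must appear before the WEP-to-DSL ACCEPT rule or it has no effect.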
