There's no rocket science here. I just wanted to see how easy it was to build a secure home LAN using some of the commonly available 11Mbit/sec wireless gear now coming onto the market. It just so happened that I had WaveLAN/Orinoco and Apple Airport products. Hope my experience is of interest to others :-)
"802.11b" is the designation for the IEEE's 11Mbit/sec wireless Ethernet standard. Both Apple and Lucent have 802.11b gear on the market. Apple's goes under the name "Airport", and consists of two products - the Airport Base Station (a standalone DHCP server and NAT gateway between a wireless 802.11b network and a wired 802.3/Ethernet network), and the Airport Card (an 802.11b wireless NIC specifically designed for certain Apple computers). Lucent 802.11b gear is marketed under the name "ORiNOCO" (previously WaveLAN) by Lucent's Microelectronics business unit (now Agere Systems). Orinoco have a range of 802.11b bridges, gateways, and end-host NICs.
My goal was to use an Apple Airport Basestation to support a small network of Windows boxes. Apple's Airport NICs only work in certain Apple machines, so I had to use the WaveLAN/Orinoco PC cards (a PCMCIA 802.11b NIC). Apple's configuration tool for their Airport Basestation is likewise only available on Apple machines, so I used a public domain, java-based Airport Configurator to manage the Airport Basestation from a Windows machine.
[As of 7/20/01 I've also run this configurator under FreeBSD 4.3 and Sun's Java 1.1.8 SDK - see comments added throughout this page.]
Apple's Airport Basestation is a small single board computer that uses an Orinoco Silver PC card to provide its 802.11b wireless connection. The Airport Basestation supports a wired 10baseT ethernet interface and a 56K modem interface for connection to your ISP. The Basestation provides a DHCP (Dynamic Host Configuration Protocol) server which can support hosts on both the 802.11b and 10baseT sides of the box. It also supports NAT/NAPT (Network Address Translation and Network Address/Port Translation) between hosts on the 802.11b side and the link to the ISP (either through the 10baseT or 56K modem links). Basically it has most of the components you need to share a single broadband ISP connection among multiple wireless-equipped computers.
Out of the box, the Basestation's DHCP server assigns addresses in the range 10.0.1.2 to 10.0.1.50 (with 10.0.1.1 being the basestation itself). The 10baseT port's IP address as seen by the ISP can be manually configured, or the Basestation can use DHCP to query the ISP for the necessary information each time the Basestation is powered up. I chose to manually configure the IP address, next hop (gateway) IP address, and DNS addresses.
The Airport Basestation supports 64-bit WEP (Wired Equivalent Privacy).
My installation used Airport software v1.2 (the latest as of Feb. 2001).
Apple supply an Airport Admin Utility for configuring the Basestation; unfortunately it only runs on Airport-equipped Apple machines. For the rest of this discussion, I will be referring to the Airport Configurator instead (a public domain, java-based alternative to the Admin Utility that runs on Windows and *nix boxes). I've successfully used this configurator under Windows NT 4.0 and FreeBSD 4.3 (although there's a small hack required to the default FreeBSD 4.3 installation - noted below).
The Orinoco Gold PC Card
Orinoco's GOLD PC card is a PCMCIA card supporting 802.11b wireless connectivity and both 64- and 128-bit WEP encryption. Orinoco supplies drivers to support this card under Windows, and non-Orinoco drivers exist for other OSes (search under "WaveLAN"). I used the latest Windows-based software (release 6.4, winter 2001).
The PCMCIA card itself plugs directly into most laptops (I tried it successfully with a Toshiba Portege 7020 and an IBM Thinkpad 600, both running Windows NT 4.0). With the addition of a PCMCIA/PCI adaptor card, the Orinoco GOLD card was also installed successfully in a Dell Dimension 8100 running Windows Millennium Edition (ME). In all three cases the installation was relatively painless.
FreeBSD 4.3 also supports plug-n-play installation of the Orinoco card in laptops. When an Orinoco card is installed, it appears as ethernet interface 'wi0'. Use 'wicontrol' while logged in as root to set/modify encryption keys and WEP mode.
My basic network configuration is shown below - three machines, each using Orinoco GOLD PC cards to communicate with the Airport Basestation. Adding additional 802.11b-equipped machines is as simple as turning them on and bringing them within wireless range of the Basestation.
                                             ....... Portege 7020
CableModem<--10baseT-->Airport Base Station -....... ThinkPad 600
                                             ....... Dimension 8100
When the Basestation and the end hosts are first powered up they do not use WEP encryption. This means all packets between the Basestation and the end hosts are being sent 'in the clear' and can be seen by anyone else nearby who has an 802.11b interface card. More importantly, it means your Basestation's DHCP server and NAT functionality will happily serve anyone else nearby - providing a very nice, and uncontrolled, entry point to the Internet through your private ISP connection. Hence, the first thing to do when installing this network is to activate WEP encryption (discussed in more detail further down this page).
Configuring the Airport Basestation requires the use of the non-Apple, java-based Airport Configurator (freely available on the Web). I successfully used version 1.3 (January 2001) of this tool from my Windows ME machine, and was able to configure the Basestation's external IP address information and the WEP encryption key. [Note that this configurator also requires you to install a recent java runtime environment - the instructions on the website worked just fine for me.]
Having an un-encrypted wireless LAN is like hanging free Ethernet cables out your windows and inviting any passers-by to hook up to your in-house network. Especially in apartment and condo environments, there's a good chance your Airport Base Station can be 'seen' (and therefore utilized) by a number of your neighbors. Your ISP link becomes theirs too, especially if you're running with DHCP handing out IP addresses automatically and NAT happily sharing the ISP connection among whatever hosts appear on the wireless side. And most of the time you'd be none the wiser.
To create a more secure (not totally secure - see note) wireless LAN you must enable WEP - Wired Equivalent Privacy. WEP uses 64 bit or 128 bit RC4 encryption to hide the Ethernet traffic running over the wireless network - all clients and base stations must be configured with matching encryption keys before communication can occur. Because it internally uses a standard Orinoco Silver PC card, the Airport Basestation only supports 64-bit WEP (although there are reports that swapping the Orinoco Silver card with an Orinoco Gold card can allow the Basestation to support 128-bit WEP.) I configured all my Orinoco Gold cards to use 64-bit encryption to be compatible with the Basestation.
The Airport Configurator version 1.3 allows up to four WEP encryption keys to be configured into the Basestation, although only one may be active at any given time. The keys are entered as 10 digit hexadecimal values (actually they merely provide a 40-bit seed for WEP - a 24-bit sequence number is added to generate the unique 64-bit encryption key for each packet sent over the wireless link).
Orinoco's Client Manager (version 1.58) similarly allows a number of encryption keys to be pre-configured, although only one is used at any given time. The Client Manager allows keys to be specified as ASCII text or hexadecimal numbers. To keep things simple, I just entered the same 10 digit hexadecimal number as I'd chosen for the Basestation.
Naturally there's a catch-22 situation if the Configurator is using the wireless link to activate encryption on the Basestation. First you must install and activate an encryption key in the Basestation and then wait for the Basestation to reboot. Once it has rebooted, the local host's Orinoco card will report that it can no longer see any basestations. Now install and activate the same encryption key in your host's card, and the Client Manager should (within a few seconds) report that it sees the Basestation. With IP connectivity restored with the Basestation, you can continue using the Configurator to set up other parameters in the Basestation (such as SNMP password, port mappings, etc).
Finally, make sure the Basestation is set to block unencrypted traffic (there is an option to allow unencrypted traffic, which would leave your ISP link wide open to others even though your own traffic is encrypted over the air).
128-bit WEP Encryption
Orinoco GOLD PC cards support both 64- and 128-bit WEP encryption. 128-bit encryption is enabled through the Orinoco Client Manager by entering a 26 digit hexadecimal key instead of a 10 digit key. This 26 digit key provides a 104 bit seed - adding a 24 bit sequence number creates a unique 128-bit encryption key per packet. It has been reported that the Airport Basestation can be upgraded to use an Orinoco GOLD PC card, and thereby support 128-bit WEP encryption. A special version of the v1.3 Airport Configurator has been released to allow 26 digit hexadecimal keys to be configured into a Basestation. I have not tried this option. [Note that if you move to 128-bit WEP, you will not be able to use regular Apple Airport-equipped hosts on your network as they appear to be limited to 64-bit WEP.]
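As an added illustration (not code from the original page, nor from Apple or Orinoco), the following Python shows how the 10- or 26-digit key described above becomes the 40- or 104-bit seed, how the 24-bit per-packet value is prepended to form the RC4 key, and how the CRC-32 integrity check (ICV) is what makes a mismatched key show up as undecodable frames. The IV and frame body are constructed sample values, and the ASCII-key handling assumes the Client Manager maps 5 or 13 characters directly to key bytes.

```python
import zlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_wep_key(key):
    """10/26 hex digits -> 5/13-byte seed (40/104 bits); 5/13 ASCII chars -> bytes.
    Hex is tried first, so a 10-character ASCII key is treated as hex (assumption)."""
    if len(key) in (10, 26) and set(key) <= HEX_DIGITS:
        return bytes.fromhex(key)
    if len(key) in (5, 13):
        return key.encode("ascii")
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def rc4(key, data):
    """Plain RC4 (WEP uses it unmodified): key schedule, then XOR keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(seed, iv, body):
    """Per-packet RC4 key is IV (3 bytes) || seed; body || CRC-32 ICV is encrypted.
    The IV travels in the clear in front of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(body).to_bytes(4, "little")
    return iv + rc4(iv + seed, body + icv)


def wep_decapsulate(seed, frame):
    """Return the body if the ICV verifies, else None (this is how a wrong key fails)."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = rc4(iv + seed, ciphertext)
    body, icv = plaintext[:-4], plaintext[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != icv:
        return None
    return body
```

Note that the only per-packet variation is the 24-bit IV, so under one key a repeated IV means a repeated RC4 keystream, which is one of the weaknesses the Berkeley paper referenced below builds on.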
Access Control Lists
The Basestation allows you to configure an access list that restricts network access to specific MAC addresses (uniquely identifying other 802.11b nodes in your wireless network). This could also be used to prevent unauthorized users from accessing your ISP link through the wireless network, unless they could guess one of your 'allowed' MAC addresses and reconfigure their client to mimic one of yours. Ideally, this mode ought to be used in conjunction with encryption (otherwise neighbors could snoop your wireless network and discover a list of 'allowed' MAC addresses simply by watching your network's un-encrypted traffic for awhile.)
When is WEP not secure?
The simple truth is that WEP encryption can be broken. A group at University of California, Berkeley, published a short paper detailing how the basic RC4 encryption scheme can be broken by passive monitoring, and/or active probing, of a WEP-enabled 802.11b network. Read their paper here.
For really secure networking you should also use IP or application level encryption whenever possible (ssh instead of rlogin or telnet, IPsec-based VPN solutions, etc...).
If you have mis-matched WEP keys in the Basestation and host(s) the Orinoco Client Manager might give the appearance that it 'sees' the Basestation but still cannot achieve communication. Under these circumstances the Client Manager will detect the Basestation's wireless transmissions and display the Basestation's "Network name". However, the "Access Point name" will be blank (the Client Manager may even complain about not being able to communicate with an 'AP' - the Orinoco term for a Basestation).
If WEP is on at the Basestation, but off at the end host, the Client Manager will report that there is no available network and no radio connection. To see if the host is even within radio range of a WEP-enabled Basestation, turn on WEP encryption at the host (with some arbitrary 10 digit key) - the Client Manager should then be able to detect the existence of a WEP-enabled Basestation even if it cannot completely establish communication.
If you only have one Basestation I suggest configuring each host to look for the network "ANY" - the end hosts will connect to the Basestation regardless of what it thinks its network name is. (Naturally I assume you have WEP enabled, which acts as moderate deterrent to keep out opportunistic freeloaders.)
The Airport Basestation is not a firewall. Although running NAT does provide some security-through-obscurity, it isn't really an alternative to a true firewall. If you have Cablemodem or DSL service, an external firewall would sit between the ISP access device (e.g. CableModem) and the Airport Basestation. (You can run the Basestation as a simple Ethernet bridge if the firewall provides a DHCP server and supports NAT itself.)
Additional Basestation features
In theory an Airport Basestation can also:
Also, the Basestation does not (as of version 1.2) support ISPs that insist on using PPP over Ethernet (PPPoE) to create the primary IP link through the Cable or DSL modem. In this case, you'd simply use the Base Station as an Ethernet bridge between the wired (ISP) side and the wireless (in-house) networks. PPPoE would then just run directly between your in-house wireless host and the ISP's remote PPPoE server - the Airport Base Station's NAT function provides no utility in this scenario. However, I have not tried this to confirm whether it works.
[Note that some residential router/gateways today do support PPPoE by implementing a PPPoE client on the WAN (ISP) side, setting up an IP link over PPPoE to the ISP, and then acting as a NAT gateway between the local (in-house) network and the IP/PPPoE link. Who knows when/if Apple will issue a new Airport software release to do PPPoE in the near future.]
The default FreeBSD 4.3 ports tree includes an installation makefile for version 1.3 of the java configurator. However, when I installed the configurator (do 'make install' in /usr/ports/net/airport) it would not work. The solution (although I don't know if it is the elegant solution) is to hack the startup script that gets installed in /usr/local/bin/airport.
The /usr/local/bin/airport script initially contains the following line:
exec /usr/local/bin/javavm -cp "/usr/local/share/java/classes/jfc-1.1.1/swingall.jar:/usr/local/share/airport/AirportBaseStationConfig.jar" AirportBaseStationConfigurator
I found that I needed to change '/usr/local/bin/javavm' to '/usr/local/jdk1.1.8/bin/jre' for it to work, i.e.
exec /usr/local/jdk1.1.8/bin/jre -cp "/usr/local/share/java/classes/jfc-1.1.1/swingall.jar:/usr/local/share/airport/AirportBaseStationConfig.jar" AirportBaseStationConfigurator
No doubt this has something to do with my vanilla 1.1.8 java installation, but it worked either way. I was then able to upgrade to version 1.5 of the java configurator by simply unzipping the 1.5 version configurator's zip file into /usr/local/share/airport (overwriting the 1.3 configurator files).
The configurator can be run on a machine with a wireless port, or on a machine that is connected via regular wired Ethernet to the 10baseT port of the Apple Airport.
As mentioned above, Orinoco's GOLD card works fine under FreeBSD (the 'wi' device driver handles this card). My test platform was an IBM ThinkPad 600 running FreeBSD 4.3.