Software, technology, sysadmin war stories, and more. Feed
Tuesday, April 10, 2012

My horrible wireless "security" scheme with no budget

I've done some evil things to try to keep my networks secure when I had no budget to do them properly. One of them was a multi-location, multi-access-point wireless network. We had a bunch of users running Windows, and there was no money to buy proper VPN software or any other "real" crypto. WEP was already known to be broken and easily cracked even way back then, but our access points didn't support anything else. We had boxes and boxes of these things and couldn't replace them. I had to use them somehow while coming up with some other solution.

We were fortunate enough to have access points which did their own spanning tree stuff, so it was one big wireless network which did proper reassociations and all of that. It wasn't like where you have two networks with the same name but different ESSIDs and it's not seamless.

I decided to first wall off the access points into their own little network with VLANs. This way, even if you found out the laughably-weak WEP password that we were using as a placeholder, you'd only be able to get into that network. The only things on that network were other access points, the bare interfaces of other clients, and a lone Linux box.

That lone Linux box just had a single physical Ethernet interface because cheapness was the order of the day. It had to do all of this "inside" and "outside" business across that one port. I set it up to run 802.1q VLAN tagging and had it join the virtual network where all of the access points were running. It was also configured for untagged operation in the normal physical network at the site.

On the box, I had it run a DHCP server and a PPTP server called PoPToP. This required some ugly kernel mangling to support MPPE encryption. Once all of that was in place, clients could get a RFC-1918 IP address like 172.16.x.x from the gateway box in that dead-end network, and then they could open a PPTP connection to, which was my gateway. If they gave it a valid login and password, it would then stand up a VPN connection to them and start allowing them to see the outside world.

There's just one problem, though: there was no way I was going to manually manage a bunch of usernames and passwords. Also, I was given the requirement that anyone with a valid NT account needed to be able to use this thing. Even though I had a Unix machine with similar but not identical username/password combos (grumble grumble, I was there first), that was not how it was to be run.

This was well before the days when Samba had winbind and could just be a full-fledged member of a NT domain. They had this really crazy thing which used to take the login/password you presented and would then try to log in as that user to some random NT box you selected. If that worked, then it would assume it was a good account and would let them into Samba as that user.

I figured, if it was good enough for them, it was good enough for me. I chopped that code out of Samba and made a new module for pppd which I called "msnt_auth". It just took whatever pppd had provided and did the same call-out to some NT machine. If it worked, then it said "looks legit" to pppd and got out of the way.

So now we had this thing where someone running a stock install of Windows 95 could just configure their wireless, then add a new connection, use their usual domain credentials, and get online. Since it was an identical configuration at all of the schools, they could just turn it on and use it anywhere they went. Also, while they were at a site, they could walk around and roam from one AP to the next to keep a good signal.

It was a horrible combination of really bad hacks. WEP security is broken, PPTP is either broken or very badly challenged, and the whole thing with replaying a user's login/password to attempt a login as them is just a disaster.

But... it didn't cost them anything more than my time, which they already had for a song and a dance. It also kept most casual interlopers out of the network. Even now, I still feel a little dirty having done it.

Of course, none of this mattered when I'd visit a site and find an access point plugged straight into the normal network, thus opening it to anyone in range.

"Network engineers", indeed.