How to secure an open wifi access point

Question

I have seen tremendous amounts of guides on how to protect yourself when using a public wireless internet connection, but nothing about how to protect your public access point from malicious users.

A bit of background. I had bought this raspberry Pi and still nothing useful to do with it, and a spare USB WiFi Dongle(with an antenna). So I decided to share my internet connection when I'm not using it. So i have installed hostapd, use dnsmasq for dhcp, a squid proxy server (transparent with iptables redirecting port 80 to 3128). Note here that i'm aware of how short the lifetime of my SD card will be. Another point you should not consider is bandwidth usage consumption, since I have setup QoS on my gateway and hve unlimited internet (standard here, in France)

What I'm concerned about is I have no idea of what kind of security policy I should setup to prevent, say, someone to inject a malicious program inside the raspberry pi which will then infect not only every new client on the Wireless subnet, but any computer I have plugged to the local LAN.

I also feel concerned about how to protect any connected host from another malicious wifi user. Having had the same concern once at work, all I thought about would be ARP poisonning every host saying them any MAC address different from theirs is the access point, but that seems overkill and inefficient.

Here are my ideas:

• Block port 443 on any connection
• Install SquidGuard to enforce authorized/unauthorized websites (I tried, too CPU-intensive for a RPi)
• Restrict interactions on the local network (except the internet gateway) to SSH from my computer and HTTP for my monitoring tools

What I already have as a security measure :

• non-standard passwords for local users
• sshd not listening on wireless interface
• httpd not listening on wireless interface
• Regular backups of my squid logs on an offline media in case any legal source asks for them ?

So, what else should I set up, according to you?

Answer 1

A public access point is public. This means that anybody can connect to it and use it. Thus, "protecting the access point against malicious users" is not a well-defined goal. The access point has no secret data to keep confidential, or a restricted service to offer only to authorized users. It is public.

What you might want is to protect users from each other: you don't want one user of the public access point to be able to eavesdrop on other users, or alter their data, or even simply disrupting communications. This is a problematic of big sites which really want to provide "free WiFi" for a lot of people but have a recurrent problem of antisocial users.

It turns out that you cannot. The cryptographic elements in the WiFi protocol are meant to:

1. Enforce authentication, keeping people out of the connection if the access point is not public, but requires authentication.

2. Prevent eavesdropping on the connection of duly connected users from people who are not connected.

However, nothing in the WiFi protocol was designed to prevent two connected users from spying on each other. With a public WiFi, everybody can connect (by definition), so everybody can spy on everybody.

Crippling your access point, e.g. by blocking port 443, won't bring any security, except in the following sense: if the access point is made unusable because of too strict restrictions, then people won't use it, and thus the spying issue disappears: there is no attacked user if there is no user at all. But for the remaining users, blocking port 443 just makes their situation worse: not only does it not prevent other users from spying on their traffic, but it also prevents them from defending themselves by using HTTPS browsing when possible.

---

You seem to be aware that "legal sources" may ask for logs. The legal situation is actually worse (for you):

• By willingly running an open access point, you have become a service provider, so you are bound by all the regulations attached to that state. The ARCEP could give you the relevant information, but be warned that this goes much beyond simple squid logs.

• Your own Internet access was provided to you based on a contract which explicitly forbids sharing beyond "home usage". If you act as a service provider (that's what you are trying to do), then you are in clear violation of the terms of that contract, and your ISP may lawfully shut your access down.

• If someone uses your access point to then engage in "illegal activities" (e.g. attacking other sites) then you could be considered as accomplice. That's the point of the ARCEP regulations: registered service providers can claim exemption, in the way that phone companies do not get into legal trouble when criminals plot crime by phoning each other. This exemption is not automatically granted to just any random citizen who plugs a WiFi access point.

Therefore, running your own public access point, just like that, really is a bad idea, however generous the basic principle might seem at first look.

Answer 2

If you want a secure access point, don't have a public access point.

A public access point is by definition insecure. Blocking port 443 will actually sabotage people's security on your public access point. You can't secure a public access point. All you can possibly do is setup an account creation service that is hosted, isolated on the public wireless network and have it produce users to allow them to connect to an enterprise WPA network. This would allow you to have different wireless keys for each user and thus keep them secure and isolated.

The hosts using your AP could use VPN connections and SSL to tunnel their traffic over the insecure network, but as the AP there isn't anything you can do. The traffic between the AP and the client has to be unencrypted since you are running an open AP and thus anyone could pick up or inject information in to the traffic.

Also, you want to physically place the public AP outside your network. Setup a public network outside your main router and then with your internal router, treat that public network the same as you treat internet traffic. You could accomplish the same thing with VLans if your hardware supports it, but simply putting the public AP outside the network is the safest bet.

Answer 3

As new technology appear I will add another answer to secure a public's access point.

• Now some routers they allow you to make your WLAN more secure between each device. As I agree with Tom Leek;

What you might want is to protect users from each other: you don't want one user of the public access point to be able to eavesdrop on other users, or alter their data, or even simply disrupting communications. This is a problematic of big sites which really want to provide "free WiFi" for a lot of people but have a recurrent problem of antisocial users.

The quote from SonicWall to show the feature;

By default, SonicWALL blocks inter-client communication on the Wireless Zone as a security measure. Therefore, wireless devices cannot communicate with each other.

You can see a KB there, to force you to edit some ACL to allow inter WLAN communication.

Other major's brand router surely have such feature too.

• The other point is I strongly suggest is to make a WLAN's VLAN, to isolate the traffic from your LAN completely.

• The last point I suggest is to use another public IP for that WLAN's zone. As in example if a user get infected and send a lot of spam, your public IP will not be blacklisted in RBL's list