the evilgate structure, and 802.1X



I told you about the Linksys WRT54GS-DE router I’ve bought to put OpenWRT on it. So what’s it all about? Why would I want to have such a firewall-detour-device? And what’s a firewall-detour-device anyway?


So let’s take the following situation: you are in a network that allows you to access only parts of the internet. Let’s say you can reach TCP ports 21, 22, 80, 119, 139, 143 and everything above 1024 (the list is incomplete!), and the network blocks every UDP transfer you would like to make. Unfortunately all the interesting things want UDP, or at least some of the lower TCP ports. What to do? That’s why you need the firewall-detour-device: it passes you unfiltered internet through the filtered network.


In our case it looks like this:



As you can see there are two ways to use the firewall-detour-device (the little Linksys in the picture): by standard RJ45 Ethernet and by 802.11g WLAN. The most interesting case is the WLAN use case, but let’s start with the OpenVPN tunnel. The first thing you need is a machine that has unfiltered internet. You then determine on which ports you can connect through your firewall to that particular server, TCP port 80 for example. Now take OpenVPN, and with a few lines of configuration the server is set up. (OpenVPN gives you the ability to connect through virtually every port, either UDP or TCP; you could even tunnel through an HTTP/S proxy, but that’s not the subject of this article.)


The client side has to be configured accordingly, which means installing OpenWRT on the Linksys and getting OpenVPN ipkg’ed…


The last question is how you secure your WLAN access to the firewall-detour-device. You have heard about WPA? In our case we implemented an 802.1X authentication system: the authentication is done by a RADIUS server that runs on the Linksys. The client (the user’s notebook or desktop PC) has a certificate issued by the same CA that issued the access point’s certificate, with just some XP_EXTENSIONS (additional OIDs) in the certificate. On the Linksys there additionally runs a daemon that changes the WPA key every 3600 seconds (configurable).


So in the end you have certificate-based authentication against a RADIUS server, combined with a WPA implementation that changes the WPA keys at a configurable interval.


A typical OpenVPN config file looks like this:

dev tun
proto udp

# TLS parameters
client
ca [ca-certificate-PEM-format]
cert [client-certificate-PEM-format]
key [client-key-PEM-format]
# dh is a server-side option (OpenVPN ignores it in client mode); it belongs in the server config
# dh [Diffie-Hellman parameters file]

remote [the-OpenVPN-server]
pull


There are some how-to manuals available on the OpenWRT homepage, so I won’t copy-paste them here. But there are some misconceptions about what you have to do on a Windows client to use an 802.1X WLAN:


You need the root certificate (the same one you used on the access point; the only difference is that it has to be in DER format) and you need a client certificate with the XP extensions in PKCS#12 format. When you have both you just have to double-click to import them. When you now connect to the 802.1X WLAN you are asked to approve the root certificate. After that you’re probably asked to choose which client certificate you would like to use; select your client certificate and voilà, you should be connected to the WLAN, authenticated with 802.1X.


Source 1: Linksys Router is now “evilgate”
Source 2: What is WPA?
Source 3: What is 802.1X?
Source 4: http://www.freeradius.org/
