Detecting Wireless Ethernet Frames


Post by Dan Smit » Fri, 27 Jun 2003 02:28:39



I was wondering if there is a way to detect (hopefully through iptables)
ethernet frames that originated from a wireless client.  I would like to
be able to have sensitive machines block access to specific ports if
they're coming from the wireless LAN.  I have a normal wired LAN with
many computers, and a wireless segment (using a Linksys AP) for a few
mobile units.  I thought maybe there was some way of checking a flag on
the frames to determine if they originated from a WLAN machine (and / or
traversed the AP).

Is this possible?  It would give me a little more security than WEP
alone, as I could prevent someone from attaching to my WLAN from outside
my house, and exploiting services like NFS.

TIA...

--Dan

 
 
 


Post by s.j.cliffordS.. » Sun, 29 Jun 2003 00:23:24



> I was wondering if there is a way to detect (hopefully through iptables)
> ethernet frames that originated from a wireless client.  I would like to
> be able to have sensitive machines block access to specific ports if
> they're coming from the wireless LAN.  I have a normal wired LAN with
> many computers, and a wireless segment (using a Linksys AP) for a few
> mobile units.  I thought maybe there was some way of checking a flag on
> the frames to determine if they originated from a WLAN machine (and / or
> traversed the AP).

I don't think there's any way of distinguishing wireless packets from
(er) wired ones.  Particularly since it is not difficult to change the
MAC on a wireless interface.

Can you tell the Linksys AP to only accept certain MACs?  Then you can
subject any packets on the wire that claim to come from one of those
MACs to your rules.

Better, though, would be to put the AP on its own ethernet segment and
bridge or route traffic from it through a firewall.  You could achieve
this by putting an extra ethernet card into a spare Linux / *BSD
machine:

--LAN---[eth0:Firewall:eth1]--X---WirelessAP   (X = maybe crossover cable)

This way you can treat any packets that come in on the eth1 interface as
suspicious, neatly sidestepping any issues of spoofed packets, etc.
Unless you're running 802.11g or something fancy like that the load on
the firewall will be minimal.  

S.
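
The routed layout suggested in the post above (AP on its own segment behind eth1), written out as firewall rules that filter on the arrival interface rather than on MAC addresses. This is an added example, not part of any post in the thread; the 192.168.1.0/24 wired subnet, the blocked-port list (portmapper 111 and NFS 2049) and the `wlan_ruleset` function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: prints the iptables
# commands. Run as root with IPT=iptables to apply them on the firewall box.
IPT=${IPT:-echo iptables}

LAN_IF=${LAN_IF:-eth0}              # wired side, as in the diagram
WLAN_IF=${WLAN_IF:-eth1}            # AP side, as in the diagram
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed wired subnet
BLOCKED_PORTS=${BLOCKED_PORTS:-"111 2049"}  # portmapper, NFS (assumed list)

wlan_ruleset() {
    # Start from a known state: nothing is forwarded unless allowed below.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Anti-spoofing: a wired-LAN source address can never legitimately
    # arrive on the wireless-side interface.
    $IPT -A FORWARD -i "$WLAN_IF" -s "$LAN_NET" -j DROP

    # Sensitive services are never reachable from the wireless segment,
    # whatever MAC or IP address the client presents.
    for port in $BLOCKED_PORTS; do
        for proto in tcp udp; do
            $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -p "$proto" --dport "$port" -j DROP
        done
    done

    # Replies belonging to connections that were already allowed.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Wired hosts may open connections to wireless clients; wireless clients
    # may open connections to the remaining wired services.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WLAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
}

wlan_ruleset
```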

 
 
 


Post by Dan Smit » Sun, 29 Jun 2003 00:59:44


> I don't think there's any way of distinguishing wireless packets from
> (er) wired ones.  Particularly since it is not difficult to change the
> MAC on a wireless interface.

Well, that's one of the problems.  I think I could limit all MACs other
than the ones I know about, but since MAC spoofing is easy, it'd be useless.

> Can you tell the Linksys AP to only accept certain MACs?  Then you can
> subject any packets on the wire that claim to come from one of those
> MACs to your rules.

Apparently I can, although it would be very difficult to administer that
list.  I was hoping to be able to blanket any wireless ethernet packets,
instead of maintaining the list...

> Better, though, would be to put the AP on its own ethernet segment and
> bridge or route traffic from it through a firewall.  You could achieve
> this by putting an extra ethernet card into a spare Linux / *BSD
> machine:

Yes, I used to do this before I had an access point.  I had a wireless
card in my linux router, which allowed much control (which I miss).
Maybe this would be the best idea...

Does anyone know if there's anything that the AP does to the ethernet
packet that would identify it as coming from the AP?  Like tagging its
MAC address in the frame (like a comment)?  Just hoping here ;)

Thanks!

--Dan

 
 
 
