Major Security Project – RaspAP (Smart Network Device)


Description of Project

The concept of this project is to build a portable Access Point with a secure authentication server that serves a wired network wirelessly using 802.1x, and to inspect authenticated traffic entering the company’s network using an Intrusion Prevention System. The project also covers the use of a syslog server to store all network logs in a centralised location, using a Raspberry Pi Model B.

Reason behind the Project

The major reason behind this project is that most enterprises use licence-based Access Points to serve wireless networks, whereas this portable $35 chipset can be placed anywhere within the network, so that a lot of users can connect to a secured network wirelessly and securely using 802.1x.

When we talk about sharing a private network wirelessly, the major focus is the security of the enterprise. This device inspects traffic flow through an internal Intrusion Prevention System; the IPS checks each and every packet for malicious code and scripts and, if any is found, blocks the particular packet/user/host.

The other reason behind this project is that most networks are configured to store the logs of their routers/switches/servers/firewalls/etc. locally because they don’t have enough budget to buy another server and store logs at a centralised location, whereas this portable device is very cheap, costs less than $100, and gives you a lot more than just a syslog server.

Resources

The following hardware and packages are required to complete this project.

Hardware

  • Raspberry Pi Model B 512 MB
  • RTL8187 chipset wireless adaptor
  • 8 GB SD-Card
  • USB-to-MicroUSB power cable
  • Pi-Case (Optional)
  • Breadboard
  • 26-pin rainbow ribbon cable
  • Ribbon cable header socket
  • GPIO Jumper wires (male-to-male)
  • Potentiometer
  • Basic 16×2 character LCD screen (HD44780 LCD controller)

Software Packages

Literature Review

Now I will compare my project with other projects, covering what other people have done and how my project is unique.

Literature Review 1

Project Name: FreeRadius on raspberry pi for Wireless Access Point

Website: http://dormartin.de/blog/2012/10/10/freeradius-auf-raspberry-pi-fuer-wlan-access-point/

Description: FreeRadius on raspberry pi for Wireless Access Point allows an external access point to check authentication credentials against a Raspberry Pi server pre-configured with FreeRADIUS, which then allows users to access the network.

My Project comparison: RaspAP works for authentication in 2 modes and is based on the Raspbian wheezy OS.

  • Standalone Mode

In this mode the device works as both access point and authentication server, so there is no need for an external access point: it broadcasts an SSID, and that network asks for 802.1x authentication credentials.

  • Real-time Mode

This mode is similar to the above project: my device acts as an authentication server for a Wireless Access Point. Moreover, in both cases the device provides additional features such as an Intrusion Prevention System and a syslog server. Also, in real-time mode RaspAP can be configured to communicate with Active Directory and authenticate users with their Active Directory credentials. For this to work, an IPsec tunnel with a 2048-bit RSA key mechanism needs to be configured between RaspAP and Active Directory.

Literature Review 2

Project Name: Raspberry Pi Inline IDS Device Project

Website: http://nsimattstiles.wordpress.com/2013/07/10/nsi-individual-major-project-raspberry-piinline-ids-device-project/

Description: This project was designed by one of my fellow classmates, Matt Stiles. It covers an inline Intrusion Detection System for a network using a Raspberry Pi. His device can be placed anywhere in the network and will start monitoring the network across that link.

My Project comparison: My project covers 3 major factors: Authentication, Security and Logging.

The device can be placed anywhere within the network and can be connected either wired or wirelessly. The major difference in my project is that my device is an 802.1x AP, and I have focused mostly on the wireless side of the network. When a user is authenticated by my AP, it starts the IPS service on the bridge interface between the wireless and wired networks, so if any user sends fake packets, the IPS automatically drops them and also raises an alert.

Proposed Network Topology


In this topology, I’ve placed RaspAP at a point in the network where the company wants users to connect wirelessly. RaspAP is connected to the internal network through the onboard ethernet interface (eth0) and acts as an access point by broadcasting an SSID (RaspAP Network) through the external USB wireless adaptor (wlan0).

When clients try to connect to RaspAP Network, it asks for 802.1x authentication, i.e. a username and password are required to connect. Once they complete the authentication process, they are verified against the local/remote database and get an IP address automatically from the DHCP server.

If there is a DHCP server configured on the link, clients get an IP address from that DHCP server. If there is no DHCP server on the link, RaspAP turns on its local DHCP server and hands out IP addresses from its pool.

Once the user gets an IP address, the device starts the Intrusion Prevention System on both the sending and receiving interfaces to protect against malicious packets and reverse shells. The IPS automatically drops malicious packets and also alerts the admin. You can even configure it to block a user for a particular time.

The syslog server running on the device transports RaspAP’s local logs, and logs from routers, switches and any other networking device, to centralised storage.

In this way the company has a completely secure wireless medium. The RaspAP wireless medium can be made more secure by configuring the authentication server to authenticate using a 2048-bit certificate and by enabling an IPsec/GRE tunnel.

Configuration

Basic Configuration

In this part, I’ll explain how to install and configure the operating system on the Raspberry Pi.

Download Raspbian OS from the official website, compute its SHA-1 checksum and match it against the checksum available on the website. Copy the contents of the downloaded OS to the memory card and you are ready to boot.

Insert the memory card into the Raspberry Pi and power the device, and it will start booting.

Once the device has booted, enable services like SSH2.0 and VNC-server, and set a secure password for the device.

Syslog Server/Client

A syslog server is used to store logs for monitoring in case of any event. RaspAP is configured to store logs locally or remotely for any network device within the network.

Now we will install and configure the syslog server/client.

Install it with “sudo apt-get install syslog-ng”. Then open “/etc/syslog-ng/syslog-ng.conf” in any text editor and add the following as line 14:

source s_net { udp(ip(0.0.0.0) port(514)); }; # 0.0.0.0 will bind to all interfaces on your syslog server.

and the following as line 15:

destination d_cisco { file("path-to-the-storage/raspberry_pi_logs.log"); };

Fig 1.1 Appendix #1 [Full Configurations]

Now save the file and restart syslog-ng server using “sudo service syslog-ng restart”

Fig 1.2 service syslog-ng restarted

This is how the syslog server starts transporting logs to a network path or to local storage.
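The two lines quoted above only define a source and a destination; in syslog-ng, messages are written only when a log { } statement connects them (the full configuration is in Appendix #1). The following check is an added example, not part of the original post: it lists objects that are defined but never wired into a log path, and the `log` line in `complete_fragment` is a constructed illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Lists syslog-ng sources/destinations that are defined but never used in a
# log { } statement; no message ever flows through such objects.

# The two lines quoted in the post (storage path is the post's own placeholder).
page_fragment() {
cat <<'EOF'
source s_net { udp(ip(0.0.0.0) port(514)); }; # bind to all interfaces
destination d_cisco { file("path-to-the-storage/raspberry_pi_logs.log"); };
EOF
}

# Same two objects plus a log path that connects them (constructed).
complete_fragment() {
page_fragment
cat <<'EOF'
log { source(s_net); destination(d_cisco); };
EOF
}

# unwired_objects: reads a syslog-ng config on stdin and prints
# "source NAME" or "destination NAME" for every unreferenced definition.
unwired_objects() {
    awk '
        { sub(/#.*/, "") }                          # strip trailing comments
        ($1 == "source" || $1 == "destination") && $2 != "" {
            name = $2; sub(/[{].*/, "", name)       # tolerate "NAME{" without a space
            defined[$1 " " name] = 1
        }
        {
            line = $0                               # collect source(X) / destination(X) references
            while (match(line, /(source|destination)[(][A-Za-z0-9_.-]+[)]/)) {
                ref = substr(line, RSTART, RLENGTH)
                sub(/[(]/, " ", ref); sub(/[)]/, "", ref)
                used[ref] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (d in defined) if (!(d in used)) print d }
    ' | sort
}

echo "post fragment, unwired objects:"
page_fragment | unwired_objects
echo "with log path, unwired objects:"
complete_fragment | unwired_objects
```

Because the source listens on UDP 514 on every interface, anything that can reach the device can write into this log; restricting the bind address or filtering senders with iptables narrows that.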

Intrusion Prevention System

An Intrusion Prevention System prevents the network from being infected with malicious code. The IPS continuously monitors each and every packet across the wired and wireless medium. In case of a malicious packet, the IPS blocks that source and the malicious packet and forwards the details to the network admin.

In RaspAP, the IPS is configured to monitor traffic on br0, which is the bridged interface for the wired and wireless medium. In simpler words, the IPS monitors traffic flowing from wired to wireless and vice versa.

Snort

Now we will install and configure the IPS on RaspAP.

We will install a package named Snort (which is an Intrusion Detection Package). It detects intrusions and malicious code and alerts the network admin.

Fig 1.3 snort configurations display

Installing Snort on Debian is very easy, with one line: “sudo apt-get install snort”

The above command installs the snort package with all its prerequisites. Once Snort is installed, it has the latest stable rules installed, but they are not activated by default.

In order to activate rules you need to edit the Snort configuration file “snort.conf”.

This command opens the Snort configuration file: “sudo nano /etc/snort/snort.conf”

In the configuration file, go to the end, remove the “#” and save the file to enable that rule.

Once the rules are saved restart snort using “sudo service snort restart”.

You can even create your own custom rules in “/etc/snort/rules/local.rules”.

Now that Snort is configured to monitor traffic, we need to configure the interface on which Snort will work.

To configure the interface, edit the interfaces file: “sudo nano /etc/network/interfaces”

Fig 2.2 Appendix #2 [Interface Configurations]

This configuration will bridge the wired and wireless medium and will allow snort to monitor traffic from wired to wireless and vice-versa.

SnortSam

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on the basis of iptables.

Installation of SnortSam is very complex. It is a five-step process:

  • Compile and install SnortSam.
  • Patch and recompile Snort.
  • Configure SnortSam.
  • Configure Snort.
  • iptables dependent configs.

*complete installation instructions at [http://doc.emergingthreats.net/bin/view/Main/SnortSamINSTALL]

To start monitoring we need to run Snort with SnortSam. I’ve made a shell script which runs at start-up as a service. It automates the whole complex process and cuts it down to a simple one-line command.

Script located at /etc/init.d/RaspAP_IPS.sh

  • RaspAP_IPS.sh [Appendix #3]
Fig 2.1 Intrusion Prevention System script (RaspAP_IPS.sh)

RaspAP will run as Intrusion Prevention Device and will block traffic from wireless to wired and vice-versa.

This script will run snort as intrusion detection system, snortsam as blocking agent for any intrusion detected on the bridged interface and will log them to “ips-YYYY-MM-DD.log” which can be accessed at “http://ip-address-of-RaspAP/log/”.

Fig 2.2 logs directory
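Since SnortSam blocks hosts automatically, the daily IPS log is worth reviewing to see which sources triggered alerts and how severe they were. The script below is an added example, not the post's RaspAP_IPS.sh; it assumes the log holds Snort "fast" format alert lines with IPv4 addresses, and the sample alerts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes the IPS log contains Snort "fast" alert lines; IPv4 only.

# Constructed sample alerts (addresses, SIDs and messages are made up).
sample_alerts() {
cat <<'EOF'
06/12-14:03:21.118204  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.23 -> 192.168.10.1
06/12-14:03:25.402113  [**] [1:1000002:1] LOCAL test rule B [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.23:51324 -> 10.0.0.5:445
06/12-14:04:02.000871  [**] [1:1000002:1] LOCAL test rule B [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.23:51330 -> 10.0.0.5:445
06/12-14:05:10.554120  [**] [1:1000001:1] LOCAL test rule A [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.40 -> 192.168.10.1
EOF
}

# alert_sources MIN: reads alerts on stdin and prints
# "SRC_IP ALERT_COUNT MOST_SEVERE_PRIORITY" (priority 1 is the most severe)
# for every source with at least MIN alerts, busiest source first.
alert_sources() {
    awk -v min="$1" '
        index($0, "[**]") {
            prio = 9                                  # used when a line carries no priority tag
            for (i = 1; i <= NF; i++) {
                if ($i == "[Priority:") {
                    prio = $(i + 1) + 0               # "1]" converts to 1
                } else if ($i == "->" && i > 1) {
                    src = $(i - 1)
                    sub(/:[0-9]+$/, "", src)          # drop the :port suffix
                    count[src]++
                    if (!(src in best) || prio < best[src]) best[src] = prio
                }
            }
        }
        END { for (s in count) if (count[s] >= min) print s, count[s], best[s] }
    ' | sort -k2,2nr -k1,1
}

# Sources with two or more alerts in the sample.
sample_alerts | alert_sources 2
```

On the device the same function can read the day's file, for example `alert_sources 5 < ips-YYYY-MM-DD.log` with the real date filled in.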

Secured Access Point

Secured Access Point uses IEEE 802.1x which is PNAC (Port-based Network Access Control).

802.1X is an IEEE standard for media-level access control, offering the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity. RaspAP offers network access control at the media access level (layer 2) through implementation of the 802.1X protocol.

A benefit of 802.1x is that none of the switches and access points inside the network need to know how to authenticate the client. All they do is pass the authentication information between the client and the RaspAP server. The RaspAP server handles the actual verification of the client’s credentials. 802.1x supports many authentication methods, from simple username and password to hardware tokens, challenge and response, and digital certificates.

RaspAP can be configured to use RaspAP with EAP (Extensible Authentication Protocol) to facilitate communication from the supplicant to the authenticator and from the authenticator to the authentication server.

Fig 3.1 The above diagram shows how EAP works

Now we will configure Secure Access Point.

Configuring secured access point to use 802.1x can be done with two packages:

  • hostapd

“hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server.”

hostapd installation

hostapd can be downloaded from [http://hostap.epitest.fi/hostapd]. Installation is simple by extracting tar.gz and using following commands

“chmod +x hostapd
cd hostapd
./configure && make && make install”

After installing hostapd, the configuration file needs to be modified with the following information.

hostapd configurations [Appendix #4]

Fig 3.2 hostapd configuration (hostapd.conf)
  • freeradius

“FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS refers to the RADIUS server.”

freeradius installation

freeradius can be downloaded from the apt-get repository. Installation is simple, using the following commands:

“apt-get install build-essential libmysqlclient-dev libperl-dev libssl-dev
apt-get install freeradius”

After installing hostapd, the configuration file needs to be modified with the following information.

freeradius configurations

Fig 3.3 freeradius client configuration (clients.conf)
Fig 3.4 freeradius users configuration (users)
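The settings that decide whether this access point really enforces 802.1X sit in hostapd.conf, together with the RADIUS shared secret that must match the one in FreeRADIUS's clients.conf. The audit below is an added example, not the post's configuration: both sample files are constructed, and it assumes hostapd talks to a FreeRADIUS server on the same device over 127.0.0.1.

```shell
#!/bin/sh
# Added example, not the post's hostapd.conf.

# Constructed config with weak settings: mixed WPA/WPA2, TKIP, and the shared
# secret "testing123" that FreeRADIUS ships in its sample clients.conf.
weak_conf() {
cat <<'EOF'
interface=wlan0
bridge=br0
ssid=RaspAP Network
ieee8021x=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
own_ip_addr=127.0.0.1
EOF
}

# Corrected counterpart: WPA2 only, CCMP only, long placeholder secret.
hardened_conf() {
cat <<'EOF'
interface=wlan0
bridge=br0
ssid=RaspAP Network
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-replace-with-random-32-chars
own_ip_addr=127.0.0.1
EOF
}

# audit_hostapd: reads hostapd.conf on stdin, prints one line per finding.
audit_hostapd() {
    awk '
        /^[ \t]*#/ || !/=/ { next }        # skip comments and non key=value lines
        { eq = index($0, "="); cfg[substr($0, 1, eq - 1)] = substr($0, eq + 1) }
        END {
            if (cfg["ieee8021x"] != "1") print "ieee8021x: 802.1X is not enabled"
            if (cfg["wpa"] != "2") print "wpa: expected 2 (WPA2 only)"
            if (cfg["wpa_key_mgmt"] != "WPA-EAP") print "wpa_key_mgmt: expected WPA-EAP only"
            if (cfg["rsn_pairwise"] != "CCMP" || cfg["wpa_pairwise"] ~ /TKIP/)
                print "pairwise: expected rsn_pairwise=CCMP and no TKIP"
            s = cfg["auth_server_shared_secret"]
            if (s == "testing123" || length(s) < 16)
                print "auth_server_shared_secret: sample or short RADIUS secret"
        }
    '
}

echo "findings for the weak sample:"
weak_conf | audit_hostapd
```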

Small Screen Display

As you all know, the Raspberry Pi doesn’t have a screen on it. A small 16×2 screen display can be attached to RaspAP to display important information such as the temperature of the RaspAP, the IP address of the bridge interface and the status of the important services SSH, SYSLOG and IPS.

This small screen display is connected using General-purpose input/output (GPIO) pins. I will be using the RPi.GPIO library and Python to control the 16×2 LCD screen. The LCD used is based on the Hitachi HD44780 LCD controller. Although the LCD has 16 pins available for interfacing, in 4-bit mode only 6 GPIO pins are required (RS, E, D4, D5, D6, D7).

LCD Pin        RaspAP Pin
01      <>     GPIO-06 (-ve)
02      <>     GPIO-02 (+5V)
03      <>     Contrast adjustment (Middle of potentiometer)
04      <>     GPIO-26
05      <>     GPIO-06
06      <>     GPIO-24
07      –      NOT USED
08      –      NOT USED
09      –      NOT USED
10      –      NOT USED
11      <>     GPIO-22
12      <>     GPIO-18
13      <>     GPIO-16
14      <>     GPIO-12
15      <>     GPIO-02 (+5V)
16      <>     GPIO-06 (-ve)

Fig 4.1 GPIO Pin Layout

GPIO – General-purpose input/output (GPIO) is a generic pin on an integrated circuit (commonly called a chip) whose behavior (including whether it is an input or output pin) can be controlled (programmed) by the user at run time. -wikipedia

GPIO on the Raspberry Pi is a 26-pin generic input/output that can be controlled/commanded from most scripting/programming languages, using a built-in library to communicate with the hardware.

Python GPIO library (RPi.GPIO 0.2) – Download

RPi.GPIO 0.2 is a module to control Raspberry Pi GPIO channels.

Installing the GPIO module into the Python library is easy. Once you download the package you will have “RPi.GPIO-0.2.0.tar.gz”. Extract it and install it:

cd /tmp
sudo wget https://pypi.python.org/packages/source/R/RPi.GPIO/RPi.GPIO-0.2.0.tar.gz
sudo tar -zxvf RPi.GPIO-0.2.0.tar.gz
cd RPi.GPIO-0.2.0
sudo python setup.py install

After running all the above 5 commands you will have GPIO module installed.

Using the GPIO library in Python is simple; the library is imported with just one line of code:

import RPi.GPIO as GPIO

The screen display is controlled by a Python script using the GPIO library. Scripts are stored in “/var/www/gpio/screen/message.py” [Appendix #5]

The screen display also runs as a service using “/etc/init.d/screenDisplay.sh” [Appendix #6]

Fig 4.2 Screen Display [Appendix #6]

Security

802.1x is used by an access point to implement WPA. In order to connect to the access point, a wireless client must first be authenticated using a certificate, username and password. 802.1x uses EAP (Extensible Authentication Protocol) to facilitate communication from the supplicant to the authenticator and from the authenticator to the authentication server.

All communications via RaspAP are encrypted and are monitored by the internal Intrusion Prevention System for any intrusions or malicious code that could infect the network.

Optional Security: RaspAP can be configured to allow users to connect to the wireless network using the Active Directory credentials they use to access other parts of the network. To use this additional security, trust between RaspAP and Active Directory is created using 2048-bit RSA keys.

Also, the user’s host device needs to have a certificate authorised by a CA in order to connect to the secured wireless connection.

Cisco Aironet 600 Series OfficeExtend v/s RaspAP Access Point

Cisco Aironet 600 Series OfficeExtend

Extend 802.11n wireless coverage to the home teleworking environment

Speed setup time without the need for technical support with no-touch deployment

Deliver full 802.11n speed with simultaneous 2.4 GHz and 5 GHz RF band support

Device costs $3500 (includes 50 licences) + $200 per licence

Benefits

  • Extends Borderless Network services and policies to the home-office teleworker.
  • Protects the corporate environment with industry-standard control and wireless access point (CAPWAP) support.
  • Simultaneously supports corporate and personal network activity with traffic segmentation.
  • Increases productivity and reduces cellular cost by extending voice to the home wirelessly or via a wired Ethernet port.
  • Reduces setup time with simplified IT provisioning.

RaspAP Access Point

Extend 802.11n wireless coverage to the home teleworking environment.

Setup/Configure RaspAP features using a very easy webpanel hosted locally.

Deliver full 802.11 b/g/n/ac/ad speed with simultaneous 2.4 GHz and 5 GHz RF band support using any wireless antenna available.

Device costs $80 with unlimited licences.

Benefits

  • Protects the network using an on-board inline Intrusion Prevention System.
  • Protects the corporate environment with the most secure RSA 2048-bit private/public certificates.
  • Captures network traffic using the widely used tools Wireshark & Tshark.
  • Can be used to increase productivity by using multiple antennas to support multiple clients.
  • Monitors traffic using on-board syslog-ng.

Conclusion

RaspAP might not be good for performance at this stage, but it provides you with secured network access and the best intrusion prevention system.

Pricing

RaspAP costs approx. AUD $90. All the software packages used are open source and freeware.

 

RaspAP Hardware                              Price (in AUD$)
Raspberry Pi Model B 512 MB                  $ 35.00
RTL8187 chipset wireless adaptor             $ 25.00
8 GB SD-Card                                 $ 10.00
USB-to-MicroUSB power cable                  $ 2.00
Pi-Case (Optional)                           $ 8.00
Breadboard, Jumper wires and 16×2 screen     $ 11.00
Total                                        $ 92.00

Updates

The repository is linked to a server that stores updates for RaspAP:

“https://hackogram.com/RaspAP/Updates/src/”

“https://github.com/hackogram/Updates/src/”

To update RaspAP, open a console, type the command “sudo update RaspAP” and then enter the Admin password provided.

This “sudo update RaspAP” command is linked to a script that runs and checks for updates.

If an update exists, it grabs the update and applies it to RaspAP; before applying the update it makes a backup of the current configuration.

References

http://doc.emergingthreats.net/bin/view/Main/SnortSamINSTALL

https://hackogram.com/content/connecting-lcd-screen-16×2-to-raspberrypi-and-displaying-temperature-ip-and-more-3-raspoelectro/

http://kb.netgear.com/app/answers/detail/a_id/1209/~/what-is-802.1x-security-authentication-for-wireless-networks%3F

http://hostap.epitest.fi/hostapd/

http://wiki.freeradius.org/Home

http://hackogram.com/content/major-security-project-plan/

http://www.cisco.com/c/en/us/products/wireless/aironet-600-series-officeextend-access-point/index.html

http://himanshu181in.wordpress.com/

http://www.raspberrypi.org/forums/viewtopic.php?t=49610

http://www.ndm.net/lan/Cisco/cisco-aironet-600-series-officeext-access-point

http://alcomtel.ie/products.php?category=wi-fi-networks

http://ubuntuforums.org/showthread.php?t=1704166

Appendix

#1 Syslog Configuration (/etc/syslog-ng/syslog.conf)

#2 Interface Configuration (/etc/network/interfaces)

#3 IPS configurations (/etc/init.d/RaspAP-IPS.sh)

#4 hostapd configurations (/etc/hostapd/hostapd.sh)

#5 Screen Display (/var/www/gpio/screen/message.py)

#6 Screen Display as Service (/etc/init.d/screenDisplay.sh)

 

 

If you need urgent help or more information on RaspAP, please email me : himanshu@hackogram.com

 
