Using PC as bridge

The apartment where I live is on a university campus and is connected to the
university's network. I have 2 network outlets, one of which is connected to
my PC and the other to a wireless router supplying connectivity to 2 laptops.

The university has just instituted a system whereby we need to supply a
username and password in order to access the Internet. Since there doesn't
seem to be any way to get the wireless router to do this, my only other
option seems to be to get a second network card for the PC and plug the
wireless router into that. Is this technically feasible, and if so, what do I
need to configure?
 
Koren,

If you were to install a second network adapter, and run the Network Setup
Wizard, it would likely create a bridge automatically.

That said, I have to wonder if that's a good idea. Do you intend to access
resources in the University network also (and if not, why do you intend to
connect at all?)?

If you were to create a bridge between a public network and the University LAN,
this would cause a possible security leak around the proxy server which your
University network admins have apparently put into place to protect the LAN
there. Also, connecting a wireless device could put the University LAN at risk.

Have you talked to the network admin staff? They may have a procedure already
in place to help. Give them a chance please.
 
The university IT staff is aware of the situation. They have only just
implemented the security scheme, primarily to deal with the student
accommodation that is in the same building that I live in. (I am a staff
member). Also, since I am in an Asian country, there are various language and
cultural barriers associated with trying to explain the issues to them and
getting them to take it seriously. I (or rather my husband, who is also a
professor here) notified them of the problem and they are "looking at it",
but I suspect that they will just tell me that it "can't be done" rather than
seriously looking for a solution.

The system they have set up means that as soon as you start a browser you
are taken to a login page where you need to supply a user name and password
before you can access any Internet resources (including university web
sites). I don't know about other local network resources (Windows/Netware)
since my home PC isn't logged in to the local network (and neither will the
laptops be). The software appears to be from Aruba Networks, since the URL at
the top begins https://securelogin.arubanetworks.com.

I already have firewall software running on my PC, and it is extremely
unlikely that intruders can get onto our wireless connection for a variety of
reasons, including physical security of the building surrounds, and that the
walls are so thick that the connection barely works within our flat let alone
outside. What other security precautions would I need to take to prevent
problems?
 
Koren,

Let's see. A bridge operates at OSI Layer 2 (Data Link), and a Firewall /
Router at OSI Layers 3/4 (Network / Transport). I'd question whether anything
bridged would even go thru the firewall, so if you have two connections, and
you're operating a bridge, that's an open passage from the untrusted network
(Internet or WiFi LAN) into the trusted network (your University LAN), and on
the WRONG side of the Aruba proxy.
<http://en.wikipedia.org/wiki/OSI_model>

Now the issue of signal strength is really one of security by obscurity, as in
there would be lots of stronger signals nearby, so no intruder would ever use
mine. You're implying, though, that you have a weak signal, so no intruder
would ever see yours. Koren, this is not accurate. Wardrivers use high gain
antennas; while your wimpy little stub antenna might barely get you +3dB SNR, a
wardriver with a high gain parabola might sit in a parking lot a block away and
surf with +6dB SNR. Please don't confuse yourself, wardrivers don't play by
your rules, or use your hardware.

This story illustrates how easy wardriving is.
<http://nitecruzr.blogspot.com/2005/05/incredibly-stupid-wardriver.html>

So let's see how this works.

University Network <=(1)=> PC <=(2)=> WiFi Router <-(3)-> Laptops

where <-(n)-> is wireless, and <=(n)=> is Ethernet. You could indeed install a
second card in your PC, and make a bridge out of it. But it would, I think,
have the security problem that I described above.

What you would want to do is use the WiFi router as a WAP. I've written an
article explaining how to do this.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-on-lan-with-two-routers.html>

If I was a LAN admin that set up a proxy requiring authentication, I'd certainly
not appreciate it to find a bridged connection connecting the protected side of
my proxy (my LAN) to the unprotected WiFi environment. And I doubt that I'd be
too polite if I did find one. Don't put yourself, or the University network, at
risk please.

I do hope, for everybody's sake, that they ARE sweeping their network looking
for unauthorised connections. WiFi leaks, like what you're contemplating, are
well known threats in the business world, and a whole product line of commercial
products, designed to find unauthorised WiFi installations, are available. I
wouldn't be too surprised to find that your University LAN admins are taking
similar precautions.

This is not to say that I don't think you should have wireless convenience. I
do, but what you're proposing, without you knowing the risks, would be very
wrong.

Even normal WiFi precautions, which would protect your 2 laptops, and your PC,
still won't protect the University LAN IMHO. Please read this article and
carefully consider all precautions for YOUR computers.
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

I'm going to do some deeper research into the bridge implications. Please let
me know that you have read this, and understand what I said, and whether my
ASCII art diagram above is what you're considering. I will get back to you, so
please be patient.
 
Thanks for your detailed reply Chuck. Yes, your ASCII-art diagram is exactly
what I am contemplating.

The thing that frustrates me most about this situation is that the reason
this system was set up is _not_ to protect the University's LAN. The system
does not operate all over the University, but only in the student residences.
It was set up so they could keep a closer eye on exactly who was downloading
illegal movies, porn, etc. Unfortunately the staff residences happen to be in
the same building as some of the students so we have been caught in the same
restrictive system. (Well, maybe some staff, or their kids, are downloading
pirate movies too). Everything on the University's intranet is still
password-protected anyway.

As regards wardriving, I understand the risks, but I truly believe them to
be minimal in this situation. One issue is that there are wireless access
points elsewhere on campus that are more easily accessible. Secondly, the
security on campus is such that a casual driver can't get within 500 metres
of our building without a specified reason for being on campus. We are
surrounded by hills and forest with only one access road onto campus (we
aren't in the middle of nowhere, but the campus itself is pretty isolated).
Thirdly, the construction of our apartment is such that I needed to run a
directional antenna to get the signal from the base station (in one room) to
the living room 10 metres away! I know these reasons don't make it
impossible, but it's pretty unlikely in my opinion.

I don't quite follow your reference to the posting on using the Wi-Fi router
as a WAP. I don't have 2 routers but only one, the wireless one. My PC, and
the wireless router, are connected to (presumably) a switch on the
university's network.

Again, thank you for your detailed response. If I do go down this path I
will be sure to use the security suggestions on your web site as a guide.

Cheers, Koren
 
Koren,

OK, I see your question. You could leave the Internet feed, in this case, to
the WiFi LAN (which includes your desktop computer) as an untrusted second
network. I am so used to posting the router to WAP conversion as a solution
where folks can't understand why they can't get all of their computers (ie your
desktop and 2 laptops) to communicate openly. If you don't care about that at
all, and ONLY want to share internet service, then using your WiFi router and
feeding it from the desktop and University LAN, would be the right procedure.
Though that puts the NAT filtering effect backwards.

But I WAS betting that the Uni LAN uses the authenticating proxy to track usage.
That is the reason why authenticating proxies are being sold so well these days.
And THAT would be one reason why the University might be watching for folks
going around the proxy, and might catch you, though for a different reason.

And the Uni network, on your side of the proxy, is a protected environment to
many. Which would still, IMHO, make the Uni LAN admins unpleasant if they catch
you bridging WiFi into their LAN. Unlikely consequences (and I would still
think about that) though the isolated environment MAY make.

But I think you have another technical detail to consider. I don't think,
looking at it from the network aspect, that your bridge will help you. I think
that when you authenticate to the proxy, that you're authenticating for the
browser on the desktop computer. The WiFi LAN, on the other side of the bridge,
will look just like another computer to the proxy. Just the same as if you
connected a hub to the wall outlet.

I just finished writing a summary of this issue, in the DSLR Security Forum,
where many knowledgeable folk hang out. You're welcome to follow along, or
participate, if you wish. It's a semi-open forum, with free and encouraged
registration.
<http://www.dslreports.com/forum/remark,14053284>

I like this issue. I think we both may learn a bit.
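
The point made in the post above, that devices behind a bridge look to the upstream network like extra computers on the same wall outlet, modelled as an added example that is not part of the original post. It assumes the portal keys its sessions on source MAC address; the MAC addresses and port name are constructed.

```python
"""Added illustration: what an upstream switch and portal see behind a Layer 2 bridge."""
from collections import defaultdict

# Constructed sample data: MAC addresses and the port name are made up.
DESKTOP = "02:00:00:00:00:01"
LAPTOP_A = "02:00:00:00:00:0a"
LAPTOP_B = "02:00:00:00:00:0b"
WALL_PORT = "apt-outlet-1"


def bridge_forward(frames):
    """A transparent bridge relays frames unchanged: the source MAC is preserved."""
    return [dict(f) for f in frames]


def learn_macs(port, frames, table=None):
    """Upstream switch: record every source MAC learned on a port."""
    table = table if table is not None else defaultdict(set)
    for f in frames:
        table[port].add(f["src"])
    return table


def ports_with_extra_stations(table, limit=1):
    """Flag ports showing more stations than expected (hub, bridge or AP attached)."""
    return {port: sorted(macs) for port, macs in table.items() if len(macs) > limit}


def portal_decisions(frames, authenticated):
    """Assumed portal model: sessions are keyed by source MAC, not by browser."""
    return {f["src"]: ("allow" if f["src"] in authenticated else "redirect-to-login")
            for f in frames}


def simulate():
    # The desktop sends its own traffic and bridges the laptops' frames onto the outlet.
    from_wifi = [{"src": LAPTOP_A, "dst": "gw"}, {"src": LAPTOP_B, "dst": "gw"}]
    on_wire = [{"src": DESKTOP, "dst": "gw"}] + bridge_forward(from_wifi)
    table = learn_macs(WALL_PORT, on_wire)
    flagged = ports_with_extra_stations(table)
    decisions = portal_decisions(on_wire, authenticated={DESKTOP})
    return flagged, decisions


if __name__ == "__main__":
    flagged, decisions = simulate()
    print("ports flagged:", flagged)
    print("portal view:", decisions)
```

The same per-port station count is what lets network staff spot an unexpected hub, bridge or access point on an outlet.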
 
Hi Chuck,

I see the point regarding the technical issue of authenticating. I don't
know exactly how the Aruba software works. I do know, however, that after
logging in using a browser, I can then exit the browser and still use FTP and
Eudora, or start up a different browser. So that issue is still a question
mark for me.

As far as the university tracking usage using the Aruba software, as far as
I can see it should show up as "me" being connected. Assuming the above
technical issue isn't a problem, the traffic is going through my PC which has
authenticated using my username. Of course if someone did happen to hack in
to the wireless connection and start downloading stuff through my PC I would
be in trouble :-(

I will get a chance to test it all out on the weekend, which is the soonest
I can get out shopping to get a second network adapter for my PC. I will keep
you posted as to the outcome.

Cheers, Koren
 
Koren,

Leave the desktop as is, forget about the bridge.

Connect the router as I suggested earlier, using it as a WAP only. Use it as
Router 2 in my article:
<http://nitecruzr.blogspot.com/2005/06/file-sharing-on-lan-with-two-routers.html>

Each laptop will connect to the LAN, and to the Aruba proxy, and, as the
desktop, will have to authenticate. As long as the Aruba proxy doesn't object
to one account (yours) being used from more than one computer simultaneously,
you should be OK.

And observe all WiFi security precautions please.
 
If the authentication system they are using is PPPoE or another form you
should be able to set the username and password in the router. It's just a
matter of changing the WAN settings from automatic detect to PPPoE etc.

What type of router do you have?
 
