Implementing a Wireless Gateway with Reef Edge Dolphin




The first solution we’ll examine is freeware. Free is always a good thing, especially in the IT industry! Reef Edge (www.reefedge.com) produces several commercial products for use in securing wireless networks, including Connect Manager. Dolphin is a somewhat scaled-down version of Connect Manager that still provides the same basic features, but is free. If you need to add an unlimited number of users, or add new user groups, you should investigate Connect Manager. The Dolphin FAQ (http://techzone.reefedge.com/dolphin/_index/faq.page) provides more information on the limitations of Dolphin in comparison to Connect Manager.

Dolphin runs a hardened version of Linux and, once installed, acts almost the same as any other network appliance. The chief difference is that console and Telnet logins are not supported; all access is via the Secure Sockets Layer (SSL)-secured Web interface. An aging piece of Intel 586 hardware can be quickly and easily transformed into a secure wireless gateway, providing access control from the wireless network to the wired network, which we demonstrate in this chapter. Dolphin is a noncommercial product and not to be used in large implementations, but it does provide an ideal (and affordable) solution for Small Office/Home Office (SOHO) applications and serves as an excellent test bed for administrators who want to get their feet wet with wireless without opening their networks to security breaches. If you find that Dolphin is to your liking, you might want to consider contacting Reef Edge to purchase Connect Manager or an edge controller. An edge controller is a second, or satellite, machine that can be set up to support your wireless network. You will be able to easily move up to these solutions with the knowledge you gain by configuring and using Dolphin.

start sidebar
Notes from the Underground…
WPA In Linux with Linuxant DriverLoader

In order to utilize WPA, you must have drivers for your wireless card that support it. Most 802.11g cards either have a WPA capable driver when they are purchased, or one can be downloaded. The problem is that these drivers are for Windows. Linux users have not been able to enjoy the benefits of WPA because there are very few card manufacturers that have released WPA drivers for Linux. Linuxant has offered a solution to this problem for many cards: DriverLoader.

DriverLoader allows you to use the Windows driver for cards based on the Atheros, Broadcom, Cisco, Intel Centrino, Prism, Realtek, and Texas Instruments chipsets in Linux. DriverLoader also supports WPA. It is available for a free trial from the Linuxant web site (www.linuxant.com/driverloader/) and a permanent license can be purchased for $19.95.

end sidebar

Note 

SSL was developed in 1996 by Netscape Communications to enable secure transmission of information over the Internet between the client end (Web browsers) and Web servers. SSL operates between the application and transport layers and requires no actions on the part of the user. It is not a transparent protocol that can be used with any application layer protocol; instead, it works only with those application layer protocols for which it has been explicitly implemented. Common application layer protocols that make use of SSL include HyperText Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).

SSL provides the three tenets of Public Key Infrastructure (PKI) security to users:

  • Authentication: Ensures that the message being received is from the individual claiming to send it.

  • Confidentiality: Ensures that the message cannot be read by anyone other than the intended recipient.

  • Integrity: Ensures that the message is authentic and has not been altered in any way since leaving the sender.

Dolphin provides some robust features that are typically found in very expensive hardware-based solutions, including secure authentication, IPSec security, and session roaming across subnets. Users authenticate to the Dolphin server over the WLAN using SSL-secured communications and then are granted access to the wired network. Dolphin supports two groups, users and guests, and you can control the access and quality of service of each group as follows:

  • Users: Trusted users who can use IPSec to secure their connection and access all resources.

  • Guests: Unknown users who are not allowed to use IPSec to secure their communications and have access control restrictions in place.

Finally, Dolphin supports encrypted wireless network usage through IPSec tunnels. Through the creation of IPSec VPN tunnels, users can pass data with a higher level of security (encryption) than WEP provides.

To begin working with Dolphin, you need to register for the Reef Edge TechZone at http://techzone.reefedge.com. Once this is done, you will be able to download the CD-ROM ISO image and bootable diskette image files from the Reef Edge download page. The server that you are using for Dolphin must meet the following minimum specifications:

  • Pentium CPU (586) or later

  • 64MB RAM

  • 64MB IDE hard drive as the first boot IDE device

  • IDE CD-ROM

  • Diskette drive if the CD-ROM drive being used is not El Torito compliant (see www.area51partners.com/files/eltorito.pdf for more information on this specification).

  • Two Peripheral Component Interconnect (PCI) network adapters from the following list of compatible network adapters:

    • 3Com 3c59x family (not 3c905x)

    • National Semiconductor 8390 family

    • Intel EtherExpress 100

    • NE2000/pci

    • PCNet32

    • Tulip family

The Dolphin implementation is depicted in Figure 11.12.

Figure 11.12: Dolphin Provides Gateway Services for the Wireless Network

Installing Dolphin

Once you’ve gathered all the required items, you can begin installing Dolphin on your server. To do so, perform these steps:

  1. Create the CD-ROM from the ISO image. If required, create the bootable diskette from the floppy disk image.

  2. Connect a keyboard, mouse, and monitor to the Dolphin server.

  3. Power on the Dolphin server and place the Dolphin CD-ROM in the CD-ROM drive. If your computer is not capable of booting directly from the CD, you will also need to use the boot diskette.

  4. Select OK when prompted to start the installation.

  5. Accept the EULA when prompted.

  6. Acknowledge, when prompted, that installing Dolphin will erase the contents of the first physical disk.

  7. Restart the Dolphin server as prompted after the installation has been completed. After the restart, you will see a long series of dots followed by this message:

    System Ready.  IP address:   192.168.0.1/255.255.255.0.  

    This value represents the wired side of the Dolphin server and can be changed later if you desire by completing the steps in the “Configuring Dolphin” section of this chapter.

  8. Determine which network adapter is which on the Dolphin server. Configure the network adapter on your management station (depicted in Figure 11.15) with the IP address of 10.10.10.10 and a subnet mask of 255.255.255.0, as shown in Figure 11.13.

    Figure 11.13: Configuring the Network Adapter

  9. Using a crossover cable, connect your management station directly to one of the network adapters on the Dolphin server, then ping the Dolphin server at the IP address 10.10.10.1. If you receive an echo reply, as shown in Figure 11.14, you have located the wireless side of the Dolphin server. If you don’t get an echo reply, make the connection to the other network adapter on the Dolphin server. Attempt to ping the other network adapter on the Dolphin server with the IP address of 10.10.10.1 to verify connectivity. The wired side of the Dolphin server initially has the IP address of 192.168.0.1 with a subnet mask of 255.255.255.0, as mentioned in Step 7. You can, however, change the IP addresses and subnet masks of both the wireless and wired side of the Dolphin server if you so desire, as discussed in the next section, “Configuring Dolphin.”

    Figure 11.14: Finding the Wireless Side of the Dolphin Server

  10. Configure your management station with an IP address in the 192.168.0.x range, such as 192.168.0.180, and connect it to the wired side (192.168.0.1) of the Dolphin server, preferably through a switch, but you can use a crossover cable to make a direct connection.

  11. Configure your wireless client for Dynamic Host Configuration Protocol (DHCP) so that it can receive an IP address and DNS server information from the Dolphin server. (You can change the DHCP values passed out later in this procedure.)

  12. Connect the AP to the wireless side of the Dolphin server (10.10.10.1). Ensure that the AP and the wireless side of the Dolphin server are configured correctly, with IP addresses on the same subnet. You should now have an arrangement like the one shown in Figure 11.15.

    Figure 11.15: Making the Dolphin Connections

  13. Force the wireless client to renew its DHCP lease and check to see that it looks something like the one shown in Figure 11.16.

    Figure 11.16: Verifying the DHCP Lease

  14. Ping the wireless side of the Dolphin server, from the wireless client, at 10.10.10.1 to verify connectivity.

  15. Ping the wireless side of the Dolphin server again, from the wireless client, using the DNS name mobile.domain.

  16. Attempt to access resources on the wired network from the wireless client. Acknowledge the SSL connection if prompted to do so (although you won’t actually see any SSL-secured pages until you attempt to log in at the next step). If you see the Web page in Figure 11.17, congratulate yourself—your Dolphin installation is operating properly!

    Figure 11.17: Connecting to the Dolphin Server

  17. Log in from the page shown in Figure 11.18 using the username temp and the password temp. If login is successful, you will see the page shown in Figure 11.19. Notice that the IPSec key shown at the bottom of the page is actually your shared key that you would use to create IPSec connections.

    Figure 11.18: Logging into the Dolphin Web Page

    Figure 11.19: Login Is Successful

    Note 

    Although these are the default credentials to enter your Dolphin system, it is critical that you change them once you are done with the initial configuration. After you have created your first user account, Dolphin will delete the temp account for you automatically to ensure that no one compromises the server or gains unauthorized network access.

    Figure 11.20: Logging In to the Administrative Interface

  18. Log in to the Dolphin Web management interface by entering https://mobile.domain/admin into your browser. You will be prompted to log in, as shown in Figure 11.20.

    Note 

    If you don’t have a crossover cable, you can use a switch or hub and two standard straight-through cables. Simply connect the Dolphin server to the management station through the switch or hub. Ensure that you are using the uplink port on the switch or hub and, if required by your hardware, ensure that the uplink port is selected for uplink via regular use. Also make sure that you are on the right network segment with correct IP addressing configured.

Configuring Dolphin

Your Dolphin server is now installed and operable on your wireless network. You now need to perform some configuration and management tasks before your server is ready to be placed into production. You need to add users to the Dolphin database who will be allowed to gain access to the wireless network. (Dolphin does not support RADIUS and thus must use a local user database.) In addition, you might want to change the IP addresses and subnets assigned to the Dolphin server network adapters. The following steps walk you through the process of configuring some of these options:

  1. Log in to the Dolphin server by completing Steps 17–18 of the previous procedure.

  2. Click the Wired LAN link from the menu on the left side of the window. This provides you with the capability to change the wired-side properties, as shown in Figure 11.21. In most cases, you’ll need to change the wired-side IP address from the default configuration of 192.168.0.1 because this is typically reserved for use by the default gateway. Be sure to enter the default gateway and DNS server IP addresses as well as to enable wireless network clients to access network resources. After making your changes, click the Save button. (Note that you will have to restart the Dolphin server to commit the changes to the running configuration. You can, however, make all your changes and then restart the server.)

    Figure 11.21: Changing the Wired-Side Network Properties

  3. Click the Wireless LAN link to configure the wireless-side properties, as shown in Figure 11.22. You can change all these properties as you see fit. By default, the Dolphin server is configured with the domain name reefedge.com and DHCP address range of 10.10.10.10–10.10.10.253. After making your changes, click the Save button. If you want to configure the quality of service that wireless clients receive, click the Wireless LAN Bandwidth link to configure your values, as shown in Figure 11.23. After making your changes, click the Save button.

    Figure 11.22: Changing the Wireless-Side Network Properties

    Figure 11.23: Dolphin Provides Quality of Service Controls for Wireless Clients

  4. Create a list of authorized users for Dolphin—that is, a listing of users who can authenticate to Dolphin and then be granted wireless network access. Click the Add New User link to open the User Management page shown in Figure 11.24. Note that you can only choose between the users group and the guests group—Dolphin does not support creating custom groups (a limitation due to its freeware status). After supplying the required information, click Save. After creating your first Dolphin user, the “temp” account will be deleted for security reasons. If you want to configure additional security policies, click the Security Policies link to open the Security Policies For User Groups page, shown in Figure 11.25. This page allows you to configure the equivalent of a firewall rule set for your Dolphin server.

    Figure 11.24: Creating Users for the Dolphin Database

    Figure 11.25: Creating or Modifying Security Policies

  5. Change the administrative password before you restart your Dolphin server. To do this, scroll the page all the way to the bottom and click the Admin Password link. Click Save after making your change (see Figure 11.26).

    Figure 11.26: Changing the Administrator Password

  6. Restart your Dolphin server. After Dolphin has completed loading, you will see the familiar series of dots, this time followed by the new wired-side IP address that you have configured.
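The addressing rules from the installation and configuration steps above can be checked on paper before the restart commits them. The following is an added example, not Reef Edge code or part of the original chapter; the plan's key names, the AP address 10.10.10.2, and the default gateway value are assumptions made for illustration.

```python
import ipaddress

# Dolphin's shipped defaults from the chapter, plus two constructed values
# (default_gateway and ap_ip are assumptions, not taken from the product).
DEFAULT_PLAN = {
    "wired_ip": "192.168.0.1", "wired_mask": "255.255.255.0",
    "default_gateway": "192.168.0.1",            # constructed: typical LAN router
    "wireless_ip": "10.10.10.1", "wireless_mask": "255.255.255.0",
    "dhcp_start": "10.10.10.10", "dhcp_end": "10.10.10.253",
    "ap_ip": "10.10.10.2",                       # constructed: static AP address
}

def check_dolphin_plan(plan):
    """Return a list of problems in a planned Dolphin addressing scheme."""
    problems = []
    wired = ipaddress.ip_interface(f"{plan['wired_ip']}/{plan['wired_mask']}")
    wlan = ipaddress.ip_interface(f"{plan['wireless_ip']}/{plan['wireless_mask']}")
    gateway = ipaddress.ip_address(plan["default_gateway"])
    ap = ipaddress.ip_address(plan["ap_ip"])
    first = ipaddress.ip_address(plan["dhcp_start"])
    last = ipaddress.ip_address(plan["dhcp_end"])

    # Wired LAN page: the default 192.168.0.1 usually collides with the router.
    if wired.ip == gateway:
        problems.append("wired-side IP is the same as the default gateway")
    if gateway not in wired.network:
        problems.append("default gateway is not on the wired-side subnet")

    # The gateway only controls access if the two sides are distinct networks.
    if wired.network.overlaps(wlan.network):
        problems.append("wired and wireless subnets overlap")

    # Installation step 12: the AP must share the wireless-side subnet.
    if ap not in wlan.network:
        problems.append("AP is not on the wireless-side subnet")
    if ap == wlan.ip:
        problems.append("AP uses the wireless-side IP of the Dolphin server")

    # Wireless LAN page: the DHCP pool must sit inside the wireless subnet
    # and must not hand out the addresses of the gateway or the AP.
    if first > last:
        problems.append("DHCP range start is above its end")
    if first not in wlan.network or last not in wlan.network:
        problems.append("DHCP range leaves the wireless-side subnet")
    for name, addr in (("wireless-side", wlan.ip), ("AP", ap)):
        if first <= addr <= last:
            problems.append(f"DHCP range includes the {name} address")
    return problems

if __name__ == "__main__":
    for issue in check_dolphin_plan(DEFAULT_PLAN):
        print("PROBLEM:", issue)
```

Run against the defaults with a router at 192.168.0.1, it reports the wired-side conflict that step 2 tells you to fix; moving the wired side to an unused address clears it.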

Improving the User Experience

Should you not want authorized users to need to use the Web interface to Dolphin to authenticate, you can equip them with a small utility that is available from Reef Edge, and can be used to perform regular and IPSec-secured logins/logouts. The process to install and use this utility is outlined here:

  1. Download the Active TCL package from Active State at www.activestate.com/Products/Download/Download.plex?id=ActiveTCL and install it onto your wireless client computer.

  2. Download the TCL TLS 1.4 package from Reef Edge’s download page. Create a folder called tls1.4 in the lib directory of the Active TCL installation path and extract the contents of the TLS 1.4 archive into this folder.

  3. Download the dolphin_status.tcl file, also located at the Reef Edge download page.

  4. Place the dolphin_status.tcl file in a convenient location on the client computer. Once Active TCL has been installed, the dolphin_status.tcl file will act as an executable and can be double-clicked to open.

  5. Execute the dolphin_status.tcl file to get the login prompt shown in Figure 11.27. You have the option of creating an IPSec tunnel at this time as well. The tcl file will create a configuration file named dolphin in the same directory it is located in.


    Figure 11.27: Using the Dolphin_status.tcl File to Log In

Dolphin Review

As you’ve seen in this chapter, the Dolphin product provides a very inexpensive solution for small wireless environments. It is very lightweight and has minimal hardware requirements; you most likely have an old PC stuffed in a storage room that could be turned into a dedicated wireless gateway by installing the Dolphin application on it.

On the up side, Dolphin is easy to use and configure, is inexpensive, and provides a relatively good amount of security for smaller organizations. In addition, Dolphin supports the creation of IPSec-secured VPN tunnels between the wireless clients and the Dolphin server. On the down side, Dolphin is limited in the number of users it can support as well as the number of groups you can create to classify users. Dolphin also does not provide for the use of an external RADIUS server. These limitations, however, are clearly stated by Reef Edge because Dolphin is not intended for commercial usage. If you have a small home or office wireless network that needs to be secured by an access-granting device, Dolphin might be an ideal choice for you.

start sidebar
Tools and Traps…
Using Enterprise Wireless Gateways

Don’t think of Dolphin as a full-featured Enterprise Wireless Gateway (EWG). However, you should consider it a wireless gateway. For a full-featured EWG, you might want to consider one of the more capable and robust (and more expensive) solutions offered from one of the following vendors:

  • Bluesocket www.bluesocket.com

  • Columbitech www.columbitech.com

  • Reef Edge www.reefedge.com

  • Sputnik www.sputnik.com

  • Vernier Networks www.verniernetworks.com

  • Viator Networks www.viatornetworks.com

These solutions offer the same features as Dolphin—authentication and VPN support—but they also provide many other options, such as RADIUS server support, hot failover support, and multiple protocol support (such as WAP, 3G, and 802.11). The EWG market is still in a great deal of flux as vendors try to refine their products. That does not mean, however, that you cannot create very secure solutions using today’s technology. A word of caution, though: You should expect to find bugs and other errors with most of these solutions because the technology is still so new. Caveat emptor.

end sidebar

Now that we’ve spent some time looking at the freeware Dolphin product, let’s step up the discussion and examine some more robust (and more costly) solutions that you might implement to secure a larger wireless network necessitating control over user access in a larger enterprise environment.






WarDriving(c) Drive, Detect, Defend(c) A Guide to Wireless Security