Libelium - Development

RSS

Howto secure Meshlium

First steps to secure Meshlium.

1. Change root password (user)

2. Change root password (Manager System)

3. Hide ESSID

4. Select encryption method

5. Enable MAC filtering

6. Protect OLSR traffic

7. Protect data inside the Meshlium

8. Backup configuration

Change root password (user)

First of all, change the default root password of the router by opening a ssh session. If you have a cross link you do not need to connect the router to the network but your computer.

ali@kaizen:~$ ssh root@192.168.1.203
root@192.168.1.203's password:

Once logged, change the password:

meshLium-AX:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Change root password for Meshlium Manager System.

To change the default root password for accessing the Meshlium Manager System, navigate to section "System", plugin "Users Manager". Preferably, do not use the same root password as the root user for the router.
You can add more users with different passwords each one.

Hide ESSID

When configuring an AP it may be interested to hide the ESSID. Navigate to section "Interfaces", plugin "WIFI" and check the field hide near the ESSID field.

This makes the AP partially unvisible so that only clients who know the ESSID can associate to it. Clients who scan the network will get something like this:

root@kaizen:# iwlist ath0 scan
Cell 10 - Address: 00:0B:6B:80:C8:8E
ESSID:""
Protocol:IEEE 802.11bg
Mode:Master
Channel:4
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s ; 48 Mb/s; 54 Mb/s
Quality=59/100 Signal level=-72 dBm Noise level=-72 dBm
Extra: Last beacon: 1636ms ago

Unfortunately, this method can be avoided using some network analyzers, like kismet, so the security of the AP must not rely in hiding its ESSID, as we can see in the following picture:

Select encryption method

For encrypting the traffic between clients and the Meshlium AP, an encryption method must be configured. For the moment, Meshlium supports

WEP40 (5 characters password),

WEP 104 (13 characters password) and

WPA-PSK (8-63 characters password). When configuring them through the Meshlium Manager System all of them use authentication in open mode , this allows all clients to associate to the AP without demonstrate they know the WEP key. This authentication method is safer than the shared , since it uses the SSID in the process, so everyone could see it and use it to decrypt the encrypted message and get the WEP key.

WPA-EAP WPA-EAP allows the use of a radius to authenticate users. Users can be authenticated with TLS, TTLS and PEAP methods.
Meshlium provides FreeRADIUS that can be used as RADIUS to authenticate WPA-EAP users.

Enable MAC filtering

If controlling the clients who can associate to the AP is desired, it can be activated the MAC filter. If the blacklist policy is chosem MACs in the list will be banned automatically On the contrary, if the whitelist is chosen only MACs specified will be allow to connect to the AP.

Protect OLSR traffic

If the Meshlium used is a mesh one, an extension to secure OLSR can be activated. Important! This extension only provides security extensions to OLSR and not the traffic being routed in the MANET. Also, the implemented solution only provides integrity and not confidentiality, although the solution is extendable and could include mechanisms to provide confidentiality. More info in this link . Encrypting all the traffic in the networks requires other solutions like SSH tunneling , which will be covered in future articles.

Protect data inside the Meshlium

The information stored in a node of a computer network may be critical in some cases: accountancy files, medical or student's records, customer data bases, log and config files, data acquired from a sensor network or even executables. Having this data encrypted prevent them from being unveiled if the router where they are stored is stolen. Only those who know the encryption password would be able to access the data, minimizing the damages. If you are responsible of critical information stored in the network nodes of your customers you should consider protecting these data. There are many solutions to keep files safe, either ciphering them separately or putting them in an encrypted partition protected with a password. The Meshlium Manager System provides a mechanism for creating easily an encrypted partition to store data. When the partition is created, you can save files directly and keep them ciphered. Whenever the router is powered off, the encryptied partition must be activated by entering the password. This ensures that the information will not be legible in case someone steals the router. Once the partition is activated, it is accessed through a mapper which encrypts or decrypts on the fly the data written and read from the partition so that the data always remain encrypted. Accessing to these data without the encryption password is impossible, even knowing the root machine password.

Backup configuration

Finally, after configuring your Meshlium it is important to backup the configuration so that you can rescue it in case you need to reset the router to an older configuration. This feature can be also used for replicate fastly the configuration of one Meshlium to the rest of the routers in the network.

(*)

I have read and I accept the privacy policy

In order to comply with the provisions in Spanish Data Protection Act (L.O. 15/1999 of 13th December) and its implementing Regulation (R.D. 1720/2007, of 21st December), LIBELIUM hereby informs its Customers and websites users that any personal data supplied through the forms contained in its websites shall be recorded in a file named “CUSTOMERS” for which LIBELIUM is responsible, located at LIBELIUM´s registered address and which has been registered with the Spanish General Registry for Data Protection (Registro General de Protección de Datos de la Agencia Española de Protección de Datos).

Except for those fields expressly requesting compulsory filling, answers to the questions contained in any form are voluntary and therefore, the lack of answer does not imply a reduction of the quantity or quality of LIBELIUM´s services. The aim of this data collection are to provide access to LIBELIUM´s online shop, to send information on LIBELIUM´s Product(s) and services as well as to collect Customer’s acceptance to the terms of use of the forums and other sections in LIBELIUM´s websites. By filling these forms Customers consent in receiving promotional offers concerning LIBELIUM´s Product(s) and services. You further consent further that LIBELIUM may make such data available to its services suppliers to the sole purpose of enabling service provision.

Any User providing personal data through any of the forms in LIBELIUM´s websites shall count on a 30 day period to inform LIBELIUM in writing of his/her refusal to the processing of his/her personal data. Unless this communication is made, it shall be deemed that the User consents the processing of his/her personal data according to the terms set forth in these T&C. All personal data collected shall be processed by using the security measures requested by Law to avoid their loss, damage or access by any unauthorised third party. User may nevertheless be aware of the fact that the existing security measures for computer systems on the Internet are not entirely trustworthy. Should you think that your email address has been disclosed to us without your consent, do not hesitate to inform us thereof. Users may at any time exercise their rights of access, rectification, update, cancellation and objection, as well as revoke the consent granted for all of any of the above-mentioned processings, by sending a written statement to LIBELIUM, either through the “Contact” section in our website http://www.libelium.com or by post to the following address: LIBELIUM COMUNICACIONES DISTRIBUIDAS, S.L., c/ María de Luna, 11, nave 5, CEEIARAGON. 50018 Zaragoza (Spain).

To exercise the above-mentioned rights you must indicate your name, ID/passport number, full address, date and signature, including any document supporting your request, in case it is needed; a copy of your ID card/passport must be enclosed, unless you use an electronic signature. User shall be liable for the veracity of data provided and only in case of holders of parental rights concerning children under fourteen and in connection with said children, shall LIBELIUM accept the disclosure of personal data concerning third parties. Users shall assume all liability for direct or consequential damages arising out of or in connection with the provision of false, inaccurate, incomplete or non updated data.

Furthermore, LIBELIUM reserves its right to exclude from any service for which prior registration is required, to any User having provided false data or failing to comply with these T&C, notwithstanding any other legal action to which LIBELIUM may be entitled. LIBELIUM reserves its right to modify its Privacy Policy or these T&C to adapt them to the regulations in force or for any other reason. Provided that the use of LIBELIUM´s websites by Users shall be deemed as User’s acceptance of LIBELIUM´s Privacy Policy and T&C, User is hereby requested to check these T&C and any further amendments from time to time.

Privacy Policy
Users may visit LIBELIUM´s websites without disclosing neither their identity nor any personal data. LIBELIUM´s servers may only collect domain names but not email addresses of their visitors. This kind of information is used to elaborate reports on visit statistics, the time spent in the websites, websites accessed, the general origin of visitors (through “Favourites”, search engines, links from other websites, etc.) to the sole purposes of getting information on how the websites are used and improving their contents and services.

Linked sites
LIBELIUM´s websites may provide links to other sites but LIBELIUM assumes no liability on the privacy policies adopted by the linked sites, directly or indirectly. Links to other sites are provided as a suggestion only and do not imply LIBELIUM´s warranty or liability concerning their quality, accuracy or contents of the information provided therein.

LIBELIUM does not warrant the veracity or accuracy of the information disclosed by its suppliers or third parties whose products or services are offered through LIBELIUM, their origin, ownership or the use or practical implementation made by Customers.

(*) Mandatory fields

| Terms of use