The open-source community has finally entered the wireless arena. One of its first offerings, the Sputnik Community Gateway, allows Internet access through a point that you control without limiting your access or bandwidth. All you need is a laptop or desktop machine with an Ethernet card and a wireless card to act as the router or gateway.
It sounds like an inexpensive, simple solution to introducing a wireless network for an organization, so I downloaded the latest version (1.1b004) and decided to see how it works. I discovered several weaknesses that should prevent the current revision of this product from being used in a corporate environment. In this article, I will illustrate those weaknesses and then identify ways that this networking solution can be used safely.
Available Sputnik products
Sputnik is working on several products that deal with wireless networking. One of those products, the Community Gateway is designed to allow you to control an access point through which the general public can access the Internet without limiting your access or bandwidth to the Internet or compromising your system or network security.
Sputnik also sells the Enterprise Gateway, which offers more features than the Community Gateway. It includes features such as intrusion detection, directory service integration (i.e. LDAP, Active Directory, and others), and more security features. To get a copy of the Enterprise Gateway you have to contact Sputnik directly, whereas the Community Gateway can be downloaded for free or via a pressed CD purchased for $10 U.S.
The down side: A gaping security hole
When testing, I noticed many areas of weakness for the Sputnik Community Gateway. Prominently noted on the Sputnik Web site is the word "security," and with the Web browsing authentication, they have put some security in place.
Unfortunately, this security extends only to Web browsing. I was able to connect to my IMAP mail server to read e-mail via the gateway without having authenticated myself via the Web browser. I was also able to use OpenSSH, Telnet, FTP, and Ping, all without any authentication or restriction on the client laptop, which was an Apple iBook that was dual-booting Mandrake Linux 8.2 and Mac OS X.
The other drawback I noted was no wireless equivalent protocol (WEP) security. While WEP isn't the most secure protocol around, it does make things more difficult for the average sniffer. With no WEP security, all traffic to the gateway is in the clear, indicating another area where security falls short. While it might be difficult to implement WEP in a system that is largely made up of anonymous people using equipment they are unfamiliar with, and who have no knowledge of the setup of the gateway beyond the fact that is a Sputnik gateway, this is still a problem.
The lack of WEP can be somewhat overlooked because of the anonymity of the Sputnik setup, but be aware that there is absolutely no security between your hardware and the wireless gateway. Fortunately, the member sign-in on the Sputnik Web site is done over HTTPS, so your password is not being transmitted in the clear.
On a whim, I looked a little closer at the Sputnik Community Gateway and noticed it ran the 2.4.18 kernel and iptables, which is good. There are no firewall rules by default; the policies are set by default to ACCEPT for incoming, outgoing, and forwarded traffic, which means there is no protection on the gateway at all. While this is fine for the actual gateway—it's CD-based so no changes can be written or anything done to it that a simple reboot won't fix—the lack of protection could prove problematic for those using the gateway. It affords them no protection from each other or hosts on the Internet. Malicious users on the gateway could also wreak havoc on the Internet via the completely unrestricted access this system offers.
After I discovered several insecurities in this product, I decided to try pinging the IP address of the Ethernet port on the gateway; in this case the IP address assigned was 220.127.116.11. The Sputnik uses a Class C address network of 192.168.190.0. To my dismay, I was able to ping the internal network device—the network that I hoped would be protected from the general public at all costs. Even worse, a ping to a system on the internal network, a Windows XP system, was likewise successful.
Anyone using the Sputnik gateway could take advantage of its complete lack of authentication on all protocols—except for HTTP—to hack into the internal network. If you truly wanted to use Sputnik, you would have to place a firewall between the Sputnik Community Gateway and your internal network to allow in and out traffic to specific ports that you designate and probably a firewall system between the gateway and the Internet itself.
By now, Sputnik must know how incredibly insecure this is. I hope they are soon planning to provide an updated version that addresses these problems. If the gateway is meant to be used only for HTTP traffic, which could be acceptable, the firewall on the gateway itself must be far more limiting. As it stands now, the Sputnik Community Gateway stands as an open invitation for crackers to play with your internal network or use your infrastructure to carry out any attacks or other such mischief they may have planned. The end result: You are liable for the damages they do using your infrastructure because you enabled the gateway to allow such anonymous access via your Internet account.
If you would like to use the Sputnik Community Gateway
In spite of the security issues, there still may be reasons why you want to install the Sputnik Community Gateway. Perhaps you could use it for testing purposes, or maybe this article has piqued your curiosity. The Sputnik Community Gateway is available as a single ISO download. Based on the Linuxcare bootable business card, all you need to do is download the ISO, burn it to CD, put it in your intended gateway system, and boot from it. The entire operating system is contained on this 30-MB CD-ROM, so you can use a system with only a CD-ROM to use as your Sputnik Gateway; no hard drive or floppy drive is required—provided you can boot from the CD itself. You can download the ISO directly from Sputnik's Web site.
The installation process is pretty much nonexistent. All you have to do to get the gateway up and running is boot from the CD-ROM. However, this assumes that you are on a network that provides IP addresses on the wired side via DHCP. The Sputnik Community Gateway uses a DHCP client to obtain an IP address, so if you have a static address, you'll have to configure the gateway and routing settings manually. Unfortunately, if this is the case, you will need to do this every time you boot the gateway—a major drawback to using a CD-based read-only file system.
After you boot Sputnik for the first time, move to one of the laptops or the wireless system you intend to use via the gateway. Open up a browser on this machine and point to the Sputnik Web site. If you're already a Sputnik member, you'll be authenticated to use the gateway automatically. If this is your first time using Sputnik, you'll have to become a Sputnik member, free of charge. The gateway uses the sign-up information to authenticate you for the Web browsing you'll do via the gateway.
With the Sputnik Community Gateway, you don't even need to know the IP address of the gateway for this to work, which is the premise behind anonymous access via the gateway. Without knowing the IP address of the gateway, you allow others around you—within a relative range of 150 feet—to access the Internet via your system without knowing or even speaking with you. If their laptops have the ESSID set to ANY or specifically to Sputnik (the default ESSID of the gateway), users will be able to connect with absolutely no problems.
The Sputnik Community Gateway also comes with a small browser and X server so you can run graphical applications on the system. It also comes with an Apache server installed with PHP support, a DHCP client, and a DHCP server to provide IP addresses to connecting clients, as well as named, which must be used as a caching name server.
Sputnik provided a large number of programs on the CD to make using the gateway as easy and familiar as possible—that is, familiar as long as you have experience using any Linux-based system. Some of the tools don't really belong on a wireless gateway, such as the Web server, but many are nice tools to make administering your gateway easier—provided you have to do any administration at all. The self-configuration of the gateway is fairly seamless, and most people will be able to use it immediately without making any modifications to the system at all, which is presumably how the entire system was designed.
The nice thing about the Sputnik gateway is that it can be used with any wireless product and operating system. I was able to connect with Mandrake Linux 8.2/PPC, Mac OS X, and Windows XP. According to the Sputnik Web page, it also supports wireless PDA devices.
The end goal, presumably, is to have a number of Sputnik Community Gateways in various cities around the world, each allowing anyone to connect to the Internet in various areas without paying connection fees. The concept of using each wireless machine as a gateway to greater enhance the reach of a wireless network is an interesting approach. Now that the bulk of the foundation has been set with Sputnik, it’s time for the developers to set out to patch up the major security weakness of this idea.
A great idea with some major weaknesses
The Sputnik Community Gateway has a lot of potential and is, in theory, a revolutionary and groundbreaking product. Unfortunately, it probably isn't a very good idea to use it anywhere but in a closed testing environment until they tighten up some of the security issues.
Of course, as with all things Linux, it would be very simple to copy the program's image to a hard drive, which would allow you to customize it to your heart's content. You could define iptables firewall rules that come back on each reboot, perform kernel tuning, and so forth. So if you have the time to do a lot of configuring and developing, Sputnik could be a viable alternative to your wireless networking needs. If you don’t have the time or skills available, wait until Sputnik irons out these serious security issues before deploying this technology on your corporate network.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.