SSH Tunneling to internal destinations

CubsFan

Distinguished
Oct 20, 2011
6
0
18,510
Hello,

I am attempting to help a small business whose network designer is no longer around to answer questions. The network is peer-to-peer (all clients are Win XP), and covers two buildings with three SSIDs. Building #A has two SSIDs supported by a single router (DD-WRT). SSID #1 is secure, and consists of 3 wired PCs and 2 wireless laptops (DHCP 192.168.1.200-250). SSID #2 has no security and is open to guests (DHCP 192.168.5.1-50). SSID #3 (static IPs 192.168.1.1-100) is in building #B, and is connected by a wireless Ubiquiti system to Building #A. The network designer’s documentation indicates he tunneled (SSH) from PCs and laptops on SSID #1 to the various IP addresses on SSID #3 (wireless access point, wireless printer). This would prevent any guests on SSID #2 from eavesdropping on communications between SSIDs #1 and #3. I do not see any indication of PuTTY installations on SSID #1. In order to implement SSH, do I install PuTTY on the clients in SSID #1? When configuring PuTTY, should I use internal IP addresses or external for destinations on SSID #3?
 
Solution
The only thing that's not clear to me is the relationship between SSID1 and SSID3. I see they're using the same network (192.168.1.x), but different ranges. That suggests to me that SSID3 is bridged back to SSID1 and configured as a wireless repeater (thus establishing SSID3 for bldg B). Not sure that it matters, but it was the one thing that wasn't 100% clear.

From your description, I don't see why SSH is even necessary. SSH is only necessary if your communications are otherwise not secure. But they are secure, at least between SSID1 and SSID3, thanks to wireless encryption. The use of SSH is completely redundant. It doesn't hurt, but it doesn't provide any more protection than the WPA/WPA2 security you already have between them.

The fact he even suggests using SSH makes me wonder if perhaps you normally allow traffic to flow between the 192.168.1.x and 192.168.5.x networks. Ideally you should keep a guest network completely separate from the other network, and you do that not just by defining a guest network (SSID2 in this case), but also updating the firewall (via iptables) to make sure neither can access the other (i.e., filtering). This is especially important when the guest network is OPEN. Remember, your entire network is only as secure as its weakest link. So if your admin felt it necessary to use SSH to prevent those on the open network (SSID2) from eavesdropping, and I’m right that that’s because he failed to secure each network from the other via the firewall, then you have a serious security issue! His use of SSH (in the absence of any evidence to the contrary) strongly suggests this is the case, and that SSH was his “hackish” attempt to deal w/ the problem he created by not securing the two networks from each other, generally. IOW, ALL your traffic on SSID1 (even that which is only local to SSID1) is vulnerable to eavesdropping from the other network (SSID2).

Again, as long as the two networks can’t access each other, both by using the firewall and wireless security, then SSH is pointless. You’re only going to use SSH within the context of an open network (e.g., he needs to secure communications between two PCs, both located in the 192.168.1.200-250 range), but that shouldn’t be the case here between SSID2 and the other SSIDs, not unless your admin messed up. And it certainly sounds that way to me. Many ppl mistakenly fail to secure the guest SSID from the private SSID when configuring dd-wrt. They just create the two SSIDs and either hope they are secured by default (which they aren’t), or don’t even know it and do nothing. I suspect your admin knew there was a problem but didn’t know how to fix it. So he decided to use SSH when he had real concerns about security.

So first thing I’d do is figure out why SSH is being used at all, something’s wrong there, I see the potential for a real security breach unless someone can provide a plausible explanation.
 
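To make the "update the firewall via iptables" step concrete, here is an added example (not from the thread or from dd-wrt's own scripts) of the kind of rules that go in dd-wrt's Administration > Commands > "Save Firewall" box. It uses the subnets the original poster gave (guest 192.168.5.0/24, private 192.168.1.0/24, which covers both SSID1 and SSID3); the `IPTABLES` override and the `apply` argument are my additions so the rules can be dry-run with `IPTABLES=echo` before pasting them into the router.

```shell
#!/bin/sh
# Added example, not the thread's or dd-wrt's own code: keep the OPEN guest
# SSID from reaching the private LAN or the router's admin services, while
# still letting guests out to the Internet through the WAN.
#
# Subnets are the ones the original poster described; override as needed.
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
GUEST_NET="${GUEST_NET:-192.168.5.0/24}"     # SSID2, open guest network
PRIVATE_NET="${PRIVATE_NET:-192.168.1.0/24}" # SSID1 + SSID3 (same subnet)

guest_isolation_rules() {
    # Rules are inserted with -I (top of chain), so each line below ends up
    # ABOVE the ones inserted before it; the ACCEPTs for DNS/DHCP are
    # inserted last so they are evaluated before the INPUT DROP.

    # 1. Guests may not talk to anything on the private LAN at all.
    "$IPTABLES" -I FORWARD -s "$GUEST_NET" -d "$PRIVATE_NET" -j DROP
    # 2. Private hosts may not reach guests either (keeps a compromised
    #    guest from being reachable from the LAN, and vice versa).
    "$IPTABLES" -I FORWARD -s "$PRIVATE_NET" -d "$GUEST_NET" -j DROP
    # 3. Guests may not open connections to the router itself (web UI,
    #    SSH, telnet); only DNS and DHCP renewals are allowed below.
    "$IPTABLES" -I INPUT -s "$GUEST_NET" -m state --state NEW -j DROP
    # 4. Guests still need DNS from the router to get to the Internet.
    "$IPTABLES" -I INPUT -s "$GUEST_NET" -p udp --dport 53 -j ACCEPT
    # 5. DHCP renewals arrive from an assigned guest address; the initial
    #    DISCOVER comes from 0.0.0.0 and is not matched by rule 3 anyway.
    "$IPTABLES" -I INPUT -s "$GUEST_NET" -p udp --dport 67 -j ACCEPT
}

# Apply only when explicitly asked, e.g. "sh guest-fw.sh apply"; in the
# dd-wrt firewall box you would simply call guest_isolation_rules.
if [ "${1:-}" = "apply" ]; then
    guest_isolation_rules
fi
```

Dry-run it first with `IPTABLES=echo sh guest-fw.sh apply` and check that the two FORWARD DROPs name the right subnets; after applying on the router, `iptables -S FORWARD` should list them at the top of the chain, and a laptop on SSID2 should no longer be able to ping the printer at 192.168.1.30 or reach the router's web UI.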

CubsFan

Distinguished
Oct 20, 2011
6
0
18,510
Thank you for your response. You are correct that SSID1 & 3 are in the same subnet with different ranges. When I stepped in, the wireless access point (NetGear WN802T, 192.168.1.97) for SSID3 was fried. I installed an AMPED 300N wireless access point (DHCP disabled, Gateway IP is the main router's IP). A wireless laptop can connect to SSID3 and access the wireless printer (192.168.1.30), but only while in building #2...and I am unable to access the Internet from SSID3.

Looking at the Linksys E3000 router (dd-wrt) in building #1, I don't see any bridge or VPN configurations pointing to SSID3. There is a Ubiquiti wireless system between the two buildings, but there is no documentation for it.

My goal is to allow the wireless laptop to have Internet access while in building #2 on SSID3, and for the same wireless laptop to have access to the wireless printer (in building #2) while in building #1. The guest SSID2 should not see anything outside of the 192.168.5.x subnet. I would sure appreciate your thoughts and suggestions. Thank you.