[–] WORF_MOTORBOATS_TROI 1 point (+1|-0) ago
Unplug it.
[–] BakedMofoBread 2 points (+2|-0) ago (edited ago)
Create a new air-gapped Root Certification Authority and immediately create two Intermediate Certification Authorities from it, also both air-gapped. All three of these systems are air-gapped and running Custom Minix 3, each with a different encryption algorithm and scheme implemented with the system calls to keep the RAM and HDD 100% encrypted at all times, requiring a certificate with a low serial number (as part of the customizations) from the Root CA to decrypt anything, likely provided by QR code.
Why two? Because if you detect a breach, you could conceivably switch to the other set rather quickly, especially once you revoke the compromised CA. You just have to generate all your certs twice, and provide each node with both. Maybe one encrypted with a password so that it’s inaccessible until needed.
Using this PKI, you generate client certificates for the wifi endpoints, and IPsec certificates for the access points and the OpenBSD box (which I assume is the AAA server as well) from the intermediate CAs as prescribed earlier. Use the endpoint client certificates as the authentication parameter for association with an AP connected to, and in an IPsec relationship with, the OpenBSD AAA server.
Obviously, you also need to make sure that only the PHY addresses that you expect to be on your network are on your network, and make sure that they, too, are in an IPsec relationship with the OpenBSD server. Ensure that NAC procedures are properly followed, using some kind of policy server or access control server. There are many vendors who provide products which implement these services.
Then you just need to physically secure the server from local, physical tampering with proper physical security.
I’m sure I’m forgetting something at this point, but it’s 1:30am.
Edit: I’m forgetting that the “OpenBSD Computer” is a goddamn client node and not the central computer in the fucking network. “Your Computer” doesn’t read to me as “The Computer You Use For Your Everything,” but as “Some Computer For Which You Are Responsible.” Leaving up the response because it’s not WRONG, just the wrong approach for the question as intended.
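The PKI the comment above lays out, as an added example that is not the commenter's code: a root, two intermediates, every leaf certificate issued twice (once per intermediate), then the breach-response step of revoking intermediate A at the root and checking which copies still validate. It assumes a POSIX shell and the openssl CLI (1.1.1 or 3.x); the names Example Root CA, intA, intB, laptop1, ap1 and aaa, the extension profiles and the key sizes are all assumptions, and the air-gap, Minix customisations and low-serial decryption gate the comment describes are not modelled.

```shell
#!/bin/sh
# Added example, not code from the post: the two-intermediate PKI described above,
# built with the openssl CLI (1.1.1 or 3.x). Every leaf cert is issued twice, once
# per intermediate; the root then revokes intermediate A and only the B copies still
# validate. All names (Example Root CA, intA, intB, laptop1, ap1, aaa) are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
ROOT_CNF="$WORK/root/ca.cnf"

# Per-CA directory: empty "openssl ca" database (used only to sign CRLs) and the
# config holding CSR defaults plus one extension profile per certificate type.
write_cnf() { # $1 = CA directory
    mkdir -p "$1"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 7
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
[ v3_ipsec ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.8.2.2
authorityKeyIdentifier = keyid
EOF
}
new_key() { mkdir -p "$(dirname "$1")"; [ -f "$1" ] || openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# CSR for key $2 with CN=$3, signed by CA directory $1 using profile $4, written to $5.
sign() {
    openssl req -new -key "$2" -subj "/CN=$3" -config "$ROOT_CNF" |
    openssl x509 -req -days 730 -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" \
        -CAcreateserial -extfile "$ROOT_CNF" -extensions "$4" -out "$5" 2>/dev/null
}
make_root() {
    write_cnf "$WORK/root"; new_key "$WORK/root/ca.key"
    openssl req -x509 -new -key "$WORK/root/ca.key" -out "$WORK/root/ca.crt" -days 3650 \
        -subj "/CN=Example Root CA" -config "$ROOT_CNF" -extensions v3_root
}
make_int() {   # $1 = intA | intB; pathlen:0 means it can only issue leaf certs
    write_cnf "$WORK/$1"; new_key "$WORK/$1/ca.key"
    sign root "$WORK/$1/ca.key" "Example $1" v3_int "$WORK/$1/ca.crt"
}
issue_leaf() { # $1 = issuer, $2 = node name, $3 = v3_client | v3_ipsec; one key, two certs
    new_key "$WORK/leaf/$2.key"; sign "$1" "$WORK/leaf/$2.key" "$2" "$3" "$WORK/$1/$2.crt"
}
# Fresh CRLs from the root and both intermediates, concatenated for the verifier.
build_crl_bundle() {
    for ca in root intA intB; do
        openssl ca -config "$WORK/$ca/ca.cnf" -gencrl -out "$WORK/$ca/ca.crl" 2>/dev/null
    done
    cat "$WORK/root/ca.crl" "$WORK/intA/ca.crl" "$WORK/intB/ca.crl" > "$WORK/bundle.crl"
}
# What the RADIUS/IKE side of the AAA box must do: chain to the root and check
# revocation at every level, not just the leaf. Returns 0 if the cert is usable.
chain_ok() {   # $1 = issuer, $2 = node name
    openssl verify -crl_check_all -CAfile "$WORK/root/ca.crt" -CRLfile "$WORK/bundle.crl" \
        -untrusted "$WORK/$1/ca.crt" "$WORK/$1/$2.crt" >/dev/null 2>&1
}
# Breach response: the root revokes the compromised intermediate and reissues its CRL.
revoke_int() { openssl ca -config "$ROOT_CNF" -revoke "$WORK/$1/ca.crt" 2>/dev/null; build_crl_bundle; }

make_root; make_int intA; make_int intB
for issuer in intA intB; do
    issue_leaf "$issuer" laptop1 v3_client  # wifi endpoint: EAP-TLS client cert
    issue_leaf "$issuer" ap1 v3_ipsec       # access point: IPsec peer cert
    issue_leaf "$issuer" aaa v3_ipsec       # OpenBSD AAA box: IPsec peer cert
done
build_crl_bundle
chain_ok intA laptop1 && echo "before revocation: laptop1 via intA OK"
revoke_int intA
chain_ok intA laptop1 || echo "after revoking intA: laptop1 via intA rejected"
chain_ok intB laptop1 && echo "after revoking intA: laptop1 via intB still OK"
echo "PKI left in $WORK"
```

Run it with `sh pki.sh`; it leaves the whole tree in a fresh temp directory and prints its path. The point to take from it is the `-crl_check_all` in `chain_ok`: plain `-crl_check` only consults the CRL for the leaf, so a revoked intermediate would still pass, which is exactly the failure the two-CA switch-over is meant to survive. Whatever validates EAP-TLS or IKE certificates on the AAA box has to be configured the same way, and it has to be able to fetch a CRL (or OCSP answer) that the air-gapped root actually publishes.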
[–] derram ago
https://snew.notabug.io/r/openbsd/comments/dxeout/you_have_one_day_to_protect_your_wifimandatory/ :
This has been an automated message.