Are all Access Points with WPA3 equally secure?
-
So I have replaced my all in one router/AP for a Netgate pfSense box and gotten a Netgear Business AP to add wifi.
I'm wondering if I can safely put the old all-in-one router in bridge mode and use it only for wifi for a different interface not covered by my main AP?
It does support WPA3. My question is if these cheap boxes have any security concerns I should worry about when used just in AP (bridge) mode, or if as long as it supports the most recent encryption standard, these boxes are all the same? Thanks!
-
@CharlesT the protocol is the same be it wpa, wpa2 or wpa3.. The problem with any transition from old to new protocol is you can't really just use wpa3 unless all your clients support it.. You prob have to run it in some transition mode where it supports still wpa2/3, which kind of really defeats the advantages in the new protocol if you ask me.
But if brand X supports wpa3 and brand Y also supports wpa3 - I would think there should be any real concerns over X does wpa3 better or more secure than brand Y.
For me I would run eap-tls for all of my wifi - problem is iot devices do not support this, nor do many iot devices support wpa3 as of yet.. So while sure you could run wpa3 for some of your networks.. You're prob going to have to provide a wpa2 network for these devices that don't yet support wpa3.. And/or some of them don't even work if you try and use a wpa2/wpa3 transition sort of setup..
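Whether an AP is running WPA3-only or the WPA2/WPA3 transition mode mentioned above is visible in the RSN element of its beacons (AKM suite list plus the management frame protection bits). The following is an added example, not part of the thread: a small parser and classifier for that element, with function names and the two sample elements constructed for illustration.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
AKM = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID and length bytes stripped)."""
    off = 0
    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN element")
        off += n
        return body[off - n:off]
    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    take(4)                                       # group cipher suite
    take(4 * struct.unpack("<H", take(2))[0])     # pairwise cipher suites
    akms = []
    for _ in range(struct.unpack("<H", take(2))[0]):
        suite = take(4)
        known = suite[:3] == IEEE_OUI and suite[3] in AKM
        akms.append(AKM[suite[3]] if known else "other-" + suite.hex())
    # RSN capabilities are optional; bit 6 = MFP required, bit 7 = MFP capable
    caps = struct.unpack("<H", take(2))[0] if off < len(body) else 0
    return {"akms": akms, "mfp_required": bool(caps & 0x40),
            "mfp_capable": bool(caps & 0x80)}

def classify(rsn: dict) -> str:
    """WPA3-only needs SAE with MFP required; PSK next to SAE means transition."""
    akms = set(rsn["akms"])
    sae, psk = akms & {"SAE", "FT-SAE"}, akms & {"PSK", "PSK-SHA256"}
    if sae and psk:
        return "WPA2/WPA3 transition"
    if sae:
        return "WPA3-only" if rsn["mfp_required"] else "SAE without required MFP"
    return "WPA2-PSK" if psk else "other"

# Constructed sample elements (CCMP ciphers), not captured from any real AP.
SAMPLE_WPA3_ONLY = bytes.fromhex("0100000fac040100000fac040100000fac08c000")
SAMPLE_TRANSITION = bytes.fromhex("0100000fac040100000fac040200000fac02000fac088000")

if __name__ == "__main__":
    for name, raw in [("wpa3-only", SAMPLE_WPA3_ONLY), ("transition", SAMPLE_TRANSITION)]:
        print(name, "->", classify(parse_rsn(raw)))
```
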
-
@johnpoz Thanks !
-
You also want it configured so devices also know BSSID. In Windows 10 the software only looks at the SSID. I did tests with changing different AP units, same name, same password, and Windows 10 didn't know it was a different AP. The new M1 Macintosh knew it had a different BSSID and wouldn't connect until I deleted the old profile.
-
@JonathanLee little reason to bring that up - talking the difference between a bssid and ssid and essid is getting deep into the weeds for what amounts to a very basic question.
-
That said no not all AP units are equal. OpenWRT is the elite WiFi AP software, it’s also open source just like pfSense. I learned that from @johnpoz
-
@JonathanLee openwrt is fine if you have some shit soho router and want to actually have it work stable and provide all the features the hardware can support ;)
And yes, depending on the software you're running, if you run native or 3rd party it can expose different features. Or different makers of actual AP like unifi or omada or aruba or ruckus or cisco or cisco meraki, etc.
But when it comes to actual wpa3, which is a standard, there shouldn't be any differences - because if it's not standard you would have issues with different clients using it.
Different makers might do some stupid shit like trying to get 40 MHz VHT on 2.4, this is not a standard. You might have different makers exposing DFS channels to be used, etc. Or some might support PPSK.
But at the base layer wpa3 is wpa3 - and there sure shouldn't be any sort of security difference be it wpa3 is on make X or Y AP - now possibly the device has other security issues related to the OS it's running - wpa3 should be wpa3 be it on X or Y.
-
I would argue the bigger advantage of OpenWRT over OEM firmware is that it's updated regularly as long as your device is supported. It's almost certainly more secure than some old device that is no longer updated by the manufacturer. Also many 'actual APs' run openwrt anyway, often an ancient version. Personally I run OpenWRT on all my APs here. But mostly because it's fun and I'm cheap!
Hostname: AP300-3
Model: WatchGuard AP300
Architecture: Qualcomm Atheros QCA9558 ver 1 rev 0
Target Platform: ath79/generic
Firmware Version: OpenWrt SNAPSHOT r26792-646ebbd32c / LuCI Master 24.158.03388~a6f8361
Kernel Version: 6.6.35
-
If this is a question / you have a doubt:
Are all Access Points with WPA3 equally secure?
Connect to the wifi first.
Then fire up your favorite VPN, thus rendering the question to oblivion. You'll be using an encryption into an encryption. Even better, when you are visiting an https site (any TLS destination), you'll have just added another encryption layer!