Netgate Discussion Forum

    Method to encrypt traffic over WiFi…Suggestions???

    16 Posts 8 Posters 10.0k Views
      danbutter

      Ok, good to know, thanks.

      I am using WPA2-personal which I guess by default means AES encryption.
      I do have a 63 character passphrase.
      I generated that from here:
      http://www.kurtm.net/wpa-pskgen/

      Would there be any added security benefit to me using a radius server on top of what I already have?
      I would like to get the best security that I can for the wireless.

      I could try running it on the pfsense box or another server on my LAN.

        yoda715

        WPA-Enterprise is about the most secure wireless available right now. So yes there would be an added benefit to using it.

          danbutter

          Ok, well, I will look around for a how-to on getting RADIUS going on pfSense.

          Does anyone have a link handy for this type of thing?

          thanks

            lsf

            WPA PSK with AES, when used with a key longer than 21 chars, would take you more than 150.000.000.000.000 years to crack if your average speed for bruteforcing keys is 60 keys a second. So I would not worry too much. WPA is broken the following way. You need to grab the 4 frames containing the initial handshake, then bruteforce it against a dictionary. In order to have a safe transmission, all you need to care about is not using something fitting a dictionary attack, and I dare say you should be pretty safe. Use hide SSID and possibly add a MAC filter just to make it harder. With enough time everything can be broken. But WPA with a non-dictionary key of more than 21 chars should be more than enough to keep you safe.

            -lsf

              jeroen234
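            An added example (not from this thread or from pfSense) of the two things lsf's post turns on: a passphrase must be non-dictionary and long, and each guess against a captured handshake costs a full PSK derivation. The block generates a 63-character passphrase from a CSPRNG, estimates its entropy, and derives the WPA2 PMK exactly as 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt). The brute-force rate and the 8-to-63 length check follow the standard; the character set is an assumption made here.

```python
import hashlib
import math
import secrets
import string

# Assumed alphabet for generated keys: 94 printable ASCII characters, space
# excluded because it is easy to lose when copying. WPA/WPA2 passphrases are
# 8 to 63 ASCII characters long.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length: int = 63) -> str:
    """Random WPA2 passphrase from the OS CSPRNG (secrets, never random)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be between 8 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a keyspace at a given rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK derivation from IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds,
    SSID as salt, 256-bit output. Every offline guess pays these 4096 rounds,
    so the defence is passphrase entropy, not the hash alone."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    print(key, f"~{passphrase_entropy_bits(len(key)):.0f} bits of entropy")
    # A dictionary-like 8-letter lowercase key versus a random 63-char one, at
    # lsf's 60 guesses per second:
    for label, bits in (("8 lowercase letters", passphrase_entropy_bits(8, 26)),
                        ("63 random chars", passphrase_entropy_bits(63))):
        print(f"{label}: {years_to_exhaust(bits, 60):.3g} years")
```

Note that the PMK changes with the SSID, so the same passphrase on two networks yields two different keys.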

              wpa-psk is one key for all users
              wpa-e    is a different key for every user

              so by wpa-psk you can scan all packets and get the key
              by wpa-e you have to scan a single user to get his key

                JeGr LAYER 8 Moderator

                Just a quick sidenote:

                Use hide SSID

                Please don't. It does not help you gain a security advantage in any kind of way. With a bit more work than "fire up Windows and scan WLANs around you" you'll see the AP anyway, and by overhearing packets you'll get the name sooner or later anyway. This just helps to worsen the situation in spots where many APs sit near each other. The "normal" user doesn't get to see your AP and fires up his own - just with the same settings (frequency/channel/speed) as your own. Benefit? Nope.
                Instead I talked with a few WLAN users and told them to use an SSID with sense. Mail address or location, e.g. So if you have problems with a spot near you - you know where to go and talk. May not help? Perhaps, but without it it won't either. Had good results near our company headquarters and in my hometown where users get in touch with each other and could coordinate their WLAN settings. Just a thought.

                Other than that I have to fully agree with lsf ;) And with Dan using a 63-char passphrase I think PSK with AES is quite secure :)

                Greets Grey

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  hoba

                  I have seen some access points that support a rogue AP detection. They scan for already used channels in range and switch to the farthest channel that is not conflicting with the detected access point(s). Maybe this is something we could add as a feature. Where you can set channel "auto" and check "rogue AP detection". Then a cronjob could scan for other APs and hop to another channel to avoid conflicts.

                    JeGr LAYER 8 Moderator
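                  An added example (not pfSense code and not from this thread) of the scan-and-hop logic hoba describes: given (channel, RSSI in dBm) pairs that a scan has already produced, score every 2.4 GHz channel by how much it overlaps with its neighbours, weighted by their signal strength, and hop only when the gain is worth it so the AP does not flap between channels. The overlap model (a 20 MHz channel spans five channel numbers), the RSSI weighting and the hysteresis margin are assumptions made here; a beacon scan only sees 802.11 traffic, so non-WiFi interference is invisible to it.

```python
from typing import Dict, List, Optional, Tuple

CHANNELS_2G = range(1, 12)        # US 2.4 GHz channels 1-11 (assumed regulatory domain)
NON_OVERLAPPING = (1, 6, 11)      # preferred when scores tie
CHANNEL_SPAN = 5                  # a 20 MHz channel overlaps neighbours closer than 5

Scan = List[Tuple[int, int]]      # (channel, rssi_dbm) pairs from a site scan


def overlap_weight(candidate: int, busy: int) -> int:
    """0 when the channels do not overlap, rising to 5 when they are identical."""
    return max(0, CHANNEL_SPAN - abs(candidate - busy))


def signal_weight(rssi_dbm: int) -> int:
    """Stronger neighbours count more: -40 dBm -> 60, -90 dBm -> 10, below -100 -> 0."""
    return max(0, rssi_dbm + 100)


def channel_scores(seen: Scan) -> Dict[int, int]:
    """Interference score per candidate channel; lower is quieter."""
    return {c: sum(overlap_weight(c, ch) * signal_weight(rssi) for ch, rssi in seen)
            for c in CHANNELS_2G}


def pick_channel(seen: Scan) -> int:
    """Quietest channel; ties go to 1/6/11 first, then the lowest number."""
    scores = channel_scores(seen)
    best = min(scores.values())
    tied = [c for c, s in scores.items() if s == best]
    return min(tied, key=lambda c: (c not in NON_OVERLAPPING, c))


def should_hop(current: int, seen: Scan, margin: int = 50) -> Optional[int]:
    """Channel to move to, or None when the improvement is under the margin.
    The margin is the hysteresis that keeps a periodic scan from hopping on
    every small change in a neighbour's signal."""
    scores = channel_scores(seen)
    target = pick_channel(seen)
    return target if scores[current] - scores[target] > margin else None


if __name__ == "__main__":
    # Constructed scan result: a strong AP on 1 and a faint one on 6.
    scan = [(1, -40), (6, -85)]
    print("best channel:", pick_channel(scan))
    print("hop from 1?", should_hop(1, scan), "hop from 11?", should_hop(11, scan))
```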

                    You're my man ;) That would indeed be a nice addition to the feature set (which is simply gorgeous atm) :)


                      lsf

                      Hide SSID just makes it a bit harder to find your AP, that is all. As for the negative effects, sure, if you do not know what you are doing then it could potentially make users use the same channels etc. But a serious user should always do a site survey with a spectrum type analyzer. In the 2.4 GHz band you will find lots of interference that is not 802.11 traffic, so you will have to use a spectrum analyzer anyway. You will find stuff like DECT phones, wireless audio/video transfer, wireless alarm systems, and a bunch of other things. So relying on an AP scan to find a "noise free" channel does not work in real life. At least not in the 2.4 GHz band. DFS + TPC will however give a nice result in most cases.

                      -lsf

                        danbutter

                        @jeroen234:

                        wpa-psk is one key for all users
                        wpa-e    is a different key for every user

                        so by wpa-psk you can scan all packets and get the key
                        by wpa-e you have to scan a single user to get his key

                        I am the only user anyway…this is just in my apartment.
                        There are about 5 other APs that I can see from my apartment.
                        All are weak signals.
                        None using anything greater than WEP for security.

                        I learned a lot in this thread.
                        Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

                        I'm happy with what I have now.

                          yoda715

                          @danbutter:

                          @jeroen234:

                          wpa-psk is one key for all users
                          wpa-e    is a different key for every user

                          so by wpa-psk you can scan all packets and get the key
                          by wpa-e you have to scan a single user to get his key

                          I am the only user anyway…this is just in my apartment.
                          There are about 5 other APs that I can see from my apartment.
                          All are weak signals.
                          None using anything greater than WEP for security.

                          I learned a lot in this thread.
                          Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

                          I'm happy with what I have now.

                          In your situation, WPA-psk will be fine for you. I would recommend that you change your wireless key every 6-12 months. I would also recommend reducing the transmit power to the lowest acceptable power that you receive good reception at.

                            techie_g33k

                            I am personally using WPA-Personal (TKIP) with a 63 (random) key. I am also doing a MAC filter so even an Ethernet device can't pass traffic or get DHCP on the network w/o being in the list (can't wait till I can MAC filter ONLY the firewall, as this is very extreme for most) and am going to be setting up an OpenVPN tunnel from end-client to AP to increase the encryption of the data "flowing over the airwaves".
                            Now this is very extreme and does create a fair bit of overhead, so you get even less max throughput because of the WPA and then the VPN tunnel, but if you're trying to protect your information as much as you can then I believe this is about as secure as you can get 802.11x for now.

                            Oddly I use this all for my house (currently just a desktop and laptop), but I do consulting from my house and prefer to protect my clients information as much as I can (while it's within my network).

                            Deja Vu
                            Logan Rogers-Follis

                              goofyfoot

                              I'm no uber-geek, but, a few thoughts.

                              • if WPA-Personal sends your MAC first unencrypted to the AP, then a sniffer can get your MAC from that, couldn't it?

                              • MAC filtering is great unless someone captures your MAC and spoofs it, right?

                              • if you go to ONLY MAC filtering then you would actually be going backwards security-wise, since an attacker could either knock your connection and try to take it over themselves or just wait till you're gone or shut down and connect as you, right?

                              just a thought

                                techie_g33k

                                By all means MAC filtering is VERY weak, but I have it in my list as just another step to crack. If you want in badly enough and have the time, anyone and everyone can get into any wireless network, but why not make it that much more fun for a wireless hacker, IMO.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.