Would anybody be willing to give me some conceptual networking information?
-
With relatively few users, using certificates becomes logistically possible.
It's a while since I really looked into this, but from my recollection the potential encryption strength of enterprise vs SOHO was equal. However, I would say that by default the encryption level of straight WPA2 is probably less than choosing enterprise. That is to say, you can configure WPA2 to use an equally high encryption strength, but it may not be by default. Using external authentication pretty much forces you to configure everything, so you're likely to choose the strongest settings.
So in answer to your questions:
1. Perhaps by default but not necessarily
2. You can set the re-keying interval.
3. No rebuttal! ;D
Steve
-
"the encryption level of straight WPA2 is probably less than choosing enterprise."
What???
What RADIUS can bring to the table is protection against brute force attacks against short passwords that the user might choose, because you could lock out the account after, say, 3 bad attempts, which is something you could not do with a PSK, or you would lock everyone out, etc.
Let's not forget that in many enterprise setups the account and password used to auth against the wireless are also their AD creds. So if someone gets the creds to auth to the wireless, then quite possibly they have the creds to auth against the resources on the network.
Whereas when using a PSK, they may be able to get on the network, but they would not have creds to auth against resources on the network.
Using enterprise to auth makes sense, as already brought up, when you have multiple users and need the ability to change the ability of one user to use the wireless without affecting your other users. I would not say that it's more or less secure than PSK out of the box. And depending on the setup there can be added security risks with using it, so depending on the setup you could say that enterprise is less secure than PSK. But without the details of how each would be set up it's hard to say.
One thing is for sure: it makes it more complex, which can make the network less reliable, as there are more things that can fail. So whether you make the network more complex to set up and maintain or not depends on your needs. And sorry, in a home setup it is unlikely that enterprise type auth makes any sense to use.
Now if all you're after is learning, then sure, go for it. But it's going to make accessing and maintaining access to your network more complex than it needs to be, that is for sure. And if anything comes with complexity, it is the possibility of overlooking something, and in the long run having a hole in your security for no reason.
-
Yes, I worded that badly. :-[
What I meant is that the default settings of a SOHO wireless access point could be less secure than those that are selected when you choose to use external authentication, purely because most access points have default settings that allow them to work with the greatest number of devices out there, reducing support calls. By less secure I mean shorter key length, TKIP over AES, a longer re-keying interval, etc.
There are still access points out there that default to no encryption at all. Thankfully they are hard to find these days.
Steve
-
While it might be possible to select WPA2 with TKIP+AES, I have never seen a SOHO wireless router or AP where that would be the default when picking from a drop down for WPA-PSK or WPA2-PSK.
By default WPA2 would be AES; this is a requirement of the standard. To use WPA2 with TKIP would be a compatibility type mode that sure is possible, but would not be the default.
And the key length of your PSK would be something the user would have to pick, while I agree wireless devices should require a minimum length that is secure, and warn the user and have them agree if picking something short, etc.
Where I disagree is that with using RADIUS it's quite common to see an enterprise password policy of only 7 characters, at most 8 in length. Now hopefully they have a lockout feature with, say, 3 bad attempts, etc. And you do have to know what EAP they are using, etc. But since usernames are quite often just the email address of a user, which is public info, and then a short password, it's quite possible for enterprise to be less secure than PSK.
Keep in mind that with using an enterprise auth, it is in theory possible for me to just do a DoS type attack against a company by just sitting in a parking lot and doing random brute force against all of their email names, or just random, looking to lock out all of their accounts ;) Now not only do I lock out their users from wireless, I can also lock them out of their resources on the wired LAN by locking out accounts.
There are pluses and minuses to every security scheme; it makes sense to use enterprise type auth in an enterprise ;) It does not when you're talking about a handful of users in a home or small office.
-
Like I say, it's a while since I last looked into this in any detail and my memory isn't what it used to be. I'm fairly sure that the last access point I configured defaulted to TKIP, so perhaps it was using WPA. In fact the actual last access point I dealt with was a much older model that had forgotten its settings and defaulted to completely open.
Anyway, I think we are in agreement that external authentication offers nothing by way of encryption security that can't be had by simply configuring the access point correctly. :)
Steve
-
Agreed ;) In a home or small business all enterprise is buying you is complexity.
Now if he wants to play with setting it up, more power to him. But if what he is looking to do is have a secure and rock solid setup, no, that is not the direction he should go.
Now isolation of services via network segments/VLANs and ACLs will clearly add complexity to the config. But sure, it's a good idea to only allow specific segments access to only the resources they need on a different segment.
If box A on segment A needs to talk to box B on segment B on ports http and https, then sure, lock that down via an ACL to only allow that traffic on your firewall between your segments! This is always good common security practice. It can get to be a bit much for a home setup, and can add a lot more overhead to your network management.
But I think the OP is jumping ahead in the book ;) If he does not even understand how VLANs talk to each other, maybe you should work that out before trying to work out how to set up an enterprise wireless solution.
-
Congratulations, you won ( :D :D :D).
I am taking the knowledge, experience and wisdom that you have extremely seriously, just as I am extremely grateful that you devote your time to helping me out (thank you, again, very much :P).
As you go to great lengths to tell me I should not be wanting this, for now I will, finally (I am a stubborn person ;D), follow your recommendations. I will not do RADIUS for the time being. You won ;D
So I will be using WPA2-PSK with the maximum key (63 characters, I think I read somewhere). But still, I am wondering how to secure it more. The old wish is still this: I would like to allow my own laptop (and later on the tablet I will be buying for my lovely wife who still stays with me despite all my shortfalls ;D) to access the wired Synology NAS (pictures of our long gone but very very beloved dogs, ebooks, movies), while at the same time minimizing the risk of a hacker accessing that Synology.
There is one option in the pfSense DHCP that says 'deny unknown clients'. Would this be sufficient? Or should I indeed go the route of different VLANs, one for wired and one for wireless, and then 'some' firewall rules that allow specific (fixed; all my LAN devices are fixed, as this makes rsync scripts easier) IPs access from VLAN1 to VLAN2?
Not that I have a clue as to how to set this up. Just to clarify: in addition to donating financially (although not much, I am not rich) to the pfSense project, I have also bought the book 'pfSense: The Definitive Guide', also to sponsor this project. I've read parts of it, and it definitely is a good book. I do realize however that I am some sort of a 'strange breed': the book obviously has been written assuming more background knowledge than I have (I am an economist, not an IT technician), so at some points in the book I have difficulties attaching to the subject. So I feel the book alone is not sufficient for me (still stressing it is a good book).
So would you perhaps be willing to give me some high-level instruction on how to proceed? Again, I don't expect a 'click here and click there' reply, but if you would be willing to tell me: 'set up VLAN x and VLAN y, make firewall rules as follows to allow/deny XYZ, make sure ABC are right in the pfSense configuration', then I would have a clue as to what to study next.
I apologise for being such a noob, and I do assure you: I really can do your taxes, that is my area of expertise ;D ;D ;D
Thank you again for all your help, it is deeply appreciated,
Bye,
-
"So I will be using WPA2-PSK with the maximum key (63 characters, "
Dude, that is just over the top ;) 20 should be enough; if you're paranoid use 25 ;)
Setting up MAC controls in DHCP, or not even running DHCP, also appears in the '6 dumbest ways to secure your wireless' lists. They are not security methods, they are controls. But do you really think someone who just hacked a 63 character PSK is going to have an issue with you not giving him an IP address via DHCP??
If you want to isolate your wired from your wireless, then sure, VLANs or actual physical segments are the way to do it. Does the risk of a possible breach of your secure PSK in a home setup warrant it? Probably not. But hey, if you want to segment your network and put in ACLs between them, sure, have fun.
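As an added illustration (not from any poster in this thread) of the wired/wireless split with ACLs that the OP asks about, and of the earlier "box A to box B on http and https" description, here is what such a rule set looks like in pf.conf syntax, the packet filter underneath pfSense. The VLAN interface names, subnets, host addresses and the Synology port numbers used (DSM web UI 5000/5001, SMB 445, rsync 873) are assumptions for the example; in pfSense these rules would be entered on the wireless interface's tab in the GUI rather than typed into pf.conf.

```pf
# Added illustration, not any poster's config. Interface names, subnets
# and host addresses below are assumed for the example.
wired_if  = "vlan1"            # wired VLAN, holds the Synology NAS
wifi_if   = "vlan2"            # wireless VLAN
wired_net = "192.168.1.0/24"
wifi_net  = "192.168.2.0/24"
nas       = "192.168.1.10"     # fixed address of the NAS (assumed)
laptop    = "192.168.2.20"     # fixed address of the laptop (assumed)
tablet    = "192.168.2.21"     # fixed address of the future tablet (assumed)
# Only the services the laptop/tablet actually need on the NAS:
# DSM web UI (5000/5001), SMB file shares (445), rsync (873)
nas_ports = "{ 445, 873, 5000, 5001 }"

# Default deny for anything arriving from the wireless VLAN; logged so that
# unexpected attempts to reach the wired side show up in the firewall log.
block in log on $wifi_if all

# Wireless clients still need the firewall itself for DHCP and DNS.
pass in quick on $wifi_if inet proto udp from any port 68 to any port 67
pass in quick on $wifi_if proto { tcp, udp } from $wifi_net to ($wifi_if) port 53

# Only the two named devices may reach the NAS, and only on the listed ports.
# pf keeps state by default, so the NAS's replies are allowed automatically.
pass in quick on $wifi_if proto tcp from { $laptop, $tablet } to $nas port $nas_ports

# Everything else from wireless may go out to the internet, but not into the wired VLAN.
pass in quick on $wifi_if from $wifi_net to ! $wired_net

# The wired VLAN keeps its unrestricted access (unchanged behaviour).
pass in quick on $wired_if from $wired_net to any
```

Because the rules use quick and the block comes first, any wireless packet that matches no pass rule is dropped, which is the "deny everything except what is listed" posture the thread recommends.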
-
Separating your wireless and wired traffic is something I would recommend just to make it easier to control your traffic.
If you want to get a paranoia level of security, you could set up a VPN server in pfSense and then configure your wireless interface firewall rules to only allow access to that. Then all your wireless devices would have to connect to the VPN server to get access to anything. The VPN encryption level can be anything you choose. Potentially you could use two factor authentication or something! ;)
Steve
-
I still have to do this all, but I don't have enough time :-\
Thank you for your reply, Steve ;D