How safe is this wireless network?



  • I was just wondering how safe is this wireless network:

    Interface Wireless no encryption at all (No WEP no WPA) SSID is hidden
    DHCP on for Wireless interface, Deny unknown clients in use, Static ARP in use (for clients filtering by MAC)
    PPPOE server on for Wireless interface

    Firewall:

    • Wireless interface - just one rule block all traffic
    • PPPOE VPN - just one rule allow all traffic from PPPOE clients


  • I don't understand why you would even bother having a wireless adapter at all if you want it to be completely blocked by the firewall; I am assuming that that's what the bottom bit really means.  From a hacker's point of view, turning off the SSID and enabling MAC filtering doesn't prevent someone from gaining access from the outside at all.  The only thing that can really stop someone is WPA.  WPA's only weakness is the length of the passphrase you use and the characters you use within the phrase.  The minimum number of characters you can use for WPA is 8, but that could be easily cracked given enough time and the right resources.  What you want for a passphrase is something that is 20+ characters and is a really random garble of letters, numbers and symbols.  fw@$nmfXJn5klX*$y5(CknKL$%(kDMN < That would be a good example of something really hard to crack; when I say really hard I mean essentially impossible unless it's being run through brute force on a supercomputer with rainbow tables and all that.  Good luck.
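An added example, not part of the original thread: the post above ties WPA's strength to the passphrase, so this Python code derives the WPA/WPA2-PSK key as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and computes an upper bound on the search space of a randomly generated passphrase. The function names and the sample SSIDs are assumptions made for illustration.

```python
import hashlib
import math
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK key per IEEE 802.11i:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def keyspace_bits(passphrase: str) -> float:
    """Upper bound (in bits) on the search space, valid only if every
    character was picked uniformly at random from the classes present.
    Human-chosen phrases are far weaker than this figure suggests."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33  # 32 punctuation characters plus space
    if pool == 0:
        return 0.0
    return len(passphrase) * math.log2(pool)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    # Same passphrase, different SSID: the derived key changes, so a
    # precomputed table is only valid for the SSID it was built for.
    for ssid in ("homenet", "homenet2"):
        print(ssid, wpa_psk("correct horse battery", ssid).hex())
    # Minimum-length lowercase phrase vs. the 31-character one quoted above.
    for sample in ("abcdefgh", "fw@$nmfXJn5klX*$y5(CknKL$%(kDMN"):
        print(len(sample), "chars ->", round(keyspace_bits(sample), 1), "bits")
```

Because the SSID is the salt, a network with a unique SSID gets no help from the attacker's precomputed tables, whether or not the SSID is hidden.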



  • If I'm understanding you correctly, you force all clients to authenticate via PPPoE before they can access anything. That's a reasonable means of protecting your wired network from your wireless network, though leaving it open leaves traffic subject to interception by unauthorized parties. Add WPA or WPA2 with AES on top of that and you'll have a better setup. Hiding the SSID doesn't do a whole lot, other than obscuring the network from clueless people.



  • Well, if I try to use WPA or WPA2 I'm having this problem: http://forum.pfsense.org/index.php/topic,13500.0.html

    If I try to use WEP I can connect to the wireless network with the client, but the client can't get an IP using DHCP. I tried to set the IP manually and disable DHCP in pfSense, but nothing is working; the client is connected to the wireless network but I can't even ping the pfSense wireless IP… (because I can use the wireless card as an access point using Windows, the card is OK)

    Because of this I have to find another way to secure the wireless network, so the PPPOE server was one of the solutions. If you have a better solution just tell me :)



  • As far as I know WPA2 isn't the best way to go as many other wireless adapters are not compatible with it.  I read several times that there isn't any difference between WPA and WPA2, at least in terms of cracking.  You want to use WPA - Pre-shared key (PSK), with TKIP only.  If that doesn't work out then I am all out of solutions and I suggest either trying different combinations or telling the devs.  Good luck!



  • I got my wireless AP on a different LAN subnet than my wired LAN subnet. Anyone connecting through the wireless (no security enabled) gets redirected to a portal page, and has to log in or register an account there, through a RADIUS server.  Anyone trying to brute-force the portal page login gets their MAC address banned and will no longer be able to get an IP address from the DHCP server.  It's a little advanced but it is quite secure.  If anyone wants access I charge them a dollar an hour or $10 a day.



  • @Nanafriend:

    As far as I know WPA2 isn't the best way to go as many other wireless adapters are not compatible with it.  I read several times that there isn't any difference between WPA and WPA2, at least in terms of cracking.  You want to use WPA - Pre-shared key (PSK), with TKIP only.

    Don't use TKIP at all anymore, it is crackable (or close to it, Google for recent info on this). WPA with AES is fine, and WPA2 works on almost everything. Some laptops with XP may not work with WPA2 unless the wireless card manufacturer provides software that supports it.

