Netgate Discussion Forum
    Unsecured Access Point behind PfSense - Security Question

Wireless

SamLeb:

      I've got the following setup:

      Modem -> Alix Box (pfsense with Captive Portal) -> Router (Connected: Office PC via ethernet cable / Guests via Wireless) (The Router is in Wireless Bridge Mode)

      The Router has encryption disabled, it is unsecured and "open".

      So anybody can connect, but when you open up the browser, you are redirected to the Captive Portal Login Page where you have to enter a Username/Password combination.

      Some people have voiced their concern because they get a warning when they are connecting to the unsecured access point.

      I can only enable WEP on the router, people would have to enter a password and then again a password/username once they start the browser.

      Is this current setup too unsafe?

SeventhSon:

        Question is, too unsafe for WHAT?

        If the network is unencrypted people can easily:

        • sniff the network and see HTTP/POP3/SMTP (plaintext passwords);
• set up a rogue access point imitating yours.

Lots of cafes/hotels do it this way, and I ALWAYS use a VPN connection on those open APs.

SamLeb:

          My point was not made clear, pardon :)

Basic browsing is not my concern, but what about people logging in to their Gmail/Facebook accounts: are their login details at risk?

The network is protected by the pfSense firewall from the "outside", but traffic between the laptops and the bridge on the "inside" is not encrypted.

Is there a way to offer some kind of protection (besides WEP, which is not considered safe anymore, but maybe better than nothing)?

SeventhSon:

            @SamLeb:

Basic browsing is not my concern, but what about people logging in to their Gmail/Facebook accounts: are their login details at risk?

I think Gmail and FB use session encryption by default by now, but a lot of other sites are vulnerable to things like:
http://en.wikipedia.org/wiki/Firesheep  ;D

or a rogue AP with http://www.thoughtcrime.org/software/sslstrip/

Is there a way to offer some kind of protection (besides WEP, which is not considered safe anymore, but maybe better than nothing)?

WPA2-Enterprise?

But for a coffee shop/hotel setup that is harder to do (unprotected setup Wi-Fi, protected "real" network, or a generated username/password from the till).

In the coffee shop I frequent you just get a big red disclaimer on the login page, stating that it is unencrypted.

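The sniffing and session-hijack risks SeventhSon describes in the two replies above are easiest to reason about by looking at what actually leaves the guest segment in the clear. The script below is an added example, not code from this thread or from pfSense: it takes a handful of constructed flow records (the guest subnet 192.168.50.0/24, the addresses and the port table are assumptions for illustration) and reports which cleartext login protocols guest clients are using, then lists the ports a firewall rule on the captive-portal interface could block outright. Port 80 is reported but deliberately not proposed for blocking, because the captive portal itself relies on intercepting plain HTTP to present its login page.

```python
"""Flag cleartext protocols crossing an open (unencrypted) guest Wi-Fi segment.

Constructed example: the flow records below are made up and stand in for what
a flow export from the captive-portal interface of a pfSense box might show.
The guest subnet and the client/server addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed guest (captive portal) subnet; the office PC lives elsewhere.
GUEST_NET = ip_network("192.168.50.0/24")

# Cleartext protocols whose logins or session cookies a passive sniffer on an
# open AP can read.  port -> (name, what is exposed, safe to block on guest net)
# HTTP is reported but not blockable: the captive portal needs port 80 to
# redirect new clients to its login page.
CLEARTEXT_PORTS = {
    21: ("FTP", "login", True),
    23: ("Telnet", "login", True),
    25: ("SMTP", "login", True),
    80: ("HTTP", "session cookies / form logins", False),
    110: ("POP3", "login", True),
    143: ("IMAP", "login", True),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_guest_client(flow: Flow) -> bool:
    """True if the flow originates from a client on the open guest segment."""
    return ip_address(flow.src) in GUEST_NET


def classify(flow: Flow):
    """Return (name, exposure, blockable) for a cleartext TCP flow from a guest
    client, or None if the flow is not a concern."""
    if flow.proto != "tcp" or not is_guest_client(flow):
        return None
    return CLEARTEXT_PORTS.get(flow.dport)


def audit(flows):
    """Group flagged flows by protocol: which guest clients and how many flows."""
    findings = {}
    for flow in flows:
        hit = classify(flow)
        if hit is None:
            continue
        name, exposure, _ = hit
        entry = findings.setdefault(
            name, {"exposure": exposure, "clients": set(), "count": 0}
        )
        entry["clients"].add(flow.src)
        entry["count"] += 1
    return findings


def suggested_block_ports(findings):
    """Ports worth blocking on the guest interface: every cleartext protocol
    actually observed, except those the captive portal depends on."""
    return sorted(
        port
        for port, (name, _, blockable) in CLEARTEXT_PORTS.items()
        if blockable and name in findings
    )


# Constructed sample flows (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("192.168.50.21", "203.0.113.10", 110),        # POP3 mail check
    Flow("192.168.50.21", "203.0.113.10", 25),         # SMTP send
    Flow("192.168.50.33", "198.51.100.5", 80),         # plain HTTP browsing
    Flow("192.168.50.33", "198.51.100.5", 443),        # HTTPS: fine
    Flow("192.168.50.40", "198.51.100.7", 143),        # IMAP
    Flow("192.168.50.40", "198.51.100.8", 53, "udp"),  # DNS: not in scope here
    Flow("10.0.0.5", "198.51.100.5", 80),              # office PC, not guest
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for name, entry in sorted(result.items()):
        print(f"{name}: {entry['count']} flow(s) from {sorted(entry['clients'])}"
              f" exposing {entry['exposure']}")
    print("block on guest interface:", suggested_block_ports(result))
```

Running it prints one line per cleartext protocol seen from guest clients and the block list [25, 110, 143]; the HTTP finding stays visible so it can go into the disclaimer text on the login page, which is where the thread ends up anyway.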
SamLeb:

              Thanks for the reply

WPA2-Enterprise?

The routers I found which I could use in bridge mode (available in electronics stores) didn't offer anything above WEP.

              So I'll just put a disclaimer on the login page :)

XIII:

Almost all Netgears have a bridge mode (it's hidden); some others do as well.

What you do is:
1. give the router the IP you want it to have
2. disable the DHCP server
3. don't use the WAN port; plug pfSense into one of the LAN ports, and you can use the other 3 ports as you see fit.

                -Chris Stutzman
                Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                Check out the pfSense Wiki
