• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Method to encrypt traffic over WiFi…Suggestions???

Wireless
8
16
9.8k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    jeroen234
    last edited by Jan 26, 2007, 12:14 PM

    wpa-psk is one key for all users
    wpa-e    is a differend key for every user

    so by wpa-psk you can scan all packets and get the key
    by wpa-e you have to scan a singel user to get his key

    1 Reply Last reply Reply Quote 0
    • J
      JeGr LAYER 8 Moderator
      last edited by Jan 26, 2007, 12:44 PM

      Just a quick sidenote:

      Use hide SSID

      Please don't. It does not help you gain a security advantage in any kind of way. With a bit of more work than "fire up windows and scan wlans around you" you'll see the AP anyway and by overhearing packets you'll get the name sooner or later anyways. This just helps to worsen the situations in spots where many APs sit near each other. The "normal" user don't get to see your AP and fires up his own - just with the same settings (frequency/channel/speed) as your own. Benefit? Nope.
      Instead I talked with a few WLAN users and told them to use a SSID with sense. Mail-adress or Location e.g. So if you have problems with a spot near you - you know where to go and talk. May not help? Perhaps, but without it it won't either. Had good results near our company headquarter and in my hometown where users get in touch with each other and could coordinate their wlan settings. Just a thought.

      Other than that I have to fully agree to lsf ;) And with the dan using 63 char passphrase I think PSK with AES is quite secure :)

      Greets Grey

      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by Jan 26, 2007, 2:42 PM

        I have seen some accesspoints that support a rogue ap detection. They scan for already used channels in range and switch to the most far away channel that is not conflicting with the detected Accesspoint(s). Maybe this is something we could add as a feature. Where you can set channel "auto" and check "rogue AP detection". Then  a cronjob could scan for other APs and hop to another channel to avoid conflicts.

        1 Reply Last reply Reply Quote 0
        • J
          JeGr LAYER 8 Moderator
          last edited by Jan 26, 2007, 3:07 PM

          You're my man ;) That would indeed be a nice addition to the feature set (which is simply gorgeous atm) :)

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          1 Reply Last reply Reply Quote 0
          • L
            lsf
            last edited by Jan 26, 2007, 7:19 PM

            Hide SSID just makes it a bit harder to find your AP, that is all, as for the negative effects sure, if you do not know what you are doing then it could potentially make users use the same channels etc. But a serious user should allways do a site survey with a spectrum type analyzer. In the 2.4 ghz band you will find lots of interference that is not 802.11 traffic, so you will have to use a spectrum analyzer anyways. You will find stuff like dect phones, wireless audio/video transfer, wireless alarm systems, and a bunch of other things. So relying on a AP scan to find a "noise free" channel does not work in real life. Atleast not in the 2.4Ghz band. DFS +TPC will however give a nice result in most cases.

            -lsf

            1 Reply Last reply Reply Quote 0
            • D
              danbutter
              last edited by Jan 26, 2007, 7:35 PM

              @jeroen234:

              wpa-psk is one key for all users
              wpa-e    is a differend key for every user

              so by wpa-psk you can scan all packets and get the key
              by wpa-e you have to scan a singel user to get his key

              I am the only user anyway…this is just in my apartment.
              There are about 5 other AP's that I can see from my apartment. 
              All are weak signals.
              None using anything greater than wep for security.

              I learned a lot in this thread.
              Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

              I'm happy with what I have now.

              1 Reply Last reply Reply Quote 0
              • Y
                yoda715
                last edited by Jan 27, 2007, 8:14 AM

                @danbutter:

                @jeroen234:

                wpa-psk is one key for all users
                wpa-e    is a differend key for every user

                so by wpa-psk you can scan all packets and get the key
                by wpa-e you have to scan a singel user to get his key

                I am the only user anyway…this is just in my apartment.
                There are about 5 other AP's that I can see from my apartment. 
                All are weak signals.
                None using anything greater than wep for security.

                I learned a lot in this thread.
                Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

                I'm happy with what I have now.

                In your situation, WPA-psk will be fine for you. I would recommend that you change your wireless key every 6-12 months. I would also recommend reducing the transmit power to the lowest acceptable power that you receive good reception at.

                1 Reply Last reply Reply Quote 0
                • T
                  techie_g33k
                  last edited by Jan 27, 2007, 7:04 PM

                  I am personally using a WPA-Personal (TKIP) with a 63 (random) key.  I am also doing a MAC Filter so even a ethernet device can't pass traffic or get DHCP on the network w/o being in the list (can't wait till I can MAC filter ONLY firewall as this is very extreme for most) and am going to be setting up a OpenVPN tunnel from end-client to AP to increase the encryption of the data "flowing over the airwaves"
                  Now this is very extreme and does create a fair bit of overhead so you get even less max through put because of the WPA and then the VPN tunnel but if you trying to protect your information as much as you can then I believe this is about as secure as you can get 802.11x for now.

                  Oddly I use this all for my house (currently just a desktop and laptop), but I do consulting from my house and prefer to protect my clients information as much as I can (while it's within my network).

                  Deja Vu
                  Logan Rogers-Follis

                  1 Reply Last reply Reply Quote 0
                  • G
                    goofyfoot
                    last edited by Feb 11, 2007, 6:56 AM

                    im no uber-geek, but, a few thoughts.

                    • if WPA-Personal sends your MAC first unencrypted to the AP, then a sniffer can get your MAC from that couldnt it?

                    • MAC filtering is great unless someone captures your MAC and spoofs it right?

                    • if you go to ONLY MAC filtering then you would actually be going backwards securtiy wise since an attacker could ether knock your connection and try to take it over themselves or just wait till your gone or shutdown and connect as you right?

                    just a thought

                    1 Reply Last reply Reply Quote 0
                    • T
                      techie_g33k
                      last edited by Feb 14, 2007, 4:44 AM

                      By all means MAC filtering is VERY weak, but I have in my list as just another step to crack.  If you want in badly enough and have the time anyone and everyone can get into any wireless network, but why not make it that much more fun for a wireless hacker IMO.

                      Deja Vu
                      Logan Rogers-Follis

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.