How to improve Wireless Security?

carpediem

Dear All,

I have a simple environment at home, on which I would like to improve the (wireless) security.

My environment looks like this:
I have a virtualized pfSense appliance (running on VMware ESXi5.5), which has knowledge of two VLANs:

• VLAN1 - WAN
• VLAN2 - LAN

The pfSense appliance has the following functions in my network:

• Squid proxy server
• DHCP/DNS server
• OpenVPN server
• Firewall

Next, I have a Cisco smart switch which does my VLAN mgmt towards ESXi and the rest of my network.
There is an Engenius ECB350 Access Point connected to the smart switch, tagged on VLAN2.

So, when a client connects to my wireless network, the client gets authenticated on the ECB350 and afterwards receives an IP address from pfSense.

I live in a very high-populated area and I would like to make sure there is no possible way of breaching my wireless network.
I currently make use of WPA2-PSK. For a long while, I had the feeling that this was "secure enough". Currently, after reading up on some security blogs, I became more security aware.
It appears that even WPA2-PSK has lost some of its glory. Therefore, I would like to take my wireless security up a notch.

I have not much experience with wireless security.
Ive been reading up on WPA2-Enterprise, but the complexity of it scares me a little bit (maybe due to my lack of knowledge).
I've had a quick look at FreeRadius (to get WPA2-Enterprise working with my AP), but it's not very self-explanatory.
My first question is, will WPA2-Enterprise introduce more security on my wireless network?

What are my other options?
I've been thinking about the pfSense captive portal.
What if I were to isolate my AP's traffic in a different VLAN, push that traffic to a new interface on pfSense and run the captive portal on that interface.
Does that introduce a Security Benefit? Is it smart to both enable WPA2-PSK and the captive portal?

One more question, is there a way to "detect" new clients on my network? Or "unauthorized" clients?
Ive been using ARPwatch for a while now, I like the fact that I can see when a new client connects to my network.
However, when mac spoofing, there is no way to detect wether a client is ligitimate or not.
Are there any solutions for that aswell? Is it possible to fingerprint my clients?
There must be a way to detect wether a client is legitimate or not…

Because I run my stuff virtual, I can deploy whatever needed to get to a solution...
Any input is welcome!
Thanks for reading.

Kind Regards!

johnpoz

Using wpa2 enterprise with the freeradius package in pfsense is pretty simple.. Is there no guide?  Pretty sure there was - have to look and create one if needed.

What I would do first thing is isolate your wireless to its own vlan.  What cisco smart switch do you have?  So how many interfaces does esxi host have - seems like 1 if your running vlan on your wan?  I currently have 2 wireless vlans running 1 is normal vlan that is not on the lan network, but this is for my own stuff and does have a couple of pinholes in the firewall to print, and a file share, etc.  Then there is a guest vlan that has NO access at all, doesn't even use pfsense for dns.  Only thing pfsense does is hand it an IP and some public dns.

I see no point to the captive portal unless you were going to run an OPEN wifi and wanted to control access with say vouchers or something.  Or just have guest ack that they your monitoring them, or don't do this etc.. Running a wifi with psk or enterprise login and then captive portal on top of that just going to make it hard to access the network without really any added security.  Who is exactly going to have gotten you wifi creds and then gotten stop by your captive portal?

If you wanted to go all tin foil hat on your wifi access, then you could setup eap-tls where you clients have to have a cert signed by your ca to access it.  But this is pain in the ass for new clients to join like your friends and family come over.  And you could always setup WIDS with like kismet and sending this traffic to snort, etc.

Yeah I thought there was a guide.. Doesn't this give you want you need to get going with freeradius and wpa2 enterprise vs psk.
https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS

Guest

A recent pfSense Gold hangout covered this as well…

johnpoz

So I just set this up to see how much of a hassle it was, went full blown eap-tls only because if your going to let something on your wifi might as well be freaking sure it's a device you want to let on so why just use peap with username and password ;)  And not someone that got your psk somewhere or shared it out via windows 10 ;)

There is problem you most likely can not fully get rid of psk because of consumer type devices.  So for example my nest thermostat, my harmony smart hub remote.  Chromecast, but I put this on a wire when they came out with the $15 ethernet.. The chromecast doesn't move so wire it! ;)

I wish I could do that with my thermostat and hub they don't move either..

Anyhoo - these sorts of devices are not going to suppport 802.1x or wpa/wpa2 enteprise so your going to have to leave up a psk network.

And iphone and ipad kind of suck getting certs installed.. There has to be a password on the .p12 to install your ca and cert and key for the device that you can download..  A feature improvement to the cert manager might be more control over what certs you put into a .p12 file so you could put in say the ca and server file and your clients crt and key for easy eap-tls stuff..  So to get on my apple ios had to use openssl pkcs12 -export to get a password on it.  While there is a nice handy download button for the ca and cert and key you can not put a password on it and might be nice if also contained the server cert all in 1 p12.. You can do it with openssl but might be nice if just handy click download in the ca manager.

My son's android nexus they force you to have a pin setup to install certs..  And was odd figuring out how to set it to tls vs default of peap since screen doesn't by default show you all options you have to hit advance checkbox, etc.

But got all my devices on eap-tls, 4 laptops, 3 phones, ipad and my desktop for when need to play with wireless for something with it.. But its a desktop so its wired gig wifi is only play/test tool on it.  I then created a new psk nework just for my nest and hub and any future things that might be connected that don't support eap-tls.  And then broke out another network and ssid just for guests.  So there are 3 different segments for wireless with their own firewall..  I let the eap-tls one in to some services on my lan, ntp, file share, printer.  But the psk is limited really only to dns from pfsense and ping the gateway, and then the guest can not even use my local dns they get handed isp dns.

I tested revoking a cert which works nice..  And it is kind of nice getting the wireless logins in the system logs which you could actually use to track users moving about the house depending on which AP they hit ;)
Sep 12 10:15:29 radiusd[57374]: Login OK: [s-android] (from client uap-ac-lr port 0 cli 40-B0-FA-71-AE-5B) s-android
Sep 12 10:11:37 radiusd[57374]: Login OK: [s-android] (from client uapac port 0 cli 40-B0-FA-71-AE-5B) s-android

So for example there was my son's phone logging into my AP in the hall uapac to the one out by the patio and in the kitchen area one of the new LR models uap-ac-lr

So while it was a bit of pain to setup, it didn't really take all that long.  Maybe I will put together a walk thru..  But to be honest anyone wanting to go this route shouldn't really need a walk thru, this sort of setup sure and the hell is not for billybob that just found pfsense and thought it might be fun and doesn't even understand what a vlan is.