Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 22 Apr 2013 15:45:57 -0400
From:      Michael Powell <nightrecon@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID:  <kl441k$6sg$1@ger.gmane.org>
References:  <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com> <kl0qu9$ovo$1@ger.gmane.org> <CAHieY7SSbO+wt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com> <kl3vao$hbt$1@ger.gmane.org> <CAHieY7QNqfvwyB4_ZM-df72qTnY06vi7sk1gcvpSAfcwAifC8A@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Alejandro Imass wrote:

> [...]
> 
>> Really these WEP/WPA2 protocols are not providing the level of protection
>> that is truly necessary in this modern day. You can keep out script
>> kiddies and people who don't have skill, but people who know what they
>> are doing are only slowed down.
>>
> 
> Thanks for the detailed explanation! So, are there ways to run a
> secure WiFi network? It would seem that in my case I have neighbours
> that know what they're doing so should I just forget about WiFi go
> back to UTP?
> 

We use 802.1x auth on our switch (and other hardwares) ports at work and 
this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but 
with Enterprise grade access points (we have Aruba's), EAP, and Radius we 
can extend our network Kerberos out through the wifi realm. Without going 
into details ( way too much/many for the scope here) I basically have an 
almost completely locked network which just won't allow a device on it that 
it doesn't recognize. It is a pain, and not perfect either by any stretch. I 
have more problems with printers as a result than anything else.  I do have 
to keep an open Internet access for visitors to use, but it is separated 
from our main network with no path between the two.  :-) 

This does provide better security when compared to what consumers are 
running at home. It is much more complex and requires expensive equipment. 
And even still, a really high-grade Uber hacker might still find a way in. 
We hire pen-tester companies about once a year, and while they haven't found 
any glaring holes there are some "grey" areas that we wonder if a really 
motivated Uber hacker spent enough time on...

I have entertained on and off the idea of getting a wifi card for my FreeBSD 
gateway/firewall box at home to see if I could come up with something more 
resembling something like we have at work. It probably wouldn't be as 
involved, but I do think (FreeBSD as a very _capable_ and flexible OS) 
something could be designed that would inherently be somewhat more secure 
than what I see in the basic ISP home router. I have Verizon's FIOS here 
with an Actiontec MI424WR-Rev 3 router and I think I could do better. The 
alternate provider here is Comcast which mostly seems to be using Motorola 
Surfboard routers, but the bottom line is I don't have any problem cracking 
any of them.

This email is already getting a trifle long, so suffice to say if you really 
need the best security on a home ISP router the best you can do is turn off 
the radio and use Ethernet and UTP. This returns to the original focus of 
your question in that the firewall would be the point of contention and not 
the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you 
originally is that changing the firewall is a separate issue from the 
cracking of Wifi auth keys. 

-Mike
 





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?kl441k$6sg$1>