From: Alejandro Imass
To: Michael Powell
Cc: FreeBSD Questions
Date: Mon, 22 Apr 2013 16:09:34 -0400
Subject: Re: Home WiFi Router with pfSense or m0n0wall?

On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell wrote:
> Alejandro Imass wrote:
>
>> [...]
>>
>>> Really these WEP/WPA2 protocols are not providing the level of protection
>>> that is truly necessary in this modern day. You can keep out script
>>> kiddies and people who don't have skill, but people who know what they
>>> are doing are only slowed down.
>>>
>>
>> Thanks for the detailed explanation! So, are there ways to run a
>> secure WiFi network? It would seem that in my case I have neighbours
>> that know what they're doing so should I just forget about WiFi go
>> back to UTP?
>>
>
> We use 802.1x auth on our switch (and other hardwares) ports at work and
> this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but
> with Enterprise grade access points (we have Aruba's), EAP, and Radius we
[...]
>
> This email is already getting a trifle long, so suffice to say if you really
> need the best security on a home ISP router the best you can do is turn off
> the radio and use Ethernet and UTP. This returns to the original focus of
> your question in that the firewall would be the point of contention and not
> the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you
> originally is that changing the firewall is a separate issue from the
> cracking of Wifi auth keys.
>

I absolutely got that, but I was assuming that a pre-packaged WiFi
router with pfSense or m0n0wall would have more secure wireless
hardware and software as well.
Now I see the problem is more complex and that the wireless part is
vulnerable regardless. So if by cracking the wireless part they can
spoof the MAC addresses of authorized equipment, what other methods
could a BSD-based firewall use to prevent the cracker from penetrating
or using the network beyond the WiFi layer? From your response it
seems very little or nothing really...

Thanks again for your detailed answers!

--
Alejandro Imass