On 26/6/12 8:46 pm, Paul Cockings wrote:
> 1. (broad question... beat me up if like..)  Are microwave links
> "hackable" and therefore I should consider some type of encryption on
> that link

You should probably let the list have a bit more detail about the type of links you're setting up - specifically which frequency bands and how narrowly 'focused' the signal will be.

As a general rule, yes, such links can be intercepted. Having said that, if you're talking a short-range point-to-point link with a very narrow signal (i.e. sub 6 degrees horizontal and vertical), and on a non-public frequency band (i.e. not 2.4GHz or 5GHz), then the probability of interception is fairly minimal. By contrast, if you're running a long-range link with a fairly diffuse signal, and in a common frequency band like 2.4GHz or 5GHz, then interception is much more likely.

Personally, I'd definitely want to run some sort of encryption over it - whether that's a VPN between your pfSense boxes, or something provided by your microwave transmitters is something you'll want to think about.

As a matter of principle, I would run encryption over any point-to-point link wherever I didn't have complete custody over that link (i.e. the whole route went over my property), even if it was in a fibre under the street. I've heard stories of fibres being 'hacked' by gaining access to a manhole and inserting mirrors to reflect the signal. Given the relatively low CPU power to perform encryption these days and still maintain wire speed, it's just not worth taking the risk of *not* encrypting.

> 2. If I had a 2nd pfSense box in the sub-office, does pfSense have a way
> to encrypt/secure the data travelling over the microwave link.   I'm
> thinking something like a VPN - but not sure how to go about this when
> I'm essentially trying to secure a patch lead.

It's essentially a network-to-network VPN - something like OpenVPN would be ideal here. The underlying LAN interface (or VLAN, if that's how you choose to implement it) effectively has 4 devices: the pfSense at each end, and the transmitter at each end. But see above about using your transmitters instead - some of them have processing units specifically for encryption, which will reduce the load on your pfSense.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
