On Jun 26, 2012, at 3:07 PM, Chris Bagnall <[email protected]> wrote:
> On 26/6/12 8:46 pm, Paul Cockings wrote:
>> 1. (broad question... beat me up if like..) Are microwave links
>> "hackable" and therefore I should consider some type of encryption on
>> that link
>
> You should probably let the list have a bit more detail about the type of
> links you're setting up - specifically which frequency bands and how narrowly
> 'focused' the signal will be.

Why? I it's a satellite link. Likely Ku-band, but could be C-band, or even something else.

> As a general rule, yes, such links can be intercepted. Having said that, if
> you're talking a short-range point-to-point link with a very narrow signal
> (i.e. sub 6 degrees horizontal and vertical), and on a non-public frequency
> band (i.e. not 2.4Ghz or 5Ghz), then the probability of interception is
> fairly minimal.

Pah. Even with spot coverage, one side of the link can be intercepted within a radius of 10s to 100s of miles.

True story: in 1994, the people who put on Lollapalooza hired me to bring "the Internet" to every venue on the tour that year. (Except the two dates in Canada, because we couldn't get an export license for the sat modem.) Being 1994, we got handed something that looked a lot like a T1, on a v.35 connection. (I routed it.)

> By contrast, if you're running a long-range link with a fairly diffuse
> signal, and in a common frequency band like 2.4Ghz or 5Ghz, then interception
> is much more likely.

What is "diffuse"? If you're trying to say that more directional antennae are a security method, well... No, they're not. Longer explanation if you want it, but this is pfSense, not RF hackers, and I'm typing on the phone.

(True story: I was once the CTO of a company that built beam-forming WiFi access points.)

> Personally, I'd definitely want to run some sort of encryption over it -
> whether that's a VPN between your pfSense boxes, or something provided by
> your microwave transmitters is something you'll want to think about.
>
> As a matter of principle, I would run encryption over any point-to-point link
> wherever I didn't have complete custody over that link (i.e. the whole route
> went over my property), even if it was in a fibre under the street. I've
> heard stories of fibres being 'hacked' by gaining access to a manhole and
> inserting mirrors to reflect the signal.

Mirrors? No. Outside of a lab environment, phase distortion would ruin the link. The easiest and most undetectable method for optical hacking is bending. Using a commercially available clip-on coupler, a micro-bend is placed in the cable to allow a small amount of light to radiate through the polymer cladding.

> Given the relatively low CPU power to perform encryption these days and still
> maintain wire speed, it's just not worth taking the risk of *not* encrypting.

"Wire-speed" on fiber-optic links is much higher than you relate here. It's unlikely that any off-the-shelf pfSense box would handle same, even without encryption.

>> 2. If I had a 2nd pfSense box in the sub-office, does pfSense have a way
>> to encrypt/secure the data travelling over the microwave link. I'm
>> thinking something like a VPN - but not sure how to go about this when
>> I'm essentially trying to secure a patch lead.
>
> It's essentially a network-to-network VPN - something like OpenVPN would be
> ideal here.

OpenVPN: not ideal, but workable. Requires making an IP interface out of each end (as does IPSEC). If Paul wants to bridge the connection, neither will help. If he wants to route between the two pfSense boxes, either will work, though IPSec will offer greater throughput, and OpenVPN is typically easier to set up.

Jim

> The underlying LAN interface (or VLAN, if that's how you choose to implement
> it) effectively has 4 devices: the pfSense at each end, and the transmitter
> at each end. But see above about using your transmitters instead - some of
> them have processing units specifically for encryption, which will reduce the
> load on your pfSense.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
