Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-24 Thread Michael Powell
Alejandro Imass wrote:

[snip]
 Most consider the answer to use WPA2, which I do use too. Many think
 it is 'virtually' unbreakable, but this really is not true; it just
 takes longer. I've done WPA2 keys in as little as 2-3 hours before.

 Are you saying that any WPA2 key can be cracked or are you simply
 referring to weak keys?
 
 I would also like to know specifically if it's for weak keys or are all
 WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
 as weak also. Could anyone expand on how weak is WPA2 and WPA2
 Enterprise or is this related to weak PSKs only??
 

I'm just a lowly sysadmin and not any kind of crypto expert.  The problem is 
time and horsepower. While a ridiculously easy key of say 4 characters that 
is not salted may be doable on a PC, once you start to get to 8-9 characters 
or more the time it takes begins to get huge fast. It's a matter of can you 
tie up the resource long enough to wait it out. Throw salting into the mix 
and it gets longer again. 

What I do at home is concatenate 2 ham radio call signs of friends that I 
can remember. Then I sha256 that and select from the end backwards 15 
characters. This won't actually defeat the inherent weakness of using a pre-
shared key, but it will take longer for a simple brute force. You should 
also throw in additional characters from your character set beyond just 
alpha/numerics.

Also, my little tinkertoy i5-3570K overclocked up to 4.5GHz is just that - a 
toy. I can use it to generate a trace file, which I then take to work and 
replay it using a z196 when they occasionally allow me to play for a bit.  I 
also have rainbow tables and dictionary word-lists pregenerated for 
cheating. Another thing people are playing with is stuffing 4 high end video 
cards in a box and using them for computation. This enhances the PC platform 
beyond just using the CPU. There are also people doing this in the cloud. 
And they will rent you compute time for a fee.  :-)

The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA 
is stronger because it is a user account based system which authenticates 
using 802.1x via a Radius server. You can even assign certificates to user 
accounts and if they don't have the cert on the client they are trying to 
connect with, it won't. Throwing Kerberos re-ticketing into the mix adds 
another layer to the onion. I seem to think recalling something about 
Kerberos re-ticketing something like every 900 seconds, or something like 
that. Switches and other network equipment that supports 802.1x can also 
filter out traffic that is not authorized.

Bottom line is Enterprise is better than a simple pre-shared key. But it 
involves radius, dns/dhcp, windows domain controllers, active directory, a 
PKI infrastructure and access points that are designed for use in this 
environment (and they cost more). So while it may be more secure than a 
simple pre-shared key, it is simply not practical for the home user as they 
won't have all the 'other' resources required to utilize it.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-24 Thread Michael Powell
Arthur Chance wrote:

[snip]
 What I was pondering is some form of L2TP tunnel, or some other form of
 IPSEC tunnel to form some kind of VPN like communication between the
 client and the wifi. Just never have begun to find the time to get
 anywhere with the idea. But basically it would resemble a VPN that only
 accepts connection from a tunnel endpoint client and not pass any traffic
 from any other client lacking this VPN-like endpoint. I think such a
 thing is very possible and have read some articles by people who have
 done very similar sounding things. Indeed, this is what SSL-VPN providers
 do via a subscription service so people surfing at open wifi coffee shops
 tunnel through the local open wifi and setup an encrypted VPN tunnel.
 
 A quick note: pfSense (I don't know about m0n0wall) has OpenVPN built in
 to it. Depending on whether all devices which are going to connect
 wirelessly can run the client end of OpenVPN, this might be a quick way
 to get greater security on the WiFi side.
 

This is along the lines of what I was thinking. I am my own CA and can 
generate certs that no one else has the private keys to. The problem with 
buying certs from a provider is the gov't has access to the private keys on 
demand. This was mandated back during the Clinton administration for the
US. I do things like turn password auth off on my SSH and only auth via 
certs. Extending this to other 'connectivities' is a way to make it harder 
for those with no approved cert to get in.  

The pairing of firewall and OpenVPN together sounds interesting. Will 
definitely check it out. Thanks for the pointer!

-Mike




Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-24 Thread Michael Powell
Michael Powell wrote:

 [snip]
 Are you saying that any WPA2 key can be cracked or are you simply
 referring to weak keys?
 
 I would also like to know specifically if it's for weak keys or are all
 WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
 as weak also. Could anyone expand on how weak is WPA2 and WPA2
 Enterprise or is this related to weak PSKs only??
 

Oh, and BTW was going to include this in the last and forgot:

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

-Mike






Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-24 Thread Alejandro Imass
On Wed, Apr 24, 2013 at 4:16 PM, Michael Powell nightre...@hotmail.com wrote:
 Alejandro Imass wrote:

 [snip]
 Most consider the answer to use WPA2, which I do use too. Many think
 it is 'virtually' unbreakable, but this really is not true; it just
 takes longer. I've done WPA2 keys in as little as 2-3 hours before.

 Are you saying that any WPA2 key can be cracked or are you simply
 referring to weak keys?

 I would also like to know specifically if it's for weak keys or are all
 WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
 as weak also. Could anyone expand on how weak is WPA2 and WPA2
 Enterprise or is this related to weak PSKs only??


 I'm just a lowly sysadmin and not any kind of crypto expert.  The problem is
 time and horsepower. While a ridiculously easy key of say 4 characters that
 is not salted may be doable on a PC, once you start to get to 8-9 characters
 or more the time it takes begins to get huge fast. It's a matter of can you
 tie up the resource long enough to wait it out. Throw salting into the mix
 and it gets longer again.

 What I do at home is concatenate 2 ham radio call signs of friends that I
 can remember. Then I sha256 that and select from the end backwards 15


[...]

 The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA
 is stronger because it is a user account based system which authenticates
 using 802.1x via a Radius server. You can even assign certificates to user


OK. So we are talking about weak PSKs, of course with enough computing
power virtually anything is crackable by brute force. What I don't get
is that I thought that mac address filtering at the wireless level
meant that the router would not negotiate with a mac not listed in its
table. I haven't used Kismet but you are saying that with Kismet I can
infer authorized macs that are connecting to a specific access point
so I can spoof one and perform my brute force attack?? Honestly I
don't know much about 802.11 but if that is so it's pretty retarded
and mac address filtering really a joke then.

Thanks again for such detailed responses. I know all this seems all OT
but it's a security issue that I don't think that many people are
aware of so I haven't changed the subject to OT because of this.

Best,

-- 
Alejandro Imass


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-24 Thread RW
On Wed, 24 Apr 2013 16:16:32 -0400
Michael Powell wrote:

 Alejandro Imass wrote:
 
 [snip]
  Most consider the answer to use WPA2, which I do use too. Many
  think it is 'virtually' unbreakable, but this really is not true;
  it just takes longer. I've done WPA2 keys in as little as 2-3
  hours before.
 
  Are you saying that any WPA2 key can be cracked or are you simply
  referring to weak keys?
  
  I would also like to know specifically if it's for weak keys or are all
  WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
  as weak also. Could anyone expand on how weak is WPA2 and WPA2
  Enterprise or is this related to weak PSKs only??
  
 
 I'm just a lowly sysadmin and not any kind of crypto expert.  The
 problem is time and horsepower. While a ridiculously easy key of say
 4 characters that is not salted may be doable on a PC, once you start
 to get to 8-9 characters or more the time it takes begins to get huge
 fast. It's a matter of can you tie up the resource long enough to
 wait it out. 

Right, but if you were to strip-mine the earth's crust and turn all the
silicon into GPU cores you still wouldn't even come close to
brute-forcing AES256 before the sun turns into a red-giant.

If you're saying that WPA is inadequate because weak keys can be
bruteforced then the answer is don't use a weak key. If someone breaks
such a key then that's pilot error, not an inherent weakness in WPA.

Use a key with 100-256 bits of entropy.

 What I do at home is concatenate 2 ham radio call signs of friends
 that I can remember. Then I sha256 that and select from the end
 backwards 15 characters. 

60 bits tops - assuming that there was 60 bits of entropy in the hashed
data. My key is only twice as long, but about
40,000,000,000,000,000,000,000,000,000 times better at resisting a brute
force attack.

  This won't actually defeat the inherent
 weakness of using a pre- shared key, but it will take longer for a
 simple brute force. You should also throw in additional characters
 from your character set beyond just alpha/numerics.

That's good advice for natural language pass phrases where there is
only  about 1 bit of entropy per character. IMO it's easier to type a
high entropy password using only characters that won't need shifting on
any device i.e. random lower-case letters. 
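
[Added example, not part of any poster's message: the entropy arithmetic discussed above, plus a generator for a random lower-case WPA2 passphrase. RW's actual key is not given in the thread; a 30-character key over a 36-symbol alphabet is an assumption that reproduces the quoted ratio, and the call-sign pool size is a hypothetical figure.]

```python
import math
import secrets
import string

# WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63

# Hypothetical number of call signs an attacker would have to consider.
# This is an assumption for illustration, not a figure from the thread.
ASSUMED_POOL = 1_000_000


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each drawn uniformly at random."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 character")
    return length * math.log2(alphabet_size)


def derived_bits(input_bits: float, alphabet_size: int, length: int) -> float:
    """Entropy of a key made by hashing a secret and keeping `length` symbols.

    Hashing cannot add entropy, so the result is capped by whichever is
    smaller: the entropy of the input or the size of the truncated output.
    """
    return min(input_bits, uniform_bits(alphabet_size, length))


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length whose uniform entropy reaches `target_bits`."""
    if alphabet_size < 2:
        raise ValueError("need at least 2 symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def resistance_ratio(bits_a: float, bits_b: float) -> float:
    """How many times larger key space A is than key space B."""
    return 2.0 ** (bits_a - bits_b)


def generate_passphrase(target_bits: float = 128,
                        alphabet: str = string.ascii_lowercase) -> str:
    """Random WPA2 passphrase with at least `target_bits` of entropy."""
    symbols = sorted(set(alphabet))  # duplicates would skew the distribution
    if any(not 32 <= ord(c) <= 126 for c in symbols):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    n = max(length_for_bits(target_bits, len(symbols)), WPA2_MIN_LEN)
    if n > WPA2_MAX_LEN:
        raise ValueError(
            f"{target_bits} bits needs {n} characters; WPA2 allows {WPA2_MAX_LEN}")
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    return "".join(secrets.choice(symbols) for _ in range(n))


def summary() -> dict:
    """Entropy in bits of the key schemes mentioned in the thread."""
    return {
        # 15 hex characters of a SHA-256 digest, if the input were fully random.
        "hashed_ideal": derived_bits(256, 16, 15),
        # Same truncation, input = two independent picks from ASSUMED_POOL.
        "hashed_callsigns": derived_bits(2 * math.log2(ASSUMED_POOL), 16, 15),
        # Assumed shape of a key "twice as long": 30 chars over a-z and 0-9.
        "random_30_base36": uniform_bits(36, 30),
        # Random lower-case letters only, sized for 128 bits.
        "random_28_lower": uniform_bits(26, length_for_bits(128, 26)),
    }


if __name__ == "__main__":
    bits = summary()
    for name, value in bits.items():
        print(f"{name:18s} {value:6.1f} bits")
    ratio = resistance_ratio(bits["random_30_base36"], bits["hashed_ideal"])
    print(f"30 base-36 chars vs 15 hex chars: {ratio:.2e} times larger key space")
    print("example passphrase:", generate_passphrase())
```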






Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-24 Thread Charles Swiger
Hi--

On Apr 24, 2013, at 1:53 PM, Michael Powell nightre...@hotmail.com wrote:
 This is along the lines of what I was thinking. I am my own CA and can 
 generate certs that no one else has the private keys to.

So can someone who does not run their own CA...?

 The problem with buying certs from a provider is the gov't has access
 to the private keys on demand.

Um, how does that work when they don't have your private keys?

People generate a CSR which they send to a public CA like Verisign/Entrust/et al
for signing.  That CSR contains the RSA public key, and a matching signature
created by the private key to authenticate the CSR request, but it does not
contain the private key itself.

Consider:

   openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
   openssl req -in req.pem -text -verify -noout
   ls -l key.pem req.pem

...or even go through the explicit process of seeing the different data 
available:

   openssl rsa -in key.pem -pubout -out pubkey.pem
   openssl rsa -in key.pem -text -noout
   openssl rsa -pubin -in pubkey.pem -text -noout

[ A CSR is about half of the size of the private+public key file; and the
public key by itself is a quarter the size of the private+public key file.
And even possessing key.pem doesn't disclose the private key, since there's
a password needed.  Unless you make an effort to export the key without a
password, that is. ]

Regards,
-- 
-Chuck



Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-23 Thread Arthur Chance

On 04/22/13 21:49, Michael Powell wrote:

Alejandro Imass wrote:


On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell nightre...@hotmail.com
wrote:

Alejandro Imass wrote:


[...]


Really these WEP/WPA2 protocols are not providing the level of
protection that is truly necessary in this modern day. You can keep out
script kiddies and people who don't have skill, but people who know
what they are doing are only slowed down.



Thanks for the detailed explanation! So, are there ways to run a
secure WiFi network? It would seem that in my case I have neighbours
that know what they're doing so should I just forget about WiFi go
back to UTP?



We use 802.1x auth on our switch (and other hardwares) ports at work and
this utilizes a Radius server. At work we are mostly a $MS WinderZ shop,
but with Enterprise grade access points (we have Aruba's), EAP, and
Radius we

[...]


This email is already getting a trifle long, so suffice to say if you
really need the best security on a home ISP router the best you can do is
turn off the radio and use Ethernet and UTP. This returns to the original
focus of your question in that the firewall would be the point of
contention and not the cracking of WEP/WPA2 auth keys. What I was wanting
to point out to you originally is that changing the firewall is a
separate issue from the cracking of Wifi auth keys.



I absolutely got that but I was assuming that a pre-packaged WiFi
router with pfSense or m0n0wall would have a more secure wireless
hardware and software as well. Now I see the problem is more complex
and that the wireless part is vulnerable regardless. So if by cracking
the wireless part they can spoof the mac addresses of authorized
equipment, what other methods could a BSD-based firewall use to
prevent the cracker from penetrating or using the network beyond the
WiFi layer? From your response it seems very little or nothing
really...


Yes - unfortunately this is about the state of things. Not a whole lot
you're going to do to improve the consumer grade home router. There are some
hardware specific firmware projects that I've never played with such as:

http://www.dd-wrt.com/site/index

The pre-packaged home equipment is relatively cheap when compared against
the top of the line enterprise-grade commercial products. Most are some form
of embedded Linux. For example, the MI424WR-Rev3 I have here is busybox (
http://www.busybox.net/ ). If you turn on remote management and telnet into
it you get a busybox prompt! With a busybox shell and all busybox commands.
The firewall many of these embedded Linux things are using is iptables2, the
standard linux firewall package.

What I was pondering is some form of L2TP tunnel, or some other form of
IPSEC tunnel to form some kind of VPN like communication between the client
and the wifi. Just never have begun to find the time to get anywhere with
the idea. But basically it would resemble a VPN that only accepts connection
from a tunnel endpoint client and not pass any traffic from any other client
lacking this VPN-like endpoint. I think such a thing is very possible and
have read some articles by people who have done very similar sounding
things. Indeed, this is what SSL-VPN providers do via a subscription service
so people surfing at open wifi coffee shops tunnel through the local open
wifi and setup an encrypted VPN tunnel.


A quick note: pfSense (I don't know about m0n0wall) has OpenVPN built in 
to it. Depending on whether all devices which are going to connect 
wirelessly can run the client end of OpenVPN, this might be a quick way 
to get greater security on the WiFi side.



Just not enough time in the day. I know it's do-able, just never have found
the time to properly approach it.




--
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-23 Thread Alejandro Imass
On Mon, Apr 22, 2013 at 8:04 PM, RW rwmailli...@googlemail.com wrote:
 On Mon, 22 Apr 2013 14:25:30 -0400
 Michael Powell wrote:


 Most consider the answer to use WPA2, which I do use too. Many think
 it is 'virtually' unbreakable, but this really is not true; it just
 takes longer. I've done WPA2 keys in as little as 2-3 hours before.

 Are you saying that any WPA2 key can be cracked or are you simply
 referring to weak keys?

I would also like to know specifically if it's for weak keys or are all
WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
as weak also. Could anyone expand on how weak is WPA2 and WPA2
Enterprise or is this related to weak PSKs only??

Thanks,

-- 
Alejandro Imass


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread Alejandro Imass
On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell nightre...@hotmail.com wrote:
 Alejandro Imass wrote:

 Hi,

 I'm looking to replace the piece of crap 2wire WiFi router that gets
 cracked every other day for something with pfSense or m0n0wall

 Not sure what you mean by 'cracked' here. If you are meaning that someone is
 using aircrack-ng to break your Wifi authentication key a firewall won't do
 much to stop this.



I use mac address authentication plus wpa2 psk and yet they are still
able to connect so it seems that 2Wire's routers are an insecure piece
of crap and they are full of holes and back-doors. Just google 2wire
vulnerabilities or take a look at this video
http://www.youtube.com/watch?v=yTtQGPdSIfM

Look at how many ISPs world-wide use 2wire. Makes you wonder if ISPs
use these crappy routers on purpose to get some more revenue from cap
overruns.

Cheers,

-- 
Alejandro Imass


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread Michael Powell
Alejandro Imass wrote:

 On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell nightre...@hotmail.com
 wrote:
 Alejandro Imass wrote:

 Hi,

 I'm looking to replace the piece of crap 2wire WiFi router that gets
 cracked every other day for something with pfSense or m0n0wall

 Not sure what you mean by 'cracked' here. If you are meaning that someone
 is using aircrack-ng to break your Wifi authentication key a firewall
 won't do much to stop this.

 
 I use mac address authentication plus wpa2 psk and yet they are still
 able to connect so it seems that 2Wire's routers are an insecure piece
 of crap and they are full of holes and back-doors. Just google 2wire
 vulnerabilities or take a look at this video
 http://www.youtube.com/watch?v=yTtQGPdSIfM

With Kismet able to place a wifi unit into monitor mode you can quickly get 
a list of everything in the vicinity, including all the MAC addresses of 
devices connecting the various access points.  You can then clone your 
unit's MAC address to match one in the list. Even though I do use it, MAC 
access lists are very easy to get around and will only stop those who do not 
know how to do this.

Even in passive mode, without using active attack to speed things up I can 
crack a WEP key in 45 minutes easily. Doing this passively doesn't expose 
you. The time it takes depends on how busy the access point is. An active 
attack can break WEP in 2-3 minutes, or less. I've seen it done between a 
minute and a minute and a half.

Most consider the answer to use WPA2, which I do use too. Many think it is 
'virtually' unbreakable, but this really is not true; it just takes longer. 
I've done WPA2 keys in as little as 2-3 hours before. 

 Look at how many ISPs world-wide use 2wire. Makes you wonder if ISPs
 use these crappy routers on purpose to get some more revenue from cap
 overruns.
 

Really these WEP/WPA2 protocols are not providing the level of protection 
that is truly necessary in this modern day. You can keep out script kiddies 
and people who don't have skill, but people who know what they are doing are 
only slowed down.

The ISPs are seemingly more interested and concerned with protecting Big 
Media Content's DRM schemes. They have a monetary stake as they move in the 
direction of deals with 'Big Media', less so the incentive to do more for 
their retail Internet-access customer. And don't even get me started on the 
advertising industry run-amok.   :-)

-Mike





Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread Alejandro Imass
On Mon, Apr 22, 2013 at 2:25 PM, Michael Powell nightre...@hotmail.com wrote:
 Alejandro Imass wrote:

 On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell nightre...@hotmail.com
 wrote:
 Alejandro Imass wrote:

 Hi,


[...]

 Really these WEP/WPA2 protocols are not providing the level of protection
 that is truly necessary in this modern day. You can keep out script kiddies
 and people who don't have skill, but people who know what they are doing are
 only slowed down.


Thanks for the detailed explanation! So, are there ways to run a
secure WiFi network? It would seem that in my case I have neighbours
that know what they're doing so should I just forget about WiFi go
back to UTP?

Thanks,

-- 
Alejandro Imass


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread Michael Powell
Alejandro Imass wrote:

 [...]
 
 Really these WEP/WPA2 protocols are not providing the level of protection
 that is truly necessary in this modern day. You can keep out script
 kiddies and people who don't have skill, but people who know what they
 are doing are only slowed down.

 
 Thanks for the detailed explanation! So, are there ways to run a
 secure WiFi network? It would seem that in my case I have neighbours
 that know what they're doing so should I just forget about WiFi go
 back to UTP?
 

We use 802.1x auth on our switch (and other hardwares) ports at work and 
this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but 
with Enterprise grade access points (we have Aruba's), EAP, and Radius we 
can extend our network Kerberos out through the wifi realm. Without going 
into details ( way too much/many for the scope here) I basically have an 
almost completely locked network which just won't allow a device on it that 
it doesn't recognize. It is a pain, and not perfect either by any stretch. I 
have more problems with printers as a result than anything else.  I do have 
to keep an open Internet access for visitors to use, but it is separated 
from our main network with no path between the two.  :-) 

This does provide better security when compared to what consumers are 
running at home. It is much more complex and requires expensive equipment. 
And even still, a really high-grade Uber hacker might still find a way in. 
We hire pen-tester companies about once a year, and while they haven't found 
any glaring holes there are some grey areas that we wonder if a really 
motivated Uber hacker spent enough time on...

I have entertained on and off the idea of getting a wifi card for my FreeBSD 
gateway/firewall box at home to see if I could come up with something more 
resembling something like we have at work. It probably wouldn't be as 
involved, but I do think (FreeBSD as a very _capable_ and flexible OS) 
something could be designed that would inherently be somewhat more secure 
than what I see in the basic ISP home router. I have Verizon's FIOS here 
with an Actiontec MI424WR-Rev 3 router and I think I could do better. The 
alternate provider here is Comcast which mostly seems to be using Motorola 
Surfboard routers, but the bottom line is I don't have any problem cracking 
any of them.

This email is already getting a trifle long, so suffice to say if you really 
need the best security on a home ISP router the best you can do is turn off 
the radio and use Ethernet and UTP. This returns to the original focus of 
your question in that the firewall would be the point of contention and not 
the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you 
originally is that changing the firewall is a separate issue from the 
cracking of Wifi auth keys. 

-Mike
 




Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread Alejandro Imass
On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell nightre...@hotmail.com wrote:
 Alejandro Imass wrote:

 [...]

 Really these WEP/WPA2 protocols are not providing the level of protection
 that is truly necessary in this modern day. You can keep out script
 kiddies and people who don't have skill, but people who know what they
 are doing are only slowed down.


 Thanks for the detailed explanation! So, are there ways to run a
 secure WiFi network? It would seem that in my case I have neighbours
 that know what they're doing so should I just forget about WiFi go
 back to UTP?


 We use 802.1x auth on our switch (and other hardwares) ports at work and
 this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but
 with Enterprise grade access points (we have Aruba's), EAP, and Radius we


[...]


 This email is already getting a trifle long, so suffice to say if you really
 need the best security on a home ISP router the best you can do is turn off
 the radio and use Ethernet and UTP. This returns to the original focus of
 your question in that the firewall would be the point of contention and not
 the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you
 originally is that changing the firewall is a separate issue from the
 cracking of Wifi auth keys.



I absolutely got that but I was assuming that a pre-packaged WiFi
router with pfSense or m0n0wall would have a more secure wireless
hardware and software as well. Now I see the problem is more complex
and that the wireless part is vulnerable regardless. So if by cracking
the wireless part they can spoof the mac addresses of authorized
equipment, what other methods could a BSD-based firewall use to
prevent the cracker from penetrating or using the network beyond the
WiFi layer? From your response it seems very little or nothing
really...

Thanks again for your detailed answers!

-- 
Alejandro Imass


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread Michael Powell
Alejandro Imass wrote:

 On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell nightre...@hotmail.com
 wrote:
 Alejandro Imass wrote:

 [...]

 Really these WEP/WPA2 protocols are not providing the level of
 protection that is truly necessary in this modern day. You can keep out
 script kiddies and people who don't have skill, but people who know
 what they are doing are only slowed down.


 Thanks for the detailed explanation! So, are there ways to run a
 secure WiFi network? It would seem that in my case I have neighbours
 that know what they're doing so should I just forget about WiFi go
 back to UTP?


 We use 802.1x auth on our switch (and other hardwares) ports at work and
 this utilizes a Radius server. At work we are mostly a $MS WinderZ shop,
 but with Enterprise grade access points (we have Aruba's), EAP, and
 Radius we
 [...]

 This email is already getting a trifle long, so suffice to say if you
 really need the best security on a home ISP router the best you can do is
 turn off the radio and use Ethernet and UTP. This returns to the original
 focus of your question in that the firewall would be the point of
 contention and not the cracking of WEP/WPA2 auth keys. What I was wanting
 to point out to you originally is that changing the firewall is a
 separate issue from the cracking of Wifi auth keys.

 
 I absolutely got that but I was assuming that a pre-packaged WiFi
 router with pfSense or m0n0wall would have a more secure wireless
 hardware and software as well. Now I see the problem is more complex
 and that the wireless part is vulnerable regardless. So if by cracking
 the wireless part they can spoof the mac addresses of authorized
 equipment, what other methods could a BSD-based firewall use to
 prevent the cracker from penetrating or using the network beyond the
 WiFi layer? From your response it seems very little or nothing
 really...
 
Yes - unfortunately this is about the state of things. Not a whole lot 
you're going to do to improve the consumer grade home router. There are some 
hardware specific firmware projects that I've never played with such as: 

http://www.dd-wrt.com/site/index  

The pre-packaged home equipment is relatively cheap when compared against 
the top of the line enterprise-grade commercial products. Most are some form 
of embedded Linux. For example, the MI424WR-Rev3 I have here is busybox ( 
http://www.busybox.net/ ). If you turn on remote management and telnet into 
it you get a busybox prompt! With a busybox shell and all busybox commands. 
The firewall many of these embedded Linux things are using is iptables2, the 
standard linux firewall package. 

What I was pondering is some form of L2TP tunnel, or some other form of 
IPSEC tunnel to form some kind of VPN like communication between the client 
and the wifi. Just never have begun to find the time to get anywhere with 
the idea. But basically it would resemble a VPN that only accepts connection 
from a tunnel endpoint client and not pass any traffic from any other client 
lacking this VPN-like endpoint. I think such a thing is very possible and 
have read some articles by people who have done very similar sounding 
things. Indeed, this is what SSL-VPN providers do via a subscription service 
so people surfing at open wifi coffee shops tunnel through the local open 
wifi and setup an encrypted VPN tunnel. 

Just not enough time in the day. I know it's do-able, just never have found 
the time to properly approach it.

-Mike





Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-22 Thread RW
On Mon, 22 Apr 2013 14:25:30 -0400
Michael Powell wrote:


 Most consider the answer to use WPA2, which I do use too. Many think
 it is 'virtually' unbreakable, but this really is not true; it just
 takes longer. I've done WPA2 keys in as little as 2-3 hours before. 

Are you saying that any WPA2 key can be cracked or are you simply
referring to weak keys?


Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-21 Thread Eric S Pulley

 Hi,

 I'm looking to replace the piece of crap 2wire WiFi router that gets
 cracked every other day for something with pfSense or m0n0wall

 I would like something that is plug and play and easy to use  in the
 $300 range tops that has the WiFi router integrated. It seems only
 Hacom offers this. Can anyone recommend something different or has
 anyone here tried Hacom WiFi routers?

 Any additional comments or recommendations?

 Thanks,

 --
 Alejandro Imass


Get a HostAP capable miniPCI card and stick it in a netbook. I did that to
an Acer I picked up cheap and added external antenna (not sure how much
that mattered), works great all for under 300USD. I'm running OpenBSD on
mine but should do any of the firewall/routers specific variants just
fine.

-- 
                 |  _   ASCII Ribbon
Eric S Pulley    | ( )  Campaign Against
pul...@dabus.com |  X   HTML Mail
                 | / \  www.asciiribbon.org




Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-21 Thread Michael Powell
Alejandro Imass wrote:

 Hi,
 
 I'm looking to replace the piece of crap 2wire WiFi router that gets
 cracked every other day for something with pfSense or m0n0wall

Not sure what you mean by 'cracked' here. If you are meaning that someone is 
using aircrack-ng to break your Wifi authentication key a firewall won't do 
much to stop this.


-Mike
[snip]




Re: Home WiFi Router with pfSense or m0n0wall?

2013-04-20 Thread James
Hi Alejandro. I can't speak about Hacom, but I've had excellent
results with Soekris hardware. It'll run all sorts of FreeBSD-based
systems. They have kit suitable for both wired and wireless networks.

--
James.