Extreme WLAN security

Are there any ways to further secure a WLAN network in addition to WPA2 and a good passphrase?

Government drones flying around hacking my wifi, hackers on my roof and surveillance vans parked outside, what can I do?

Should I just go all wired?

Giving your router a tinfoil hat is the next step.

2 Likes

Simple and fast, mac-address whitelisting. Won't keep everyone out but it's more of a 'make it difficult' then a 'make it impossible' fight anyway.

1 Like

Continuing the discussion from Extreme WLAN security:

Actually cracking mac filtering is much easier than cracking wep/wpa encryption. If someone had gone through the work of cracking your password they won't have a hard time getting past mac filtering.

İt seems the op isn't serious but here goes nothing :)

For home users you can do

1) Change all the firmware of your modems/routers/switches/etc. to quality open source firmware like openwrt/ddwrt/tomato. The stock firmware of consumer networking devices are utterly useless and full of bugs. They also don't use the full potential of the hardware inside your device.

2)Get a working computer that has dual intel or broadcom nic. Other brands are poop. It could be an old pc or some cheap mini-pc or some embedded atom/celeron stuff. The specs don't matter it just has to work and have two nics. Pci express nic add-on cards are cheap if your mobo only has 1.

3) Install Pfsense on that pc. Put your modem into bridge mode and set up dhcp and routing on pfsense. Install and configure the firewall. If the pc has some cpu power and 4gb+ ram and 20ish gb of free space you can also add traffic monitoring. Snort is a good software for that.

4) Connect everything to the pfsense device via a swicth or router.

Know that nothing is ever secure on the internet. Hard copies are the safest.

Hope it helps.

1 Like

I'm joking, but I'm also actually interested in this subject, and I'm going to implement some of your suggestion.

I know this is the software subforum, but how are Buffalo brand routers? I found some years old high end model lying around, I could install openwrt on it.

When using pfsense it doesn't matter the only thing the modem/router will do is to convert incoming traffic into useable ethernet.

If you won't be using pfsense look up the soc in the device. Should be on openwrt wiki. If its broadcom or qualcomm/atheros you are good to go. If it is ralink/mediatek or lantiq i suggest you get a new one.

There will be a pfsense box, eventually, but not at this point. It does have an atheros, and I found the model specific instructions on the wiki.

RADIUS Authentication.

1 Like

Yeah I use RADIUS with TLS authentication so unless a device has a valid certificate installed it can't connect. You can also use username and password. Some advantages of this are that the handshake and authentication happens over an encrypted tunnel (similar to HTTPS) so an attacker can't capture your authentication data and try to brute force it. Also each user has their own certificate or login credentials which means not everyone is sharing the same PSK and if an account becomes compromised you can disable it without affecting anyone else.

I'm also pretty sure that each connection generates their own random session key (similar to how HTTPS works) so each connection is using a different encryption key which makes it harder for someone on the network to sniff another user's traffic.

Another thing I do is have a separate guest network which is isolated from my private network. This way I don't have to give anyone my passwords and I don't have to worry about them messing around with my network. I have mine as an open network but you could use a PSK or if you had RADIUS set up you could use a one time key system or some sort of captive portal setup so you could keep anyone who isn't actually a guest out.

1 Like

helps but not bullet proof you can sniff out the mac during the hand shake then spoof it

How to get 100% wireless security. Turn off wifi, go wired. There is no way to 100% secure a wireless connection. The best possible security wall is to do a pass-phrase, so long password consisting of many words and symbols, plus use wpa2 protocols. If you have a 30 digit pass with many symbols and numbers in it; it will take longer then a life time to crack it.

Now this is interesting. I'm guessing a raspberry pi would make a good RADIUS server.

  • dont use TKIP use AES
  • be sure to disable WPS - should never be used anyway.
  • implement a RADIUS server as others have suggested.
  • change passphrase occasionally

Yeah you can run freeradius on linux, there's also a package for it in pfsense if you end up running that.

Another advantage of using RADIUS and WPA enterprise is that you can verify the server certificate of the network you're connecting to. The simplest way to get someone's wifi password is to impersonate their access point and record their password when they accidentally connect to it.

1 Like

I thought we were looking for things he could change within his current router...
But hey, if you are open to go all-out, pf sense or openwrt are defenitely the way to go.

Forget wireless, anything except professional grade will be "unsafe".

The best way to secure a WLAN is to not have one

2 Likes