Author Topic: Security considerations  (Read 1528 times)

Offline vwgti

  • Newbie
  • Posts: 2
Security considerations
« on: July 08, 2011, 09:07:52 am »
We have a non-encrypted wireless access point hanging off an interface dedicated for visitors to the office and managed by Captive Portal.

The visitors who need internet access can ask at reception for a username and password, all works well - so far so good.

However, we cannot justify buying a commercial SSL certificate for the CP login page. I'm guessing it would be trivial for someone to sniff the login credentials (and all traffic) since the access point is open.

Short of encrypting wifi at the access point, meaning users would have to log in twice, is there anything else I could do?

Offline Nachtfalke

  • Hero Member
  • Posts: 2752
Re: Security considerations
« Reply #1 on: July 08, 2011, 10:10:50 am »
Instead of usernames and passwords, why not use vouchers which expire after 24 hours?
If you disable concurrent logins there could only be one client which is using this voucher.

Further - isn't it possible to create https certificates with openssl?!

Offline LostInIgnorance

  • Sr. Member
  • Posts: 301
Re: Security considerations
« Reply #2 on: July 08, 2011, 08:02:43 pm »
Maybe this will help. I know it did for me! Although the cert is self-signed, it still works for securing things.
http://forum.pfsense.org/index.php/topic,33021.0.html
Running 2.0 Full i386 on a Soekris 5501-70 with a 80G HD

Offline dmajela

  • Jr. Member
  • Posts: 31
Re: Security considerations
« Reply #3 on: July 12, 2011, 08:41:05 pm »
I'm using 24h vouchers and also a password to enter the wireless network here where I work ... a hospital with multiple hits a day.

No complaints and everything works fine.

Offline cmb

  • Administrator
  • Hero Member
  • Posts: 6283
    • Chris Buechler
Re: Security considerations
« Reply #4 on: July 12, 2011, 08:57:54 pm »
Using a self-signed cert isn't much better than using HTTP. You can get a trusted SSL cert for $9 USD/year at Namecheap; you really can't justify $9/year? That's the only way to truly keep the credentials secure short of securing the wireless.
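
The following is an added example, not part of any post in this thread: it creates a self-signed certificate with openssl, as reply #1 suggests, and checks what a visitor's client can and cannot verify about it, which is the point made in reply #4. The hostname portal.example.test and the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). portal.example.test is a placeholder name.

# Create a self-signed certificate and key: $1=dir, $2=file stem, $3=hostname
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# What a visitor's browser does: check the cert against the default trust store.
trusted_by_default() { openssl verify "$1" >/dev/null 2>&1; }

# What a managed client does once an admin has installed anchor $1: check cert $2.
trusted_when_pinned() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

subject()     { openssl x509 -noout -subject -in "$1"; }
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

demo() {
  local d; d=$(mktemp -d)
  make_selfsigned "$d" portal portal.example.test   # the portal's own cert
  make_selfsigned "$d" other  portal.example.test   # same name, different key
  for c in portal other; do
    trusted_by_default "$d/$c.crt" && r=accepted || r=rejected
    echo "$c.crt  $(subject "$d/$c.crt")  default trust store: $r"
    fingerprint "$d/$c.crt"
  done
  trusted_when_pinned "$d/portal.crt" "$d/portal.crt" \
    && echo "portal.crt against installed portal.crt: accepted"
  trusted_when_pinned "$d/portal.crt" "$d/other.crt" \
    || echo "other.crt against installed portal.crt: rejected"
  rm -rf "$d"
}
demo
```

Both certificates carry the same subject and both are rejected by the default trust store, so a walk-in visitor who clicks through the warning has nothing to tell them apart; only a client with the portal's certificate already installed, or a certificate from a CA the client already trusts, can make that distinction.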

Offline ipv6kid

  • Jr. Member
  • Posts: 53
Re: Security considerations
« Reply #5 on: November 14, 2011, 02:17:51 pm »
I'm using a StartSSL free SSL certificate on my home pfSense portal. I noticed it doesn't play nice with Firefox, but IE authenticates to it fine.

I would highly suggest a paid SSL certificate for a business environment.

http://www.cheapssls.com/

Comodo is $8 a year and RapidSSL is $9. I'd go with RapidSSL, Comodo's CEO is an idiot.