AP Client Isolation

LemonScrub

Using a TP-Link router, with wireless AP isolation turned on and utilizing WPA2 with a 12-character random key, and the WAN port connected to an ADSL router (set as a modem). The TP-Link router establishes a PPPoE connection with the ADSL router. How secure will the setup be from sniffing of traffic that the clients send to and from the internet if someone manages to get the WPA2 key and get onto the AP? Also, with AP isolation turned on, I don't think this would stop packets being sniffed on the Ethernet side of things?
 
Hi there,
Here are my thoughts.
Firstly, as an additional installation item, switch off broadcasting of the SSID (AP name); that will leave potential intruders guessing the AP name as well as trying to guess the password. Breaking 128-bit encryption will take years; however, there are other technologies to do so.

If you need to access your own AP without the SSID, you can always do a manual setup on your laptop, iPad, etc., knowing the name that you want to connect to.

Sniffing packets via WiFi is possible via a wide-range aerial, but since the traffic is encrypted there is not much that one can do. In order to sniff traffic in a meaningful way you would have to be part of the same network, i.e. one would have to know the AP name (disabled, as above) and be logged in (encrypted) ....

You can pose the same question on the wired network. It is not impossible, but it is extremely difficult to find the IP and admin password and become part of the subnet from the WAN side.

Again, it can be done, but with the precautions below you eliminate 99% of potential intruders (i.e. 'script kiddies'):

Change the name of your AP from the default, i.e. "Linksys", into _MY_NICE_HOME_ or _JOHNNYS_INViSIBLE_WIFI_

Switch off broadcasting of the SSID

Include encryption (the higher the better)

Disable admin access from the WAN side as well as WiFi (which leaves management of the router only possible if you are connected to it with a physical cable)

Warmest regards

Tim
 
Thanks for the reply, but it didn't address what I asked, I'm afraid. If one managed to get the WPA2 key, and with AP isolation (a feature to stop communication between WiFi clients) turned on, how much traffic can be sniffed? Also, disabling SSID broadcast is not actually a security feature, since this can easily be obtained with a quick scan using many programs easily available. Even MAC address filtering can easily be spoofed.
 