WPA3 (WAN Show Comment)

5 hours ago, LAwLz said:

Except you weren't keeping it simple because what you said was just straight up wrong.

As I have said time and time again, the frequency does not matter at all. The 2.4GHz and 5GHz networks that are usually sent out by typical consumer routers? They have full access to each other.

You are inventing things I didn't say.  Right from the start I specifically said:

Quote

So having 2.4GHz on a private network not connected to your main LAN is recommended anyway

Yes, I goofed in not making it explicit that this would mean (from the router's perspective) a fully isolated VLAN, but the OP already mentioned VLAN so I thought it was clear what I meant.

Plus, while yes, security through obscurity is NOT security in itself, the whole point was that if you're going to be paranoid about the potential for attack, it's inherently more vulnerable due to its range and the fact there are tons of IoT devices which only function on that band. I didn't say ALL IoT devices only support 2.4GHz, but a lot of the common things like bulbs, light switches, etc. tend to.

 

5 hours ago, LAwLz said:

It's also not because the AP has to "constantly switch speeds" that it slows things down... The switching of "speed" (as in, the protocol used) is instantaneous.

That's certainly not what I read. Yes, a lot of the slowdown is wasted airtime from lower-speed devices taking longer to send the same amount of information as faster ones, but it's not the only slowdown.

 

Most of the devices I moved onto the WiFi 5 AP just sat idle, but they clearly were slowing down my WiFi 6 clients. Plus, as you point out, more beacons means more wasted airtime, which means more SSIDs on the same channel is more wasted airtime. I always thought these things were negligible, until I tested it in the real world and found it made a difference.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


  • 2 weeks later...
On 3/13/2024 at 3:04 AM, Alex Atkin UK said:

Yes, I goofed in not making it explicit that this would mean (from the router's perspective) a fully isolated VLAN, but the OP already mentioned VLAN so I thought it was clear what I meant.

But that has nothing to do with the 2.4GHz spectrum. It could just as well be a 5GHz Wi-Fi network that was isolated from your other devices.

What you are advocating for has literally nothing to do with which spectrum it uses. Nothing at all. There is no reason whatsoever why what you are describing has anything to do with 2.4GHz. In fact, I think it is very bad to even bring up 2.4GHz because it is an irrelevant detail.

 

 

On 3/13/2024 at 3:04 AM, Alex Atkin UK said:

Plus, while yes, security through obscurity is NOT security in itself, the whole point was that if you're going to be paranoid about the potential for attack, it's inherently more vulnerable due to its range and the fact there are tons of IoT devices which only function on that band. I didn't say ALL IoT devices only support 2.4GHz, but a lot of the common things like bulbs, light switches, etc. tend to.

1) Your Wi-Fi security shouldn't be based on range.

2) 2.4GHz doesn't "inherently have more range". It is something you can tweak.

 

 

On 3/13/2024 at 3:04 AM, Alex Atkin UK said:

That's certainly not what I read. Yes, a lot of the slowdown is wasted airtime from lower-speed devices taking longer to send the same amount of information as faster ones, but it's not the only slowdown.

 

Most of the devices I moved onto the WiFi 5 AP just sat idle, but they clearly were slowing down my WiFi 6 clients. Plus, as you point out, more beacons means more wasted airtime, which means more SSIDs on the same channel is more wasted airtime. I always thought these things were negligible, until I tested it in the real world and found it made a difference.

Then you have read the wrong thing. The slowdown is not because "it switches speed". It has to do with allocating airtime.


4 hours ago, LAwLz said:

But that has nothing to do with the 2.4GHz spectrum. It could just as well be a 5GHz Wi-Fi network that was isolated from your other devices.

Yes, it could, except plenty of IoT devices ONLY support 2.4GHz, or it's the only band that will have long enough range to reach those devices.

4 hours ago, LAwLz said:

1) Your Wi-Fi security shouldn't be based on range.

2) 2.4GHz doesn't "inherently have more range". It is something you can tweak.

1) It is an aspect if the topic is "I have to use WPA2, what can I do to reduce the chances of someone being able to hack it?".

2) It absolutely does. I can drop the transmit power to the absolute minimum and it will still reach well outside my house, whereas 5GHz on full power will be mostly blocked by the outside wall.

4 hours ago, LAwLz said:

Then you have read the wrong thing. The slowdown is not because "it switches speed". It has to do with allocating airtime.

It's certainly possible I happened to read a bad source and it's stuck in my mind. The result however is the same: by having a fast SSID and a slow SSID on different channels, it allows those faster devices to work more consistently, as airtime on that channel is being used more optimally.


1 hour ago, Alex Atkin UK said:

Yes, it could, except plenty of IoT devices ONLY support 2.4GHz, or it's the only band that will have long enough range to reach those devices.

Yes, but it is an irrelevant detail that some IoT devices only support 2.4GHz. Isolation of networks does not happen at the frequency level. Bringing up frequency only runs the risk of making people believe their 2.4GHz network is isolated from their other networks, which in 99% of cases it isn't. 

 

I am not sure how many times I have said this, but the frequency has absolutely nothing to do with isolating clients from one another. It has absolutely nothing to do with security either. 

 

If your 2.4GHz devices are isolated from your 5GHz devices, then they are isolated because you have two separate networks with access control between them, and it just so happens that one is only being broadcast at 2.4GHz and the other only on 5GHz. The fact that in your case you have restricted the two networks to different frequencies is just a restriction you have applied to your specific network, and should under no circumstances be interpreted as something normal or something that is happening because they are different frequencies.

 

In most consumer routers that broadcast separate SSIDs for 2.4GHz and 5GHz, they are the same network and there is no access control between them. Everyone who has this type of device might be misled into believing that putting insecure devices on the 2.4GHz network will somehow protect their devices on the 5GHz network. That is false. It is not true at all. It will give them a false sense of security. That covers something like 99% of all new consumer networks.

 

For more advanced networks you typically broadcast the same SSID on multiple frequencies and then do band steering to optimize which frequency band the clients get connected to. In those cases you don't differentiate between the 2.4GHz and 5GHz bands security-wise. So your advice doesn't apply to those networks either. That covers like 95% of enterprise networks.

 

 

So your advice doesn't apply to enterprise networks, and it risks misleading the 99% of consumers into a false sense of security that in actuality provides no additional protection.

 

 

This is why I keep responding to your posts. Because it is straight-up bad advice. Your setup is atypical and I strongly question why you have ever configured it this way at all, and I also strongly question if it even provides you any additional security either. Nonetheless, it is bad advice to spout because it is misleading at best and dangerous at worst to 99% of people.

 

 

 

1 hour ago, Alex Atkin UK said:

1) It is an aspect if the topic is "I have to use WPA2, what can I do to reduce the chances of someone being able to hack it?".

But what you are saying doesn't make any sense. I really can't even begin to follow your line of reasoning here. 

Putting your IoT devices on an SSID only being broadcast at 2.4GHz wouldn't provide any additional security. Putting them on a separate network which has restricted access would increase security somewhat, but the 2.4GHz part is completely irrelevant. Yes, I know you keep saying some IoT devices only support 2.4GHz, but as I have said time and time again, the frequency is not related to the network. Saying the network should be 2.4GHz is essentially like saying "the network should include the letter x in the SSID name". It makes no sense, because the frequency (or the letters in the SSID name) does not affect its function as a separate network with filtering.

 

 

As I said in my example earlier, saying "put them on a 2.4GHz network" is basically like saying "connect your old PCs with cat 5 cables and new PCs with cat 6 cables because it increases security". It makes absolutely no sense. Saying "old devices usually only support 100Mbps, and that's what cat 5 supports" doesn't make any sense either as an explanation for why you believe the frequency has anything to do with it increasing security.

Do you understand my issue with your post now? You have essentially been saying "use cat 5 cables for old insecure PCs and cat 6 for new PCs because it increases security".

Please, just stop bringing up 2.4GHz and 5GHz, because it does not matter, just like cat 5 and cat 6 cables don't matter. It is not the frequency or cable type that determines whether or not a device is on the same network. A network doesn't become more secure just because you change all the cables to old PCs to cat 5 and the cables to new PCs to cat 6. Likewise, connecting insecure IoT devices to the 2.4GHz frequency and other devices to the 5GHz frequency doesn't inherently make it more secure. Putting them on separate networks might increase security, but just like with cat 5 and cat 6 cables, that has nothing to do with the frequency.

 

 

 

 

2 hours ago, Alex Atkin UK said:

2) It absolutely does. I can drop the transmit power to the absolute minimum and it will still reach well outside my house, whereas 5GHz on full power will be mostly blocked by the outside wall.

Even if that's true, your security shouldn't be based on the range of the network. 

If you want to go "paranoid" then "mostly blocked by the outside wall" isn't enough, especially not since an attacker would probably use a fairly high-gain antenna that would get better reception than whatever device you have tested with (probably some phone or laptop). The attacker would be able to get the information they wanted even from a weak signal. 

 

Also, insecure devices don't make the network vulnerable. Just because you have an insecure device on your network doesn't mean someone can get access to the network itself. If we look at one of the few serious attacks that can be done against a WPA2 network, KRACK, the fact of the matter is that the device attacked is the client, and the damage is isolated to the traffic to and from the device itself. It doesn't spread to the rest of the network. What matters is the range of the client's antennas, not the Wi-Fi network itself. That parameter doesn't change no matter how you configure your network. It's determined by the client.

 

 

2 hours ago, Alex Atkin UK said:

It's certainly possible I happened to read a bad source and it's stuck in my mind. The result however is the same: by having a fast SSID and a slow SSID on different channels, it allows those faster devices to work more consistently, as airtime on that channel is being used more optimally.

That is not related to frequency. You could get the same effect with two networks on 2.4GHz or two networks on 5GHz. The speed difference you might have seen is unrelated to one network being 2.4GHz and the other being 5GHz.
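Added example, not from either poster: an OpenWrt (21.02 or later) UCI configuration that puts the point above into practice. The IoT SSID is broadcast on both the 2.4GHz and the 5GHz radio, yet the isolation comes entirely from the interface binding and the firewall zone, so swapping or adding a radio changes nothing security-wise. This assumes a single OpenWrt box doing both Wi-Fi and routing; the network name `iot`, VLAN id 20, the addresses and the radio names are constructed, the VLAN device name depends on the board, and the passphrase is a placeholder.

```uci
# /etc/config/network  (constructed example; VLAN 20 and the addressing are assumptions)
config interface 'iot'
	option proto 'static'
	option device 'eth0.20'        # tagged VLAN 20 on the uplink; device name varies per board
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (the isolated network needs its own DHCP pool)
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/wireless -- the SAME isolated network on BOTH radios
config wifi-iface 'iot_2g'
	option device 'radio0'        # 2.4GHz radio (name assumed)
	option network 'iot'          # isolation comes from this binding, not from the band
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk2'      # WPA2-PSK for clients that cannot do WPA3
	option key 'REPLACE_WITH_LONG_RANDOM_PASSPHRASE'
	option isolate '1'            # clients on this SSID cannot talk to each other over the AP

config wifi-iface 'iot_5g'
	option device 'radio1'        # 5GHz radio (name assumed): same network, same policy
	option network 'iot'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk2'
	option key 'REPLACE_WITH_LONG_RANDOM_PASSPHRASE'
	option isolate '1'

# /etc/config/firewall -- where the isolation actually lives
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'         # nothing reaches the router itself unless a rule below allows it
	option output 'ACCEPT'
	option forward 'REJECT'       # no forwarding between zones unless explicitly listed

config forwarding
	option src 'iot'
	option dest 'wan'             # IoT devices may reach the internet...

# ...but there is deliberately no 'config forwarding' from 'iot' to 'lan'.
# Whether lan -> iot is allowed is decided by the lan zone's own forward policy.

config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option dest_port '53 67'
	option proto 'udp'
	option target 'ACCEPT'
```

The test of whether the IoT network is isolated is the `config zone` and `config forwarding` sections, not which `radio` each `wifi-iface` sits on. A typical consumer router has the equivalent of both SSIDs bound to the same `lan` interface, which is exactly the setup the post above describes as giving a false sense of security.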
