 daveinpoway Premium join:2006-07-03 Poway, CA
| MAC address filtering question
I have a router that has only WEP encryption, and does not give you the ability to disable the wireless function. For security reasons, I don't wish to use the wireless function. If I select MAC address filtering>Allow only these MAC address computers to access the router, and leave the address table blank, is this a reasonably hacker-free method of denying anyone access to the wireless?
Yes, it would be so much better if the wireless function could be disabled, but the manufacturer told me that they didn't think about this when the unit was designed, and they are not ever going to issue any further firmware updates for this model, so what I have is what I have. For now, at least, replacing it with something else is not a simple operation (don't ask). |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | Leaving the MAC table entry should work.
If the antenna can be unscrewed and removed, to greatly weaken the signal, you might want to try that, too. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
  jefe Premium join:2001-05-19 Northport, NY
·Verizon FIOS
1 edit | said by nwrickert :
If the antenna can be unscrewed and removed, to greatly weaken the signal, you might want to try that, too.
Interesting idea, but I'd suggest putting a 50 to 75 ohm 1 watt resistor across the router's antenna connector, rather than leaving it connected to nothing.
The resistor will act as a "dummy load," cause less radiation than no antenna at all, and prevent possible damage to the electronics in the router from running with no load.
edit: fixed quote |
|
 daveinpoway Premium join:2006-07-03 Poway, CA | Thanks for the feedback. |
|
  mbaha
join:2009-03-01 | reply to jefe Ya, or you wrap it in tin foil; that should help as well. |
|
 ryanlin2002
join:2009-02-01 00000 1 edit | reply to daveinpoway Can you detach the wireless antenna? If yes, detach it. That will kill the wireless signal output.
This method will not make you more secure, but it will make it harder for people at long distances to connect. |
|
  PrivateNetwork
@rr.com | reply to daveinpoway If you turn on Wireless MAC filtering...it should be impossible for someone to see your SSID show up in the access list and even with that, impossible to log into the router and change settings, with or without a default password. |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| said by PrivateNetwork :
If you turn on Wireless MAC filtering...it should be impossible for someone to see your SSID show up in the access list and even with that, impossible to log into the router and change settings, with or without a default password.
AFAIK Kismet is able to grab MAC addresses and you can use a program like this to subsequently spoof a MAC address...
»www.klcconsulting.net/Change_MAC_w2k.htm
IMHO the use of WPA2/WPA with a long random ASCII key is the best solution to wireless network security. Personally I use WPA2-PSK [AES] with a 63-character random ASCII key to protect my network.
No SSID hiding/no MAC address filter = No smoke and mirrors -- "When all else fails, read the instructions..." MS-MVP Windows Desktop User Experience |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
| reply to daveinpoway
said by daveinpoway :
I have a router that has only WEP encryption, and does not give you the ability to disable the wireless function. For security reasons, I don't wish to use the wireless function. If I select MAC address filtering>Allow only these MAC address computers to access the router, and leave the address table blank, is this a reasonably hacker-free method of denying anyone access to the wireless?
Yes, it would be so much better if the wireless function could be disabled, but the manufacturer told me that they didn't think about this when the unit was designed, and they are not ever going to issue any further firmware updates for this model, so what I have is what I have. For now, at least, replacing it with something else is not a simple operation (don't ask).
Why not?? You could pre-program most information into a router assuming you have access to the old one, so that the switch is basically seamless. -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
LlamaWorks Equipment |
|
  DataRiker Premium join:2002-05-19 Metairie, LA clubs:
2 edits | reply to nwrickert
said by nwrickert :
Leaving the MAC table entry should work. If the antenna can be unscrewed and removed, to greatly weaken the signal, you might want to try that, too.
Yes, I agree, unless leaving it blank defaults to no filter. Since it seems not much care was given in the firmware, I would test to make sure this is the case.
A better idea is to simply make a random MAC address up and enter it, since it's unlikely anyone could guess what it is.
Since no one is connected, no chance of it getting intercepted.
Also I would suggest changing to something like 12.0.0.1 and disabling DHCP, if you're serious about stumping a would-be intruder. |
|
  dspalding
join:2003-10-29 Durham, NC
·Dreamhost
| reply to daveinpoway PMJI ... I may have a similar situation, with a wifi card (Intel 2915ABG in an IBM X32) that only seems to want to keep a connection with WEP. I was quite happy and comfy using WPA2 and a long random passphrase. Being forced back into the stone age of Wifi security has me frowning.
So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping. Unless I want to return to McAfee's wifi network security app which rotated the key every hour (ran that for a month, got annoyed with the 5 minute delays every time it dickered with the network). |
|
  Its a Secret Whatever Premium join:2008-02-23 U B Funny
·Shaw
| said by dspalding :
So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping.
It's not. I can use a sniffer and see your MAC addie. From there, I can spoof it. Then, I can hack it. Just a false sense of security. -- "In the future, that which is not mandatory will be illegal" |
|
  sekim Premium,MVM join:1999-08-17 Saint Petersburg, FL | reply to daveinpoway You can't sniff the mac addy in the mac filter allow list if no pc is using that mac and there are no wifi computers at all using the ap. |
|
  eastonhockey your RF is showing
join:2002-10-30
1 edit | reply to Its a Secret
said by Its a Secret :
said by dspalding :
So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping.
It's not. I can use a sniffer and see your MAC addie. From there, I can spoof it. Then, I can hack it. Just a false sense of security.
It's not really a false sense of security. It's defense in depth: make as many security layers as possible to make it as hard for an attacker as possible. Just because it can be evaded, that does not mean you should not implement it. |
|
  stinger
join:2001-03-22 Florissant, MO clubs:
| said by eastonhockey :
said by Its a Secret :
said by dspalding :
So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping.
It's not. I can use a sniffer and see your MAC addie. From there, I can spoof it. Then, I can hack it. Just a false sense of security.
It's not really a false sense of security. It's defense in depth: make as many security layers as possible to make it as hard for an attacker as possible. Just because it can be evaded, that does not mean you should not implement it.
I agree. The layered security approach is best. |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS 1 edit | MAC address is not a security feature; it's only a very minimal delay feature. If already implemented, no worries, does not hurt, but if you have a strong key with WPA or WPA2 implemented, don't waste your time adding MAC addresses. |
|
 docrice
join:2008-03-31 Fremont, CA
| I generally agree with layered approaches, but one always has to determine for themselves the correct balance between cost and convenience. MAC address filtering is a "security" feature that's so thin that it's almost like using Saran wrap to protect against bullets. There's no cryptography, and while it might keep some clueless people at bay, anyone with a minimal understanding of networking protocols is going to see right through it.
If you really want a layered approach for your 802.11 environment, set up EAP-TLS, then a VPN over it. Strong? Yes. Practical? Not for most people. It all comes back to risk / cost analysis.
In this case, however, I don't see any harm in using it, particularly because no one will be using the access point. This is just a deterrent method to "disable" 802.11 associations from taking place because there's no hard disabling of the radio on the unit. |
|
  eastonhockey your RF is showing
join:2002-10-30 1 edit | As long as you know that MAC address filtering is not a be-all-end-all solution, and you know how it works, and how it can be broken, I don't see a reason why you should not use it. |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS | Because if you have WPA or WPA2 with a strong key, it's wasting your time. By all means, if the OP wants to play with the feature, it will do no harm. |
|
  eastonhockey your RF is showing
join:2002-10-30
| said by Anav :
Because if you have WPA or WPA2 with a strong key, it's wasting your time. By all means, if the OP wants to play with the feature, it will do no harm.
It's the concept of defense in depth.
"in which multiple layers of defense are placed throughout an Information Technology (IT) system." |
|