Topic 'MAC address filtering question' in forum 'Wireless Security' - dslreports.com http://www.dslreports.com/forum/MAC-address-filtering-question-21853351 en Fri, 10 Feb 2012 14:19:57 EDT Fri, 10 Feb 2012 14:19:57 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22680980 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22680980 Thu, 09 Jul 2009 15:16:45 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22220560 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22220560 Sat, 11 Apr 2009 12:56:58 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217993 --
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217993 Fri, 10 Apr 2009 20:23:24 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217950 said by Its a Secret:

said by eastonhockey:

Then that somebody is an incompetent system admin if they can't remember what security measures they have in place.
That would cover 99% of the populace. The only people this will block are too ignorant to know better. Any kid knows how to spoof a MAC. As stated, it's not a defense anymore. Instead of the door being open, now you just have to turn the knob... :uhh:
Do you have a citation for you claim that 99% of system admins are incompetent? Or you embellishing to make a point? And it it's one more knob to turn to get into my network, i'm all for it.]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217950 Fri, 10 Apr 2009 20:16:36 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217925 said by eastonhockey:

Then that somebody is an incompetent system admin if they can't remember what security measures they have in place. That would cover 99% of the populace. The only people this will block are too ignorant to know better. Any kid knows how to spoof a MAC. As stated, it's not a defense anymore. Instead of the door being open, now you just have to turn the knob... :uhh:
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217925 Fri, 10 Apr 2009 20:12:45 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217762 said by nwrickert:

I guarantee that if you use MAC filtering in addition to WPA, then that MAC filtering will keep somebody out.

And that somebody will be you.

The time will come when you add another computer to your network, and forget to first add its MAC address to the filter table. And then you will be puzzled as to why you are having problems connecting it.
Then that somebody is an incompetent system admin if they can't remember what security measures they have in place. And having the sate of mind that "oh, since this security measure is going to cause me inconvenience i'm not going to use it" will get you into big trouble, and that's how upper management thinks. You're boss says, "well, we are not going to rotate our password because it's an inconvenience to our employees", and the security staff is over in the corner bashing their heads against the wall.]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217762 Fri, 10 Apr 2009 19:42:34 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217644
And that somebody will be you.

The time will come when you add another computer to your network, and forget to first add its MAC address to the filter table. And then you will be puzzled as to why you are having problems connecting it.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.8]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217644 Fri, 10 Apr 2009 19:22:04 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217573 said by Anav:

because if you have wpa or wpa2 with a strong key its wasting your time. by all means if the op wants to play with the feature it will do no harm.
It's the concept of defense in depth.

"in which multiple layers of defense are placed throughout an Information Technology (IT) system."]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22217573 Fri, 10 Apr 2009 19:08:05 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22216773 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22216773 Fri, 10 Apr 2009 16:32:12 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22213980 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22213980 Fri, 10 Apr 2009 03:13:53 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22210330
If you really want a layered approach for your 802.11 environment, set up EAP-TLS, then a VPN over it. Strong? Yes. Practical? Not for most people. It all comes back to risk / cost analysis.

In this case, however, I don't see any harm in using it, particularly because no one will be using the access point. This is just a deterrent method to "disable" 802.11 associations from taking place because there's no hard disabling of the radio on the unit.]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22210330 Thu, 09 Apr 2009 13:41:32 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22209513 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22209513 Thu, 09 Apr 2009 11:20:07 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22208159 said by eastonhockey:

said by Its a Secret:

said by dspalding:

So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping.
It's not. I can use a sniffer and see your MAC addie. From there, I can spoof it. Then, I can hack it. Just a false sense of security.
It's not really a false sense of security. It's defense in depth, make as many security layers as possible to make it as hard for a attacker as possible. Just because it can be evaded, that does not mean you should not implement it.

I agree.
The layered security approach is best]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22208159 Thu, 09 Apr 2009 01:17:20 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22202477 said by Its a Secret:

said by dspalding:

So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping.
It's not. I can use a sniffer and see your MAC addie. From there, I can spoof it. Then, I can hack it. Just a false sense of security.
It's not really a false sense of security. It's defense in depth, make as many security layers as possible to make it as hard for a attacker as possible. Just because it can be evaded, that does not mean you should not implement it.
]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22202477 Wed, 08 Apr 2009 02:32:05 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22192802 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22192802 Mon, 06 Apr 2009 14:34:20 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22180930 said by dspalding:

So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping. It's not. I can use a sniffer and see your MAC addie. From there, I can spoof it. Then, I can hack it. Just a false sense of security.
--
"In the future, that which is not mandatory will be illegal"]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22180930 Fri, 03 Apr 2009 23:30:34 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22176322
So until I junk the card ... it would seem the MAC filtering is another deterrent to shoulder-hopping. Unless I want to return to McAfee's wifi network security app which rotated the key every hour (ran that for a month, got annoyed with the 5 minute delays every time it dickered with the network). ]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22176322 Fri, 03 Apr 2009 10:57:45 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22069272 said by nwrickert:

Leaving the MAC table entry should work.

If the antenna can be unscrewed and removed, to greatly weaken the signal, you might want to try that, too.
Yes i agree, unless if leaving it blank defaults to no filter. Since it seems not much care was given in the firmware i would test to make sure this is the case.

A better idea is to simply make a random mac address up and enter it, since its unlikely anyone could guess what it is.

Since no one is connected no chance of it getting intercepted.

Also I would suggest changing to something like 12.0.0.1 and disabling DHCP, if your serious about stumping a would be intruder.]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22069272 Sat, 14 Mar 2009 17:44:45 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22058216 said by daveinpoway:

I have a router that has only WEP encryption, and does not give you the ability to disable the wireless function. For security reasons, I don't wish to use the wireless function. If I select MAC address filtering>Allow only these MAC address computers to access the router, and leave the address table blank, is this a reasonably hacker-free method of denying anyone access to the wireless?

Yes, it would be so much better if the wireless function could be disabled, but the manufacturer told me that they didn't think about this when the unit was designed, and they are not ever going to issue any further firmware updates for this model, so what I have is what I have. For now, at least, replacing it with something else is not a simple operation (don't ask).
Why not?? You could pre-program most informtion into a router assuming you have access to the old one, so that the switch is basically seemsless.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22058216 Thu, 12 Mar 2009 14:19:47 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22026982 said by PrivateNetwork :

If you turn on Wireless MAC filtering...it should be impossible for someone to see your SSID show up in the access list and even with that, impossible to log into the router and change settings, with or without a default password.
AFAIK Kismet is able to grab MAC addresses and you can use a program like this to subsequently spoof a MAC address...

»www.klcconsulting.net/Change_MAC_w2k.htm

IMHO the use of WPA2/WPA with a long random ASCII key is the best solution to wireless network security. Personally I use WPA2-PSK [AES] with a 63-character random ASCII key to protect my network.

No SSID hiding/no MAC address filter = No smoke and mirrors
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22026982 Fri, 06 Mar 2009 15:57:35 EDT MAC address filtering question http://www.dslreports.com/forum/MAC-address-filtering-question-22026604 http://www.dslreports.com/forum/MAC-address-filtering-question-22026604 Fri, 06 Mar 2009 14:59:17 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22010869
this method will not make you more secure, but it will make people in long distances harder to connect]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22010869 Tue, 03 Mar 2009 23:40:43 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22009690 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-22009690 Tue, 03 Mar 2009 20:18:11 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-21859443 http://www.dslreports.com/forum/Re-MAC-address-filtering-question-21859443 Wed, 04 Feb 2009 05:32:01 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-21853551 said by nwrickert :

If the antenna can be unscrewed and removed, to greatly weaken the signal, you might want to try that, too.
Interesting idea, but I'd suggest putting a 50 tp 75 ohm 1 watt resistor across the router's antenna connector, rather than leaving it connected to nothing.

The resistor will act as a "dummy load," cause less radiation than no antenna at all, and prevent possible damage to the electronics in the router from running with no load.

edit: fixed quote]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-21853551 Tue, 03 Feb 2009 08:56:27 EDT Re: MAC address filtering question http://www.dslreports.com/forum/Re-MAC-address-filtering-question-21853366
If the antenna can be unscrewed and removed, to greatly weaken the signal, you might want to try that, too.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5]]> http://www.dslreports.com/forum/Re-MAC-address-filtering-question-21853366 Tue, 03 Feb 2009 08:07:12 EDT MAC address filtering question http://www.dslreports.com/forum/MAC-address-filtering-question-21853351 Allow only these MAC address computers to access the router, and leave the address table blank, is this a reasonably hacker-free method of denying anyone access to the wireless?

Yes, it would be so much better if the wireless function could be disabled, but the manufacturer told me that they didn't think about this when the unit was designed, and they are not ever going to issue any further firmware updates for this model, so what I have is what I have. For now, at least, replacing it with something else is not a simple operation (don't ask). ]]> http://www.dslreports.com/forum/MAC-address-filtering-question-21853351 Tue, 03 Feb 2009 08:01:21 EDT