dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
5448
share rss forum feed


IowaCowboy
Want to go back to Iowa
Premium
join:2010-10-16
Springfield, MA
Reviews:
·Verizon Broadban..
·Comcast

[Security] MAC address filtering on AirPort Extreme

I am wondering how do you set up MAC address filtering on AirPort Extreme. I have the latest version of AirPort utility.

I like to use three layers of security on my wireless routers, which includes WPA2, hiding my SSID, and MAC address filtering (where I enter the MAC addresses of authorized devices into the router). I think I might have set it up through something called Timed Access Control.



darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
Reviews:
·Frontier FiOS

Just as an FYI: MAC address filtering is a useless security measure and not worth the bother.

Here's an excellent article on the topic: »www.zdnet.com/blog/ou/the-six-du···s-lan/43
--
♬ Dragon of good fortune struggles with the trickster Fox ♬



IowaCowboy
Want to go back to Iowa
Premium
join:2010-10-16
Springfield, MA
Reviews:
·Verizon Broadban..
·Comcast

Like I said in the OP, I like to use multiple security measures to secure my Wi-Fi. I have a neighbor who I know is stealing Internet and he is stealing cable. If I find out he hacked into my Wi-Fi, I will prosecute.

If I use multiple measures (like the MAC filtering in addition to WPA2 and SSID hiding) then they'll have to break through multiple measures before they're in.



darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
Reviews:
·Frontier FiOS

Understood. My point remains: if he's serious about breaking in, MAC filtering is no hindrance. If he's not, it's not necessary. Just sayin'
--
♬ Dragon of good fortune struggles with the trickster Fox ♬



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

1 recommendation

reply to IowaCowboy

You use one layer of security and two layers of annoyance. Annoying for you and your users, not a hacker. MAC address filtering and hidden SSID can be bypassed in under 30 seconds. WPA2 is the only thing actually protecting your network.

If you still want to make your life harder for some reason, you can download the older version of Airport Utility (version 5.6. Just do a google search). It has MAC filtering. Not sure if the new one does.
--
University of Southern California - Fight On!



HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:21
Reviews:
·TekSavvy DSL
·TekSavvy Cable
reply to IowaCowboy

WPA2 AES hasn't been hacked yet as far as I remember... So as long as you have a long complex passcode, it should be good.

Also always disable WPS on any router, but I think Apple's doesnt offer it anyway.
--
F**K THE NHL. Go Blue Jays 2013!!!


Riamen
Premium
join:2002-11-04
Calgary
reply to IowaCowboy

I'm in agreement that MAC address filtering is a pointless annoyance however the new Airport Utility can do it.

In the utility click on Airport Extreme/Edit/Network/Enable Access Control/Timed Access Control

By default all wireless clients are given access. Change the default rule to deny access to all then add the MAC addresses of those you do want to allow.



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to Thinkdiff

said by Thinkdiff:

MAC address filtering and hidden SSID can be bypassed in under 30 seconds. WPA2 is the only thing actually protecting your network.

I thought MAC address filtering was pretty secure because the AP ignores all except those MAC addresses in your access list. This is not correct? Also, I am using "WPA2 Personal" is that the same as WPA2 security wise?

said by Thinkdiff:

.... Airport Utility (version 5.6. Just do a google search). It has MAC filtering. Not sure if the new one does.

Yes the latest updated one 6.10.31 does have MAC filtering. They put it back. I was using 5.6, but now the new one has the facility. Looks like 5.6 is becoming useless. I recently installed an AirPort Express to run AirPlay, and 5.6 will not work with it at all.
--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



Bootes
Premium
join:2005-01-28
New York, NY

It's fairly easy to set your MAC address to whatever you want and it's also possible to view what the AP and computer are saying to each other and get the computer's MAC address from that. So it really does nothing.

Yes, WPA2 Personal is fine. Enterprise is better, but it's overkill for most people. »www.enterprisenetworkingplanet.c···WLAN.htm



darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
Reviews:
·Frontier FiOS
reply to TamaraB

said by TamaraB:

I thought MAC address filtering was pretty secure because the AP ignores all except those MAC addresses in your access list. This is not correct?

Read the article I linked to in my first post above for the gory details why MAC address filtering is useless.
--
♬ Dragon of good fortune struggles with the trickster Fox ♬


Squirrelly

join:2000-10-24
Harrisburg, PA

I use all three as well but I use MAC Filtering so I can always have certain devices always have the same IP like my server, set top boxes, etc.

Like someone said WPA2 is the best you can use, hiding the SSID just makes it harder for the average person.



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

1 recommendation

said by Squirrelly:

I use all three as well but I use MAC Filtering so I can always have certain devices always have the same IP like my server, set top boxes, etc.

You can do Static Assignments without using MAC filtering.
said by Squirrelly:

Like someone said WPA2 is the best you can use, hiding the SSID just makes it harder for the average person.


That's the thing.. The average person isn't going to be breaking into your WPA2 protected network. "Breaking" (really, brute forcing) WPA2 takes time, enormous computing power, and a pretty good understanding of what you're doing. Somebody that has all that, can get your SSID in a matter of seconds.

Here's the breakdown of how I cracked my own WPA2 network w/ hidden SSID and MAC filtering (just for fun):
Hidden SSID - found in ~10 seconds
MAC Address of approved computer - found in ~5 seconds
Changing my MAC address to match - 5 seconds
Waiting to collect the right packet to brute force WPA - around 15 minutes
Brute forcing WPA - 5 days straight, on 3 separate computers (16 cores total) and I knew it was an all numeric password of a certain length (cutting the computation time down significantly).
--
University of Southern California - Fight On!


Squirrelly

join:2000-10-24
Harrisburg, PA

You are correct that you can do it with static IP, however with a cable set top box if the power goes out I have to set it back up again. This prevents me from having to do this.



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

I meant you can do static assignments in the AirPort Extreme. The client devices still use DHCP, but they always pull the same IP address based on their MAC address. MAC filtering isn't required for this to work.
--
University of Southern California - Fight On!


kitsune

join:2001-11-26
Sacramento, CA

said by Thinkdiff:

I meant you can do static assignments in the AirPort Extreme. The client devices still use DHCP, but they always pull the same IP address based on their MAC address. MAC filtering isn't required for this to work.

FYI, in airport utility it is referred to as DHCP reservations instead.