MAC filtering safe enough?

Discussion in 'Wireless Networking' started by Egbert Nierop \(MVP for IIS\), Sep 14, 2005.

  1. Hi,

    It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
    encryption.

    Now that I don't bother about being 'listened' to, since I don't have secret
    things at my wire, I don't care about encryption. In addition, windows has
    been set to use string network encryption.

    But is it safe to have solely MAC filtering on, so that my neighbours can't
    misuse my network? Or are the simple tools to crack the allowed MAC
    adresses?

    Thanks!
     
    Egbert Nierop \(MVP for IIS\), Sep 14, 2005
    #1
    1. Advertising

  2. If you plan on using solely MAC filtering, keep in mind that a valid MAC
    address will be found in just about every packet sent to the access point on
    your network. While you may be alerted to the presence of another computer
    on the LAN with the same MAC address after it is copied (they are supposed
    to be unique), this is of little help while your computer is turned off.

    You need to use encryption.

    -Yves

    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:%...
    > Hi,
    >
    > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
    > encryption.
    >
    > Now that I don't bother about being 'listened' to, since I don't have
    > secret things at my wire, I don't care about encryption. In addition,
    > windows has been set to use string network encryption.
    >
    > But is it safe to have solely MAC filtering on, so that my neighbours
    > can't misuse my network? Or are the simple tools to crack the allowed MAC
    > adresses?
    >
    > Thanks!
     
    Yves Konigshofer, Sep 14, 2005
    #2
    1. Advertising

  3. Egbert Nierop \(MVP for IIS\)

    Jack \(MVP\) Guest

    Hi

    You probably have an old 802.11b.

    Giving the prices of current 802.11g it might be a good idea to upgrade.

    Newer 802.11g have WPA and this WEP problem is not presented.

    Wireless Security - http://www.ezlan.net/Wireless_Security.html

    WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html

    Jack (MVP-Networking).





    "Yves Konigshofer" <> wrote in message
    news:#...
    > If you plan on using solely MAC filtering, keep in mind that a valid MAC
    > address will be found in just about every packet sent to the access point on
    > your network. While you may be alerted to the presence of another computer
    > on the LAN with the same MAC address after it is copied (they are supposed
    > to be unique), this is of little help while your computer is turned off.
    >
    > You need to use encryption.
    >
    > -Yves
    >
    > "Egbert Nierop (MVP for IIS)" <> wrote in
    > message news:%...
    > > Hi,
    > >
    > > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
    > > encryption.
    > >
    > > Now that I don't bother about being 'listened' to, since I don't have
    > > secret things at my wire, I don't care about encryption. In addition,
    > > windows has been set to use string network encryption.
    > >
    > > But is it safe to have solely MAC filtering on, so that my neighbours
    > > can't misuse my network? Or are the simple tools to crack the allowed MAC
    > > adresses?
    > >
    > > Thanks!

    >
    >
     
    Jack \(MVP\), Sep 14, 2005
    #3
  4. "Jack (MVP)" <Jack(MVP)@discussions.microsoft.com.> wrote in message
    news:...
    > Hi
    >
    > You probably have an old 802.11b.


    No, I have 11g as well.
    It is already my third WAP. This time a LinkSys and they all are very
    instable (running some sort of GPL OS which is not able to stay stable).

    > Giving the prices of current 802.11g it might be a good idea to upgrade.
    >
    > Newer 802.11g have WPA and this WEP problem is not presented.
    >
    > Wireless Security - http://www.ezlan.net/Wireless_Security.html
    >
    > WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html
    >
    > Jack (MVP-Networking).
    >
    >
    >
    >
    >
    > "Yves Konigshofer" <> wrote in message
    > news:#...
    >> If you plan on using solely MAC filtering, keep in mind that a valid MAC
    >> address will be found in just about every packet sent to the access point
    >> on
    >> your network. While you may be alerted to the presence of another
    >> computer
    >> on the LAN with the same MAC address after it is copied (they are
    >> supposed
    >> to be unique), this is of little help while your computer is turned off.
    >>
    >> You need to use encryption.
    >>
    >> -Yves
    >>
    >> "Egbert Nierop (MVP for IIS)" <> wrote in
    >> message news:%...
    >> > Hi,
    >> >
    >> > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
    >> > encryption.
    >> >
    >> > Now that I don't bother about being 'listened' to, since I don't have
    >> > secret things at my wire, I don't care about encryption. In addition,
    >> > windows has been set to use string network encryption.
    >> >
    >> > But is it safe to have solely MAC filtering on, so that my neighbours
    >> > can't misuse my network? Or are the simple tools to crack the allowed
    >> > MAC
    >> > adresses?
    >> >
    >> > Thanks!

    >>
    >>

    >
    >
     
    Egbert Nierop \(MVP for IIS\), Sep 14, 2005
    #4
  5. Egbert Nierop \(MVP for IIS\)

    N. Miller Guest

    On Thu, 15 Sep 2005 00:35:33 +0200, Egbert Nierop (MVP for IIS) wrote:

    > No, I have 11g as well.
    > It is already my third WAP. This time a LinkSys and they all are very
    > instable (running some sort of GPL OS which is not able to stay stable).


    Ah, Linksys. I had a Linksys BEFSR11 which would lock up randomly. I tried
    to set up a friend's Linksys WAP54G, but I could never get the wireless
    computer to pull an IP address through the Linksys.

    I gave up on the Linksys BEFSR11 and got myself an SMC Barricade 7004BR. I
    have never had a router lockup since.

    I had my friend exchange his brand new Linksys WAP54G for a D-Link
    DWL-2100A. I had his wireless LAN running in under thirty minutes. Would
    have been under ten; but my confidence was so shaken from beating my head
    against the wall over the Linksys WAP for six hours, without success, that
    I took extra time to be sure that everything was properly configured for
    the D-Link WAP.

    BTW, if your devices can manage it, WPA-AES is better. I had to resort to
    WPA-TKIP for my friend because his laptop lacks WPA-AES. I haven't seen a
    wireless device with WPA2; I assume that would be best.

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
     
    N. Miller, Sep 15, 2005
    #5
  6. "N. Miller" <> wrote in message
    news:...
    > On Thu, 15 Sep 2005 00:35:33 +0200, Egbert Nierop (MVP for IIS) wrote:
    >
    >> No, I have 11g as well.
    >> It is already my third WAP. This time a LinkSys and they all are very
    >> instable (running some sort of GPL OS which is not able to stay stable).

    >
    > Ah, Linksys. I had a Linksys BEFSR11 which would lock up randomly. I tried
    > to set up a friend's Linksys WAP54G, but I could never get the wireless
    > computer to pull an IP address through the Linksys.
    >
    > I gave up on the Linksys BEFSR11 and got myself an SMC Barricade 7004BR. I
    > have never had a router lockup since.
    >
    > I had my friend exchange his brand new Linksys WAP54G for a D-Link
    > DWL-2100A. I had his wireless LAN running in under thirty minutes. Would
    > have been under ten; but my confidence was so shaken from beating my head
    > against the wall over the Linksys WAP for six hours, without success, that
    > I took extra time to be sure that everything was properly configured for
    > the D-Link WAP.
    >
    > BTW, if your devices can manage it, WPA-AES is better. I had to resort to
    > WPA-TKIP for my friend because his laptop lacks WPA-AES. I haven't seen a
    > wireless device with WPA2; I assume that would be best.


    Hi,

    I have WAG54G (with firmware 1.01.5). It says: "Sorry, this software doesn't
    support AES yet"...


    ANd funny enouhg (thanks for your hint!), the WPA with TKIP does not lockup,
    so, it seems that the WAG54G has problems with stability when using WEP...
     
    Egbert Nierop \(MVP for IIS\), Sep 15, 2005
    #6
  7. Egbert Nierop \(MVP for IIS\)

    Greg Guest

    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:%...
    > Hi,
    >
    > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
    > encryption.
    >
    > Now that I don't bother about being 'listened' to, since I don't have
    > secret things at my wire, I don't care about encryption. In addition,
    > windows has been set to use string network encryption.
    >
    > But is it safe to have solely MAC filtering on, so that my neighbours
    > can't misuse my network? Or are the simple tools to crack the allowed MAC
    > adresses?
    >
    > Thanks!


    Mac filtering is OK but what you SHOULD do is turn broadcast off to make it
    harder to find. It isn't a total solution but it certainly helps.
     
    Greg, Sep 15, 2005
    #7
  8. Egbert Nierop \(MVP for IIS\)

    N. Miller Guest

    On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:

    > Mac filtering is OK but what you SHOULD do is turn broadcast off to make it
    > harder to find. It isn't a total solution but it certainly helps.


    MAC filtering is better than disabling SSID broadcast. If it was one, or
    the other, MAC filtering would be the way to go.

    If you use WPA-AES you don't really need to disable SSID broadcast.

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
     
    N. Miller, Sep 15, 2005
    #8
  9. Egbert Nierop \(MVP for IIS\)

    TW Guest

    MAC filtering isn't really a security solution at all, since every packet
    sent across your wireless network includes your MAC address. Anyone with a
    good sniffer WILL discover your MAC or ANY MAC on your wireless network. MAC
    addresses CAN be spoofed, this isn't very hard to do at all, Thus MAC
    filtering doesn't offer any security at all.

    Disabling SSID doesn't offer any security either, since every packet sent
    across your wireless network includes the SSID, even when turn off
    broadcasting SSID is set to off.. Again, anyone with a good sniffer WILL
    find your SSID. Also, turning off SSID broadcast(which you think your doing,
    but really it can't be done, due to 802.11 standards) can cause connectivity
    problems with WinXP. Disabling SSID broadcast would be the same as:
    Buying a house, turning off the outside light( thus no one can see your
    house) and leaving the front door unlocked. When someone FINDS the house,
    they will come in and you really haven't secured the home at all.

    Use encryption for security. That's what it's for and that IS the only
    solution for wireless security.WEP at the very least, WPA, WPA-PSK, or even
    better use WPA2(802.11i standard). Encryption IS the only way to keep others
    out of your network.

    Think of it this way. If someone can gain access to your wireless signal and
    connect to it, then they also have access to any internal network shares
    that you may have. If you don't share anything on your network, keep in mind
    that ALL windows machines have hidden administrative shares, and anyone with
    the proper knowledge, can access your complete systems on your network.

    YOU bought the computers. YOU bought the network hardware. This equipment
    belongs to YOU. Why then wouldn't you want to protect your investment and
    secure it properly using the encryption already built into the hardware that
    you already purchased. I have heard this so many times. Is turning off SSID
    good enough? Is limiting DHCP scope good enough? Is MAC filtering good
    enough? The answer to ALL of these is NO. None of these offer ANY security.
    Use Encryption. That is the ONLY solution.

    That's my .02
    TW


    "N. Miller" <> wrote in message
    news:...
    > On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:
    >
    >> Mac filtering is OK but what you SHOULD do is turn broadcast off to make
    >> it
    >> harder to find. It isn't a total solution but it certainly helps.

    >
    > MAC filtering is better than disabling SSID broadcast. If it was one, or
    > the other, MAC filtering would be the way to go.
    >
    > If you use WPA-AES you don't really need to disable SSID broadcast.
    >
    > --
    > Norman
    > ~Win dain a lotica, En vai tu ri, Si lo ta
    > ~Fin dein a loluca, En dragu a sei lain
    > ~Vi fa-ru les shutai am, En riga-lint
     
    TW, Sep 16, 2005
    #9
  10. Egbert Nierop \(MVP for IIS\)

    Greg Guest

    "N. Miller" <> wrote in message
    news:...
    > On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:
    >
    >> Mac filtering is OK but what you SHOULD do is turn broadcast off to make
    >> it
    >> harder to find. It isn't a total solution but it certainly helps.

    >
    > MAC filtering is better than disabling SSID broadcast. If it was one, or
    > the other, MAC filtering would be the way to go.
    >
    > If you use WPA-AES you don't really need to disable SSID broadcast.
    >


    You don't need to do ANYTHING at all if you "don't need to...." apply
    thought.

    You DO need some sort of protection, WEP at the very least but more than
    that is obviously better. You DO need to MAC filter and you DO need to
    disable SSID broadcast. If you don't do any of the things available to you
    to protect yourself if you are that paranoid about it all, then you really
    aren't trying.
     
    Greg, Sep 18, 2005
    #10
  11. Egbert Nierop \(MVP for IIS\)

    Greg Guest

    "TW" <twilckenATmsnDOTcom> wrote in message
    news:...
    > MAC filtering isn't really a security solution at all, since every packet
    > sent across your wireless network includes your MAC address. Anyone with a
    > good sniffer WILL discover your MAC or ANY MAC on your wireless network.
    > MAC addresses CAN be spoofed, this isn't very hard to do at all, Thus MAC
    > filtering doesn't offer any security at all.
    >


    That isnt 100% true. It offers SOME protection and depending on where you
    live, it may or may not be just an added extra. If you live in NYC, you need
    it and every single thing else that you can get but if you live in rural
    Australia like I do then the level of protection you "need" is a lot less
    simply because rural people have a hell of a lot more to worry about than
    hacking each other. Also, because there is not a lot of anything out here,
    good hackers tend to migrate to Sydney and other capitals in each state. So
    why bother doing ANY protection at all? Well, because there ARE people who
    wouldnt find it impossible to use YOUR internet to download their illegal
    and/or immoral stuff through YOUR connection and let YOU take the blame for
    it.

    > Disabling SSID doesn't offer any security either, since every packet sent
    > across your wireless network includes the SSID, even when turn off
    > broadcasting SSID is set to off.. Again, anyone with a good sniffer WILL


    Try thinking about need first. Get to know your client, your area and what
    is needed. In rural Australia, for example, a certain company of 4 people
    like to tell people that everything you said is needed. They lose more
    customers than they impress because it ISN'T all "needed" here and certainly
    does play havoc with certain customers depending on what they are doing at
    the time. Don't automatically assume, with wi-fi, that you need everything
    going.
     
    Greg, Sep 18, 2005
    #11
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. VT
    Replies:
    43
    Views:
    1,819
  2. ajacobs2

    Enough is enough....

    ajacobs2, Sep 30, 2003, in forum: Digital Photography
    Replies:
    33
    Views:
    1,080
  3. Imhotep

    Enough is enough...

    Imhotep, Sep 24, 2005, in forum: Computer Security
    Replies:
    16
    Views:
    862
    John Hyde
    Sep 28, 2005
  4. richard

    L A county says enough is enough

    richard, Feb 23, 2008, in forum: Computer Support
    Replies:
    7
    Views:
    504
    Plato
    Feb 26, 2008
  5. Evan Platt

    "Enough is enough! I have had it with ....

    Evan Platt, Aug 3, 2009, in forum: Computer Support
    Replies:
    1
    Views:
    461
    Evan Platt
    Aug 4, 2009
Loading...

Share This Page