Two tips I have always heard for *wireless* networks: 1) Turn off SSID broadcasting and use a unique SSID. 2) If you have a static network (meaning that you are not adding and deleting a lot of devices), use MAC Address Filtering.

As a former Network Admin, I have not encountered the use of MAC Address Filtering as a security method for wired networks, probably because keeping it up to date would be more of a pain than it is worth.

If you have disabled the wireless side of your router, I don't think you need to worry about it as it isn't accessible.

Regards.....Gary


At 12:21 PM 4/27/2009, It was written by DHSinclair that this shall come to pass:
Bino,
OK. I have gone back thru this whole thing. Thank you for your help, but I am still confused. I see nothing in my docs for the router that explicitly indicates that using MAF is truly for WLAN only. I will dig more later today.

Anyway. I can confirm that if I now drop my current clients off the MAF, none of them will ever get thru the router to the WWW. This I have confirmed several times. And, I have re-confirmed that I have all WLAN business in the router disabled; I even left the external antennas in the box!

Yes, there is a new f/w available for my router (v1.9). I currently use v1.8. I have read and re-read the release notes and do NOT see any patches/bug fixes for a Wired LAN. Everything I read is for WLAN and VPN tunnels. I use neither at all. So, I see little push to update the f/w of my router ATM. But, as you have mentioned some segregation between Wired and Wireless NOW in the MAF logic, I will now go back and dig deeper.............perhaps I missed something. Not like this has ever happened before.................. LOL!

Still listening.
Best,
Duncan

At 09:28 04/27/2009 -0700, you wrote:
Ok, going inline with BG1> before my responses; the 1 is if we continue;
then those will be BG2> and so on... ;)


-----Original Message-----
From: hardware-boun...@hardwaregroup.com
[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
Sent: Friday, April 24, 2009 8:23 PM
To: hardware@hardwaregroup.com
Subject: Re: [H] MAC Address Filter

Bino,
I gotta go inline below.................
At 15:32 04/24/2009 -0700, you wrote:
>According to the DGL-4300 manual (found the pdf online) the Filter settings
>section (Advanced -> MAC Address Filter) lets you pick from filtering
>wireless and wired clients separate from each other p.39).

OK. Fair. I will go back to the docs once again.................. :)

>John is right that some routers usually only let you do it for wireless
>clients, but as it turns out yours definitely lets you do it for both.

I am going to, ATM, trust you on this.................. :)
My router did/does NOT give me a choice between WLAN / LAN............


BG1> IF you have a DGL-4300, since I found the pdf manual online and it had
a screenshot that clearly showed selecting b/w wireless and wired clients
for the MAF, then either you have a different model which doesn't have it,
or you need a firmware update to enable that.


>Oh and btw, your understanding of the MAF you wrote below is completely
>wrong (just fyi).

OMG!!!  Please enlighten........

>   What you described was NAT (Network Address
>Translation)-that's what takes the PCs on the private address space of your
>home network and translates them into the public IP that gives them access
>to the internet.  And it's NOT 2-way; i.e. just b/c the PCs can access the
>internet, that doesn't mean that things on the internet can access your
>PCs.

Thanks Bino.  No.  I do believe that NAT is THE clear concept here......
All my routers since 199x have used NAT. Perhaps NAT has changed.......
Perhaps I may dick with it a bit, but I do believe I know what NAT logic
still purports to do......even with SPI now!!...... :)


BG1> NAT for the most part is the same as it was since 1999 or so...so if
you're clear on NAT and how it works and what it does, then you're fine.
Just remember that it doesn't automatically allow inbound connections back
to your PC (which is a good thing, b/c otherwise it'd be too easy to hack
people) unless you specifically set that up (well, AFAIK; maybe some newer
routers do this, but that would be a BAAAD thing to do by default w/o making
you enable it first...JM2C there).


>So the MAF restricts who can get ONTO your network in the first place.
>Typically it's more interesting/useful for wireless networks since anyone
>can try and connect to your network that way, whereas it's a little harder
>for random people to get the physical access to plug a cable into your
>router/switch! ;)

Yes, and this is why I still do NOT play Wire-less............... :)


BG1> Well, if you don't broadcast your SSID, and then use MAF on wireless,
and use WPA2-PSK and/or client certs, it's practically impossible to hack
your wireless network and it's a lot more convenient than running cables, or
if you have laptops.  But YMMV.


>But you can also use it for wired connections just to be uber-safe/paranoid,
>but it's almost kind of useless at that point-like I said if people have the
>physical access to plug cables into your router/switch ports, you kind of
>have bigger problems than worrying about whether you've got MAF enabled, you
>know? ;)

Well, NO.  Please explain.  I missed something.  No one external to my home
has access to my LAN,...that I believe, ATM.  Access to my LAN is either a
physical connection to my TSID, or, inside my home............Unless, I
have grossly missed something............... ;)
Best,
Duncan


BG1> Sorry!  I was being a little too cheeky/smart here.  So all I was
trying to say was that having MAF for wired connections is kind of
pointless, since the point at which MAF for wired matters, someone you don't
know has to have physical access to plug in a cable and then you have bigger
problems (b/c they've broken in at that point, etc), see?

To put it another way, since you don't have random people coming in off the
street trying to plug cables into your network, MAF for wired connections
doesn't really buy you anything!  Does that make it more clear?  Sorry for
being too snarky! ;P


P.S.  HWG email has been spotty for some time.....Stuff happens.  The BIG
PERSON only knows what is going on.......... :)  I read this as
"dead-time."  But, that is JMHO.


BG1> Yeah, but the weird thing is, I'm getting it fine to my gmail, but NOT
to my hotmail...anyone else running into this?


>                                                         BINO
>
>P.S. I haven't been getting any HWG emails to my hotmail.com account since
>4/12/09--none at all.  Anyone else on hotmail having this problem?  I also
>have it sent to my gmail account and that's how I even saw this message...
>
>
>
>-----Original Message-----
>From: hardware-boun...@hardwaregroup.com
>[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
>Sent: Friday, April 24, 2009 2:58 PM
>To: hardware@hardwaregroup.com
>Subject: Re: [H] MAC Address Filter
>
>John,
>I so appreciate your share. BUT, it seems to be focused at
>Wire-less/AccessPoint/WLAN business.............?
>I do get this for a LAN that has WLAN access.  I do NOT.  Still moderately
>confused.......
>
>Is MAC Address Filter really ONLY good for WLAN?
>
>I freely accept that my current router is totally focused toward
>WLAN!  And, Gaming!  Neither of which I use it for.  I bought it on the
>recc from HayesElkins.............
>Best,
>Duncan
>
>At 14:22 04/24/2009 -0700, you wrote:
> >Most Wi-Fi access points and routers ship with a feature called hardware
> >or MAC address filtering.
> >This feature is normally turned "off" by the manufacturer, because it
> >requires a bit of effort to set up properly.
> >
> >However, to improve the
> >security of your Wi-Fi LAN (WLAN), strongly consider enabling and using
> >MAC address filtering.
> >
> >Without MAC address filtering, any wireless client can join (authenticate
> >with) a Wi-Fi network if they know the network name (also called the SSID)
> >and perhaps a few other security parameters like encryption keys.
> >
> >
> >When
> >MAC address filtering is enabled, however, the access point or router
> >performs an additional check on a different parameter. Obviously the
> >more checks that are made, the greater the likelihood of preventing
> >network break-ins.
> >
> >To set up MAC address filtering, you as a WLAN administrator
> >must configure a list of clients that will be allowed to join the
> >network. First, obtain the MAC addresses of each client from its
> >operating system or configuration utility. Then, they enter those
> >addresses into a configuration screen of the wireless access point or
> >router. Finally, switch on the filtering option.
> >
> >Once enabled, whenever the wireless access point or router
> >receives a request to join with the WLAN, it compares the MAC address
> >of that client against the administrator's list. Clients on the list
> >authenticate as normal; clients not on the list are denied any access
> >to the WLAN.
> >
> >MAC addresses on wireless clients can't be changed as they are
> >burned into the hardware. However, some wireless clients allow their
> >MAC address to be "impersonated" or "spoofed" in software. It's
> >certainly possible for a determined hacker to break into your WLAN by
> >configuring their client to spoof one of your MAC addresses. Although
> >MAC address filtering isn't bulletproof, still it remains a helpful
> >additional layer of defense that improves overall Wi-Fi network
> >security.
> >  --
> >JRS
> >stei...@pacbell.net
> >
> >
> >Facts do not cease to exist just
> >because they are ignored.
> >
> >
> >
> >----- Original Message ----
> > > From: DHSinclair <dsinc...@bellsouth.net>
> > > To: Hardware Group <hardware@hardwaregroup.com>
> > > Sent: Friday, April 24, 2009 1:42:04 PM
> > > Subject: [H] MAC Address Filter
> > >
> > > I use a d-link dgl-4300 router.  I have disabled the wire-less section.  I only
> > > do wired LAN business.
> > > The router is currently at F/W v1.8.  I do know that F/W 1.9 is available, but
> > > as I read the docs, it seems to only deal with wire-less
> > > business/bug-fixes........
> > >
> > > Can anyone point me to some reading about MAC Address Filters?  I do have one;
> > > and, I DO use it.
> > > But, now have questions................ :)
> > >
> > > MyCurrentUnderstanding: I 'think' that my router's MAF is what allows my LAN
> > > objects to gain access to the WWW (thru my router) via my Service
> > > Provider.....(when enabled!)... Is this correct?
> > >
> > > AND, I accept that this MAF access is completely 2-Way, with agreed
> > > comprehension of non-routable IP-Addy's?
> > >
> > > I feel like I am walking into a black hole here.  .... :)
> > > Best,
> > > Duncan
> >






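The allowlist comparison discussed in this thread, sketched as an added example that is not part of any poster's message or of any router's firmware. All function names, port names and MAC addresses are constructed for illustration. It shows that the filter only compares an address the client presents, and adds two checks an administrator can run over join events: addresses with the locally-administered bit set, and one allowlisted address active on two ports.

```python
import re

# Constructed allowlist, in the mixed notations admins typically paste in.
ALLOWLIST = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"]

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, meaning the
    address was assigned in software rather than by the hardware vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def evaluate(events, allowlist):
    """Apply the filter to (port, mac) join events.

    Returns (decisions, warnings). The filter decision is a plain set lookup;
    the warnings cover what that lookup cannot see on its own.
    """
    allowed = {normalize_mac(m) for m in allowlist}
    seen_on = {}
    decisions, warnings = [], []
    for port, raw in events:
        mac = normalize_mac(raw)
        verdict = "allow" if mac in allowed else "deny"
        decisions.append((port, mac, verdict))
        if is_locally_administered(mac):
            warnings.append(f"{mac} on {port}: software-assigned address")
        if verdict == "allow":
            previous = seen_on.setdefault(mac, port)
            if previous != port:
                warnings.append(f"{mac} on {port}: also active on {previous}")
    return decisions, warnings

# Constructed join events: (port or radio, MAC as presented by the client).
EVENTS = [
    ("lan1", "00:1a:2b:3c:4d:5e"),
    ("lan2", "00-1A-2B-3C-4D-5F"),
    ("wlan0", "02:11:22:33:44:55"),
    ("wlan0", "001A.2B3C.4D5E"),
]

if __name__ == "__main__":
    for line in evaluate(EVENTS, ALLOWLIST)[1]:
        print(line)
```
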