Ding ding. Disabling the SSID beacon and MAC filtering are utterly pointless.
"The six dumbest ways to secure a wireless LAN" http://blogs.zdnet.com/Ou/index.php?p=43

Greg

> -----Original Message-----
> From: hardware-boun...@hardwaregroup.com [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of Brian Weeden
> Sent: Tuesday, April 28, 2009 9:47 AM
> To: hwg
> Cc: hwg
> Subject: Re: [H] MAC Address Filter
>
> Turning off the SSID broadcast doesn't really work. I'm pretty sure the SSID is in all the packet headers so anyone with a sniffer will still see it.
>
> Same thing with filtering by MAC address - the allowed MACs are in all the packet headers so all you have to do is sniff and then spoof your MAC address.
>
> The only true security for wireless is WPA.
>
> -------
> Brian Weeden
> Technical Consultant
> Secure World Foundation
>
> Sent from my iPhone
>
> On 28-Apr-09, at 4:01 PM, Gary Jackson <gjack...@visi.com> wrote:
>
> > Two tips I have always heard for *wireless* networks: 1) Turn off SSID broadcasting and use a unique SSID. 2) If you have a static network (meaning that you are not adding and deleting a lot of devices) use MAC Address Filtering.
> >
> > As a former Network Admin, I have not encountered the use of MAC Address Filtering as a security method for wired networks, probably because keeping it up to date would be more of a pain than it is worth.
> >
> > If you have disabled the wireless side of your router, I don't think you need to worry about it as it isn't accessible.
> >
> > Regards.....Gary
> >
> > At 12:21 PM 4/27/2009, It was written by DHSinclair that this shall come to pass:
> > > Bino,
> > > OK. I have been back thru this whole thing. Thank you for your help, but I am still confused. I see nothing in my docs for the router that explicitly indicates that using MAF is truly for WLAN only. I will dig more later today.
> > >
> > > Anyway. I can confirm that if I now drop my current clients off the MAF, none of them will ever get thru the router to the WWW. This I have confirmed several times. And, I have re-confirmed that I have all WLAN business in the router disabled; I even left the external antennas in the box!
> > >
> > > Yes, there is a new f/w available for my router (v1.9). I currently use v1.8. I have read and re-read the release notes and do NOT see any patches/bug fixes for a Wired LAN. Everything I read is for WLAN and VPN tunnels. I use neither at all. So, I see little push to update the f/w of my router ATM.
> > > But, as you have mentioned some segregation between Wired and Wireless NOW in the MAF logic, I will now go back and dig deeper.............perhaps I missed something. Not like this has ever happened before.................. LOL!
> > >
> > > Still listening.
> > > Best,
> > > Duncan
> > >
> > > At 09:28 04/27/2009 -0700, you wrote:
> > > > Ok, going inline with BG1> before my responses; the 1 is if we continue; then those will be BG2> and so on... ;)
> > > >
> > > > -----Original Message-----
> > > > From: hardware-boun...@hardwaregroup.com [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
> > > > Sent: Friday, April 24, 2009 8:23 PM
> > > > To: hardware@hardwaregroup.com
> > > > Subject: Re: [H] MAC Address Filter
> > > >
> > > > Bino,
> > > > I gotta go inline below.................
> > > > At 15:32 04/24/2009 -0700, you wrote:
> > > > > According to the DGL-4300 manual (found the pdf online) the Filter settings section (Advanced -> MAC Address Filter) lets you pick from filtering wireless and wired clients separate from each other (p.39).
> > > >
> > > > OK. Fair. I will go back to the docs once again.................. :)
> > > >
> > > > > John is right that some routers usually only let you do it for wireless clients, but as it turns out yours definitely lets you do it for both.
> > > >
> > > > I am going to, ATM, trust you on this.................. :)
> > > > My router did/does NOT give me a choice between WLAN / LAN............
> > > >
> > > > BG1> IF you have a DGL-4300, since I found the pdf manual online and it had a screenshot that clearly showed selecting b/w wireless and wired clients for the MAF, then either you have a different model which doesn't have it, or you need a firmware update to enable that.
> > > >
> > > > > Oh and btw, your understanding of the MAF you wrote below is completely wrong (just fyi).
> > > >
> > > > OMG!!! Please enlighten........
> > > >
> > > > > What you described was NAT (Network Address Translation), that's what takes the PCs on the private address space of your home network and translates them into the public IP that gives them access to the internet. And it's NOT 2-way; i.e. just b/c the PCs can access the internet, that doesn't mean that things on the internet can access your PCs.
> > > >
> > > > Thanks Bino. No. I do believe that NAT is THE clear concept here...... All my routers since 199x have used NAT. Perhaps NAT has changed....... Perhaps I may dick with it a bit, but I do believe I know what NAT logic still purports to do......even with SPI now!!...... :)
> > > >
> > > > BG1> NAT for the most part is the same as it was since 1999 or so...so if you're clear on NAT and how it works and what it does, then you're fine. Just remember that it doesn't automatically allow inbound connections back to your PC (which is a good thing, b/c otherwise it'd be too easy to hack people) unless you specifically set that up (well, AFAIK; maybe some newer routers do this, but that would be a BAAAD thing to do by default w/o making you enable it first...JM2C there).
> > > >
> > > > > So the MAF restricts who can get ONTO your network in the first place. Typically it's more interesting/useful for wireless networks since anyone can try and connect to your network that way, whereas it's a little harder for random people to get the physical access to plug a cable into your router/switch! ;)
> > > >
> > > > Yes, and this is why I still do NOT play Wire-less............... :)
> > > >
> > > > BG1> Well, if you don't broadcast your SSID, and then use MAF on wireless, and use WPA2-PSK and/or client certs, it's practically impossible to hack your wireless network and it's a lot more convenient than running cables, or if you have laptops. But YMMV.
> > > >
> > > > > But you can also use it for wired connections just to be uber-safe/paranoid, but it's almost kind of useless at that point. Like I said, if people have the physical access to plug cables into your router/switch ports, you kind of have bigger problems than worrying about whether you've got MAF enabled, you know? ;)
> > > >
> > > > Well, NO. Please explain. I missed something. No one external to my home has access to my LAN,...that I believe, ATM. Access to my LAN is either a physical connection to my TSID, or, inside my home............Unless, I have grossly missed something............... ;)
> > > > Best,
> > > > Duncan
> > > >
> > > > BG1> Sorry! I was being a little too cheeky/smart here. So all I was trying to say was that having MAF for wired connections is kind of pointless, since at the point at which MAF for wired matters, someone you don't know has to have physical access to plug in a cable and then you have bigger problems (b/c they've broken in at that point, etc), see?
> > > >
> > > > To put it another way, since you don't have random people coming in off the street trying to plug cables into your network, MAF for wired connections doesn't really buy you anything! Does that make it more clear? Sorry for being too snarky! ;P
> > > >
> > > > P.S. HWG email has been spotty for some time.....Stuff happens. The BIG PERSON only knows what is going on.......... :) I read this as "dead-time." But, that is JMHO.
> > > >
> > > > BG1> Yeah, but the weird thing is, I'm getting it fine to my gmail, but NOT to my hotmail...anyone else running into this?
> > > >
> > > > > BINO
> > > > >
> > > > > P.S. I haven't been getting any HWG emails to my hotmail.com account since 4/12/09--none at all. Anyone else on hotmail having this problem? I also have it sent to my gmail account and that's how I even saw this message...
> > > > >
> > > > > -----Original Message-----
> > > > > From: hardware-boun...@hardwaregroup.com [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
> > > > > Sent: Friday, April 24, 2009 2:58 PM
> > > > > To: hardware@hardwaregroup.com
> > > > > Subject: Re: [H] MAC Address Filter
> > > > >
> > > > > John,
> > > > > I so appreciate your share. BUT, it seems to be focused at Wire-less/AccessPoint/WLAN business.............?
> > > > > I do get this for a LAN that has WLAN access. I do NOT. Still moderately confused.......
> > > > >
> > > > > Is MAC Address Filter really ONLY good for WLAN?
> > > > >
> > > > > I freely accept that my current router is totally focused toward WLAN! And, Gaming! Neither of which I use it for. I bought it on the recc from HayesElkins.............
> > > > > Best,
> > > > > Duncan
> > > > >
> > > > > At 14:22 04/24/2009 -0700, you wrote:
> > > > > > Most Wi-Fi access points and routers ship with a feature called hardware or MAC address filtering. This feature is normally turned "off" by the manufacturer, because it requires a bit of effort to set up properly.
> > > > > >
> > > > > > However, to improve the security of your Wi-Fi LAN (WLAN), strongly consider enabling and using MAC address filtering.
> > > > > >
> > > > > > Without MAC address filtering, any wireless client can join (authenticate with) a Wi-Fi network if they know the network name (also called the SSID) and perhaps a few other security parameters like encryption keys.
> > > > > >
> > > > > > When MAC address filtering is enabled, however, the access point or router performs an additional check on a different parameter. Obviously the more checks that are made, the greater the likelihood of preventing network break-ins.
> > > > > >
> > > > > > To set up MAC address filtering, you as a WLAN administrator must configure a list of clients that will be allowed to join the network. First, obtain the MAC addresses of each client from its operating system or configuration utility. Then, enter those addresses into a configuration screen of the wireless access point or router. Finally, switch on the filtering option.
> > > > > >
> > > > > > Once enabled, whenever the wireless access point or router receives a request to join with the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal; clients not on the list are denied any access to the WLAN.
> > > > > >
> > > > > > MAC addresses on wireless clients can't be changed as they are burned into the hardware. However, some wireless clients allow their MAC address to be "impersonated" or "spoofed" in software. It's certainly possible for a determined hacker to break into your WLAN by configuring their client to spoof one of your MAC addresses. Although MAC address filtering isn't bulletproof, still it remains a helpful additional layer of defense that improves overall Wi-Fi network security.
> > > > > > --
> > > > > > JRS
> > > > > > stei...@pacbell.net
> > > > > >
> > > > > > Facts do not cease to exist just because they are ignored.
> > > > > >
> > > > > > ----- Original Message ----
> > > > > > > From: DHSinclair <dsinc...@bellsouth.net>
> > > > > > > To: Hardware Group <hardware@hardwaregroup.com>
> > > > > > > Sent: Friday, April 24, 2009 1:42:04 PM
> > > > > > > Subject: [H] MAC Address Filter
> > > > > > >
> > > > > > > I use a d-link dgl-4300 router. I have disabled the wire-less section. I only do wired LAN business.
> > > > > > > The router is currently at F/W v1.8. I do know that F/W 1.9 is available, but as I read the docs, it seems to only deal with wire-less business/bug-fixes........
> > > > > > >
> > > > > > > Can anyone point me to some reading about MAC Address Filters? I do have one; and, I DO use it.
> > > > > > > But, now have questions................ :)
> > > > > > >
> > > > > > > MyCurrentUnderstanding: I 'think' that my router's MAF is what allows my LAN objects to gain access to the WWW (thru my router) via my Service Provider.....(when enabled!)... Is this correct?
> > > > > > >
> > > > > > > AND, I accept that this MAF access is completely 2-Way, with agreed comprehension of non-routeable IP-Addy's?
> > > > > > >
> > > > > > > I feel like I am walking into a black hole here. .... :)
> > > > > > > Best,
> > > > > > > Duncan
> > > > > >
> > > > > > __________ NOD32 4034 (20090424) Information __________
> > > > > >
> > > > > > This message was checked by NOD32 antivirus system.
> > > > > > http://www.eset.com
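A worked illustration of the two points argued in the thread above (Brian's "sniff and then spoof" and the JRS text's "determined hacker ... spoof one of your MAC addresses"). This is an added example, not code from anyone in the thread. It builds a handful of 802.11 frames by hand from the standard's management and data frame layout and then does what a passive sniffer does: reads transmitter MACs out of every frame header and the SSID out of the probe response and association request that a "hidden SSID" network still has to send. The addresses, SSID and payload are constructed for the example. Note that the SSID is not carried in every frame, only in management frames that name it; the MAC addresses, by contrast, are in the clear in every frame header even when WPA2 encrypts the data payload.

```python
"""Added example: why a hidden SSID and a MAC allow-list fall to a sniffer.

Frames follow the IEEE 802.11 MAC header (frame control, duration, three
addresses, sequence control) and the management-frame bodies; everything
else (addresses, SSID, payload) is constructed for this example.
"""
import struct

MGMT, DATA = 0, 2                                      # frame types
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8  # management subtypes
SSID_IE, RATES_IE = 0, 1                               # information element IDs
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed, locally administered addresses; not real devices.
AP, CLIENT, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
REAL_SSID = b"HomeNet"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def header(ftype, subtype, addr1, addr2, addr3, to_ds=0):
    """24-byte MAC header. addr2 is always the transmitter (TA)."""
    fc = bytes([(ftype << 2) | (subtype << 4), to_ds])
    return fc + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"


def ie(eid, value):
    return bytes([eid, len(value)]) + value


def beacon_body(ssid):
    # timestamp(8) + beacon interval(2) + capability(2), then IEs
    return struct.pack("<QHH", 0, 100, 0x0411) + ie(SSID_IE, ssid) + ie(RATES_IE, b"\x82\x84\x8b\x96")


def assoc_request(source):
    # capability(2) + listen interval(2), then IEs; the client names the SSID
    return header(MGMT, ASSOC_REQ, AP, source, AP) + struct.pack("<HH", 0x0411, 10) + ie(SSID_IE, REAL_SSID)


def build_capture():
    """Frames a listener near the AP sees in the clear, WPA2 or not (constructed)."""
    return [
        # Beacon with SSID broadcast disabled: the SSID element is present but empty.
        header(MGMT, BEACON, BROADCAST, AP, AP) + beacon_body(b""),
        # Probe response: the AP answers a directed probe with the real SSID.
        header(MGMT, PROBE_RESP, CLIENT, AP, AP) + beacon_body(REAL_SSID),
        # Association request from the legitimate client.
        assoc_request(CLIENT),
        # Data frame client -> AP (ToDS=1). Payload would be encrypted; addresses are not.
        header(DATA, 0, AP, CLIENT, "02:00:00:00:00:fe", to_ds=1) + b"\x00" * 16,
    ]


def find_ssid(ies):
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if eid == SSID_IE:
            # A "hidden" SSID is sent as zero length or all NULs.
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else None
        i += 2 + length
    return None


def parse(frame):
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    info = {"type": ftype, "subtype": subtype,
            "ra": mac_str(frame[4:10]), "ta": mac_str(frame[10:16]), "ssid": None}
    if ftype == MGMT and subtype in FIXED_LEN:
        info["ssid"] = find_ssid(frame[24 + FIXED_LEN[subtype]:])
    return info


def sniff(frames):
    """What a passive listener learns: every SSID named and every station MAC."""
    ssids, stations = set(), set()
    for p in map(parse, frames):
        if p["ssid"]:
            ssids.add(p["ssid"])
        if p["ta"] != AP:
            stations.add(p["ta"])
    return ssids, stations


def mac_filter_allows(allowlist, frame):
    """All a MAC filter can check is the transmitter address in the header."""
    return parse(frame)["ta"] in allowlist


def demo():
    capture = build_capture()
    ssids, stations = sniff(capture)
    allow = {CLIENT}
    return {
        "hidden_beacon_ssid": parse(capture[0])["ssid"],
        "ssids": ssids,
        "stations": stations,
        "attacker_own_mac_allowed": mac_filter_allows(allow, assoc_request(ATTACKER)),
        "attacker_spoofed_mac_allowed": mac_filter_allows(allow, assoc_request(next(iter(stations)))),
    }


if __name__ == "__main__":
    print(demo())
```

On a real network the same observation takes a monitor-mode interface and tcpdump or Wireshark; changing the attacker's address is one `ip link set dev <iface> address <mac>` on Linux. Neither the beacon's empty SSID element nor the allow-list changes what the AP accepts, which is the thread's point: only the WPA2 key exchange actually authenticates a client.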
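Bino's NAT explanation in the quoted thread (outbound works, unsolicited inbound is dropped unless you set up a forward) is easy to see in a toy state table. This is an added example, not the D-Link's implementation or anyone's code from the thread; the addresses and ports are constructed, and the matching rule (an inbound packet must come from the remote host and port the mapping was created for) is one common stateful behaviour, labelled here as an assumption rather than a claim about any particular router.

```python
"""Added example: a toy NAT/SPI table showing why NAT is not 2-way.

Outbound packets allocate a public port and record the flow; inbound
packets are translated only if they match a recorded flow or an explicit
port forward. Addresses use RFC 5737/1918 ranges and are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
    out_map: dict = field(default_factory=dict)
    # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    in_map: dict = field(default_factory=dict)
    # (proto, public_port) -> (inside_ip, inside_port); set by the admin
    forwards: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source and remember the flow."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.out_map:
            self.out_map[flow] = self.next_port
            self.in_map[(pkt.proto, self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.out_map[flow], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: a reply to a tracked flow or a configured forward
        gets translated; anything else is dropped (returns None)."""
        if pkt.dst != self.public_ip:
            return None
        target = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if target is None:
            target = self.forwards.get((pkt.proto, pkt.dport))
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1])

    def forward(self, proto, public_port, inside_ip, inside_port):
        """The explicit step Bino refers to: nothing gets in without it."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)


def demo():
    router = NatRouter(public_ip="203.0.113.7")
    pc, web, rogue = "192.168.0.10", "198.51.100.20", "198.51.100.99"

    out = router.outbound(Packet("tcp", pc, 51000, web, 80))
    reply = router.inbound(Packet("tcp", web, 80, router.public_ip, out.sport))
    # Same public port, but from a host the PC never talked to: dropped.
    hijack = router.inbound(Packet("tcp", rogue, 4444, router.public_ip, out.sport))
    # Unsolicited connection to a service port: dropped ...
    ssh_before = router.inbound(Packet("tcp", rogue, 4444, router.public_ip, 22))
    # ... until the admin deliberately forwards that port inside.
    router.forward("tcp", 22, pc, 22)
    ssh_after = router.inbound(Packet("tcp", rogue, 4444, router.public_ip, 22))
    return {"out": out, "reply": reply, "hijack": hijack,
            "ssh_before": ssh_before, "ssh_after": ssh_after}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} {pkt}")
```

The example also makes Bino's caveat concrete: a router that opened inbound ports by default would be the equivalent of calling `forward()` for every service on the LAN without being asked.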