Bino,
Thanks for this share!  It is so StarWars to me, that I cannot even comment.
Damn, WPA is now WPA2?
I am so old.................. :)
Best,
Duncan

At 09:27 04/28/2009 -0700, you wrote:
Right; no one should think those methods alone will secure them, but they
make it just that *little* bit harder, such that if someone is being lazy
(or a novice who's trying to learn), you're less likely to get picked than
the guy who is broadcasting their SSID in the open and not doing MAF, right?

And even with WPA there were flaws in the TKIP protocol, so you should
really use WPA2.  But even with WPA2 you can still do 802.1x with a Radius
server and client certs on your machines (or even smartcards) using EAP-TLS
if you want to be truly secure (or 802.11i)! ;)

                                                        BINO


-----Original Message-----
From: hardware-boun...@hardwaregroup.com
[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of Brian Weeden
Sent: Tuesday, April 28, 2009 7:47 AM
To: hwg
Cc: hwg
Subject: Re: [H] MAC Address Filter

Turning off the SSID broadcast doesn't really work.  I'm pretty sure
the SSID is in all the packet headers so anyone with a sniffer will
still see it.

Same thing with filtering by mac address - the allowed macs are in all
the packet headers so all you have to do is sniff and then spoof your
mac address.

The only true security for wireless is WPA.

-------
Brian Weeden
Technical Consultant
Secure World Foundation

Sent from my iPhone

On 28-Apr-09, at 4:01 PM, Gary Jackson <gjack...@visi.com> wrote:

>
>    Two tips I have always heard for *wireless* networks, 1)  Turn
> off SSID broadcasting and use a unique SSID.  2)  If you have a
> static network ( meaning that you are not adding and deleting a lot
> of devices ) use Mac Address Filtering.
>
>     As a former Network Admin, I have not encountered the use of Mac
> Address Filtering as a security method for wired networks, probably
> because keeping it up to date would be more of a pain than it is worth.
>
>     If you have disabled the wireless side of your router, I don't
> think you need to worry about it as it isn't accessible.
>
> Regards.....Gary
>
>
> At 12:21 PM 4/27/2009, It was written by DHSinclair that this shall
> come to pass:
>> Bino,
>> OK.  I have been back thru this whole thing. Thank you for your help,
>> but I am still confused.  I see nothing in my docs for the router
>> that explicitly indicates that using MAF is truly for WLAN only.  I
>> will dig more later today.
>>
>> Anyway. I can confirm that if I now drop my current clients off the
>> MAF, none of them will ever get thru the router to the WWW.  This I
>> have confirmed several times. And, I have re-confirmed that I have
>> all WLAN business in the router disabled; I even left the external
>> antennas in the box!
>>
>> Yes, there is a new f/w available for my router (v1.9). I currently
>> use v1.8.  I have read and re-read the release notes and do NOT see
>> any patches/bug fixes for a Wired LAN.  Everything I read is for
>> WLAN and VPN tunnels.  I use neither at all.  So, I see little push
>> to update the f/w of my router ATM.
>> But, as you have mentioned some segregation between Wired and
>> Wireless NOW in the MAF logic, I will now go back and dig
>> deeper.............perhaps I missed something.  Not like this has
>> ever happened before.................. LOL!
>>
>> Still listening.
>> Best,
>> Duncan
>>
>> At 09:28 04/27/2009 -0700, you wrote:
>>> Ok, going inline with BG1> before my responses; the 1 is if we continue;
>>> then those will be BG2> and so on... ;)
>>>
>>>
>>> -----Original Message-----
>>> From: hardware-boun...@hardwaregroup.com
>>> [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
>>> Sent: Friday, April 24, 2009 8:23 PM
>>> To: hardware@hardwaregroup.com
>>> Subject: Re: [H] MAC Address Filter
>>>
>>> Bino,
>>> I gotta go inline below.................
>>> At 15:32 04/24/2009 -0700, you wrote:
>>> >According to the DGL-4300 manual (found the pdf online) the Filter settings
>>> >section (Advanced -> MAC Address Filter) lets you pick from filtering
>>> >wireless and wired clients separate from each other (p.39).
>>>
>>> OK. Fair. I will go back to the docs once again.................. :)
>>>
>>> >John is right that some routers usually only let you do it for wireless
>>> >clients, but as it turns out yours definitely lets you do it for both.
>>>
>>> I am going to, ATM, trust you on this.................. :)
>>> My router did/does NOT give me a choice between WLAN / LAN............
>>>
>>>
>>> BG1> IF you have a DGL-4300, since I found the pdf manual online and it had
>>> a screenshot that clearly showed selecting b/w wireless and wired clients
>>> for the MAF, then either you have a different model which doesn't have it,
>>> or you need a firmware update to enable that.
>>>
>>>
>>> >Oh and btw, your understanding of the MAF you wrote below is completely
>>> >wrong (just fyi).
>>>
>>> OMG!!!  Please enlighten........
>>>
>>> >   What you described was NAT (Network Address Translation)-that's what
>>> >takes the PCs on the private address space of your home network and
>>> >translates them into the public IP that gives them access to the internet.
>>> >And it's NOT 2-way; i.e. just b/c the PCs can access the internet, that
>>> >doesn't mean that things on the internet can access your PCs.
>>>
>>> Thanks Bino.  No.  I do believe that NAT is THE clear concept here......
>>> All my routers since 199x have used NAT. Perhaps NAT has changed.......
>>> Perhaps I may dick with it a bit, but I do believe I know what NAT logic
>>> still purports to do......even with SPI now!!...... :)
>>>
>>>
>>> BG1> NAT for the most part is the same as it was since 1999 or so...so if
>>> you're clear on NAT and how it works and what it does, then you're fine.
>>> Just remember that it doesn't automatically allow inbound connections back
>>> to your PC (which is a good thing, b/c otherwise it'd be too easy to hack
>>> people) unless you specifically set that up (well, AFAIK; maybe some newer
>>> routers do this, but that would be a BAAAD thing to do by default w/o making
>>> you enable it first...JM2C there).
>>>
>>>
>>> >So the MAF restricts who can get ONTO your network in the first place.
>>> >Typically it's more interesting/useful for wireless networks since anyone
>>> >can try and connect to your network that way, whereas it's a little harder
>>> >for random people to get the physical access to plug a cable into your
>>> >router/switch! ;)
>>>
>>> Yes, and this is why I still do NOT play Wire-less............... :)
>>>
>>>
>>> BG1> Well, if you don't broadcast your SSID, and then use MAF on wireless,
>>> and use WPA2-PSK and/or client certs, it's practically impossible to hack
>>> your wireless network and it's a lot more convenient than running cables, or
>>> if you have laptops.  But YMMV.
>>>
>>>
>>> >But you can also use it for wired connections just to be
>>> >uber-safe/paranoid, but it's almost kind of useless at that point-like I
>>> >said if people have the physical access to plug cables into your
>>> >router/switch ports, you kind of have bigger problems than worrying about
>>> >whether you've got MAF enabled, you know? ;)
>>>
>>> Well, NO.  Please explain.  I missed something.  No one external to my home
>>> has access to my LAN,...that I believe, ATM.  Access to my LAN is either a
>>> physical connection to my TSID, or, inside my home............Unless, I
>>> have grossly missed something............... ;)
>>> Best,
>>> Duncan
>>>
>>>
>>> BG1> Sorry!  I was being a little too cheeky/smart here.  So all I was
>>> trying to say was that having MAF for wired connections is kind of
>>> pointless, since at the point at which MAF for wired matters, someone you
>>> don't know has to have physical access to plug in a cable and then you have
>>> bigger problems (b/c they've broken in at that point, etc), see?
>>>
>>> To put it another way, since you don't have random people coming in off the
>>> street trying to plug cables into your network, MAF for wired connections
>>> doesn't really buy you anything!  Does that make it more clear?  Sorry for
>>> being too snarky! ;P
>>>
>>>
>>> P.S.  HWG email has been spotty for some time.....Stuff happens.  The BIG
>>> PERSON only knows what is going on.......... :)  I read this as
>>> "dead-time."  But, that is JMHO.
>>>
>>>
>>> BG1> Yeah, but the weird thing is, I'm getting it fine to my gmail, but NOT
>>> to my hotmail...anyone else running into this?
>>>
>>>
>>> >                                                         BINO
>>> >
>>> >P.S. I haven't been getting any HWG emails to my hotmail.com account since
>>> >4/12/09--none at all.  Anyone else on hotmail having this problem?  I also
>>> >have it sent to my gmail account and that's how I even saw this message...
>>> >
>>> >
>>> >
>>> >-----Original Message-----
>>> >From: hardware-boun...@hardwaregroup.com
>>> >[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
>>> >Sent: Friday, April 24, 2009 2:58 PM
>>> >To: hardware@hardwaregroup.com
>>> >Subject: Re: [H] MAC Address Filter
>>> >
>>> >John,
>>> >I so appreciate your share. BUT, it seems to be focused at
>>> >Wire-less/AccessPoint/WLAN business.............?
>>> >I do get this for a LAN that has WLAN access.  I do NOT.  Still moderately
>>> >confused.......
>>> >
>>> >Is MAC Address Filter really ONLY good for WLAN?
>>> >
>>> >I freely accept that my current router is totally focused toward
>>> >WLAN!  And, Gaming!  Neither of which I use it for.  I bought it on the
>>> >recc from HayesElkins.............
>>> >Best,
>>> >Duncan
>>> >
>>> >At 14:22 04/24/2009 -0700, you wrote:
>>> > >Most Wi-Fi access points and routers ship with a feature called hardware
>>> > >or MAC address filtering.
>>> > >This feature is normally turned "off" by the manufacturer, because it
>>> > >requires a bit of effort to set up properly.
>>> > >
>>> > >However, to improve the security of your Wi-Fi LAN (WLAN), strongly
>>> > >consider enabling and using MAC address filtering.
>>> > >
>>> > >Without MAC address filtering, any wireless client can join (authenticate
>>> > >with) a Wi-Fi network if they know the network name (also called the SSID)
>>> > >and perhaps a few other security parameters like encryption keys.
>>> > >
>>> > >When MAC address filtering is enabled, however, the access point or router
>>> > >performs an additional check on a different parameter.  Obviously the
>>> > >more checks that are made, the greater the likelihood of preventing
>>> > >network break-ins.
>>> > >
>>> > >To set up MAC address filtering, you as a WLAN administrator
>>> > >must configure a list of clients that will be allowed to join the
>>> > >network. First, obtain the MAC addresses of each client from its
>>> > >operating system or configuration utility. Then, enter those
>>> > >addresses into a configuration screen of the wireless access point or
>>> > >router. Finally, switch on the filtering option.
>>> > >
>>> > >Once enabled, whenever the wireless access point or router
>>> > >receives a request to join with the WLAN, it compares the MAC address
>>> > >of that client against the administrator's list. Clients on the list
>>> > >authenticate as normal; clients not on the list are denied any access
>>> > >to the WLAN.
>>> > >
>>> > >MAC addresses on wireless clients can't be changed as they are
>>> > >burned into the hardware. However, some wireless clients allow their
>>> > >MAC address to be "impersonated" or "spoofed" in software. It's
>>> > >certainly possible for a determined hacker to break into your WLAN by
>>> > >configuring their client to spoof one of your MAC addresses.  Although
>>> > >MAC address filtering isn't bulletproof, still it remains a helpful
>>> > >additional layer of defense that improves overall Wi-Fi network
>>> > >security.
>>> > >  --
>>> > >JRS
>>> > >stei...@pacbell.net
>>> > >
>>> > >
>>> > >Facts do not cease to exist just
>>> > >because they are ignored.
>>> > >
>>> > >
>>> > >
>>> > >----- Original Message ----
>>> > > > From: DHSinclair <dsinc...@bellsouth.net>
>>> > > > To: Hardware Group <hardware@hardwaregroup.com>
>>> > > > Sent: Friday, April 24, 2009 1:42:04 PM
>>> > > > Subject: [H] MAC Address Filter
>>> > > >
>>> > > > I use a d-link dgl-4300 router.  I have disabled the wire-less
>>> > > > section.  I only do wired LAN business.
>>> > > > The router is currently at F/W v1.8.  I do know that F/W 1.9 is
>>> > > > available, but as I read the docs, it seems to only deal with wire-less
>>> > > > business/bug-fixes........
>>> > > >
>>> > > > Can anyone point me to some reading about MAC Address Filters?  I do
>>> > > > have one; and, I DO use it.
>>> > > > But, now have questions................ :)
>>> > > >
>>> > > > MyCurrentUnderstanding: I 'think' that my router's MAF is what allows
>>> > > > my LAN objects to gain access to the WWW (thru my router) via my Service
>>> > > > Provider.....(when enabled!)... Is this correct?
>>> > > >
>>> > > > AND, I accept that this MAF access is completely 2-Way, with agreed
>>> > > > comprehension of non-routeable IP-Addy's?
>>> > > >
>>> > > > I feel like I am walking into a black hole here.  .... :)
>>> > > > Best,
>>> > > > Duncan
>>> > >
>>> > >__________ NOD32 4034 (20090424) Information __________
>>> > >
>>> > >This message was checked by NOD32 antivirus system.
>>> > >http://www.eset.com
>>> >
>>> >
>>>
>>>
>>
>
>
>
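The filter JRS describes in the quoted thread (an allow-list that the access point compares against on every join request) and the limitation the thread points out (the access point sees only the address the client presents, so a client configured with an allow-listed address is accepted like the real device), as an added example that is not from this thread or any of its participants. Everything in it is constructed for illustration: the normalize_mac helper, the MacFilter class, the sample allow-list and association events, and the find_duplicate_associations check, which is a defender-side heuristic assumed by this example rather than something the thread describes.

```python
import re
from dataclasses import dataclass, field

# A MAC address may be written as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, or
# aabb.ccdd.eeff. The filter has to compare a canonical form, or an entry typed
# in one style will never match a client that reports the same address in another.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits with colons; raise on malformed input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacFilter:
    """The allow-list check an access point performs when a client asks to join.

    It only ever sees the address the client *claims*, so a station presenting an
    allow-listed address is indistinguishable from the device that really owns it.
    """
    enabled: bool = False
    allowed: set = field(default_factory=set)

    def add(self, mac: str) -> None:
        self.allowed.add(normalize_mac(mac))

    def allows(self, claimed_mac: str) -> bool:
        if not self.enabled:
            return True  # filtering off: the SSID/key checks still apply, this one does not
        return normalize_mac(claimed_mac) in self.allowed


def find_duplicate_associations(events, mac_filter: MacFilter):
    """Heuristic (an assumption of this example, not from the thread): if an
    allow-listed MAC associates again while it is still associated, two stations
    may be presenting the same address. Returns the offending (timestamp, mac) pairs.
    Stations the filter rejects never associate, so they are skipped."""
    associated = set()
    findings = []
    for ts, mac, action in events:
        mac = normalize_mac(mac)
        if not mac_filter.allows(mac):
            continue
        if action == "assoc":
            if mac in associated:
                findings.append((ts, mac))
            associated.add(mac)
        elif action == "disassoc":
            associated.discard(mac)
    return findings


# Constructed sample data for the demonstration (not real devices or real logs).
SAMPLE_ALLOWLIST = ["00:1B:44:11:3A:B7", "00-1b-44-11-3a-b8"]
SAMPLE_EVENTS = [
    ("10:00:01", "00:1b:44:11:3a:b7", "assoc"),   # the real laptop joins
    ("10:00:05", "00:1b:44:11:3a:c9", "assoc"),   # unknown client: not on the list
    ("10:02:10", "001b.4411.3ab7", "assoc"),      # allow-listed address joins again while still associated
    ("10:05:00", "00:1b:44:11:3a:b7", "disassoc"),
]


def build_sample_filter() -> MacFilter:
    f = MacFilter(enabled=True)
    for m in SAMPLE_ALLOWLIST:
        f.add(m)
    return f


def demo():
    """Run the filter over the sample join requests and the duplicate check over the events."""
    f = build_sample_filter()
    decisions = {mac: f.allows(mac) for _, mac, action in SAMPLE_EVENTS if action == "assoc"}
    dupes = find_duplicate_associations(SAMPLE_EVENTS, f)
    return decisions, dupes


if __name__ == "__main__":
    decisions, dupes = demo()
    for mac, ok in decisions.items():
        print(f"{normalize_mac(mac):17} {'allowed' if ok else 'denied'}")
    for ts, mac in dupes:
        print(f"{ts} {mac} associated while already associated: possible duplicate address")
```

The third event is the point of the example: the filter accepts it because the address is on the list, exactly as it accepted the first, and nothing in the filter's decision distinguishes the two. The duplicate-association check is one cheap signal a defender can watch for, but it is only a heuristic; the thread's conclusion stands, which is that the real protection comes from WPA2 (or 802.1X with EAP-TLS) rather than from the filter.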


