Bino,
Please excuse me. Apologies. I have searched and found a newer version of the UM for my router. Correct. It appears that my router DOES allow me to use MAF for my wired clients. I re-confirmed this in the router's MAF set-up page this morning.

I also notice that since I disabled my Printer and NAS from outbound access, the router is logging each time either device attempts to (I assume) connect to the WWW. Now, I am trying to figure out why either of these two appliances would need to speak with anything beyond the router/gateway.
The mystery (minor!) continues.
Best,
Duncan

At 18:13 04/28/2009 -0700, you wrote:
Duncan, two things that need correcting in your email (for your
edification):

1) I *never* said MAF *only* works for wireless clients; in fact if you read
my first email response to you, I pointed out that the manual for your
router specifically offers an option to use MAF for wired clients (which is
unusual since most routers usually only apply MAF to wireless clients).

Just for reference:

-----Original Message-----
From: hardware-boun...@hardwaregroup.com
[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of Bino Gopal
Sent: Friday, April 24, 2009 3:33 PM
To: hardware@hardwaregroup.com
Subject: Re: [H] MAC Address Filter

According to the DGL-4300 manual (found the pdf online) the Filter settings
section (Advanced -> MAC Address Filter) lets you pick from filtering
wireless and wired clients separate from each other (p.39).

John is right that some routers usually only let you do it for wireless
clients, but as it turns out yours definitely lets you do it for both.
<snip>

So I would say that your observations are 100% correct (that MAF blocks
wired clients on your router); so MAF works for wired clients in your case
since that's the behavior you are seeing! ;P

2) If and when you go wireless, you should *only* use WPA2-PSK (for your
protection) as I've pointed out multiple times that even WPA is hackable in
a short amount of time nowadays; WPA2 uses AES and it's just that much more
secure...

HTH!

                                                        BINO


-----Original Message-----
From: hardware-boun...@hardwaregroup.com
[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
Sent: Tuesday, April 28, 2009 11:13 AM
To: hardware@hardwaregroup.com
Subject: Re: [H] MAC Address Filter

Greg,
I understand this.  But, somehow my original questions still appear to be
un-answered.
I do not need knowledge about Wire-less Router security. I do NOT use WLAN
in my home.
I enabled the MAC Address Filter in my router because it seemed to offer
some additional security in addition to normal NAT and SPI.  Apparently I
was wrong.

With so many comments regarding WLAN, I can only conclude that the majority
of the Collective is now using WLAN..................  Is this a fair
conclusion?
(yes, a tin-hat question............... :) )

I can confirm that with MAF enabled in my router, for wired-only clients,
any client NOT listed will NEVER see the WWW through my router's current
f/w........... :)
This sorta proves to me that the MAF does affect wired clients......... :)

So, I have 2 choices from what I've read from
Greg/Brian/JRS/Gary/Rick/Bino....:

1) Disable MAF---It is for WLAN ONLY. (even though my docs do NOT say this!)
2) Somehow try and figure out if MAF really does work on a Wired LAN.......
:)

Oh, and should I ever dabble in WLAN, I would ONLY use WPA....to start
with......!

At 11:10 04/28/2009 -0500, you wrote:
>Ding ding. Disabling the SSID beacon and MAC filtering are utterly
>pointless.
>
>"The six dumbest ways to secure a wireless LAN"
>http://blogs.zdnet.com/Ou/index.php?p=43
>
>Greg
>
> > -----Original Message-----
> > From: hardware-boun...@hardwaregroup.com [mailto:hardware-
> > boun...@hardwaregroup.com] On Behalf Of Brian Weeden
> > Sent: Tuesday, April 28, 2009 9:47 AM
> > To: hwg
> > Cc: hwg
> > Subject: Re: [H] MAC Address Filter
> >
> > Turning off the ssid broadcast doesn't really work.  I'm pretty sure
> > the ssid is in all the packet headers so anyone with a sniffer will
> > still see it.
> >
> > Same thing with filtering by mac address - the allowed macs are in all
> > the packet headers so all you have to do is sniff and then spoof your
> > mac address.
> >
> > The only true security for wireless is WPA.
> >
> > -------
> > Brian Weeden
> > Technical Consultant
> > Secure World Foundation
> >
> > Sent from my iPhone
> >
> > On 28-Apr-09, at 4:01 PM, Gary Jackson <gjack...@visi.com> wrote:
> >
> > >
> > >    Two tips I have always heard for *wireless* networks, 1)  Turn
> > > off SSID broadcasting and use a unique SSID.  2)  If you have a
> > > static network ( meaning that you are not adding and deleting a lot
> > > of devices ) use Mac Address Filtering.
> > >
> > >     As a former Network Admin, I have not encountered the use of Mac
> > > Address Filtering as a security method for wired networks, probably
> > > because keeping it up to date would be more of a pain than it is
> > > worth.
> > >
> > >     If you have disabled the wireless side of your router, I don't
> > > think you need to worry about it as it isn't accessible.
> > >
> > > Regards.....Gary
> > >
> > >
> > > At 12:21 PM 4/27/2009, It was written by DHSinclair that this shall
> > > come to pass:
> > >> Bino,
> > >> OK.  I have been back thru this whole thing. Thank you for your help,
> > >> but I am still confused.  I see nothing in my docs for the router
> > >> that explicitly indicate that using MAF is truly for WLAN only.  I
> > >> will dig more later today.
> > >>
> > >> Anyway. I can confirm that if I now drop my current clients off the
> > >> MAF, none of them will ever get thru the router to the WWW.  This I
> > >> have confirmed several times. And, I have re-confirmed that I have
> > >> all WLAN business in the router disabled; I even left the external
> > >> antennas in the box!
> > >>
> > >> Yes, there is a new f/w available for my router (v1.9). I currently
> > >> use v1.8.  I have read and re-read the release notes and do NOT see
> > >> any patches/bug fixes for a Wired LAN.  Everything I read is for
> > >> WLAN and VPN tunnels.  I use neither at all.  So, I see little push
> > >> to update the f/w of my router ATM.
> > >> But, as you have mentioned some segregation between Wired and
> > >> Wireless NOW in the MAF logic, I will now go back and dig
> > >> deeper.............perhaps I missed something.  Not like this has
> > >> ever happened before.................. LOL!
> > >>
> > >> Still listening.
> > >> Best,
> > >> Duncan
> > >>
> > >> At 09:28 04/27/2009 -0700, you wrote:
> > >>> Ok, going inline with BG1> before my responses; the 1 is if we
> > >>> continue;
> > >>> then those will be BG2> and so on... ;)
> > >>>
> > >>>
> > >>> -----Original Message-----
> > >>> From: hardware-boun...@hardwaregroup.com
> > >>> [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
> > >>> Sent: Friday, April 24, 2009 8:23 PM
> > >>> To: hardware@hardwaregroup.com
> > >>> Subject: Re: [H] MAC Address Filter
> > >>>
> > >>> Bino,
> > >>> I gotta go inline below.................
> > >>> At 15:32 04/24/2009 -0700, you wrote:
> > >>> >According to the DGL-4300 manual (found the pdf online) the
> > >>> Filter settings
> > >>> >section (Advanced -> MAC Address Filter) lets you pick from
> > >>> filtering
> > >>> >wireless and wired clients separate from each other (p.39).
> > >>>
> > >>> OK. Fair. I will go back to the docs once again..................
> > :)
> > >>>
> > >>> >John is right that some routers usually only let you do it for
> > >>> wireless
> > >>> >clients, but as it turns out yours definitely lets you do it for
> > >>> both.
> > >>>
> > >>> I am going to, ATM, trust you on this.................. :)
> > >>> My router did/does NOT give me a choice between WLAN /
> > >>> LAN............
> > >>>
> > >>>
> > >>> BG1> IF you have a DGL-4300, since I found the pdf manual online
> > >>> and it had
> > >>> a screenshot that clearly showed selecting b/w wireless and wired
> > >>> clients
> > >>> for the MAF, then either you have a different model which doesn't
> > >>> have it,
> > >>> or you need a firmware update to enable that.
> > >>>
> > >>>
> > >>> >Oh and btw, your understanding of the MAF you wrote below is
> > >>> completely
> > >>> >wrong (just fyi).
> > >>>
> > >>> OMG!!!  Please enlighten........
> > >>>
> > >>> >   What you described was NAT (Network Address
> > >>> >Translation)-that's what takes the PCs on the private address
> > >>> space of your
> > >>> >home network and translates them into the public IP that gives
> > >>> them access
> > >>> >to the internet.  And it's NOT 2-way; i.e. just b/c the PCs can
> > >>> access the
> > >>> >internet, that doesn't mean that things on the internet can
> > >>> access your
> > >>> PCs.
> > >>>
> > >>> Thanks Bino.  No.  I do believe that NAT is THE clear concept
> > >>> here......
> > >>> All my routers since 199x have used NAT. Perhaps NAT has
> > >>> changed.......
> > >>> Perhaps I may dick with it a bit, but I do believe I know what NAT
> > >>> logic
> > >>> still purports to do......even with SPI now!!...... :)
> > >>>
> > >>>
> > >>> BG1> NAT for the most part is the same as it was since 1999 or
> > >>> so...so if
> > >>> you're clear on NAT and how it works and what it does, then you're
> > >>> fine.
> > >>> Just remember that it doesn't automatically allow inbound
> > >>> connections back
> > >>> to your PC (which is a good thing, b/c otherwise it'd be too easy
> > >>> to hack
> > >>> people) unless you specifically set that up (well, AFAIK; maybe
> > >>> some newer
> > >>> routers do this, but that would be a BAAAD thing to do by default
> > >>> w/o making
> > >>> you enable it first...JM2C there).
> > >>>
> > >>>
> > >>> >So the MAF restricts who can get ONTO your network in the first
> > >>> place.
> > >>> >Typically it's more interesting/useful for wireless networks
> > >>> since anyone
> > >>> >can try and connect to your network that way, whereas it's a
> > >>> little harder
> > >>> >for random people to get the physical access to plug a cable into
> > >>> your
> > >>> >router/switch! ;)
> > >>>
> > >>> Yes, and this is why I still do NOT play Wire-less...............
> > :)
> > >>>
> > >>>
> > >>> BG1> Well, if you don't broadcast your SSID, and then use MAF on
> > >>> wireless,
> > >>> and uses WPA2-PSK and/or client certs, it's practically impossible
> > >>> to hack
> > >>> your wireless network and it's a lot more convenient than running
> > >>> cables, or
> > >>> if you have laptops.  But YMMV.
> > >>>
> > >>>
> > >>> >But you can also use it for wired connections just to be
> > >>> uber-safe/paranoid,
> > >>> >but it's almost kind of useless at that point-like I said if
> > >>> people have
> > >>> the
> > >>> >physical access to plug cables into your router/switch ports, you
> > >>> kind of
> > >>> >have bigger problems than worrying about whether you've got MAF
> > >>> enabled,
> > >>> you
> > >>> >know? ;)
> > >>>
> > >>> Well, NO.  Please explain.  I missed something.  No one external
> > >>> to my home
> > >>> has access to my LAN,...that I believe, ATM.  Access to my LAN is
> > >>> either a
> > >>> physical connection to my TSID, or, inside my
> > >>> home............Unless, I
> > >>> have grossly missed something............... ;)
> > >>> Best,
> > >>> Duncan
> > >>>
> > >>>
> > >>> BG1> Sorry!  I was being a little too cheeky/smart here.  So all I
> > >>> was
> > >>> trying to say was that having MAF for wired connections is kind of
> > >>> pointless, since the point at which MAF for wired matters, someone
> > >>> you don't
> > >>> know has to have physical access to plug in a cable and then you
> > >>> have bigger
> > >>> problems (b/c they've broken in at that point, etc), see?
> > >>>
> > >>> To put it another way, since you don't have random people coming
> > >>> in off the
> > >>> street trying to plug cables into your network, MAF for wired
> > >>> connections
> > >>> doesn't really buy you anything!  Does that make it more clear?
> > >>> Sorry for
> > >>> being too snarky! ;P
> > >>>
> > >>>
> > >>> P.S.  HWG email has been spotty for some time.....Stuff happens.
> > >>> The BIG
> > >>> PERSON only knows what is going on.......... :)  I read this as
> > >>> "dead-time."  But, that is JMHO.
> > >>>
> > >>>
> > >>> BG1> Yeah, but the weird thing is, I'm getting it fine to my
> > >>> gmail, but NOT
> > >>> to my hotmail...anyone else running into this?
> > >>>
> > >>>
> > >>> >                                                         BINO
> > >>> >
> > >>> >P.S. I haven't been getting any HWG emails to my hotmail.com
> > >>> account since
> > >>> >4/12/09--none at all.  Anyone else on hotmail having this
> > >>> problem?  I also
> > >>> >have it sent to my gmail account and that's how I even saw this
> > >>> message...
> > >>> >
> > >>> >
> > >>> >
> > >>> >-----Original Message-----
> > >>> >From: hardware-boun...@hardwaregroup.com
> > >>> >[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of
> > DHSinclair
> > >>> >Sent: Friday, April 24, 2009 2:58 PM
> > >>> >To: hardware@hardwaregroup.com
> > >>> >Subject: Re: [H] MAC Address Filter
> > >>> >
> > >>> >John,
> > >>> >I so appreciate your share. BUT, it seems to be focused at
> > >>> >Wire-less/AccessPoint/WLAN business.............?
> > >>> >I do get this for a LAN that has WLAN access.  I do NOT.  Still
> > >>> moderately
> > >>> >confused.......
> > >>> >
> > >>> >Is MAC Address Filter really ONLY good for WLAN?
> > >>> >
> > >>> >I freely accept that my current router is totally focused toward
> > >>> >WLAN!  And, Gaming!  Neither of which I use it for.  I bought it
> > >>> on the
> > >>> >recc from HayesElkins.............
> > >>> >Best,
> > >>> >Duncan
> > >>> >
> > >>> >At 14:22 04/24/2009 -0700, you wrote:
> > >>> > >Most Wi-Fi access points and routers ship with a feature called
> > >>> hardware
> > >>> > >or MAC address filtering.
> > >>> > >This feature is normally turned "off" by the manufacturer,
> > >>> because it
> > >>> > >requires a bit of effort to set up properly.
> > >>> > >
> > >>> > >However, to improve the
> > >>> > >security of your Wi-Fi LAN (WLAN), strongly consider enabling
> > >>> and using
> > >>> > >MAC address filtering.
> > >>> > >
> > >>> > >Without MAC address filtering, any wireless client can join
> > >>> (authenticate
> > >>> > >with) a Wi-Fi network if they know the network name (also
> > >>> called the
> > >>> SSID)
> > >>> > >and perhaps a few other security parameters like encryption
> > keys.
> > >>> > >
> > >>> > >
> > >>> > >When
> > >>> > >MAC address filtering is enabled, however, the access point or
> > >>> router
> > >>> > >performs an additional check on a different parameter.
> > >>> Obviously the
> > >>> > >more checks that are made, the greater the likelihood of
> > >>> preventing
> > >>> > >network break-ins.
> > >>> > >
> > >>> > >To set up MAC address filtering, you as a WLAN administrator
> > >>> > >must configure a list of clients that will be allowed to join
> > the
> > >>> > >network. First, obtain the MAC addresses of each client from its
> > >>> > >operating system or configuration utility. Then, they enter
> > those
> > >>> > >addresses into a configuration screen of the wireless access
> > >>> point or
> > >>> > >router. Finally, switch on the filtering option.
> > >>> > >
> > >>> > >Once enabled, whenever the wireless access point or router
> > >>> > >receives a request to join with the WLAN, it compares the MAC
> > >>> address
> > >>> > >of that client against the administrator's list. Clients on the
> > >>> list
> > >>> > >authenticate as normal; clients not on the list are denied any
> > >>> access
> > >>> > >to the WLAN.
> > >>> > >
> > >>> > >MAC addresses on wireless clients can't be changed as they are
> > >>> > >burned into the hardware. However, some wireless clients allow
> > >>> their
> > >>> > >MAC address to be "impersonated" or "spoofed" in software. It's
> > >>> > >certainly possible for a determined hacker to break into your
> > >>> WLAN by
> > >>> > >configuring their client to spoof one of your MAC addresses.
> > >>> Although
> > >>> > >MAC address filtering isn't bulletproof, still it remains a
> > >>> helpful
> > >>> > >additional layer of defense that improves overall Wi-Fi network
> > >>> > >security.
> > >>> > >  --
> > >>> > >JRS
> > >>> > >stei...@pacbell.net
> > >>> > >
> > >>> > >
> > >>> > >Facts do not cease to exist just
> > >>> > >because they are ignored.
> > >>> > >
> > >>> > >
> > >>> > >
> > >>> > >----- Original Message ----
> > >>> > > > From: DHSinclair <dsinc...@bellsouth.net>
> > >>> > > > To: Hardware Group <hardware@hardwaregroup.com>
> > >>> > > > Sent: Friday, April 24, 2009 1:42:04 PM
> > >>> > > > Subject: [H] MAC Address Filter
> > >>> > > >
> > >>> > > > I use a d-link dgl-4300 router.  I have disabled the wire-less
> > >>> > > section.  I only
> > >>> > > > do wired LAN business.
> > >>> > > > The router is currently at F/W v1.8.  I do know that F/W 1.9
> > >>> is
> > >>> > > available, but
> > >>> > > > as I read the docs, it seems to only deal with wire-less
> > >>> > > > business/bug-fixes........
> > >>> > > >
> > >>> > > > Can anyone point me to some reading about MAC Address
> > >>> Filters?  I do
> > >>> > > have one;
> > >>> > > > and, I DO use it.
> > >>> > > > But, now have questions................ :)
> > >>> > > >
> > >>> > > > MyCurrentUnderstanding: I 'think' that my router's MAF is
> > >>> what allows
> > >>> > > my LAN
> > >>> > > > objects to gain access to the WWW (thru my router) via my
> > >>> Service
> > >>> > > > Provider.....(when enabled!)... Is this correct?
> > >>> > > >
> > >>> > > > AND, I accept that this MAF access is completely 2-Way, with
> > >>> agreed
> > >>> > > > comprehension of non-routeable IP-Addy's?
> > >>> > > >
> > >>> > > > I feel like I am walking into a black hole here.  .... :)
> > >>> > > > Best,
> > >>> > > > Duncan
> > >>> > >
> > >>> >
> > >>> >
> > >>>
> > >>>
> > >>
> > >
> > >
> > >
>
>
>


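The allow-list check that JRS describes (router compares a client's MAC against the administrator's list), plus the one defender-side check the thread implies is missing from MAC filtering, as an added example that is not from the thread or from D-Link: the addresses, the accepted input formats and the (mac, switch port) observations are constructed for illustration.

```python
import re
from collections import defaultdict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC to lowercase colon form.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff; raises ValueError otherwise so a typo in the allow-list
    fails loudly instead of silently never matching any client.
    """
    raw = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def build_allowlist(entries):
    """The administrator's list, entered in whatever format the UI accepted."""
    return {normalize_mac(e) for e in entries}


def mac_filter_decision(client_mac, allowlist):
    """'allow' or 'deny'.  The filter's only input is the source address the
    client itself writes into its frames; an unparsable address is denied."""
    try:
        return "allow" if normalize_mac(client_mac) in allowlist else "deny"
    except ValueError:
        return "deny"


def duplicate_mac_ports(observations):
    """Check the filter alone cannot make: the same MAC seen on more than one
    switch port.  `observations` is an iterable of (mac, port) pairs, e.g.
    from a managed switch's address table.  Returns {mac: sorted ports}."""
    ports = defaultdict(set)
    for mac, port in observations:
        ports[normalize_mac(mac)].add(port)
    return {m: sorted(p) for m, p in ports.items() if len(p) > 1}


# Constructed sample allow-list (not real devices).
ALLOWLIST = build_allowlist([
    "00:11:22:33:44:55",   # desktop
    "00-11-22-33-44-66",   # printer, typed with dashes
    "0011.2233.4477",      # NAS, typed in dotted form
])

if __name__ == "__main__":
    for mac in ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:99", "garbage"]:
        print(mac, "->", mac_filter_decision(mac, ALLOWLIST))
    seen = [("00:11:22:33:44:55", 1), ("00:11:22:33:44:66", 2), ("00:11:22:33:44:55", 3)]
    print(duplicate_mac_ports(seen))
```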
