RE: Mac Address filtering on a 3512XL [7:26398]
And I would like to add a comment about something I took for granted. I assumed that a wireless sniffer couldn't see traffic if its MAC address was not on the list of MAC addresses at the access point. I thought it wouldn't be able to join the wireless network. I was wrong. It can see traffic (unless the traffic is WEP or LEAP encrypted, I would guess). The host running the sniffer can't actually use the access point to reach the wired network (because of the MAC access control lists) but it can still see packets on the wireless RF side. I guess that makes sense, but it surprised me.

One caveat: this testing was done with access control lists configured on a non-Cisco access point, so it may not apply to a Cisco access point. Anyone know?

(Also, it's a bit different from applying the access control lists on the wired switch which we were discussing. In that case, one wouldn't assume that there was any security on the wireless side, I guess.)

Priscilla

At 11:44 PM 11/15/01, Andras Bellak wrote:
>I missed something in my last reply that some folks might not take for granted - once you have sniffed the mac address of a wireless card, changing your card to match is simple - I did it on a card integrated into a notebook inside of 30 seconds - you set it in the GUI even.
>
>Andras
>
>-----Original Message-----
>From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, November 15, 2001 7:10 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Mac Address filtering on a 3512XL [7:26398]
>
>Ken, this comes up regularly with customers who want to do wireless, as if wireless will solve some great problem of theirs. well, in the case of my customers, there are indeed some great vertical applications that make this a wonderful technology. but...
>
>yes, mac filtering is one way to provide some modicum of security. spoofing mac's is not the first thing that enters the hacker's mind, so I've heard, but I would not rely on any one method to ensure a secure net. remember that there are several "wireless sniffers" available, so mac information can be decoded, and later spoofed.
>
>some folks I have spoken with do a number of things, including WEP, LEAP, and IPSec or L2TP from the wireless end device into the network, end to end. some folks go so far as to encrypt everything on storage devices, so that even if the wireless authentication is broken, it does the hacker no good.
>
>if your app is hand-held based these may not be options. then you are back to the mac filtering. still, you might want to think about upping to 128 WEP anyway. how concerned are you about the integrity and confidentiality of the data going over the wireless? more so or less so than if that same data were available via VPN across the internet or via dial up access?
>
>Chuck
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto
>Sent: Thursday, November 15, 2001 3:18 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Mac Address filtering on a 3512XL [7:26398]
>
>Yes, I do have a goal in mind. I just purchased some wireless equipment and would like to restrict the MAC addresses allowed in. 40 bit encryption is not good enough for the paranoid like me. It seems the network name is advertised. To me, that security really sucks.
>
>Besides, it's another challenge. Next, maybe a VPN tunnel. :-)
>
>Ken
>
> >>> "Howard C. Berkowitz" 11/15/01 02:24PM >>>
> >I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
> >
> >Thanks.
> >
> >Ken
>
>Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.
>
>Howard

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26516&t=26398
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Mac Address filtering on a 3512XL [7:26398]
I missed something in my last reply that some folks might not take for granted - once you have sniffed the mac address of a wireless card, changing your card to match is simple - I did it on a card integrated into a notebook inside of 30 seconds - you set it in the GUI even.

Andras

-----Original Message-----
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Mac Address filtering on a 3512XL [7:26398]

Ken, this comes up regularly with customers who want to do wireless, as if wireless will solve some great problem of theirs. well, in the case of my customers, there are indeed some great vertical applications that make this a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing mac's is not the first thing that enters the hacker's mind, so I've heard, but I would not rely on any one method to ensure a secure net. remember that there are several "wireless sniffers" available, so mac information can be decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP, and IPSec or L2TP from the wireless end device into the network, end to end. some folks go so far as to encrypt everything on storage devices, so that even if the wireless authentication is broken, it does the hacker no good.

if your app is hand-held based these may not be options. then you are back to the mac filtering. still, you might want to think about upping to 128 WEP anyway. how concerned are you about the integrity and confidentiality of the data going over the wireless? more so or less so than if that same data were available via VPN across the internet or via dial up access?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]

Yes, I do have a goal in mind. I just purchased some wireless equipment and would like to restrict the MAC addresses allowed in. 40 bit encryption is not good enough for the paranoid like me. It seems the network name is advertised. To me, that security really sucks.

Besides, it's another challenge. Next, maybe a VPN tunnel. :-)

Ken

>>> "Howard C. Berkowitz" 11/15/01 02:24PM >>>
>I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
>
>Thanks.
>
>Ken

Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.

Howard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26443&t=26398
Re: Mac Address filtering on a 3512XL [7:26398]
>Yes, I do have a goal in mind. I just purchased some wireless equipment and would like to restrict the MAC addresses allowed in. 40 bit encryption is not good enough for the paranoid like me. It seems the network name is advertised. To me, that security really sucks.

OK. I'll assume the filter is at the ingress switch, and you want to use the source address as a safeguard.

First, let's review the command:

    access-list access-list-number {permit | deny} address mask

where access-list-number is in the range 700-799. What confuses some people is that the address is the 48-bit MAC address and the mask is also 48 bits. Otherwise, the masking logic is just like an IP access list.

Let's say you want to permit all sources with the Cisco manufacturer code 0c (there are others). You don't care what the other 24 bits are. Therefore, your access list rule would be

    access-list 700 permit 0000.0c00.0000 0000.00ff.ffff

You could have an access-list rule for each device, with a 0000.0000.0000 mask. Think long and hard about how you would maintain that.

>
>Besides, it's another challenge. Next, maybe a VPN tunnel. :-)
>
>Ken
>
>>>> "Howard C. Berkowitz" 11/15/01 02:24PM >>>
>>I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
>>
>>Thanks.
>>
>>Ken
>
>Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.
>
>Howard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26440&t=26398
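The masking logic Howard describes above (a 48-bit address plus a 48-bit wildcard mask, where a 1 bit in the mask means "don't care", exactly as in an IP access list, with first match winning and an implicit deny at the end) as an added worked example. This is not code from the thread or from Cisco; it is a small Python evaluator for rules written in the `access-list <700-799> permit|deny <address> <mask>` form, and the rule list and sample MAC addresses in it are constructed for illustration.

```python
"""Evaluate Cisco-style 48-bit MAC access-list entries (numbers 700-799).

Added example for the GroupStudy thread, not vendor code. It models the
wildcard-mask comparison: bits set to 1 in the mask are ignored, every
other bit of the source MAC must equal the rule's address. Entries are
checked in order; a source that matches nothing hits the implicit deny.
"""
import re

# IOS dotted form (0000.0c12.3456) and the common colon/dash form.
DOTTED = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
COLON = re.compile(r"^([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$")
MAC_BITS = 0xFFFFFFFFFFFF  # 48 bits


def mac_to_int(mac: str) -> int:
    """Parse a MAC in either notation into a 48-bit integer."""
    if DOTTED.match(mac):
        return int(mac.replace(".", ""), 16)
    if COLON.match(mac):
        return int(re.sub(r"[:-]", "", mac), 16)
    raise ValueError(f"not a MAC address: {mac!r}")


def parse_rule(line: str):
    """Parse 'access-list <number> permit|deny <address> <mask>' into a tuple."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list":
        raise ValueError(f"bad rule: {line!r}")
    number = int(parts[1])
    if not 700 <= number <= 799:
        raise ValueError(f"48-bit MAC access lists use numbers 700-799, got {number}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    return number, action, mac_to_int(parts[3]), mac_to_int(parts[4])


def matches(mac: int, address: int, wildcard: int) -> bool:
    """True when every bit NOT set in the wildcard agrees between mac and address."""
    care = ~wildcard & MAC_BITS
    return (mac & care) == (address & care)


def evaluate(rules, mac: str) -> str:
    """Return the action of the first matching entry, or the implicit 'deny'."""
    source = mac_to_int(mac)
    for _number, action, address, wildcard in rules:
        if matches(source, address, wildcard):
            return action
    return "deny"


# Constructed rule list: block one specific device (mask of all zeros means
# an exact match), then permit anything whose top 24 bits are the Cisco
# manufacturer code 00-00-0c, ignoring the low 24 bits as Howard describes.
CONSTRUCTED_ACL = [
    parse_rule("access-list 700 deny   0000.0c00.00ff 0000.0000.0000"),
    parse_rule("access-list 700 permit 0000.0c00.0000 0000.00ff.ffff"),
]

if __name__ == "__main__":
    for sample in ("0000.0c12.3456", "0000.0c00.00ff", "00:50:56:aa:bb:cc"):
        print(sample, "->", evaluate(CONSTRUCTED_ACL, sample))
```

Running it shows the three outcomes the thread is about: a Cisco-OUI source that the wildcard rule permits, the one device caught by the exact-match deny placed ahead of it, and a source from another manufacturer that falls through to the implicit deny. The per-device style Howard warns about is the first rule form: one exact-match entry per station, which is where the maintenance burden comes from.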
RE: Mac Address filtering on a 3512XL [7:26398]
Welcome to the next big security nightmare. There are so many issues with trying to secure the access point, at some point you'll just want to sit in a corner with your arms around your knees rocking. In the meantime, here are a couple of thoughts/issues to look at.

1. Running WEP is almost useless. At least with WEP you've left the key under the doormat, not in the lock. One issue that you'll run across with higher encryption levels with WEP is the variance in network card software across manufacturers. Of the 4 different cards that we've had on the network here, we've had 4 sets of maximum and minimum key lengths, and there is no happy medium.

2. Running MAC filtering is good, if you want to keep track of all the MACs that you'll end up with. Anyone who has ever worked a network that used its own MAC scheme knows what I'm talking about. Another issue that we've run into with MAC filtering is the lack of ease of distributing your filter list across multiple access points. (I'm a bit of a hypocrite - we use MAC filtering on our network ;-} )

3. The ability to disable responding to a broadcast on your access point is a great start. Our Orinoco (I know, Avaya sucks) access points have a setting that tells the unit to not respond to any requests unless the card is set with the same network name as the base station. This won't stop somebody sniffing, but it does hide the unit from the apps that initially find the access points.

4. Accept that you'll have to use a different method for security, and plan your platform/app around it. We have had great success with Movian on our WinCE handhelds, connecting to an interface on a VPN-3030 in order to access the network. I know that this setup also works with a PIX, as it was our test environment.

5. Watch out for cars with funny antennas and laptops on the front seat. (#3 takes care of part of this problem.)

That all said, I think we as industry professionals have a lot to learn about deploying a secure wireless network. I do know that whenever I deploy one, I start the design process by putting on my paranoid hat.

Good luck, and good learning.

Andras

-----Original Message-----
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Mac Address filtering on a 3512XL [7:26398]

Ken, this comes up regularly with customers who want to do wireless, as if wireless will solve some great problem of theirs. well, in the case of my customers, there are indeed some great vertical applications that make this a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing mac's is not the first thing that enters the hacker's mind, so I've heard, but I would not rely on any one method to ensure a secure net. remember that there are several "wireless sniffers" available, so mac information can be decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP, and IPSec or L2TP from the wireless end device into the network, end to end. some folks go so far as to encrypt everything on storage devices, so that even if the wireless authentication is broken, it does the hacker no good.

if your app is hand-held based these may not be options. then you are back to the mac filtering. still, you might want to think about upping to 128 WEP anyway. how concerned are you about the integrity and confidentiality of the data going over the wireless? more so or less so than if that same data were available via VPN across the internet or via dial up access?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]

Yes, I do have a goal in mind. I just purchased some wireless equipment and would like to restrict the MAC addresses allowed in. 40 bit encryption is not good enough for the paranoid like me. It seems the network name is advertised. To me, that security really sucks.

Besides, it's another challenge. Next, maybe a VPN tunnel. :-)

Ken

>>> "Howard C. Berkowitz" 11/15/01 02:24PM >>>
>I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
>
>Thanks.
>
>Ken

Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.

Howard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26436&t=26398
RE: Mac Address filtering on a 3512XL [7:26398]
Ken, this comes up regularly with customers who want to do wireless, as if wireless will solve some great problem of theirs. well, in the case of my customers, there are indeed some great vertical applications that make this a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing mac's is not the first thing that enters the hacker's mind, so I've heard, but I would not rely on any one method to ensure a secure net. remember that there are several "wireless sniffers" available, so mac information can be decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP, and IPSec or L2TP from the wireless end device into the network, end to end. some folks go so far as to encrypt everything on storage devices, so that even if the wireless authentication is broken, it does the hacker no good.

if your app is hand-held based these may not be options. then you are back to the mac filtering. still, you might want to think about upping to 128 WEP anyway. how concerned are you about the integrity and confidentiality of the data going over the wireless? more so or less so than if that same data were available via VPN across the internet or via dial up access?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]

Yes, I do have a goal in mind. I just purchased some wireless equipment and would like to restrict the MAC addresses allowed in. 40 bit encryption is not good enough for the paranoid like me. It seems the network name is advertised. To me, that security really sucks.

Besides, it's another challenge. Next, maybe a VPN tunnel. :-)

Ken

>>> "Howard C. Berkowitz" 11/15/01 02:24PM >>>
>I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
>
>Thanks.
>
>Ken

Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.

Howard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26432&t=26398
Re: Mac Address filtering on a 3512XL [7:26398]
Yes, I do have a goal in mind. I just purchased some wireless equipment and would like to restrict the MAC addresses allowed in. 40 bit encryption is not good enough for the paranoid like me. It seems the network name is advertised. To me, that security really sucks.

Besides, it's another challenge. Next, maybe a VPN tunnel. :-)

Ken

>>> "Howard C. Berkowitz" 11/15/01 02:24PM >>>
>I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
>
>Thanks.
>
>Ken

Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.

Howard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26424&t=26398
Re: Mac Address filtering on a 3512XL [7:26398]
>I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?
>
>Thanks.
>
>Ken

Well, yes. But to coin a phrase, and to put it into a better context, what problem are you trying to solve? I find people learn better when they have a goal in mind, then look at configuration alternatives and how they relate to the problem.

Howard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26409&t=26398
Mac Address filtering on a 3512XL [7:26398]
I am wanting to configure a mac-address filter on my switch but need some help. Has anyone done this?

Thanks.

Ken

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26398&t=26398