Duncan -

I was traveling so I missed the first part of this thread.  To clear up a
couple of things that I hinted at in my previous message:

- MAF is only useful for keeping pesky neighbors from hogging your wifi.  It
will NOT prevent hackers or anyone who really wants to get in.
- same thing applies to turning off SSID broadcast and/or using a screwy
name.  It will only stop casual people, not hackers.

I am not sure why you are concerned with using MAF on your wired LAN to
begin with.  If you have the wireless disabled, then the only way someone
can get into your LAN is to walk into your house and plug in their machine.

And if they can do that you have bigger problems.

---
Brian

On Tue, Apr 28, 2009 at 4:47 PM, Brian Weeden <brian.wee...@gmail.com>wrote:

> Turning off the SSID broadcast doesn't really work.  I'm pretty sure the
> ssid is in all the packet headers so anyone with a sniffer will still see
> it.
>
> Same thing with filtering by mac address - the allowed macs are in all the
> packet headers so all you have to do is sniff and then spoof your mac
> address.
>
> The only true security for wireless is WPA.
>
> -------
> Brian Weeden
> Technical Consultant
> Secure World Foundation
>
> Sent from my iPhone
>
> On 28-Apr-09, at 4:01 PM, Gary Jackson <gjack...@visi.com> wrote:
>
>
>>   Two tips I have always heard for *wireless* networks: 1)  Turn off SSID
>> broadcasting and use a unique SSID.  2)  If you have a static network
>> (meaning that you are not adding and deleting a lot of devices) use MAC
>> Address Filtering.
>>
>>    As a former Network Admin, I have not encountered the use of MAC
>> Address Filtering as a security method for wired networks, probably because
>> keeping it up to date would be more of a pain than it is worth.
>>
>>    If you have disabled the wireless side of your router, I don't think
>> you need to worry about it as it isn't accessible.
>>
>> Regards.....Gary
>>
>>
>> At 12:21 PM 4/27/2009, It was written by DHSinclair that this shall come
>> to pass:
>>
>>> Bino,
>>>
>>> OK.  I have been back thru this whole thing. Thank you for your help, but I
>>> am still confused.  I see nothing in my docs for the router that explicitly
>>> indicates that using MAF is truly for WLAN only.  I will dig more later
>>> today.
>>>
>>> Anyway. I can confirm that if I now drop my current clients off the MAF,
>>> none of them will ever get thru the router to the WWW.  This I have
>>> confirmed several times. And, I have re-confirmed that I have all WLAN
>>> business in the router disabled; I even left the external antennas in the
>>> box!
>>>
>>> Yes, there is a new f/w available for my router (v1.9). I currently use
>>> v1.8.  I have read and re-read the release notes and do NOT see any
>>> patches/bug fixes for a Wired LAN.  Everything I read is for WLAN and VPN
>>> tunnels.  I use neither at all.  So, I see little push to update the f/w of
>>> my router ATM.
>>> But, as you have mentioned some segregation between Wired and Wireless
>>> NOW in the MAF logic, I will now go back and dig deeper.............perhaps
>>> I missed something.  Not like this has ever happened
>>> before.................. LOL!
>>>
>>> Still listening.
>>> Best,
>>> Duncan
>>>
>>> At 09:28 04/27/2009 -0700, you wrote:
>>>
>>>> Ok, going inline with BG1> before my responses; the 1 is if we continue;
>>>> then those will be BG2> and so on... ;)
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: hardware-boun...@hardwaregroup.com
>>>> [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
>>>> Sent: Friday, April 24, 2009 8:23 PM
>>>> To: hardware@hardwaregroup.com
>>>> Subject: Re: [H] MAC Address Filter
>>>>
>>>> Bino,
>>>> I gotta go inline below.................
>>>> At 15:32 04/24/2009 -0700, you wrote:
>>>> >According to the DGL-4300 manual (found the pdf online) the Filter settings
>>>> >section (Advanced -> MAC Address Filter) lets you pick from filtering
>>>> >wireless and wired clients separate from each other (p.39).
>>>>
>>>> OK. Fair. I will go back to the docs once again.................. :)
>>>>
>>>> >John is right that some routers usually only let you do it for wireless
>>>> >clients, but as it turns out yours definitely lets you do it for both.
>>>>
>>>> I am going to, ATM, trust you on this.................. :)
>>>> My router did/does NOT give me a choice between WLAN / LAN............
>>>>
>>>>
>>>> BG1> IF you have a DGL-4300, since I found the pdf manual online and it had
>>>> a screenshot that clearly showed selecting b/w wireless and wired clients
>>>> for the MAF, then either you have a different model which doesn't have it,
>>>> or you need a firmware update to enable that.
>>>>
>>>>
>>>> >Oh and btw, your understanding of the MAF you wrote below is completely
>>>> >wrong (just fyi).
>>>>
>>>> OMG!!!  Please enlighten........
>>>>
>>>> >   What you described was NAT (Network Address
>>>> >Translation): that's what takes the PCs on the private address space of your
>>>> >home network and translates them into the public IP that gives them access
>>>> >to the internet.  And it's NOT 2-way; i.e. just b/c the PCs can access the
>>>> >internet, that doesn't mean that things on the internet can access your PCs.
>>>>
>>>> Thanks Bino.  No.  I do believe that NAT is THE clear concept here......
>>>> All my routers since 199x have used NAT. Perhaps NAT has changed.......
>>>> Perhaps I may dick with it a bit, but I do believe I know what NAT logic
>>>> still purports to do......even with SPI now!!...... :)
>>>>
>>>>
>>>> BG1> NAT for the most part is the same as it was since 1999 or so...so if
>>>> you're clear on NAT and how it works and what it does, then you're fine.
>>>> Just remember that it doesn't automatically allow inbound connections back
>>>> to your PC (which is a good thing, b/c otherwise it'd be too easy to hack
>>>> people) unless you specifically set that up (well, AFAIK; maybe some newer
>>>> routers do this, but that would be a BAAAD thing to do by default w/o making
>>>> you enable it first...JM2C there).
>>>>
>>>>
>>>> >So the MAF restricts who can get ONTO your network in the first place.
>>>> >Typically it's more interesting/useful for wireless networks since anyone
>>>> >can try and connect to your network that way, whereas it's a little harder
>>>> >for random people to get the physical access to plug a cable into your
>>>> >router/switch! ;)
>>>>
>>>> Yes, and this is why I still do NOT play Wire-less............... :)
>>>>
>>>>
>>>> BG1> Well, if you don't broadcast your SSID, and then use MAF on wireless,
>>>> and use WPA2-PSK and/or client certs, it's practically impossible to hack
>>>> your wireless network and it's a lot more convenient than running cables, or
>>>> if you have laptops.  But YMMV.
>>>>
>>>>
>>>> >But you can also use it for wired connections just to be uber-safe/paranoid,
>>>> >but it's almost kind of useless at that point; like I said if people have the
>>>> >physical access to plug cables into your router/switch ports, you kind of
>>>> >have bigger problems than worrying about whether you've got MAF enabled, you
>>>> >know? ;)
>>>>
>>>> Well, NO.  Please explain.  I missed something.  No one external to my home
>>>> has access to my LAN,...that I believe, ATM.  Access to my LAN is either a
>>>> physical connection to my TSID, or, inside my home............Unless, I
>>>> have grossly missed something............... ;)
>>>> Best,
>>>> Duncan
>>>>
>>>>
>>>> BG1> Sorry!  I was being a little too cheeky/smart here.  So all I was
>>>> trying to say was that having MAF for wired connections is kind of
>>>> pointless, since at the point where MAF for wired matters, someone you don't
>>>> know has to have physical access to plug in a cable and then you have bigger
>>>> problems (b/c they've broken in at that point, etc), see?
>>>>
>>>> To put it another way, since you don't have random people coming in off the
>>>> street trying to plug cables into your network, MAF for wired connections
>>>> doesn't really buy you anything!  Does that make it more clear?  Sorry for
>>>> being too snarky! ;P
>>>>
>>>>
>>>> P.S.  HWG email has been spotty for some time.....Stuff happens.  The BIG
>>>> PERSON only knows what is going on.......... :)  I read this as
>>>> "dead-time."  But, that is JMHO.
>>>>
>>>>
>>>> BG1> Yeah, but the weird thing is, I'm getting it fine to my gmail, but NOT
>>>> to my hotmail...anyone else running into this?
>>>>
>>>>
>>>> >BINO
>>>> >
>>>> >P.S. I haven't been getting any HWG emails to my hotmail.com account since
>>>> >4/12/09--none at all.  Anyone else on hotmail having this problem?  I also
>>>> >have it sent to my gmail account and that's how I even saw this message...
>>>> >
>>>> >
>>>> >
>>>> >-----Original Message-----
>>>> >From: hardware-boun...@hardwaregroup.com
>>>> >[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
>>>> >Sent: Friday, April 24, 2009 2:58 PM
>>>> >To: hardware@hardwaregroup.com
>>>> >Subject: Re: [H] MAC Address Filter
>>>> >
>>>> >John,
>>>> >I so appreciate your share. BUT, it seems to be focused at
>>>> >Wire-less/AccessPoint/WLAN business.............?
>>>> >I do get this for a LAN that has WLAN access.  I do NOT.  Still moderately
>>>> >confused.......
>>>> >
>>>> >Is MAC Address Filter really ONLY good for WLAN?
>>>> >
>>>> >I freely accept that my current router is totally focused toward
>>>> >WLAN!  And, Gaming!  Neither of which I use it for.  I bought it on the
>>>> >recc from HayesElkins.............
>>>> >Best,
>>>> >Duncan
>>>> >
>>>> >At 14:22 04/24/2009 -0700, you wrote:
>>>> > >Most Wi-Fi access points and routers ship with a feature called hardware
>>>> > >or MAC address filtering.
>>>> > >This feature is normally turned "off" by the manufacturer, because it
>>>> > >requires a bit of effort to set up properly.
>>>> > >
>>>> > >However, to improve the security of your Wi-Fi LAN (WLAN), strongly
>>>> > >consider enabling and using MAC address filtering.
>>>> > >
>>>> > >Without MAC address filtering, any wireless client can join (authenticate
>>>> > >with) a Wi-Fi network if they know the network name (also called the SSID)
>>>> > >and perhaps a few other security parameters like encryption keys.
>>>> > >
>>>> > >When MAC address filtering is enabled, however, the access point or router
>>>> > >performs an additional check on a different parameter. Obviously the
>>>> > >more checks that are made, the greater the likelihood of preventing
>>>> > >network break-ins.
>>>> > >
>>>> > >To set up MAC address filtering, you as a WLAN administrator
>>>> > >must configure a list of clients that will be allowed to join the
>>>> > >network. First, obtain the MAC addresses of each client from its
>>>> > >operating system or configuration utility. Then, enter those
>>>> > >addresses into a configuration screen of the wireless access point or
>>>> > >router. Finally, switch on the filtering option.
>>>> > >
>>>> > >Once enabled, whenever the wireless access point or router
>>>> > >receives a request to join with the WLAN, it compares the MAC address
>>>> > >of that client against the administrator's list. Clients on the list
>>>> > >authenticate as normal; clients not on the list are denied any access
>>>> > >to the WLAN.
>>>> > >
>>>> > >MAC addresses on wireless clients can't be changed as they are
>>>> > >burned into the hardware. However, some wireless clients allow their
>>>> > >MAC address to be "impersonated" or "spoofed" in software. It's
>>>> > >certainly possible for a determined hacker to break into your WLAN by
>>>> > >configuring their client to spoof one of your MAC addresses. Although
>>>> > >MAC address filtering isn't bulletproof, still it remains a helpful
>>>> > >additional layer of defense that improves overall Wi-Fi network
>>>> > >security.
>>>> > >  --
>>>> > >JRS
>>>> > >stei...@pacbell.net
>>>> > >
>>>> > >
>>>> > >Facts do not cease to exist just
>>>> > >because they are ignored.
>>>> > >
>>>> > >
>>>> > >
>>>> > >----- Original Message ----
>>>> > > > From: DHSinclair <dsinc...@bellsouth.net>
>>>> > > > To: Hardware Group <hardware@hardwaregroup.com>
>>>> > > > Sent: Friday, April 24, 2009 1:42:04 PM
>>>> > > > Subject: [H] MAC Address Filter
>>>> > > >
>>>> > > > I use a d-link dgl-4300 router.  I have disabled the wire-less
>>>> > > > section.  I only do wired LAN business.
>>>> > > > The router is currently at F/W v1.8.  I do know that F/W 1.9 is
>>>> > > > available, but as I read the docs, it seems to only deal with wire-less
>>>> > > > business/bug-fixes........
>>>> > > >
>>>> > > > Can anyone point me to some reading about MAC Address Filters?  I do
>>>> > > > have one; and, I DO use it.
>>>> > > > But, now have questions................ :)
>>>> > > >
>>>> > > > MyCurrentUnderstanding: I 'think' that my router's MAF is what allows
>>>> > > > my LAN objects to gain access to the WWW (thru my router) via my Service
>>>> > > > Provider.....(when enabled!)... Is this correct?
>>>> > > >
>>>> > > > AND, I accept that this MAF access is completely 2-Way, with agreed
>>>> > > > comprehension of non-routeable IP-Addy's?
>>>> > > >
>>>> > > > I feel like I am walking into a black hole here.  .... :)
>>>> > > > Best,
>>>> > > > Duncan
>>>> > >
>>>> > >__________ NOD32 4034 (20090424) Information __________
>>>> > >
>>>> > >This message was checked by NOD32 antivirus system.
>>>> > >http://www.eset.com
>>>> >
>>>> >
>>>>
>>>>
>>>> __________ NOD32 4036 (20090427) Information __________
>>>>
>>>> This message was checked by NOD32 antivirus system.
>>>> http://www.eset.com
>>>>
>>>
>>>
>>
>>
>>
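The NAT behaviour that Bino and Duncan go back and forth about above (a LAN host's outbound connection gets a public-side mapping and the reply is let back in, while unsolicited inbound traffic is dropped unless a port forward has been configured explicitly) is easier to see in a small simulation. This is an added example, not code from the thread or from D-Link: `NatRouter`, `Packet`, the method names and the IP addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration, and the mapping model is a simplified endpoint-dependent one rather than any specific router's implementation.

```python
from dataclasses import dataclass

# Constructed public address for the router (RFC 5737 TEST-NET-3), not a real host.
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple view of a TCP/UDP packet; enough to drive the NAT table."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Hypothetical stateful NAT: one public IP, per-connection port mappings,
    plus an explicit port-forward table (what the thread calls 'setting it up')."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (lan_ip, lan_port, remote_ip, remote_port) -> public port used outside
        self.out_map = {}
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.in_map = {}
        # public_port -> (lan_ip, lan_port): only populated by the admin
        self.port_forwards = {}

    def outbound(self, pkt):
        """Translate a LAN->Internet packet and record the mapping for replies."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an Internet->LAN packet, or return None if the router drops it.
        Only replies matching an existing outbound mapping, or traffic to an
        explicitly forwarded port, reach the LAN."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.port_forwards.get(pkt.dst_port)
        if target is None:
            return None  # unsolicited: no state, no forward -> dropped
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

    def forward_port(self, public_port, lan_ip, lan_port):
        """Admin action that deliberately exposes one LAN service to the Internet."""
        self.port_forwards[public_port] = (lan_ip, lan_port)


def demo():
    """Walk through the cases discussed in the thread; returns them for checking."""
    r = NatRouter(PUBLIC_IP)
    # 1. LAN host opens a web connection; the router rewrites the source.
    out = r.outbound(Packet("192.168.0.10", 51000, "198.51.100.7", 80))
    # 2. The web server's reply matches the mapping and is delivered to the LAN host.
    reply = r.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port))
    # 3. A different Internet host sending to that same public port is dropped.
    unsolicited = r.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, out.src_port))
    # 4. An unsolicited probe at a service port is dropped: NAT is not 2-way.
    probe = r.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 3389))
    # 5. Only after the admin forwards the port does that traffic reach a LAN host.
    r.forward_port(3389, "192.168.0.20", 3389)
    forwarded = r.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 3389))
    return out, reply, unsolicited, probe, forwarded


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "unsolicited", "probe", "forwarded"), demo()):
        print(f"{label:12s} -> {'dropped' if pkt is None else pkt}")
```

Case 3 is the reason MAF on the wired side and NAT are separate questions: the NAT decision keys on the connection state the LAN host created, not on who is plugged in, and case 5 shows that inbound exposure only exists where an administrator has configured it.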
