When I had my house built, I was able to have the house wired for Internet use in each room. For me at least, and possibly I am showing my age, I am not a big fan of wireless. Yes, I know that it is the way things are moving, but for me anyway...I prefer a wired lan and probably will stay that way as much and for as long as possible.

Gary

P.S.  As in all things....YMMV    ;-)



At 01:13 PM 4/28/2009, It was written by DHSinclair that this shall come to pass:
Greg,
I understand this. But, somehow my original questions still appear to be un-answered. I do not need knowledge about Wire-less Router security. I do NOT use WLAN in my home. I enabled the MAC Address Filter in my router because it seemed to offer some additional security in addition to normal NAT and SPI. Apparently I was wrong.

With so many comments regarding WLAN, I can only conclude that the majority of the Collective is now using WLAN.................. Is this a fair conclusion?
(yes, a tin-hat question............... :) )

I can confirm that with MAF enabled in my router, for wired-only clients, any client NOT listed will NEVER see the WWW through my router's current f/w........... :)
This sorta proves to me that the MAF does affect wired clients......... :)

So, I have 2 choices from what I've read from Greg/Brian/JRS/Gary/Rick/Bino....:

1) Disable MAF---It is for WLAN ONLY. (even though my docs do NOT say this!)
2) Somehow try and figure out if MAF really does work on a Wired LAN....... :)

Oh, and should I ever dabble in WLAN, I would ONLY use WPA....to start with......!

At 11:10 04/28/2009 -0500, you wrote:
Ding ding. Disabling the SSID beacon and MAC filtering are utterly
pointless.

"The six dumbest ways to secure a wireless LAN"
http://blogs.zdnet.com/Ou/index.php?p=43

Greg

> -----Original Message-----
> From: hardware-boun...@hardwaregroup.com [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of Brian Weeden
> Sent: Tuesday, April 28, 2009 9:47 AM
> To: hwg
> Cc: hwg
> Subject: Re: [H] MAC Address Filter
>
> Turning off the ssid broadcast doesn't really work.  I'm pretty sure
> the ssid is in all the packet headers so anyone with a sniffer will
> still see it.
>
> Same thing with filtering by mac address - the allowed macs are in all
> the packet headers so all you have to do is sniff and then spoof your
> mac address.
>
> The only true security for wireless is WPA.
>
> -------
> Brian Weeden
> Technical Consultant
> Secure World Foundation
>
> Sent from my iPhone
>
> On 28-Apr-09, at 4:01 PM, Gary Jackson <gjack...@visi.com> wrote:
>
> >
> >    Two tips I have always heard for *wireless* networks, 1)  Turn
> > off SSID broadcasting and use a unique SSID.  2)  If you have a
> > static network ( meaning that you are not adding and deleting a lot
> > of devices ) use Mac Address Filtering.
> >
> >     As a former Network Admin, I have not encountered the use of Mac
> > Address Filtering as a security method for wired networks, probably
> > because keeping it up to date would be more of a pain than it is
> > worth.
> >
> >     If you have disabled the wireless side of your router, I don't
> > think you need to worry about it as it isn't accessible.
> >
> > Regards.....Gary
> >
> >
> > At 12:21 PM 4/27/2009, It was written by DHSinclair that this shall
> > come to pass:
> >> Bino,
> >> OK.  I have back thru this whole thing. Thank you for your help,
> >> but I am still confused.  I see nothing in my docs for the router
> >> that explicitly indicate that using MAF is truly for WLAN only.  I
> >> will dig more later today.
> >>
> >> Anyway. I can confirm that if I now drop my current clients off the
> >> MAF, none of them will ever get thru the router to the WWW.  This I
> >> have confirmed several times. And, I have re-confirmed that I have
> >> all WLAN business in the router disabled; I even left the external
> >> antennas in the box!
> >>
> >> Yes, there is a new f/w available for my router (v1.9). I currently
> >> use v1.8.  I have read and re-read the release notes and do NOT see
> >> any patches/bug fixes for a Wired LAN.  Everything I read is for
> >> WLAN and VPN tunnels.  I use neither at all.  So, I see little push
> >> to update the f/w of my router ATM.
> >> But, as you have mentioned some segregation between Wired and
> >> Wireless NOW in the MAF logic, I will now go back and dig
> >> deeper.............perhaps I missed something.  Not like this has
> >> ever happened before.................. LOL!
> >>
> >> Still listening.
> >> Best,
> >> Duncan
> >>
> >> At 09:28 04/27/2009 -0700, you wrote:
> >>> Ok, going inline with BG1> before my responses; the 1 is if we
> >>> continue;
> >>> then those will be BG2> and so on... ;)
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: hardware-boun...@hardwaregroup.com
> >>> [mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
> >>> Sent: Friday, April 24, 2009 8:23 PM
> >>> To: hardware@hardwaregroup.com
> >>> Subject: Re: [H] MAC Address Filter
> >>>
> >>> Bino,
> >>> I gotta go inline below.................
> >>> At 15:32 04/24/2009 -0700, you wrote:
> >>> >According to the DGL-4300 manual (found the pdf online) the Filter settings
> >>> >section (Advanced -> MAC Address Filter) lets you pick from filtering
> >>> >wireless and wired clients separate from each other (p.39).
> >>>
> >>> OK. Fair. I will go back to the docs once again.................. :)
> >>>
> >>> >John is right that some routers usually only let you do it for wireless
> >>> >clients, but as it turns out yours definitely lets you do it for both.
> >>>
> >>> I am going to, ATM, trust you on this.................. :)
> >>> My router did/does NOT give me a choice between WLAN /
> >>> LAN............
> >>>
> >>>
> >>> BG1> IF you have a DGL-4300, since I found the pdf manual online
> >>> and it had
> >>> a screenshot that clearly showed selecting b/w wireless and wired
> >>> clients
> >>> for the MAF, then either you have a different model which doesn't
> >>> have it,
> >>> or you need a firmware update to enable that.
> >>>
> >>>
> >>> >Oh and btw, your understanding of the MAF you wrote below is
> >>> completely
> >>> >wrong (just fyi).
> >>>
> >>> OMG!!!  Please enlighten........
> >>>
> >>> >   What you described was NAT (Network Address
> >>> >Translation)-that's what takes the PCs on the private address
> >>> space of your
> >>> >home network and translates them into the public IP that gives
> >>> them access
> >>> >to the internet.  And it's NOT 2-way; i.e. just b/c the PCs can
> >>> access the
> >>> >internet, that doesn't mean that things on the internet can
> >>> access your
> >>> PCs.
> >>>
> >>> Thanks Bino.  No.  I do believe that NAT is THE clear concept
> >>> here......
> >>> All my routers since 199x have used NAT. Perhaps NAT has
> >>> changed.......
> >>> Perhaps I may dick with it a bit, but I do believe I know what NAT
> >>> logic
> >>> still purports to do......even with SPI now!!...... :)
> >>>
> >>>
> >>> BG1> NAT for the most part is the same as it was since 1999 or
> >>> so...so if
> >>> you're clear on NAT and how it works and what it does, then you're
> >>> fine.
> >>> Just remember that it doesn't automatically allow inbound
> >>> connections back
> >>> to your PC (which is a good thing, b/c otherwise it'd be too easy
> >>> to hack
> >>> people) unless you specifically set that up (well, AFAIK; maybe
> >>> some newer
> >>> routers do this, but that would be a BAAAD thing to do by default
> >>> w/o making
> >>> you enable it first...JM2C there).
> >>>
> >>>
> >>> >So the MAF restricts who can get ONTO your network in the first
> >>> place.
> >>> >Typically it's more interesting/useful for wireless networks
> >>> since anyone
> >>> >can try and connect to your network that way, whereas it's a
> >>> little harder
> >>> >for random people to get the physical access to plug a cable into
> >>> your
> >>> >router/switch! ;)
> >>>
> >>> Yes, and this is why I still do NOT play Wire-less............... :)
> >>>
> >>>
> >>> BG1> Well, if you don't broadcast your SSID, and then use MAF on
> >>> wireless,
> >>> and use WPA2-PSK and/or client certs, it's practically impossible
> >>> to hack
> >>> your wireless network and it's a lot more convenient than running
> >>> cables, or
> >>> if you have laptops.  But YMMV.
> >>>
> >>>
> >>> >But you can also use it for wired connections just to be
> >>> uber-safe/paranoid,
> >>> >but it's almost kind of useless at that point-like I said if
> >>> people have
> >>> the
> >>> >physical access to plug cables into your router/switch ports, you
> >>> kind of
> >>> >have bigger problems than worrying about whether you've got MAF
> >>> enabled,
> >>> you
> >>> >know? ;)
> >>>
> >>> Well, NO.  Please explain.  I missed something.  No one external
> >>> to my home
> >>> has access to my LAN,...that I believe, ATM.  Access to my LAN is
> >>> either a
> >>> physical connection to my TSID, or, inside my
> >>> home............Unless, I
> >>> have grossly missed something............... ;)
> >>> Best,
> >>> Duncan
> >>>
> >>>
> >>> BG1> Sorry!  I was being a little too cheeky/smart here.  So all I
> >>> was
> >>> trying to say was that having MAF for wired connections is kind of
> >>> pointless, since the point at which MAF for wired matters, someone
> >>> you don't
> >>> know has to have physical access to plug in a cable and then you
> >>> have bigger
> >>> problems (b/c they've broken in at that point, etc), see?
> >>>
> >>> To put it another way, since you don't have random people coming
> >>> in off the
> >>> street trying to plug cables into your network, MAF for wired
> >>> connections
> >>> doesn't really buy you anything!  Does that make it more clear?
> >>> Sorry for
> >>> being too snarky! ;P
> >>>
> >>>
> >>> P.S.  HWG email has been spotty for some time.....Stuff happens.
> >>> The BIG
> >>> PERSON only knows what is going on.......... :)  I read this as
> >>> "dead-time."  But, that is JMHO.
> >>>
> >>>
> >>> BG1> Yeah, but the weird thing is, I'm getting it fine to my
> >>> gmail, but NOT
> >>> to my hotmail...anyone else running into this?
> >>>
> >>>
> >>> >                                                         BINO
> >>> >
> >>> >P.S. I haven't been getting any HWG emails to my hotmail.com
> >>> account since
> >>> >4/12/09--none at all.  Anyone else on hotmail having this
> >>> problem?  I also
> >>> >have it sent to my gmail account and that's how I even saw this
> >>> message...
> >>> >
> >>> >
> >>> >
> >>> >-----Original Message-----
> >>> >From: hardware-boun...@hardwaregroup.com
> >>> >[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of DHSinclair
> >>> >Sent: Friday, April 24, 2009 2:58 PM
> >>> >To: hardware@hardwaregroup.com
> >>> >Subject: Re: [H] MAC Address Filter
> >>> >
> >>> >John,
> >>> >I so appreciate your share. BUT, it seems to be focused at
> >>> >Wire-less/AccessPoint/WLAN business.............?
> >>> >I do get this for a LAN that has WLAN access.  I do NOT.  Still
> >>> moderately
> >>> >confused.......
> >>> >
> >>> >Is MAC Address Filter really ONLY good for WLAN?
> >>> >
> >>> >I freely accept that my current router is totally focused toward
> >>> >WLAN!  And, Gaming!  Neither of which I use it for.  I bought it
> >>> on the
> >>> >recc from HayesElkins.............
> >>> >Best,
> >>> >Duncan
> >>> >
> >>> >At 14:22 04/24/2009 -0700, you wrote:
> >>> > >Most Wi-Fi access points and routers ship with a feature called
> >>> hardware
> >>> > >or MAC address filtering.
> >>> > >This feature is normally turned "off" by the manufacturer,
> >>> because it
> >>> > >requires a bit of effort to set up properly.
> >>> > >
> >>> > >However, to improve the
> >>> > >security of your Wi-Fi LAN (WLAN), strongly consider enabling
> >>> and using
> >>> > >MAC address filtering.
> >>> > >
> >>> > >Without MAC address filtering, any wireless client can join
> >>> (authenticate
> >>> > >with) a Wi-Fi network if they know the network name (also
> >>> called the
> >>> SSID)
> >>> > >and perhaps a few other security parameters like encryption keys.
> >>> > >
> >>> > >
> >>> > >When
> >>> > >MAC address filtering is enabled, however, the access point or
> >>> router
> >>> > >performs an additional check on a different parameter.
> >>> Obviously the
> >>> > >more checks that are made, the greater the likelihood of
> >>> preventing
> >>> > >network break-ins.
> >>> > >
> >>> > >To set up MAC address filtering, you as a WLAN administrator
> >>> > >must configure a list of clients that will be allowed to join the
> >>> > >network. First, obtain the MAC addresses of each client from its
> >>> > >operating system or configuration utility. Then, they enter those
> >>> > >addresses into a configuration screen of the wireless access point or
> >>> > >router. Finally, switch on the filtering option.
> >>> > >
> >>> > >Once enabled, whenever the wireless access point or router
> >>> > >receives a request to join with the WLAN, it compares the MAC
> >>> address
> >>> > >of that client against the administrator's list. Clients on the
> >>> list
> >>> > >authenticate as normal; clients not on the list are denied any
> >>> access
> >>> > >to the WLAN.
> >>> > >
> >>> > >MAC addresses on wireless clients can't be changed as they are
> >>> > >burned into the hardware. However, some wireless clients allow
> >>> their
> >>> > >MAC address to be "impersonated" or "spoofed" in software. It's
> >>> > >certainly possible for a determined hacker to break into your
> >>> WLAN by
> >>> > >configuring their client to spoof one of your MAC addresses.
> >>> Although
> >>> > >MAC address filtering isn't bulletproof, still it remains a
> >>> helpful
> >>> > >additional layer of defense that improves overall Wi-Fi network
> >>> > >security.
> >>> > >  --
> >>> > >JRS
> >>> > >stei...@pacbell.net
> >>> > >
> >>> > >
> >>> > >Facts do not cease to exist just
> >>> > >because they are ignored.
> >>> > >
> >>> > >
> >>> > >
> >>> > >----- Original Message ----
> >>> > > > From: DHSinclair <dsinc...@bellsouth.net>
> >>> > > > To: Hardware Group <hardware@hardwaregroup.com>
> >>> > > > Sent: Friday, April 24, 2009 1:42:04 PM
> >>> > > > Subject: [H] MAC Address Filter
> >>> > > >
> >>> > > > I use a d-link dgl-4300 router.  I have disabled the wire-less section.  I only
> >>> > > > do wired LAN business.
> >>> > > > The router is currently at F/W v1.8.  I do know that F/W 1.9
> >>> is
> >>> > > available, but
> >>> > > > as I read the docs, it seems to only deal with wire-less
> >>> > > > business/bug-fixes........
> >>> > > >
> >>> > > > Can anyone point me to some reading about MAC Address
> >>> Filters?  I do
> >>> > > have one;
> >>> > > > and, I DO use it.
> >>> > > > But, now have questions................ :)
> >>> > > >
> >>> > > > MyCurrentUnderstanding: I 'think' that my router's MAF is
> >>> what allows
> >>> > > my LAN
> >>> > > > objects to gain access to the WWW (thru my router) via my
> >>> Service
> >>> > > > Provider.....(when enabled!)... Is this correct?
> >>> > > >
> >>> > > > AND, I accept that this MAF access is completely 2-Way, with
> >>> agreed
> >>> > > > comprehension of non-routeable IP-Addy's?
> >>> > > >
> >>> > > > I feel like I am walking into a black hole here.  .... :)
> >>> > > > Best,
> >>> > > > Duncan
> >>> > >
> >>> > >__________ NOD32 4034 (20090424) Information __________
> >>> > >
> >>> > >This message was checked by NOD32 antivirus system.
> >>> > >http://www.eset.com
> >>> >
> >>
> >
> >
> >
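
Added example, not part of the original thread and not any router's firmware: a Python sketch of what a MAC address filter decides on a wired LAN, and a check a defender can run beside it. The addresses, port numbers and function names are constructed for illustration; the port numbers assume a switch that reports which port a frame arrived on.

```python
import struct

# Constructed allowlist (locally administered addresses, not real devices).
ALLOWED = {"02:00:00:00:00:01", "02:00:00:00:00:02"}

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(dst), fmt(src), ethertype

def maf_allows(frame: bytes, allowed=ALLOWED) -> bool:
    """The filter's whole decision: is the sender-supplied source address listed?
    Nothing here proves which physical device wrote that field."""
    _, src, _ = parse_ethernet(frame)
    return src in allowed

def mac_moves(observations):
    """Flag a source MAC seen on more than one port.
    Returns a list of (mac, first_port, new_port)."""
    seen, alerts = {}, []
    for port, frame in observations:
        _, src, _ = parse_ethernet(frame)
        if src in seen and seen[src] != port:
            alerts.append((src, seen[src], port))
        seen.setdefault(src, port)
    return alerts

def build(src, dst="ff:ff:ff:ff:ff:ff", ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame for the sample below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

# Constructed observations: (switch port, frame).
SAMPLE = [
    (1, build("02:00:00:00:00:01")),  # listed client
    (2, build("02:00:00:00:00:02")),  # listed client
    (3, build("02:00:00:00:00:03")),  # unlisted client: dropped by the filter
    (4, build("02:00:00:00:00:01")),  # listed address arriving on another port
]

if __name__ == "__main__":
    for port, frame in SAMPLE:
        print(port, parse_ethernet(frame)[1], maf_allows(frame))
    print(mac_moves(SAMPLE))
```

The filter passes the frame on port 4 because it only compares the address field; the move check is what notices that a listed address showed up somewhere new.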


