On Fri, May 21, 2010 at 4:15 PM, Ziots, Edward <[email protected]> wrote:

> Both of my wireless nets are private and hidden, MAC filtered and
> firewalled. Using 802.11n MIMO. Works like a charm, but it's fun to see how
> many in the neighborhood aren't.
The problem with MAC restrictions is that MAC addresses are transmitted in cleartext. So if an attacker tries to connect but gets no response from the AP, yet does see other nodes talking to the AP, they can easily deduce that you are filtering by MAC. So they note which MAC addresses are working, wait for one of them to go away, then spoof that MAC and continue.

Sure, it will keep out the casual home users. But so will just using WPA2. Or even WEP.

For home or other casual use, I say just use WPA2 with a strong passphrase. That lets you easily get on the network, and you can easily let your guests on the network. WPA2 is believed to be cryptographically sound. As long as that holds, it will keep out both a casual intruder (e.g., a neighbor looking to mooch Internet) and a determined attacker. Anything else is just more work with no apparent gain.

For corporate use, I recommend requiring a PKI VPN to get past the first IP gateway. Ideally, require two-factor authentication for the VPN. Firewall out anything else. Use link layer security if you want, or not. If someone does connect to the wifi net without authorization, they won't be able to sniff or connect to anything useful. I trust a good VPN a lot more than I trust most wireless equipment manufacturers.

-- Ben
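As an added illustration of the point made in the reply above (not part of the original thread, and not a configuration either poster shared), here is a hostapd configuration that contrasts the "hidden SSID plus MAC allow-list" approach with WPA2-PSK using a strong passphrase. The interface name, SSID and passphrase placeholder are assumptions; the option names are standard hostapd options.

```ini
# Added example, not from the mailing-list thread.
# Assumed interface and network name; replace with your own.
interface=wlan0
ssid=HomeNet-example
hw_mode=g
channel=6

# --- Weak approach (what the quoted poster relies on) ---
# Hiding the SSID and allow-listing MACs only stops casual users:
# both the SSID (in probe/association frames) and client MACs are
# sent in cleartext, so an observer can learn an allowed MAC and
# reuse it. Left here commented out to show what is being replaced.
#ignore_broadcast_ssid=1
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/hostapd.accept

# --- Recommended approach (WPA2 with a strong passphrase) ---
# wpa=2 enables RSN/WPA2 only (no WPA1 fallback, no WEP).
wpa=2
wpa_key_mgmt=WPA-PSK
# CCMP (AES) only; do not list TKIP, which is a legacy cipher.
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# Placeholder: use a long, randomly generated passphrase
# (hostapd accepts 8 to 63 printable ASCII characters).
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
```

With `wpa=2` and a long random passphrase, the security no longer depends on keeping the SSID or client MACs secret, which matches the reply's argument that MAC filtering adds work without adding protection once WPA2 is in place. Guests can be admitted by sharing the passphrase rather than by editing an allow-list.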
