I am personally about to get my first MT system (from Eje) to enhance
the security of my network.

With that said, I have found that the internal MAC authentication works
VERY well.  I obviously have WEP enabled as well...together is very
effective.

I don't care what people say about airSnort breaking WEP and such.  The
fact is, most freeloaders will just keep moving along looking for the
open networks (plenty of them in my area).  So...why would they care to
break my WEP, and then spoof someone's MAC and IP???  Too much work.

BTW...I used airSnort on my pure sB network for 4 days.  I captured 1
interesting packet (you need thousands, if not millions to break WEP).

Back to internal MAC.  As long as you are NOT using the very old
airBridge firmware (that passes the single internal MAC), then only the
MAC of the airBridge will show up at the aPPo-AP mode.  If your clients
are using aPindoors or aPPo-CB mode then the MAC address of the internal
clients will show in your ARP on your gateway, but still only the MAC of
the sB device need be in the aPPo's MAC authentication table.  I have 53
clients with 53 MAC addresses in my internal MAC table.  All works VERY
well.

However...being that I am finishing up my comp sci masters with emphasis
in Wireless Security, I have to acknowledge the weakness of WEP, and
therefore am migrating to PPPoE, then eventually purely VPNs (maybe).
Another reason to migrate off of internal MAC authentication is to save
processor time.  I just want the aPPo to worry about being an AP and
that's it.

Sully

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eje Gustafsson
Sent: Saturday, September 06, 2003 10:24 PM
To: Greg Sims
Subject: Re: [smartBridges] Internal Mac Authorization

Yes, the aPPo should be provided with the MAC of the aB. That list is
used to specify WHO is allowed to associate with your APPo, and the
APPo only cares about the remote radio's MAC address and not the MAC
address of any systems BEHIND the remote radio.

However important to keep in mind is that MAC addresses are easily
spoofed and the only really good way to secure your network is to use
a pppoe or hotspot server. This way you can do MAC address based on
your aPPO then username/password/mac combination on your gateway unit.

MikroTik is a good pppoe server that is not extremely hard to get
going and works with most radius servers or you can start by using the
internal database however you might consider using a radius server
that way you can use the radius server for the aPPO as well as for the
PPPoE server to allow connections.

I have a radius server solution and administration system that I offer
for "sale" (I will install it, configure it and help you get going with
it) if you're interested, or you can of course do it yourself.

If you decide you want a MikroTik unit and do pppoe or just simple mac
authentication, then you need not look any further than to me as
well. I'm a MikroTik OEM solutions provider and I have helped
numerous people on this list as well as many other wisps not on this
list to improve the performance of their networks as well as secure
their networks from freeloaders and hackers.

Best regards,
 Eje Gustafsson                       mailto:[EMAIL PROTECTED]
The Family Entertainment Network      http://www.fament.com
Phone : 620-231-7777                  Fax   : 620-231-4066
     - Your Full Time Professionals -
MikroTik OEM - Online Store http://www.fament.net/
--
GS> We're starting to see a number of freeloaders on our network so it is time
GS> to tighten security.  I'm considering using the Internal Mac Authorization
GS> feature to get started.

GS> I read the aPPO documentation section on this subject.  It is not clear what
GS> set of Mac addresses need to be entered into the aPPO.  Let's say you enter
GS> the Mac addresses of all the client devices on the network (aBOs in our
GS> case).  This should allow communication between the aPPO and the aBOs.  I
GS> hope this will also allow communications with the client PCs that are
GS> attached to the wired side of the aBOs.  Is this in fact the case?

GS> I can't imagine using Internal Mac Authorization if you need to specify the
GS> Mac address of each PC attached to the wired side of the aBOs.  It would
GS> really be a hassle keeping the table up-to-date each time a client buys a
GS> new PC -or- a guest attaches to a client network while staying overnight.

GS> Please help me understand how this feature works in the aPPO.

GS> Thanks, Greg


GS> ----------ANNOUNCEMENT----------
GS> Don't forget to register for WISPCON IV
GS> http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm

GS> The PART-15.ORG smartBridges Discussion List
GS> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>)
GS> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
GS> Archives: http://archives.part-15.org
