MAC address filtering as only form of wireless security?

Alvis · 03-12-04, 08:16 AM

Currently, I am using just MAC address filtering to secure my wifi, no wep or wpa. What are the potential problems with this?

BigDave · 03-12-04, 09:16 AM

I would think that's pretty secure unless someone can figure out your MAC addresses.

Just make sure you have a good admin password on your wireless router.

cseyer · 03-12-04, 09:18 AM

Good question I do the same. I have had no problems for over a year and a half. From what I have read the only problem with this setup is that someone good (hacker) can mimic your MAC and gain access to the WAP. I just dont see that as a huge risk. The other potential is that the signal could be intercepted, such as inputs into web pages (CC#'s, personal info) and files that you transfer. I guess Im just not worried the range is fairly short and where I live there are only a couple of houses within range.

4KRG · 03-12-04, 09:36 AM

This will only stop someone that knows nothing about computers. MAC's are easy to capture and spoof from a wireless signal.

WEP is not very good either, but it would be the next 'level' of security.

Alyoshka · 03-12-04, 01:38 PM

I just use a mac filter on mine.

ianholm · 03-12-04, 03:08 PM

Same here, MAC filter and a non-broadcast SSID.

sniper308 · 03-12-04, 03:47 PM

I do MAC filtering, and WEP, and non broadcasting SSID, changed the default passwords, changed the default SSID, and turn off the wireless broadcast when I'm not using it.

Just paranoid I guess.

One of my neighbors apparently isn't doing any of this and his network is wide open... took all of 2 seconds to start using his connection.

Is there a reason you are not enabling everything? There is some overhead in using WEP and it can be cracked (apparently WPA is better in that area), but I'm thinking turn on all of the security you can unless you have specific issues when you enable some of it.

Alyoshka · 03-12-04, 04:19 PM

What does non-broadcast SSID mean?

I don't use WEP on mine because it makes my wireless drop much more frequently for whatever reason.

Nosmo Rex · 03-12-04, 05:21 PM

Non-broadcast means your WAP won't broadcast it's Network name. You need to specify the network name when connecting to it. I do pretty much the same thing as sniper308 on my WAP at home, plus all my PCs are firewalled.

belboz · 03-12-04, 05:59 PM

I don't know why everyone keeps suggesting MAC filtering as a protective measure. It's a huge hassle and it offers zero actual protection from even the n00biest of hackers. It'll only deter your casual users who may happen to be in the area and looking for a free broadband connection to use.

Alyoshka · 03-12-04, 06:27 PM

Quote:

Originally posted by belboz
I don't know why everyone keeps suggesting MAC filtering as a protective measure.

What is it that someone would want to do by getting on my network besides using the internet?

jfoobar · 03-12-04, 08:03 PM

Quote:

Originally posted by Alyoshka
What is it that someone would want to do by getting on my network besides using the internet?

Let's just start with three very, very ominous ones:

1. Using your Internet connection as a launching pad for cyber attacks or other illegal activity. This could be anything from defacing as government website to downloading child pornography or any number of other things that might result in the FBI or U.S. Secret Service showing up at your door after they got a warrant for your ISP's access logs which showed your assigned IP address.

2. Using their access to your network to break into other systems on your network. Got that copy of your tax returns from Quicken saved on your C: drive? Ooops.

3. Because you are using no encryption betwen client and router, he can sit there and sniff your traffic with NetStumbler or any of a dozen tools.

Unencrypted wireless is stooo-pid. Have a nice day.

Alyoshka · 03-12-04, 10:35 PM

Quote:

Originally posted by JustinS
Let's just start with three very, very ominous ones:

1. Using your Internet connection as a launching pad for cyber attacks or other illegal activity. This could be anything from defacing as government website to downloading child pornography or any number of other things that might result in the FBI or U.S. Secret Service showing up at your door after they got a warrant for your ISP's access logs which showed your assigned IP address.

2. Using their access to your network to break into other systems on your network. Got that copy of your tax returns from Quicken saved on your C: drive? Ooops.

3. Because you are using no encryption betwen client and router, he can sit there and sniff your traffic with NetStumbler or any of a dozen tools.

Unencrypted wireless is stooo-pid. Have a nice day.

But the first two would be out because of mac address filtering, correct? If not completely out then at least legally definsable on the first. Then on the second, I don't have any personal information on my computer so a big waste of time.

The third could be bad.

I would use a WEP protection if if it didn't drop my connection ever twenty minutes.

JM · 03-12-04, 10:55 PM

Quote:

Originally posted by Alyoshka
But the first two would be out because of mac address filtering, correct?

No. As others have pointed out, it is trivial to get around that level of protection by spoofing your MAC address.

Quote:

If not completely out then at least legally definsable on the first.

The point is not necessarily that you would ultimately get in legal trouble for such a thing even though you didn't do it--hopefully the authorities would be able to figure that out eventually--but that it could lead to all kinds of hassle in the meantime that you just don't want to have to deal with at all.

Quote:

Then on the second, I don't have any personal information on my computer so a big waste of time.

I think most people--even the careful ones--would be surprised at the info one could find on their computer given enough time.

Quote:

I would use a WEP protection if if it didn't drop my connection ever twenty minutes.

The solution to this is to get a better wireless router and/or wireless PC card. Even so, WEP is fairly weak encryption and is pretty easily broken. However, it is a lot better than nothing and MAC filtering.

Alyoshka · 03-13-04, 12:06 AM

My wireless router is a brand spankin new Linksys G so I'm not really sure I can get a "better" wireless router or card.. It still doesn't work with WEP. I doubt it is worth really working hard to get it to work if it is fairly weak encryption. Wireless seems more tedious than worth it at this point, however, I split the connection with my roommate who has the dsl in his room.

Todd B. · 03-21-04, 08:26 PM

Without encryption, such as WEP or WPA, it is trivial to "sniff" your clear-text wireless traffic as it zooms back and forth between your Computer and the Wireless Access Point. Every time you log onto you POP e-mail server to retrieve your e-mail? Yup, your username and password go in clear text. Bing, the sniffer now has your username and password. Every web page you browse that is not HTTPS goes in clear text to your computer. They can sniff copies of that too.

With a sniffer, you can also easily capture the MAC addresses of all devices on the wireless network. It's trivial to then spoof that MAC address and gain access to the network. Same with SSID. That can be easily sniffed.

While not broadcasting SSID and using a MAC address table can be useful tools to control access to a wireless network, they will only deter casual passers-by. A determined hacker can defeat these in seconds. Plus neither one of these tactics addresses encryption. All your traffic is easily readable to anyone with a sniffer.

All wireless networks should be used with WEP or WPA. While WEP is fundamentally broken, it is still better than using nothing. It takes a non-trivial amount of effort to break, and it encrypts all your traffic. The way I see WEP, it makes your network much less desirable. Why would a hacker want to spend time and effort trying to analyze enough traffic to break your WEP key, when he can just go next door and use your neighbor's open wireless network?

If you have a Wireless Access Point and Wireless clients (cards) that support WPA, you should definitely use WPA over WEP. WPA addresses all the major shortcomings of WEP, and it is easier to implement. The weakest link of WPA is the access password. Make sure you don't choose a password that is too easy to crack.

I recommend using WPA (use WEP only if you have to) along with MAC Address control. If you have to use WEP, try to change the WEP key every couple weeks, if it's feasible.

As Justin S pointed out, open wireless networks make it easy to do all kinds of nasty things. Even though you think it might not have any impact on you, it will. I've seen open networks used to do everything from sending spam to serving porn to hacking servers. If that stuff happens on your network, it looks like it originated from you, and can get you in trouble with your service provider and the authorities.

Aloyshka, you said you have a Linksys G router. With the latest firmware, this supports WPA. Make sure your wireless card also support WPA, or buy a Linksys G card (about $50), and turn on WPA on your network.

03-12-04, 08:16 AM	#1
Alvis DVD Talk Ultimate Edition Join Date: Jun 2000 Posts: 4,005	MAC address filtering as only form of wireless security? Currently, I am using just MAC address filtering to secure my wifi, no wep or wpa. What are the potential problems with this? __________________ Me, I'm just a lawnmower - you can tell me by the way I walk. My photoblog: http://meandalvis.blogspot.com

03-12-04, 09:16 AM	#2
BigDave DVD Talk Limited Edition Join Date: Feb 2000 Location: College Station, TX Posts: 6,223	I would think that's pretty secure unless someone can figure out your MAC addresses. Just make sure you have a good admin password on your wireless router. __________________ Photos \| Gamertag: dave99ag \| Wii Code: 5730 2354 5554 2056

03-12-04, 09:18 AM	#3
cseyer DVD Talk Special Edition Join Date: Aug 2003 Location: Bloomington, IN Posts: 1,009	Good question I do the same. I have had no problems for over a year and a half. From what I have read the only problem with this setup is that someone good (hacker) can mimic your MAC and gain access to the WAP. I just dont see that as a huge risk. The other potential is that the signal could be intercepted, such as inputs into web pages (CC#'s, personal info) and files that you transfer. I guess Im just not worried the range is fairly short and where I live there are only a couple of houses within range. __________________ My DVD's

03-12-04, 01:38 PM	#5
Alyoshka DVD Talk Hall of Fame Join Date: Jul 2000 Location: Houston, TX Posts: 9,777	I just use a mac filter on mine. __________________ Tell me again why we're here.

03-12-04, 04:19 PM	#8
Alyoshka DVD Talk Hall of Fame Join Date: Jul 2000 Location: Houston, TX Posts: 9,777	What does non-broadcast SSID mean? I don't use WEP on mine because it makes my wireless drop much more frequently for whatever reason. __________________ Tell me again why we're here.

03-12-04, 09:36 AM	#4
4KRG DVD Talk Legend Join Date: Jan 2000 Posts: 15,430	This will only stop someone that knows nothing about computers. MAC's are easy to capture and spoof from a wireless signal. WEP is not very good either, but it would be the next 'level' of security.

03-12-04, 03:08 PM	#6
ianholm DVD Talk Special Edition Join Date: Feb 2001 Posts: 1,499	Same here, MAC filter and a non-broadcast SSID.

03-12-04, 03:47 PM	#7
sniper308 DVD Talk Gold Edition Join Date: Mar 2000 Posts: 2,827	I do MAC filtering, and WEP, and non broadcasting SSID, changed the default passwords, changed the default SSID, and turn off the wireless broadcast when I'm not using it. Just paranoid I guess. One of my neighbors apparently isn't doing any of this and his network is wide open... took all of 2 seconds to start using his connection. Is there a reason you are not enabling everything? There is some overhead in using WEP and it can be cracked (apparently WPA is better in that area), but I'm thinking turn on all of the security you can unless you have specific issues when you enable some of it.

03-12-04, 05:21 PM	#9
Nosmo Rex DVD Talk Gold Edition Join Date: Oct 1999 Location: Beaverton, OR, USA Posts: 2,536	Non-broadcast means your WAP won't broadcast it's Network name. You need to specify the network name when connecting to it. I do pretty much the same thing as sniper308 on my WAP at home, plus all my PCs are firewalled. __________________ XBL Gamertag: NosmoRex711

03-12-04, 05:59 PM	#10
belboz DVD Talk Gold Edition Join Date: Feb 1999 Location: HB, CA Posts: 2,592	I don't know why everyone keeps suggesting MAC filtering as a protective measure. It's a huge hassle and it offers zero actual protection from even the n00biest of hackers. It'll only deter your casual users who may happen to be in the area and looking for a free broadband connection to use.

03-13-04, 12:06 AM	#15
Alyoshka DVD Talk Hall of Fame Join Date: Jul 2000 Location: Houston, TX Posts: 9,777	My wireless router is a brand spankin new Linksys G so I'm not really sure I can get a "better" wireless router or card.. It still doesn't work with WEP. I doubt it is worth really working hard to get it to work if it is fairly weak encryption. Wireless seems more tedious than worth it at this point, however, I split the connection with my roommate who has the dsl in his room. __________________ Tell me again why we're here.

03-21-04, 08:26 PM	#16
Todd B. DVD Talk Limited Edition Join Date: Feb 2000 Location: Honolulu, HI Posts: 5,148	Without encryption, such as WEP or WPA, it is trivial to "sniff" your clear-text wireless traffic as it zooms back and forth between your Computer and the Wireless Access Point. Every time you log onto you POP e-mail server to retrieve your e-mail? Yup, your username and password go in clear text. Bing, the sniffer now has your username and password. Every web page you browse that is not HTTPS goes in clear text to your computer. They can sniff copies of that too. With a sniffer, you can also easily capture the MAC addresses of all devices on the wireless network. It's trivial to then spoof that MAC address and gain access to the network. Same with SSID. That can be easily sniffed. While not broadcasting SSID and using a MAC address table can be useful tools to control access to a wireless network, they will only deter casual passers-by. A determined hacker can defeat these in seconds. Plus neither one of these tactics addresses encryption. All your traffic is easily readable to anyone with a sniffer. All wireless networks should be used with WEP or WPA. While WEP is fundamentally broken, it is still better than using nothing. It takes a non-trivial amount of effort to break, and it encrypts all your traffic. The way I see WEP, it makes your network much less desirable. Why would a hacker want to spend time and effort trying to analyze enough traffic to break your WEP key, when he can just go next door and use your neighbor's open wireless network? If you have a Wireless Access Point and Wireless clients (cards) that support WPA, you should definitely use WPA over WEP. WPA addresses all the major shortcomings of WEP, and it is easier to implement. The weakest link of WPA is the access password. Make sure you don't choose a password that is too easy to crack. I recommend using WPA (use WEP only if you have to) along with MAC Address control. If you have to use WEP, try to change the WEP key every couple weeks, if it's feasible. As Justin S pointed out, open wireless networks make it easy to do all kinds of nasty things. Even though you think it might not have any impact on you, it will. I've seen open networks used to do everything from sending spam to serving porn to hacking servers. If that stuff happens on your network, it looks like it originated from you, and can get you in trouble with your service provider and the authorities. Aloyshka, you said you have a Linksys G router. With the latest firmware, this supports WPA. Make sure your wireless card also support WPA, or buy a Linksys G card (about $50), and turn on WPA on your network.