Sign in with
Sign up | Sign in
Your question

MAC filtering safe enough?

Last response: in Wireless Networking
Share
Anonymous
September 15, 2005 2:10:04 AM

Archived from groups: (More info?)

Hi,

It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
encryption.

Now that I don't bother about being 'listened' to, since I don't have secret
things at my wire, I don't care about encryption. In addition, windows has
been set to use string network encryption.

But is it safe to have solely MAC filtering on, so that my neighbours can't
misuse my network? Or are the simple tools to crack the allowed MAC
adresses?

Thanks!

More about : mac filtering safe

Anonymous
September 15, 2005 2:10:05 AM

Archived from groups: (More info?)

If you plan on using solely MAC filtering, keep in mind that a valid MAC
address will be found in just about every packet sent to the access point on
your network. While you may be alerted to the presence of another computer
on the LAN with the same MAC address after it is copied (they are supposed
to be unique), this is of little help while your computer is turned off.

You need to use encryption.

-Yves

"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> wrote in
message news:%23t1XVhWuFHA.3660@tk2msftngp13.phx.gbl...
> Hi,
>
> It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
> encryption.
>
> Now that I don't bother about being 'listened' to, since I don't have
> secret things at my wire, I don't care about encryption. In addition,
> windows has been set to use string network encryption.
>
> But is it safe to have solely MAC filtering on, so that my neighbours
> can't misuse my network? Or are the simple tools to crack the allowed MAC
> adresses?
>
> Thanks!
Anonymous
September 15, 2005 2:10:06 AM

Archived from groups: (More info?)

Hi

You probably have an old 802.11b.

Giving the prices of current 802.11g it might be a good idea to upgrade.

Newer 802.11g have WPA and this WEP problem is not presented.

Wireless Security - http://www.ezlan.net/Wireless_Security.html

WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html

Jack (MVP-Networking).





"Yves Konigshofer" <ykoniREMOVEgshofer@hotmail.com> wrote in message
news:#fkp0rWuFHA.3756@tk2msftngp13.phx.gbl...
> If you plan on using solely MAC filtering, keep in mind that a valid MAC
> address will be found in just about every packet sent to the access point on
> your network. While you may be alerted to the presence of another computer
> on the LAN with the same MAC address after it is copied (they are supposed
> to be unique), this is of little help while your computer is turned off.
>
> You need to use encryption.
>
> -Yves
>
> "Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> wrote in
> message news:%23t1XVhWuFHA.3660@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
> > encryption.
> >
> > Now that I don't bother about being 'listened' to, since I don't have
> > secret things at my wire, I don't care about encryption. In addition,
> > windows has been set to use string network encryption.
> >
> > But is it safe to have solely MAC filtering on, so that my neighbours
> > can't misuse my network? Or are the simple tools to crack the allowed MAC
> > adresses?
> >
> > Thanks!
>
>
Related resources
Anonymous
September 15, 2005 4:35:33 AM

Archived from groups: (More info?)

"Jack (MVP)" <Jack(MVP)@discussions.microsoft.com.> wrote in message
news:o OS9nlXuFHA.2504@tk2msftngp13.phx.gbl...
> Hi
>
> You probably have an old 802.11b.

No, I have 11g as well.
It is already my third WAP. This time a LinkSys and they all are very
instable (running some sort of GPL OS which is not able to stay stable).

> Giving the prices of current 802.11g it might be a good idea to upgrade.
>
> Newer 802.11g have WPA and this WEP problem is not presented.
>
> Wireless Security - http://www.ezlan.net/Wireless_Security.html
>
> WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html
>
> Jack (MVP-Networking).
>
>
>
>
>
> "Yves Konigshofer" <ykoniREMOVEgshofer@hotmail.com> wrote in message
> news:#fkp0rWuFHA.3756@tk2msftngp13.phx.gbl...
>> If you plan on using solely MAC filtering, keep in mind that a valid MAC
>> address will be found in just about every packet sent to the access point
>> on
>> your network. While you may be alerted to the presence of another
>> computer
>> on the LAN with the same MAC address after it is copied (they are
>> supposed
>> to be unique), this is of little help while your computer is turned off.
>>
>> You need to use encryption.
>>
>> -Yves
>>
>> "Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> wrote in
>> message news:%23t1XVhWuFHA.3660@tk2msftngp13.phx.gbl...
>> > Hi,
>> >
>> > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
>> > encryption.
>> >
>> > Now that I don't bother about being 'listened' to, since I don't have
>> > secret things at my wire, I don't care about encryption. In addition,
>> > windows has been set to use string network encryption.
>> >
>> > But is it safe to have solely MAC filtering on, so that my neighbours
>> > can't misuse my network? Or are the simple tools to crack the allowed
>> > MAC
>> > adresses?
>> >
>> > Thanks!
>>
>>
>
>
Anonymous
September 15, 2005 4:35:34 AM

Archived from groups: (More info?)

On Thu, 15 Sep 2005 00:35:33 +0200, Egbert Nierop (MVP for IIS) wrote:

> No, I have 11g as well.
> It is already my third WAP. This time a LinkSys and they all are very
> instable (running some sort of GPL OS which is not able to stay stable).

Ah, Linksys. I had a Linksys BEFSR11 which would lock up randomly. I tried
to set up a friend's Linksys WAP54G, but I could never get the wireless
computer to pull an IP address through the Linksys.

I gave up on the Linksys BEFSR11 and got myself an SMC Barricade 7004BR. I
have never had a router lockup since.

I had my friend exchange his brand new Linksys WAP54G for a D-Link
DWL-2100A. I had his wireless LAN running in under thirty minutes. Would
have been under ten; but my confidence was so shaken from beating my head
against the wall over the Linksys WAP for six hours, without success, that
I took extra time to be sure that everything was properly configured for
the D-Link WAP.

BTW, if your devices can manage it, WPA-AES is better. I had to resort to
WPA-TKIP for my friend because his laptop lacks WPA-AES. I haven't seen a
wireless device with WPA2; I assume that would be best.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
Anonymous
September 15, 2005 3:05:31 PM

Archived from groups: (More info?)

"N. Miller" <anonymous@discussions.microsoft.com> wrote in message
news:1fm6v4qg6rour.dlg@discussions.microsoft.com...
> On Thu, 15 Sep 2005 00:35:33 +0200, Egbert Nierop (MVP for IIS) wrote:
>
>> No, I have 11g as well.
>> It is already my third WAP. This time a LinkSys and they all are very
>> instable (running some sort of GPL OS which is not able to stay stable).
>
> Ah, Linksys. I had a Linksys BEFSR11 which would lock up randomly. I tried
> to set up a friend's Linksys WAP54G, but I could never get the wireless
> computer to pull an IP address through the Linksys.
>
> I gave up on the Linksys BEFSR11 and got myself an SMC Barricade 7004BR. I
> have never had a router lockup since.
>
> I had my friend exchange his brand new Linksys WAP54G for a D-Link
> DWL-2100A. I had his wireless LAN running in under thirty minutes. Would
> have been under ten; but my confidence was so shaken from beating my head
> against the wall over the Linksys WAP for six hours, without success, that
> I took extra time to be sure that everything was properly configured for
> the D-Link WAP.
>
> BTW, if your devices can manage it, WPA-AES is better. I had to resort to
> WPA-TKIP for my friend because his laptop lacks WPA-AES. I haven't seen a
> wireless device with WPA2; I assume that would be best.

Hi,

I have WAG54G (with firmware 1.01.5). It says: "Sorry, this software doesn't
support AES yet"...


ANd funny enouhg (thanks for your hint!), the WPA with TKIP does not lockup,
so, it seems that the WAG54G has problems with stability when using WEP...
September 16, 2005 3:31:39 AM

Archived from groups: (More info?)

"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> wrote in
message news:%23t1XVhWuFHA.3660@tk2msftngp13.phx.gbl...
> Hi,
>
> It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
> encryption.
>
> Now that I don't bother about being 'listened' to, since I don't have
> secret things at my wire, I don't care about encryption. In addition,
> windows has been set to use string network encryption.
>
> But is it safe to have solely MAC filtering on, so that my neighbours
> can't misuse my network? Or are the simple tools to crack the allowed MAC
> adresses?
>
> Thanks!

Mac filtering is OK but what you SHOULD do is turn broadcast off to make it
harder to find. It isn't a total solution but it certainly helps.
Anonymous
September 16, 2005 3:31:40 AM

Archived from groups: (More info?)

On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:

> Mac filtering is OK but what you SHOULD do is turn broadcast off to make it
> harder to find. It isn't a total solution but it certainly helps.

MAC filtering is better than disabling SSID broadcast. If it was one, or
the other, MAC filtering would be the way to go.

If you use WPA-AES you don't really need to disable SSID broadcast.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
September 16, 2005 3:31:41 AM

Archived from groups: (More info?)

MAC filtering isn't really a security solution at all, since every packet
sent across your wireless network includes your MAC address. Anyone with a
good sniffer WILL discover your MAC or ANY MAC on your wireless network. MAC
addresses CAN be spoofed, this isn't very hard to do at all, Thus MAC
filtering doesn't offer any security at all.

Disabling SSID doesn't offer any security either, since every packet sent
across your wireless network includes the SSID, even when turn off
broadcasting SSID is set to off.. Again, anyone with a good sniffer WILL
find your SSID. Also, turning off SSID broadcast(which you think your doing,
but really it can't be done, due to 802.11 standards) can cause connectivity
problems with WinXP. Disabling SSID broadcast would be the same as:
Buying a house, turning off the outside light( thus no one can see your
house) and leaving the front door unlocked. When someone FINDS the house,
they will come in and you really haven't secured the home at all.

Use encryption for security. That's what it's for and that IS the only
solution for wireless security.WEP at the very least, WPA, WPA-PSK, or even
better use WPA2(802.11i standard). Encryption IS the only way to keep others
out of your network.

Think of it this way. If someone can gain access to your wireless signal and
connect to it, then they also have access to any internal network shares
that you may have. If you don't share anything on your network, keep in mind
that ALL windows machines have hidden administrative shares, and anyone with
the proper knowledge, can access your complete systems on your network.

YOU bought the computers. YOU bought the network hardware. This equipment
belongs to YOU. Why then wouldn't you want to protect your investment and
secure it properly using the encryption already built into the hardware that
you already purchased. I have heard this so many times. Is turning off SSID
good enough? Is limiting DHCP scope good enough? Is MAC filtering good
enough? The answer to ALL of these is NO. None of these offer ANY security.
Use Encryption. That is the ONLY solution.

That's my .02
TW


"N. Miller" <anonymous@discussions.microsoft.com> wrote in message
news:1gf7x3cslqk2s.dlg@discussions.microsoft.com...
> On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:
>
>> Mac filtering is OK but what you SHOULD do is turn broadcast off to make
>> it
>> harder to find. It isn't a total solution but it certainly helps.
>
> MAC filtering is better than disabling SSID broadcast. If it was one, or
> the other, MAC filtering would be the way to go.
>
> If you use WPA-AES you don't really need to disable SSID broadcast.
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint
September 19, 2005 11:25:53 AM

Archived from groups: (More info?)

"N. Miller" <anonymous@discussions.microsoft.com> wrote in message
news:1gf7x3cslqk2s.dlg@discussions.microsoft.com...
> On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:
>
>> Mac filtering is OK but what you SHOULD do is turn broadcast off to make
>> it
>> harder to find. It isn't a total solution but it certainly helps.
>
> MAC filtering is better than disabling SSID broadcast. If it was one, or
> the other, MAC filtering would be the way to go.
>
> If you use WPA-AES you don't really need to disable SSID broadcast.
>

You don't need to do ANYTHING at all if you "don't need to...." apply
thought.

You DO need some sort of protection, WEP at the very least but more than
that is obviously better. You DO need to MAC filter and you DO need to
disable SSID broadcast. If you don't do any of the things available to you
to protect yourself if you are that paranoid about it all, then you really
aren't trying.
September 19, 2005 11:31:27 AM

Archived from groups: (More info?)

"TW" <twilckenATmsnDOTcom> wrote in message
news:eUXAjXluFHA.2792@tk2msftngp13.phx.gbl...
> MAC filtering isn't really a security solution at all, since every packet
> sent across your wireless network includes your MAC address. Anyone with a
> good sniffer WILL discover your MAC or ANY MAC on your wireless network.
> MAC addresses CAN be spoofed, this isn't very hard to do at all, Thus MAC
> filtering doesn't offer any security at all.
>

That isnt 100% true. It offers SOME protection and depending on where you
live, it may or may not be just an added extra. If you live in NYC, you need
it and every single thing else that you can get but if you live in rural
Australia like I do then the level of protection you "need" is a lot less
simply because rural people have a hell of a lot more to worry about than
hacking each other. Also, because there is not a lot of anything out here,
good hackers tend to migrate to Sydney and other capitals in each state. So
why bother doing ANY protection at all? Well, because there ARE people who
wouldnt find it impossible to use YOUR internet to download their illegal
and/or immoral stuff through YOUR connection and let YOU take the blame for
it.

> Disabling SSID doesn't offer any security either, since every packet sent
> across your wireless network includes the SSID, even when turn off
> broadcasting SSID is set to off.. Again, anyone with a good sniffer WILL

Try thinking about need first. Get to know your client, your area and what
is needed. In rural Australia, for example, a certain company of 4 people
like to tell people that everything you said is needed. They lose more
customers than they impress because it ISN'T all "needed" here and certainly
does play havoc with certain customers depending on what they are doing at
the time. Don't automatically assume, with wi-fi, that you need everything
going.
!