You really need to think about what you are broadcasting on your wifi network, which is unprotected, especially if any of your data is sensitive.
Basically anyone with a wireless card and Ethereal can record all traffic that is passing between wifi clients and the AP; they DO NOT need to join the network.
The analogy is that you are using a loudhailer to talk to your boss in the office, not the telephone: anyone in the office can hear what you are saying.
MAC spoofing is easy; MacMakeUp or SMAC are free. Again use Ethereal (again free), sniff for a while noting valid MACs, and when a client ends its session clone the MAC and join the network. Thank you very much.
As a guide the following should be considered (from my FAQ):
Change the default SSID in access points to something that does not reflect anything obvious such as the organization’s, building's or street's name.
Disable sending the SSID in the AP's broadcast beacon. This prevents showing the SSID to unauthorized wireless clients.
Configure strong administrative passwords, and if possible, turn off remote administration features.
Locate the AP in an area where the signal will not be picked up by unauthorized clients. If possible, limit the AP's service area by reducing its power.
Reserving MAC addresses (in DHCP or an AP) to require a valid MAC address for clients is not a secure solution on its own, because MAC addresses can be spoofed easily and are sent in clear text even when WEP encryption is enabled.
Consider disabling the AP's DHCP feature and assigning static IP addresses to all wireless clients.
Implement a firewall and intrusion detection system between the wireless and wired networks.
Enable WEP (Wired Equivalent Privacy). Although it doesn't provide very strong security, it should be enabled nevertheless. Use 128-bit WEP encryption keys and rotate the keys often. Don't rely on WEP as your only means of encryption.
Use VPN technology, such as IPSec or L2TP. Note: the use of a VPN will greatly decrease the throughput of a wireless network.
If available, use WPA (Wi-Fi Protected Access) with TKIP in place of WEP.
When possible, use the 802.1X port-based authentication protocol in combination with EAP (Extensible Authentication Protocol) to negotiate an authentication method, such as username and password logon or the use of smartcards, backed by, for example, a RADIUS server.
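To make the "sniff for a while noting valid MACs" and "MAC addresses are sent in clear text even with WEP" points concrete, here is an added example (not part of the post above, and not from any tool it mentions) that parses raw 802.11 frames the way a passive listener's capture tool would. It walks the MAC header and the beacon information elements and reports what is visible without joining the network: each AP's BSSID and SSID (a zero-length SSID is what "disable SSID broadcast" produces), the client MAC addresses, and whether the data frames had the Protected Frame bit set. The capture is constructed inline; the MAC addresses, SSIDs and frame bodies are made up for the example.

```python
"""Passive 802.11 survey: what a listener sees in frame headers without joining.

All sample frames below are constructed for this example (no radiotap header,
made-up MAC addresses and SSIDs); the parsing follows the 802.11 MAC header layout.
"""
import struct

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
IE_SSID = 0


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def is_group(addr):
    """Broadcast/multicast addresses have the low bit of the first octet set."""
    return bool(int(addr[:2], 16) & 1)


def beacon_ssid(body):
    """Walk a beacon's information elements; a hidden SSID comes back as ''."""
    pos = 12  # skip timestamp (8), beacon interval (2), capability info (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if tag == IE_SSID:
            # "SSID broadcast disabled" shows up as length 0 or as NUL bytes
            return value.rstrip(b"\x00").decode("utf-8", "replace")
        pos += 2 + length
    return None


def parse_frame(frame):
    """Return the cleartext fields of one 802.11 frame; the header is never encrypted."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 30 if (to_ds and from_ds) else 24  # addr4 only in WDS frames
    if len(frame) < hdr_len:
        raise ValueError("truncated WDS header")
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "protected": bool(fc1 & FLAG_PROTECTED), "ssid": None, "bssid": None}
    if ftype == TYPE_MGMT:                # addr1 = DA, addr2 = SA, addr3 = BSSID
        info.update(da=mac_str(a1), sa=mac_str(a2), bssid=mac_str(a3))
        if subtype == SUBTYPE_BEACON:
            info["ssid"] = beacon_ssid(frame[hdr_len:])
    elif ftype == TYPE_DATA:
        if to_ds and not from_ds:         # station -> AP
            info.update(bssid=mac_str(a1), sa=mac_str(a2), da=mac_str(a3))
        elif from_ds and not to_ds:       # AP -> station
            info.update(da=mac_str(a1), bssid=mac_str(a2), sa=mac_str(a3))
        elif not to_ds and not from_ds:   # ad hoc (IBSS)
            info.update(da=mac_str(a1), sa=mac_str(a2), bssid=mac_str(a3))
        else:                             # WDS: DA = addr3, SA = addr4
            info.update(da=mac_str(a3), sa=mac_str(frame[24:30]))
    return info


def survey(frames):
    """What a passive listener learns: APs with SSIDs, client MACs, protected-frame count."""
    aps, clients, protected = {}, set(), 0
    for f in (parse_frame(fr) for fr in frames):
        if f["type"] == TYPE_MGMT and f["subtype"] == SUBTYPE_BEACON:
            aps[f["bssid"]] = f["ssid"]
        elif f["type"] == TYPE_DATA and f["bssid"] is not None:
            protected += int(f["protected"])   # WEP/WPA only hides the body
            if f["to_ds"]:                      # sender is a wireless client
                clients.add(f["sa"])
            elif f["from_ds"] and not is_group(f["da"]):
                clients.add(f["da"])            # receiver is a wireless client
    return {"aps": aps, "clients": clients, "protected_data_frames": protected}


# ---- constructed sample capture (not real traffic) ----
def build_frame(fc0, fc1, a1, a2, a3, body=b""):
    return (bytes([fc0, fc1]) + b"\x00\x00" + mac_bytes(a1) + mac_bytes(a2)
            + mac_bytes(a3) + b"\x00\x00" + body)


def beacon(bssid, ssid):
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)  # timestamp, interval, caps
    return build_frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", bssid, bssid,
                       fixed + bytes([IE_SSID, len(ssid)]) + ssid)


AP1, AP2, GW = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:aa:bb:cc:dd:01"
STA1, STA2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
WEP_BODY = b"\x01\x02\x03\x00" + b"\x00" * 20  # IV, key id, then (fake) ciphertext + ICV
SAMPLE_CAPTURE = [
    beacon(AP1, b"corp-net"),                              # SSID broadcast in beacon
    beacon(AP2, b""),                                      # SSID broadcast disabled
    build_frame(0x08, FLAG_TO_DS | FLAG_PROTECTED, AP1, STA1, GW, WEP_BODY),    # STA -> AP
    build_frame(0x08, FLAG_FROM_DS | FLAG_PROTECTED, STA2, AP1, GW, WEP_BODY),  # AP -> STA
]

if __name__ == "__main__":
    for key, value in survey(SAMPLE_CAPTURE).items():
        print(key, value)
```

Even with every data frame flagged as protected, the survey still yields the BSSID, the SSID of the AP that broadcasts it, and both client MACs, which is exactly what a MAC-filter bypass needs; the hidden-SSID AP only delays the listener until a client associates and sends the name in its probe or association request.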