What happens if someone fakes an existing MAC address?

In our network, we had some problems possibily caused by intruders. So the
least thing we could do is to filter on MAC addresses. But what if one of
these intruders discover what MAC adresses are in use? (In fact not hard to
discover, even there is WEP. We can't use WPA because we have to replace all
of our clients equipment:-(
A MAC address is very easy to clone. If someone does this, will this block
an existing user? Is it possible for the intruder to gain access to the
(local) part of the network? (all other connections are VPN)


Regards,


Marcel


--
Posted by news://news.nb.nu

Marcel Joustra wrote:

> In our network, we had some problems possibily caused by intruders. So the
> least thing we could do is to filter on MAC addresses.
> But what if one of
> these intruders discover what MAC adresses are in use?

The intrudes will pass the MAC filter without any problem.

> (In fact not hard
> to discover, even there is WEP.

WEP will not hide the MAC address. It's still transmited with every packet.

> We can't use WPA because we have to
> replace all of our clients equipment:-(

WAP will not hide the MAC address also.
As you can see the MAC filter is one of the most insecure securety feature.

> A MAC address is very easy to clone.

Yep, on Linux the intruder just has to do a "ifconfig interface hw ether
new_mac_address".

> If someone does this, will this block
> an existing user?

That hardly depends on the firmware of the access point and how it reacts on
double authentication. And how the client reacts on receiving it's own
packets. In most cases the both system will keep working but there will be
some errors.

> Is it possible for the intruder to gain access to the
> (local) part of the network? (all other connections are VPN)

If he also has the WEP key he has the same access level as the faked user.
The WEP key can be retrieved with tools like airsnort by sniffing a big
amount of data from the WLAN.

Thomas

"Thomas Krüger" <(E-Mail Removed)> schreef in bericht
news:ch5chc$jrf$03$(E-Mail Removed)...

>
> The intrudes will pass the MAC filter without any problem.
>

Agree



>
> WEP will not hide the MAC address. It's still transmited with every
packet.
>

Hmm, thats waht i didn't know......

>
> WAP will not hide the MAC address also.
> As you can see the MAC filter is one of the most insecure securety
feature.
>
> > A MAC address is very easy to clone.
>
> Yep, on Linux the intruder just has to do a "ifconfig interface hw ether
> new_mac_address".
>

Most standalone wireless interfaces can do that also:-(


> > If someone does this, will this block
> > an existing user?
>
> That hardly depends on the firmware of the access point and how it reacts
on
> double authentication. And how the client reacts on receiving it's own
> packets. In most cases the both system will keep working but there will be
> some errors.
>


Hmm, that's something which can be tested at the office....



> If he also has the WEP key he has the same access level as the faked user.
> The WEP key can be retrieved with tools like airsnort by sniffing a big
> amount of data from the WLAN.
>


Yep. Thats why all traffic over the network are encrypted VPN tunnels.
He/she can't use the internetconnection, but he/she can jam the local
network which much off local traffic.


Marcel


--
Posted by news://news.nb.nu