MAC address filtering

OK, I'm trying to understand basic security..all I have is a di 524 with two
desktops connected via ethernet.. And then i have one laptop connected via
wireless.. Besides using WEP, I want to add MAC filtering.. My question, does
the MAC address stay the same when the laptop "log's on" or does it change
like an IP?. I was going to clone the MAC address and add it to the permit
this MAC address access to the network under mac filter rules

Do I make sense?

The client MAC address stays the same. Note, however, that MAC Address
Authentication is *NOT* a strong security measure. MAC addresses can be
easily spoofed.

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...


"mikey b from sd" <(E-Mail Removed)> wrote in message
news:9C8726AE-14B2-4956-BB38-(E-Mail Removed)...
> OK, I'm trying to understand basic security..all I have is a di 524 with
> two
> desktops connected via ethernet.. And then i have one laptop connected via
> wireless.. Besides using WEP, I want to add MAC filtering.. My question,
> does
> the MAC address stay the same when the laptop "log's on" or does it change
> like an IP?. I was going to clone the MAC address and add it to the permit
> this MAC address access to the network under mac filter rules
>
> Do I make sense?

"Sooner Al [MVP]" wrote:

> The client MAC address stays the same. Note, however, that MAC Address
> Authentication is *NOT* a strong security measure. MAC addresses can be
> easily spoofed.
>


Well, I got this gem of an idea from the linksys website.. But this where
I'm comming from: When the laptop starts, it is presented with 3 different
wirelss access "possibilities" that are located in my neighborhood. So I'm a
little bit stingy and would rather not share my 1.5 meg DSL line..

So what do you suggest?

Thnaks, mb sd

"mikey b from sd" <(E-Mail Removed)> wrote in message
news:9C8726AE-14B2-4956-BB38-(E-Mail Removed)...
> OK, I'm trying to understand basic security..all I have is a di 524 with
> two
> desktops connected via ethernet.. And then i have one laptop connected via
> wireless.. Besides using WEP, I want to add MAC filtering.. My question,
> does
> the MAC address stay the same when the laptop "log's on" or does it change
> like an IP?. I was going to clone the MAC address and add it to the permit
> this MAC address access to the network under mac filter rules
>
> Do I make sense?

Each network adaptor has a unique MAC address. All data packets sent by
WiFi include the MAC address, so anyone sniffing can grab that info, then
spoof it.

The best security is to have a strong WPA-PSK TKIP or better still, WPA-PSK
AES, passphrase, like "tlshuo891ixkaiuo22", or if you can get it to work,
include some other characters like "&" "£" "%" "!" etc.

Ok, thanks for response.. Let me ask a couple more questions..

A) When you say that the machine code or MAC addreses can be "sniffed" are
you saying that the laptop is broadcasting it's MAC address or is it comming
from the router itself?

B)The D-Link 512 offers WPA or WPA2 for security options with PSK or EAP.
The help page doesn't explain the differences.. As for the passphrase, is
there a limit on the character length that can be used for the passphrase?

C) And for my dumb ignorant question: It seems to me that if one enables 128
bit security, the charcter length in the Key entry should be somewhat
sufficient when using WEP. I suppose if somebody was parked outside my house
for several days, they could eventually crack it.. How about if I turn down
the antenna transmit power?

thanks for your time.

"__spc__" wrote:

>
> "mikey b from sd" <(E-Mail Removed)> wrote in message
> news:9C8726AE-14B2-4956-BB38-(E-Mail Removed)...
> > OK, I'm trying to understand basic security..all I have is a di 524 with
> > two
> > desktops connected via ethernet.. And then i have one laptop connected via
> > wireless.. Besides using WEP, I want to add MAC filtering.. My question,
> > does
> > the MAC address stay the same when the laptop "log's on" or does it change
> > like an IP?. I was going to clone the MAC address and add it to the permit
> > this MAC address access to the network under mac filter rules
> >
> > Do I make sense?
>
> Each network adaptor has a unique MAC address. All data packets sent by
> WiFi include the MAC address, so anyone sniffing can grab that info, then
> spoof it.
>
> The best security is to have a strong WPA-PSK TKIP or better still, WPA-PSK
> AES, passphrase, like "tlshuo891ixkaiuo22", or if you can get it to work,
> include some other characters like "&" "£" "%" "!" etc.
>
>
>

"mikey b from sd" <(E-Mail Removed)> wrote in message
news:B49C5AAA-C5E1-4F82-9163-(E-Mail Removed)...
> Ok, thanks for response.. Let me ask a couple more questions..
>
> A) When you say that the machine code or MAC addreses can be "sniffed" are
> you saying that the laptop is broadcasting it's MAC address or is it
> comming
> from the router itself?

All data packets sent from the laptop contain the MAC address (so that the
router can route the data correctly, I believe).

> B)The D-Link 512 offers WPA or WPA2 for security options with PSK or EAP.
> The help page doesn't explain the differences.. As for the passphrase, is
> there a limit on the character length that can be used for the passphrase?

WPA-PSK TKIP is WPA and WPA-PSK AES is WPA2

Within reason, I don't think that there's a limit on the WPA passphrase -
it's not like WEP which has to have certain length keys depending on the
bit-level of encryption.

> C) And for my dumb ignorant question: It seems to me that if one enables
> 128
> bit security, the charcter length in the Key entry should be somewhat
> sufficient when using WEP. I suppose if somebody was parked outside my
> house
> for several days, they could eventually crack it.. How about if I turn
> down
> the antenna transmit power?

Probably, and probably. But why not use WPA?

> thanks for your time.

[snip]

You're welcome.

mikey b from sd wrote:

> Ok, thanks for response.. Let me ask a couple more questions..
>
> A) When you say that the machine code or MAC addreses can be "sniffed" are
> you saying that the laptop is broadcasting it's MAC address or is it comming
> from the router itself?
>
> B)The D-Link 512 offers WPA or WPA2 for security options with PSK or EAP.
> The help page doesn't explain the differences.. As for the passphrase, is
> there a limit on the character length that can be used for the passphrase?
>
> C) And for my dumb ignorant question: It seems to me that if one enables 128
> bit security, the charcter length in the Key entry should be somewhat
> sufficient when using WEP. I suppose if somebody was parked outside my house
> for several days, they could eventually crack it.. How about if I turn down
> the antenna transmit power?
>
> thanks for your time.
>
> "__spc__" wrote:
>
>
>>"mikey b from sd" <(E-Mail Removed)> wrote in message
>>news:9C8726AE-14B2-4956-BB38-(E-Mail Removed)...
>>
>>>OK, I'm trying to understand basic security..all I have is a di 524 with
>>>two
>>>desktops connected via ethernet.. And then i have one laptop connected via
>>>wireless.. Besides using WEP, I want to add MAC filtering.. My question,
>>>does
>>>the MAC address stay the same when the laptop "log's on" or does it change
>>>like an IP?. I was going to clone the MAC address and add it to the permit
>>>this MAC address access to the network under mac filter rules
>>>
>>>Do I make sense?
>>
>>Each network adaptor has a unique MAC address. All data packets sent by
>>WiFi include the MAC address, so anyone sniffing can grab that info, then
>>spoof it.
>>
>>The best security is to have a strong WPA-PSK TKIP or better still, WPA-PSK
>>AES, passphrase, like "tlshuo891ixkaiuo22", or if you can get it to work,
>>include some other characters like "&" "£" "%" "!" etc.
>>
>>
>>

WEP is easier to crack than you might think, 128 bits notwithstanding:
http://www.tomsnetworking.com/Sections-article118.php