MAC filtering safe enough?

Hi,

It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
encryption.

Now that I don't bother about being 'listened' to, since I don't have secret
things at my wire, I don't care about encryption. In addition, windows has
been set to use string network encryption.

But is it safe to have solely MAC filtering on, so that my neighbours can't
misuse my network? Or are the simple tools to crack the allowed MAC
adresses?

Thanks!

If you plan on using solely MAC filtering, keep in mind that a valid MAC
address will be found in just about every packet sent to the access point on
your network. While you may be alerted to the presence of another computer
on the LAN with the same MAC address after it is copied (they are supposed
to be unique), this is of little help while your computer is turned off.

You need to use encryption.

-Yves

"Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
message news:%(E-Mail Removed)...
> Hi,
>
> It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
> encryption.
>
> Now that I don't bother about being 'listened' to, since I don't have
> secret things at my wire, I don't care about encryption. In addition,
> windows has been set to use string network encryption.
>
> But is it safe to have solely MAC filtering on, so that my neighbours
> can't misuse my network? Or are the simple tools to crack the allowed MAC
> adresses?
>
> Thanks!

Hi

You probably have an old 802.11b.

Giving the prices of current 802.11g it might be a good idea to upgrade.

Newer 802.11g have WPA and this WEP problem is not presented.

Wireless Security - http://www.ezlan.net/Wireless_Security.html

WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html

Jack (MVP-Networking).





"Yves Konigshofer" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> If you plan on using solely MAC filtering, keep in mind that a valid MAC
> address will be found in just about every packet sent to the access point on
> your network. While you may be alerted to the presence of another computer
> on the LAN with the same MAC address after it is copied (they are supposed
> to be unique), this is of little help while your computer is turned off.
>
> You need to use encryption.
>
> -Yves
>
> "Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
> message news:%(E-Mail Removed)...
> > Hi,
> >
> > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
> > encryption.
> >
> > Now that I don't bother about being 'listened' to, since I don't have
> > secret things at my wire, I don't care about encryption. In addition,
> > windows has been set to use string network encryption.
> >
> > But is it safe to have solely MAC filtering on, so that my neighbours
> > can't misuse my network? Or are the simple tools to crack the allowed MAC
> > adresses?
> >
> > Thanks!
>
>

"Jack (MVP)" <Jack(MVP)@discussions.microsoft.com.> wrote in message
news:(E-Mail Removed)...
> Hi
>
> You probably have an old 802.11b.

No, I have 11g as well.
It is already my third WAP. This time a LinkSys and they all are very
instable (running some sort of GPL OS which is not able to stay stable).

> Giving the prices of current 802.11g it might be a good idea to upgrade.
>
> Newer 802.11g have WPA and this WEP problem is not presented.
>
> Wireless Security - http://www.ezlan.net/Wireless_Security.html
>
> WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html
>
> Jack (MVP-Networking).
>
>
>
>
>
> "Yves Konigshofer" <(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
>> If you plan on using solely MAC filtering, keep in mind that a valid MAC
>> address will be found in just about every packet sent to the access point
>> on
>> your network. While you may be alerted to the presence of another
>> computer
>> on the LAN with the same MAC address after it is copied (they are
>> supposed
>> to be unique), this is of little help while your computer is turned off.
>>
>> You need to use encryption.
>>
>> -Yves
>>
>> "Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
>> message news:%(E-Mail Removed)...
>> > Hi,
>> >
>> > It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
>> > encryption.
>> >
>> > Now that I don't bother about being 'listened' to, since I don't have
>> > secret things at my wire, I don't care about encryption. In addition,
>> > windows has been set to use string network encryption.
>> >
>> > But is it safe to have solely MAC filtering on, so that my neighbours
>> > can't misuse my network? Or are the simple tools to crack the allowed
>> > MAC
>> > adresses?
>> >
>> > Thanks!
>>
>>
>
>

On Thu, 15 Sep 2005 00:35:33 +0200, Egbert Nierop (MVP for IIS) wrote:

> No, I have 11g as well.
> It is already my third WAP. This time a LinkSys and they all are very
> instable (running some sort of GPL OS which is not able to stay stable).

Ah, Linksys. I had a Linksys BEFSR11 which would lock up randomly. I tried
to set up a friend's Linksys WAP54G, but I could never get the wireless
computer to pull an IP address through the Linksys.

I gave up on the Linksys BEFSR11 and got myself an SMC Barricade 7004BR. I
have never had a router lockup since.

I had my friend exchange his brand new Linksys WAP54G for a D-Link
DWL-2100A. I had his wireless LAN running in under thirty minutes. Would
have been under ten; but my confidence was so shaken from beating my head
against the wall over the Linksys WAP for six hours, without success, that
I took extra time to be sure that everything was properly configured for
the D-Link WAP.

BTW, if your devices can manage it, WPA-AES is better. I had to resort to
WPA-TKIP for my friend because his laptop lacks WPA-AES. I haven't seen a
wireless device with WPA2; I assume that would be best.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

"N. Miller" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> On Thu, 15 Sep 2005 00:35:33 +0200, Egbert Nierop (MVP for IIS) wrote:
>
>> No, I have 11g as well.
>> It is already my third WAP. This time a LinkSys and they all are very
>> instable (running some sort of GPL OS which is not able to stay stable).
>
> Ah, Linksys. I had a Linksys BEFSR11 which would lock up randomly. I tried
> to set up a friend's Linksys WAP54G, but I could never get the wireless
> computer to pull an IP address through the Linksys.
>
> I gave up on the Linksys BEFSR11 and got myself an SMC Barricade 7004BR. I
> have never had a router lockup since.
>
> I had my friend exchange his brand new Linksys WAP54G for a D-Link
> DWL-2100A. I had his wireless LAN running in under thirty minutes. Would
> have been under ten; but my confidence was so shaken from beating my head
> against the wall over the Linksys WAP for six hours, without success, that
> I took extra time to be sure that everything was properly configured for
> the D-Link WAP.
>
> BTW, if your devices can manage it, WPA-AES is better. I had to resort to
> WPA-TKIP for my friend because his laptop lacks WPA-AES. I haven't seen a
> wireless device with WPA2; I assume that would be best.

Hi,

I have WAG54G (with firmware 1.01.5). It says: "Sorry, this software doesn't
support AES yet"...


ANd funny enouhg (thanks for your hint!), the WPA with TKIP does not lockup,
so, it seems that the WAG54G has problems with stability when using WEP...

"Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
message news:%(E-Mail Removed)...
> Hi,
>
> It seems that my WAP (LinkSys) is a lto more stable if I disable WEP
> encryption.
>
> Now that I don't bother about being 'listened' to, since I don't have
> secret things at my wire, I don't care about encryption. In addition,
> windows has been set to use string network encryption.
>
> But is it safe to have solely MAC filtering on, so that my neighbours
> can't misuse my network? Or are the simple tools to crack the allowed MAC
> adresses?
>
> Thanks!

Mac filtering is OK but what you SHOULD do is turn broadcast off to make it
harder to find. It isn't a total solution but it certainly helps.

On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:

> Mac filtering is OK but what you SHOULD do is turn broadcast off to make it
> harder to find. It isn't a total solution but it certainly helps.

MAC filtering is better than disabling SSID broadcast. If it was one, or
the other, MAC filtering would be the way to go.

If you use WPA-AES you don't really need to disable SSID broadcast.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

MAC filtering isn't really a security solution at all, since every packet
sent across your wireless network includes your MAC address. Anyone with a
good sniffer WILL discover your MAC or ANY MAC on your wireless network. MAC
addresses CAN be spoofed, this isn't very hard to do at all, Thus MAC
filtering doesn't offer any security at all.

Disabling SSID doesn't offer any security either, since every packet sent
across your wireless network includes the SSID, even when turn off
broadcasting SSID is set to off.. Again, anyone with a good sniffer WILL
find your SSID. Also, turning off SSID broadcast(which you think your doing,
but really it can't be done, due to 802.11 standards) can cause connectivity
problems with WinXP. Disabling SSID broadcast would be the same as:
Buying a house, turning off the outside light( thus no one can see your
house) and leaving the front door unlocked. When someone FINDS the house,
they will come in and you really haven't secured the home at all.

Use encryption for security. That's what it's for and that IS the only
solution for wireless security.WEP at the very least, WPA, WPA-PSK, or even
better use WPA2(802.11i standard). Encryption IS the only way to keep others
out of your network.

Think of it this way. If someone can gain access to your wireless signal and
connect to it, then they also have access to any internal network shares
that you may have. If you don't share anything on your network, keep in mind
that ALL windows machines have hidden administrative shares, and anyone with
the proper knowledge, can access your complete systems on your network.

YOU bought the computers. YOU bought the network hardware. This equipment
belongs to YOU. Why then wouldn't you want to protect your investment and
secure it properly using the encryption already built into the hardware that
you already purchased. I have heard this so many times. Is turning off SSID
good enough? Is limiting DHCP scope good enough? Is MAC filtering good
enough? The answer to ALL of these is NO. None of these offer ANY security.
Use Encryption. That is the ONLY solution.

That's my .02
TW


"N. Miller" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:
>
>> Mac filtering is OK but what you SHOULD do is turn broadcast off to make
>> it
>> harder to find. It isn't a total solution but it certainly helps.
>
> MAC filtering is better than disabling SSID broadcast. If it was one, or
> the other, MAC filtering would be the way to go.
>
> If you use WPA-AES you don't really need to disable SSID broadcast.
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint

"N. Miller" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> On Thu, 15 Sep 2005 23:31:39 +1000, Greg wrote:
>
>> Mac filtering is OK but what you SHOULD do is turn broadcast off to make
>> it
>> harder to find. It isn't a total solution but it certainly helps.
>
> MAC filtering is better than disabling SSID broadcast. If it was one, or
> the other, MAC filtering would be the way to go.
>
> If you use WPA-AES you don't really need to disable SSID broadcast.
>

You don't need to do ANYTHING at all if you "don't need to...." apply
thought.

You DO need some sort of protection, WEP at the very least but more than
that is obviously better. You DO need to MAC filter and you DO need to
disable SSID broadcast. If you don't do any of the things available to you
to protect yourself if you are that paranoid about it all, then you really
aren't trying.