Networking Forums

Is a repeater a security hole?

 
 
svl2706
      04-25-2006, 01:06 PM
Hi wifi gurus...

I discovered a few days ago that I created a security hole in my
personal home wifi network by changing the wireless security from WEP
to MAC address filtering. I decided on this change because I'm living in
the countryside, with only a few close neighbours, and the probability of
having them sniffing or cracking into my personal network is close to
zero. But I don't want them to use my internet connection, so I
obviously have to secure my network. I used to do it with a 128-bit WEP
encryption key but decided to change it to MAC address filtering for
performance reasons. Actually I'm using a phone/PDA (Qtek 9100) to
wirelessly connect to Skype at home and the little device seemed quite
slow using the WEP encryption.

So I changed the config, added the MAC addresses of my personal laptop
and the PDA device to the list and all worked fine. Then I decided to
configure my repeater (I forgot to mention that I'm using a repeater to
bounce the signal everywhere in the house). So I added the repeater's
MAC address to the list of permitted addresses and everything worked
fine also. Then I tried to connect with a friend's laptop to the
internet, and I succeeded immediately even though the MAC address is not
listed in the permitted values... It seems (and it makes sense to me)
that all requests passing through the repeater are permitted by the
router... So the repeater's action is not really transparent since it
seems to replace the original requester's MAC address with its own MAC
address and lets it connect...

Do you guys have any advice, or shall I go back to WEP encryption?

Thanks for your help,

Stephane
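
The behaviour described in the post above can be checked from the router side. This is an added example, not part of any post in the thread: it parses an ARP table in the Linux `/proc/net/arp` layout and reports allow-listed MACs that front for several IPs, plus how many live hosts exceed the allow-list. It assumes the router exposes such a table and that each device holds one IP; all addresses are constructed.

```python
from collections import defaultdict

ATF_COM = 0x02  # "complete" flag in /proc/net/arp; incomplete entries are skipped

# Constructed sample table (documentation-range MACs, made-up IPs).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.100    0x1         0x2         00:00:5e:00:53:10     *        br0
192.168.1.101    0x1         0x2         00:00:5e:00:53:20     *        br0
192.168.1.102    0x1         0x2         00:00:5e:00:53:aa     *        br0
192.168.1.103    0x1         0x2         00:00:5e:00:53:aa     *        br0
192.168.1.104    0x1         0x0         00:00:00:00:00:00     *        br0
"""

# Constructed allow-list: laptop, PDA, repeater (the last one is the repeater).
ALLOW_LIST = {"00:00:5e:00:53:10", "00:00:5e:00:53:20", "00:00:5e:00:53:aa"}


def audit(arp_text, allow_list):
    """Group live IPs by the MAC the router sees and compare with the allow-list."""
    by_mac = defaultdict(set)
    for line in arp_text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, _dev = fields
        if not int(flags, 16) & ATF_COM:        # unresolved entry, no real host
            continue
        by_mac[mac.lower()].add(ip)

    # A MAC with several IPs is forwarding for stations the filter never sees.
    fronting = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}
    unlisted_macs = sorted(m for m in by_mac if m not in allow_list)
    live_ips = sum(len(ips) for ips in by_mac.values())
    # One IP per allow-listed device: anything beyond that is an unlisted host.
    excess_hosts = max(0, live_ips - len(allow_list))
    return {
        "fronting": fronting,
        "unlisted_macs": unlisted_macs,
        "excess_hosts": excess_hosts,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_ARP, ALLOW_LIST))
```

In the sample every MAC passes the filter, yet one more host is online than the allow-list can account for, and it sits behind the repeater's address.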

 
Derek Broughton
      04-25-2006, 02:29 PM
svl2706 wrote:

> I discovered a few days ago that I created a security hole in my
> personal home wifi network by changing the wireless security from WEP
> to MAC address filtering.


Definitely. I only need to capture one packet from your transmission to
know a valid MAC address, and I can make my adapter mimic your MAC
address...

> I decided on this change because I'm living in
> the countryside, with only a few close neighbours, and the probability of
> having them sniffing or cracking into my personal network is close to
> zero. But I don't want them to use my internet connection, so I
> obviously have to secure my network. I used to do it with a 128-bit WEP
> encryption key


Neither method is really "security". WEP or MAC filtering will stop them
accidentally connecting, but won't stop anybody from "cracking".

> Then I tried to connect with a friend's laptop to the
> internet, and I succeeded immediately even though the MAC address is not
> listed in the permitted values... It seems (and it makes sense to me)
> that all requests passing through the repeater are permitted by the
> router... So the repeater's action is not really transparent since it
> seems to replace the original requester's MAC address with its own MAC
> address and lets it connect...


The repeater would need MAC filtering itself.

> Do you guys have any advice, or shall I go back to WEP encryption?


There's really no point in going back to WEP, but I haven't been able to
make WPA work over a WDS repeater.
--
derek
 
 
svl2706
      04-26-2006, 01:38 PM
Hi Derek,

thanks for your analysis, it seems that we finally arrive at the same
end point. So, if my sole concern is to block anonymous (or not
permitted) access to my network (actually I don't want to share my DSL
connection with neighbours...), is there another way of blocking this
access with my current configuration (DSL router + repeater) without
going back to WEP encryption?

Any other comment?

Thanks,

Stéphane

 
 
Derek Broughton
      04-26-2006, 02:56 PM
svl2706 wrote:

> Hi Derek,
>

Please quote...

> thanks for your analysis, it seems that we finally arrive at the same
> end point. So, if my sole concern is to block anonymous (or not
> permitted) access to my network (actually I don't want to share my DSL
> connection with neighbours...), is there another way of blocking this
> access with my current configuration (DSL router + repeater) without
> going back to WEP encryption?


"block"? Maybe not - without encryption you _can't_ keep your neighbors
out. If you just want to accept the insecure nature of MAC restrictions,
then I told you what you needed to do. You have to have the repeater (not
just the AP) block the individual MACs. Since you haven't told us anything
about the hardware or software you're using, we can't possibly tell you
more than that.
--
derek
 
 
John Navas
      04-26-2006, 03:48 PM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

On 26 Apr 2006 06:38:08 -0700, "svl2706" wrote:

>Hi Derek,
>
>thanks for your analysis, it seems that we finally arrive at the same
>end point. So, if my sole concern is to block anonymous (or not
>permitted) access to my network (actually I don't want to share my DSL
>connection with neighbours...), is there another way of blocking this
>access with my current configuration (DSL router + repeater) without
>going back to WEP encryption?


No. You need either WEP (preferably 128 bits, but even that is weak and
easily cracked) or WPA (which is better than WEP if [and only if] a strong
pass phrase is used).

>Any other comment?


MAC address filtering in the repeater would only keep the honest folks honest.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
 
 
svl2706
      04-27-2006, 08:50 AM
> Please quote...

Sorry Derek, I'm a real newbie in forums and groups. I read the FAQ and
other posts on this, it should be better now... I hope.


>You have to have the repeater (not
> just the AP) block the individual MACs. Since you haven't told us anything
> about the hardware or software you're using, we can't possibly tell you
> more than that.


The device I use as a repeater is a D-Link DWL-2000 AP+ that I
configured as a repeater in this case. My router is a Linksys WRT54G
(or WRT54GS) which is wired to my DSL modem.
I've been through the (very short) documentation about the D-Link AP
and also through the configuration options and it seems once turned into a
repeater, there isn't any security option anymore... Seems like it's
not possible to have MAC address filtering at the D-Link device's level
once set as a repeater.

--
Stéphane

 
 
Derek Broughton
      04-27-2006, 12:08 PM
svl2706 wrote:

>> Please quote...

> Sorry Derek, I'm a real newbie in forums and groups. I read the FAQ and
> other posts on this, it should be better now... I hope.


Thanks. It just makes things a little simpler.


>>You have to have the repeater (not
>> just the AP) block the individual MACs. Since you haven't told us
>> anything about the hardware or software you're using, we can't possibly
>> tell you more than that.

> The device I use as a repeater is a D-Link DWL-2000 AP+ that I
> configured as a repeater in this case. My router is a Linksys WRT54G
> (or WRT54GS) which is wired to my DSL modem.
> I've been through the (very short) documentation about the D-Link AP
> and also through the configuration options and it seems once turned into a
> repeater, there isn't any security option anymore... Seems like it's
> not possible to have MAC address filtering at the D-Link device's level
> once set as a repeater.


Then I'd have to guess you're out of luck, unless somebody else knows about
undocumented options :-(
--
derek
 