Wireless: Is MAC Address Filtering Enough?

[p_l]

On my home wireless-N network, I don't use WEP or WPA, because I have two older wireless devices, an old computer and a D-Link DSM-320 wireless media extender that are still on the G protocol, although the three remaining computers all have N cards. Not only is the DSM-320 a "G," but it only has WEP, not WPA. I think I had read something along the lines that turning on WEP encryption for a mixed G and N network would slow it down to G speeds, so I've been using only MAC address filtering, along with not broadcasting the SSID and using a software firewall.

In theory, MAC address filtering precludes any machine other than those I've identified and allowed from connecting to my network, right? Am I safe enough?

[guns1inger]

I know that for b/g cards, enabling b, even without encryption, reduces all traffic to b speeds. Unless something has changed with g/n, I would suspect that same happens there, even without turning on encryption.

Hiding the ssid works for general users (although Windows 7 beta sees it and calls it an "unidentified network"), but won't hide it from someone who really wants in. The same for MAC address only security. MAC addresses can be easily spoofed. If someone really wanted in, all they have to do is listen for traffic on your wireless, find a valid MAC address, and pretend to be it.

The question, do you have anything worthwhile that would make someone want to go to those lengths ?

[disturbed1]

In theory, MAC address filtering precludes any machine other than those I've identified and allowed from connecting to my network, right? Am I safe enough?

You're fine. To a point

As guns1inger posted,

You can still spoof MAC IDs, sniff the wireless packets, and not broadcasting the SSID doesn't mean anything, it still shows up in a sweep. BUT anyone that could spoof your MAC ID, and get in, would also be able to crack WEP and WPA. These encryption schemes are trivial to crack. That's why WPA2 AES with PSK encryption methods are what's used now. These can still be brute forced, but that takes much more time than simple WEP or WPA. WEP and WPA can be cracked in under 4 hours with right equipment.

Your entire network will slow to the slowest connection - at least that's how it is with b/g routers. These new b/g/n routers are most all MIMO (multi-in multi-out) and they are able to handle multiple speeds as long as the manufacturer included the options.

[gadgetguy]

The question, do you have anything worthwhile that would make someone want to go to those lengths ?

High speed Internet access is the only requirement for someone to go to those lengths. Chances are they don't care what's on your PC. They're more interested in you getting blamed for their nefarious activities.

[guns1inger]

In my local area I can see at least 4 different networks at any given time, out of around 8 total. At any time, at least one of these will unprotected. If a hacker is looking for a free ride, they don't have to work too hard at it.

[AlanHK]

On my home wireless-N network, I don't use WEP or WPA, because I have two older wireless devices, an old computer and a D-Link DSM-320 wireless media extender that are still on the G protocol, although the three remaining computers all have N cards. Not only is the DSM-320 a "G," but it only has WEP, not WPA. I think I had read something along the lines that turning on WEP encryption for a mixed G and N network would slow it down to G speeds,

I'm pretty sure that if any devices are using G, regardless of encryption, the whole system works at G speed.
I'd enable WEP and see if you can tell the difference. I doubt you will. (But WEP is cracked without to much difficulty.)

so I've been using only MAC address filtering, along with not broadcasting the SSID and using a software firewall. In theory, MAC address filtering precludes any machine other than those I've identified and allowed from connecting to my network, right? Am I safe enough?

No, it's easy to sniff and spoof a MAC address. Doesn't hurt to do it, will stop your neighbours accidentally connecting.

Not broadcasting SSID is bad practice, makes it harder for legitimate connections while not impeding hacking. (But make up your own SSID, don't use the default, which will tell everyone what kind of router you have.)

And read this: Wireless LAN security myths that won't die

Regardless, make sure you have changed the router password to a non-default, and you might turn off remote administration (via Internet, only allow via LAN, and preferably only wired, not wifi if the router makes that distinction).

On your PCs, turn off any network protocols you don't use (Control Panel/Network) -- I turn off everything except TCP/IP. Microsoft's protocols are a backdoor I don't need. If you use them, take care.

[gll99]

I'm running my new wireless N as wired for now but I bought one usb N adapter just to test and learn before switching over. I have a pci G adapter but frankly for proper speed and security why bother? 2 of the PCs are a couple of feet from the router so they'll stay wired for the near future but 2 are in other rooms. I just need to pick up one more adapter to cover the 2 more distant connections.

There are at least 15 networks with varying degrees of connectivity in my area. One even put is home address in his SSID, 2 are unprotected and only 2 aside from me have left the SSID blank.

I use all of the limiting options, some among them are: change the router password, choose a new SSID and don't broadcast it, use the wireless MAC filter, select security mode WPA2-PSK and choose a very long connection phrase above 60 characters hidden on the adapter side, lower the transmission power if it doesn't effect your own connections stability, and since it's for my home, I disable the wireless mode when I know the wireless connections are not needed which in either case has no effect on the 2 wired connections.

Obviously except for shutting it off, the best is the WPA2-PSK security encryption method available with the wireless N. A usb N adapter for my router is about $30 in Canada. Why not just upgrade the last 2 PCs and be done with it?

[p_l]

Thanks guys, fascinating reading. I did rename the SSID and changed the default administrator password, BTW. My router is a one-year old Linksys WRT300N V1.1. It has MIMO (so perhaps it could do both N and G without taking a speed hit) and WPA2, and three of my networked home computers also have N wireless adapter cards, and a fourth computer is plugged into the router. Problem is with the remaining two devices on my network, an old desktop with a G card, which I suppose i could upgrade to N, but especially the D-Link DSM-320 Wireless Media Server, which is G and only has WEP.

If I implement WAP2 on the network, won't I lose the ability to connect to this device? Whereas now, I can at least use MAC address filtering with it. However, after reading what you guys are posting and linking to, although I've felt pretty secure up to now and haven't noticed any obvious security problems, all of a sudden I don't feel so secure anymore.

[stiltman]

I have a honey pot set up
DHCP default gateway points to it for shits and grins
I have to specify the real gateway to get to the net

Basically, they will get to a linux box hosting a website full of spyware


What better way than to screw your nieghbor
















not really, but I did think more than once about it