Wifi MAC address-based authentication
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Wifi MAC address-based authentication

  1. #1
    Member
    Join Date
    Nov 2001
    Posts
    66

    Wifi MAC address-based authentication

    Sorry for asking such a noob question, but I figured I might get more help posting it here than in the Newbie section.

    Network cards come with MAC addresses, and some even allow you to change it. I was talking to that guy who told me that one of the best ways of securing a wireless network, is to allow connections based on the MAC address of the wifi cards.
    But in that case, isn't it possible to eavesdrop on a connection, grab the MAC address and then change yours to that? Or do wifi cards not allow you to change your MAC address?

    Apart from that and using WEP, any other suggestions on how to make a wireless network a bit more bulletproof?

    Thanks.
    -Friends come and go. Enemies accumulate-

  2. #2
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    The best thing I've read about WiFi is

    Dr. Cyrus Peikari and Seth Fogie - Wireless [Indiana: SAMS Publishing, 2003]

    Most decent libraries should have it [unless you are thinking of buying it - I am!]
    /\\

  3. #3
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    WPA (Not support by all Hardware Router and Card) is good alternatif for now.
    -Simon \"SDK\"

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    cold_connection: ya run it over a wire

    WEP or WPA are your best bets combined with MAC address based connections. beyond that use sound local and network security on your systems, no anon access, strong file level permisions ect. On your gateway/firewall box set user limits on internet access. When doing wireless understand that your footprint into the world is *very* big, your best bet for security is security in depth.
    Who is more trustworthy then all of the gurus or Buddha’s?

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Spoofing mac addresses is easy, on a scale of 1 to 5 with 5 being the most amount of knowledge needed to complete an intrusion attempt activity; I would rate it at 2. The factor in your favor is, the person has to be within range of the antenna to do anything. If you’re a high value target, I would think twice. I have a couple of decent papers I can did up, but just type "spoofing mac address" in google. Securing wireless connection by mac lockout is over rated. WEP has been all but made obsolete by cracker software and the method of authentication/communication is well documented. The real danger in wep is (my opinion) sniffing. An open wireless router easily becomes a funnel for sensitive information and depending on the motive of those listening, they may never make a move to give away their intention and set on it listening to email, authentication etc. I am discussing this from a point of view that sensitive information is not worth the risk of convenience. Wireless access should be segmented, like already pointed out. If it's your house, no big woop you can watch the connections but in a large environment that becomes difficult when compared with the benefit.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #6
    Senior Member
    Join Date
    Feb 2004
    Posts
    105

    re: wi-fi security

    Why kind of devices comprise your wlan?

    i would suggest looking into (P)EAP if your Cisco based. The various EAP protocols (EAP, LEAP, and PEAP) can be used to secure wired switch ports as well.

    If your not in a Cisco architecture, some vendors support EAP but i don't think they're in the majority; especially if you're talking home market vs. enterprise. I believe almost all home market devices support MAC filtering, which means you have to hard code all possible 'good' MACs into it. If you're planning on servicing a large number of clients, the upkeep could become a headache.

    And MAC spoofing is trivial as RoadClosed pointed out.

    Always remember that no one device/technology is going to solve all of your security woes. Layer your defenses and know where residual risk is located.

    Cheers,
    <0
    Ego is the great Logic killer

  7. #7
    Member
    Join Date
    Nov 2001
    Posts
    66
    Thanks for the swift replies!

    It would be for a home network, and the machines would be as folllow:

    proxy
    fileserver
    3 other computers

    Most of the machines will be running a Windows of some sort, but the fileserver will definitely be running Linux.
    I'm still hesitating for the proxy. Either I make the fileserver also act as a proxy, or run the proxy with Windows, which I am not too keen on but I do not have another free computer.
    Alternatively, I suppose I could get a Wireless router, and that would take away the need of a proxy.

    Thanks again for the help!
    -Friends come and go. Enemies accumulate-

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    You will be ok, WPA is cheaper than it was a few months ago. I would get it and just look at the logs. Your risk is low and look for WPA wirelss routers and cards or USB devices for each PC that support it. Lock it down with MAC based access controls and encrypt it. It beats running Cat5 through a house already built. Since you are using winders and want to go a step further and utilize the OS. Check out this lady... nice article for home users. Hope you have newer versions of winders.

    http://www.microsoft.com/WindowsXP/e...n/03july28.asp
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  9. #9
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    One thing I did not see mentioned is that in order to really make use of MAC spoofing you have to be on a LAN for the ARP to route, so put a firewall between your AP and your internal LAN then ARP posioning will not be possible,also just having the MAC of an authorized client will not give you the WEP key so you cant just hop on. Also sniffing is not as big of concern where some kind of TLS based system is in place with rotating WEP keys (802.1X stuff)

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Originally posted here by Maestr0
    One thing I did not see mentioned is that in order to really make use of MAC spoofing you have to be on a LAN for the ARP to route, so put a firewall between your AP and your internal LAN then ARP posioning will not be possible,also just having the MAC of an authorized client will not give you the WEP key so you cant just hop on. Also sniffing is not as big of concern where some kind of TLS based system is in place with rotating WEP keys (802.1X stuff)

    -Maestr0
    This is probably one of the better sugestions, even if you are useing XEAP or WAP don't relay on just that , secure your boxes, if you are going to have a file server set it up as a domain server and set strong ntfs permisions on all your systems. Remember nothing is ever 100% secure the best bet is to make your system not worth the trouble it takes to break...security in depth.
    Who is more trustworthy then all of the gurus or Buddha’s?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •