Wifi MAC address-based authentication

Sorry for asking such a noob question, but I figured I might get more help posting it here than in the Newbie section.

Network cards come with MAC addresses, and some even allow you to change it. I was talking to that guy who told me that one of the best ways of securing a wireless network, is to allow connections based on the MAC address of the wifi cards.
But in that case, isn't it possible to eavesdrop on a connection, grab the MAC address and then change yours to that? Or do wifi cards not allow you to change your MAC address?

Apart from that and using WEP, any other suggestions on how to make a wireless network a bit more bulletproof?

Thanks.

The best thing I've read about WiFi is

Dr. Cyrus Peikari and Seth Fogie - Wireless [Indiana: SAMS Publishing, 2003]

Most decent libraries should have it [unless you are thinking of buying it - I am!]

WPA (Not support by all Hardware Router and Card) is good alternatif for now.

cold_connection: ya run it over a wire :)

WEP or WPA are your best bets combined with MAC address based connections. beyond that use sound local and network security on your systems, no anon access, strong file level permisions ect. On your gateway/firewall box set user limits on internet access. When doing wireless understand that your footprint into the world is *very* big, your best bet for security is security in depth.

Spoofing mac addresses is easy, on a scale of 1 to 5 with 5 being the most amount of knowledge needed to complete an intrusion attempt activity; I would rate it at 2. The factor in your favor is, the person has to be within range of the antenna to do anything. If you’re a high value target, I would think twice. I have a couple of decent papers I can did up, but just type "spoofing mac address" in google. Securing wireless connection by mac lockout is over rated. WEP has been all but made obsolete by cracker software and the method of authentication/communication is well documented. The real danger in wep is (my opinion) sniffing. An open wireless router easily becomes a funnel for sensitive information and depending on the motive of those listening, they may never make a move to give away their intention and set on it listening to email, authentication etc. I am discussing this from a point of view that sensitive information is not worth the risk of convenience. Wireless access should be segmented, like already pointed out. If it's your house, no big woop you can watch the connections but in a large environment that becomes difficult when compared with the benefit.

Why kind of devices comprise your wlan?

i would suggest looking into (P)EAP if your Cisco based. The various EAP protocols (EAP, LEAP, and PEAP) can be used to secure wired switch ports as well.

If your not in a Cisco architecture, some vendors support EAP but i don't think they're in the majority; especially if you're talking home market vs. enterprise. I believe almost all home market devices support MAC filtering, which means you have to hard code all possible 'good' MACs into it. If you're planning on servicing a large number of clients, the upkeep could become a headache.

And MAC spoofing is trivial as RoadClosed pointed out.

Always remember that no one device/technology is going to solve all of your security woes. Layer your defenses and know where residual risk is located.

Cheers,
<0

Thanks for the swift replies!

It would be for a home network, and the machines would be as folllow:

proxy
fileserver
3 other computers

Most of the machines will be running a Windows of some sort, but the fileserver will definitely be running Linux.
I'm still hesitating for the proxy. Either I make the fileserver also act as a proxy, or run the proxy with Windows, which I am not too keen on but I do not have another free computer.
Alternatively, I suppose I could get a Wireless router, and that would take away the need of a proxy.

Thanks again for the help!

You will be ok, WPA is cheaper than it was a few months ago. I would get it and just look at the logs. Your risk is low and look for WPA wirelss routers and cards or USB devices for each PC that support it. Lock it down with MAC based access controls and encrypt it. It beats running Cat5 through a house already built. Since you are using winders and want to go a step further and utilize the OS. Check out this lady... nice article for home users. Hope you have newer versions of winders.

http://www.microsoft.com/WindowsXP/e...n/03july28.asp

One thing I did not see mentioned is that in order to really make use of MAC spoofing you have to be on a LAN for the ARP to route, so put a firewall between your AP and your internal LAN then ARP posioning will not be possible,also just having the MAC of an authorized client will not give you the WEP key so you cant just hop on. Also sniffing is not as big of concern where some kind of TLS based system is in place with rotating WEP keys (802.1X stuff)

-Maestr0

Quote:

---

Originally posted here by Maestr0
One thing I did not see mentioned is that in order to really make use of MAC spoofing you have to be on a LAN for the ARP to route, so put a firewall between your AP and your internal LAN then ARP posioning will not be possible,also just having the MAC of an authorized client will not give you the WEP key so you cant just hop on. Also sniffing is not as big of concern where some kind of TLS based system is in place with rotating WEP keys (802.1X stuff)

-Maestr0

---

This is probably one of the better sugestions, even if you are useing XEAP or WAP don't relay on just that , secure your boxes, if you are going to have a file server set it up as a domain server and set strong ntfs permisions on all your systems. Remember nothing is ever 100% secure the best bet is to make your system not worth the trouble it takes to break...security in depth.

Quote:

---

i would suggest looking into (P)EAP if your Cisco based

---

Yes, this would be the cheapest thing to do since all you will need additionally is a shittly little linux box running free RADIUS. I have this in use now and I haven't had a single issue....yet. :)

Cisco's implementation is LEAP, which is very similar to PEAP but unless you are using a Cisco card (Which comes with the ACU) you will need third party software to such as Odyssey Client to make use of LEAP. PEAP however is supported by Microsoft as of Win2K_SP4 and WinXP_SP1 and can also be used to auth against a Radius server, I too would reccomend looking at FreeRadius as TH13 suggested.

-Maestr0

I don't follow your comments Maestr0...are you stating that Cisco doesn't support (P)EAP...or that they had nothing to do w/ it?

I respectively disagee- Cisco co-authored the PEAP specifications w/ MS and RSA to compensate for the dictionary attack vs. EAP/LEAP.

Here's one of the best documents I've ever read re: Wireless Security and clearly supports the above statements:

http://www.cisco.com/en/US/products/...8009c8b3.shtml

FYI-I'm not a Cisco employee :) I just really enjoy their products.

Cheers,
<0

I'm not saying Cisco doesnt support PEAP, I'm saying Microsoft does not support LEAP (not counting the miserable excuse for LEAP/PEAP in the new WinMobile 2003) LEAP is Cisco's EAP protocol, where as PEAP is based on EAP but co-authored by Cisco, Microsoft, RSA and some other chaps and is an open RFC protocol. So you can use LEAP if you have a cisco card and the ACU (Aeronet Client Utility) or you can purchase a 3rd party client(Odyssesy) to allow other wireless cards to negotiate LEAP authentication with Cisco AP's. If you do not intend to use Cisco cards exclusively I would use PEAP which is supported natively now by MS so you dont have to purchase any third party clients.

-Maestr0

Also, you mentioned PEAP was developed in response to the LEAP dictionary attack, this may be true I havent researched that, but I'm fairly certain PEAP was under way long before that vulnerability was disclosed.

Thanks for taking the time to explain your position- your comments are clear to me now. I hope I didn't come across as abrasive as I was simply attempting to interpret your comments.

I agree with your summary. Furthermore, and for clarification on my side, I was under the impression that PEAP was developed to answer possible attack vectors such as the what was eventually proven in the dictionary attack. I didn't intend to potray PEAP as a direct answer to the specific vulnerability announcement. :)


Cheers,
<0

hey,

" Dont go so deep in forest that you loose ur way back " ;-) , Its only abt home security.

-- A Basic 128 bit WEP with TKIP (Cisco) / CKIP (Wi-Fi) is what is common to all devices and
best for home networking.
-- Another Step that can be added is MAC authentication, with the above options is another
outstanding way to defend ur home network.
-- It would be really tough for any one to break into this.

Well nothing is computers is 100% secure no matter whatever u do, but this shud be more than enough to save you from newbies and mid level hackers etc. ( why wud they run after u at the first place ... its ur fear that will kill u no one else.. lol)

That Said there are further standards for Corporate Deployment

-- XEAP , Cisco EAP - TLS, Cisco LEAP , Cisco PEAP, Microsoft Host Based EAP ( same crap as Cisco PEAP) ..... he he he.. not this alone, add this also , if still discontented , then go for certifiacte authentication , use Token RSA Servers (OTP) with Funk Radius, Microsoft IAS, or Cisco ACS. ( just getin senti :-)) etc.

Finally with least cost and normal residential config choose the top options.

To crack them choose the following - Airospeek , Airsnort, Net Stumbler.

Let me know if you need any thing else...

Smile , u never know when someone falls in love with your smile. :)