MAC Address Filtering

Scorpion1031

Hey, I just have a question regarding MAC address filtering. I would like to add another layer of security to my Verizon FiOS router by setting up MAC address filtering. My first question is that I would like to apply this filtering to every device that connects to the internet (1 laptop, 1 wireless desktop, PS3, and a hardwired PC); can I use hardwired devices as well as wireless devices for MAC address filtering? I only ask this because I checked out the settings of my FiOS router and the MAC address filtering was under a wireless tab. My 2nd question is: when I set up MAC address filtering, do I also need to list the MAC of the router itself, or just the MACs of the devices I want to connect to the internet? Any help is greatly appreciated!
 
Scorpion1031 said:
Hey, I just have a question regarding MAC address filtering. I would like to add another layer of security to my Verizon FiOS router by setting up MAC address filtering. My first question is that I would like to apply this filtering to every device that connects to the internet (1 laptop, 1 wireless desktop, PS3, and a hardwired PC); can I use hardwired devices as well as wireless devices for MAC address filtering?

Yes you can. I'm not sure what type of router you're using so I can't really assist with the specifics of setting it all up.

Scorpion1031 said:
My 2nd question is: when I set up MAC address filtering, do I also need to list the MAC of the router itself, or just the MACs of the devices I want to connect to the internet? Any help is greatly appreciated!

No, you don't have to list the router's MAC.
 
I would like to add another layer of security to my Verizon FiOS router by setting up MAC address filtering.
There's nothing wrong with it per se, but be aware that this isn't really a layer of security these days - anyone can bypass it by faking MAC addresses, and it's a very easy thing to do!

Personally, I wouldn't bother (I don't.) It doesn't stop anyone breaking in, and it's just an annoyance whenever you want to allow another machine access to your network.
 
I disagree.

Honestly, I only run MAC filtering on my network. That and I disable the SSID broadcast. Sure, it's not hard to spoof a MAC and passive scan for an SSID, but if someone knows how to do that, they will probably know how to get into your network anyway. With the right tools, getting around just about ANY wireless security is pretty easy.

There is no way to keep everyone out. You just need to make it hard enough to keep most out. MAC filtering and disabling your SSID broadcast is more than enough IMO.

Edit: There is a way to keep everyone out...it's called RJ45...
 
Ouch. I'm afraid you've been very misguided - without meaning to sound condescending, I'd really suggest you go and do some research on wireless security!

MAC filtering and disabling your SSID broadcast is more than enough IMO.
You do realise then that anyone with access to BackTrack, Google and YouTube can come and break into your network with ease? Kismet and airodump both pick up hidden SSIDs when traffic's around, and macchanger takes care of spoofing your MAC. With no encryption it's just a couple of simple commands and in less than a minute you're away...

With the right tools, getting around just about ANY wireless security is pretty easy.
Incorrect. Try getting past my WPA2 layer and I'll be damn impressed. I'll even give you a clue as to the key - it's 25 letters long and completely and utterly random. If you want to try and crack my other WPA network with a RADIUS server on it as well, be my guest. Neither of them is hidden and neither of them runs MAC filtering.

There is no way to keep everyone out. You just need to make it hard enough to keep most out. MAC filtering and disabling your SSID broadcast is more than enough IMO.
There may be no way to keep everyone out with 100% certainty - but it's still sensible to make things as secure as they can be. If I offered you a simple bit of metal that secured your door shut via two, normal flathead screws would you take it? Or would you take the proper lock that needed skill, time, patience and a lot more effort to crack? This situation is similar to taking the first - sure it'll probably keep most people out, because most people simply won't bother undoing the screws to get access to your home. But it makes no sense when you could have a much more robust and hard to crack lock in place for the same amount of effort...
 
berry120 said:
Ouch. I'm afraid you've been very misguided - without meaning to sound condescending, I'd really suggest you go and do some research on wireless security!

It's all good, man! Thank you for the courtesy.

I've done plenty of research. I'm a Data Networks Specialist for the United States Marine Corps.

berry120 said:
You do realise then that anyone with access to BackTrack, Google and YouTube can come and break into your network with ease? Kismet and airodump both pick up hidden SSIDs when traffic's around, and macchanger takes care of spoofing your MAC. With no encryption it's just a couple of simple commands and in less than a minute you're away...

Yup. Well aware of this. More than familiar with many hacking/cracking/packet tracing/packet sniffing/spoofing apps and techniques...however rusty I am with them now.

berry120 said:
Incorrect. Try getting past my WPA2 layer and I'll be damn impressed. I'll even give you a clue as to the key - it's 25 letters long and completely and utterly random. If you want to try and crack my other WPA network with a RADIUS server on it as well, be my guest. Neither of them is hidden and neither of them runs MAC filtering.

Very true. WPA2-PSK is about as good as it gets now for most basic users and it is quite tough to crack. Even still, all it takes is the right equipment, a bit of luck and time.

I will explain my reasoning behind not worrying about all this. You have all this (even a RADIUS SERVER?!!??!!?) for your home network...why? Why bother? What do you have that is so private? Why are you such a target? I'm not. I don't worry about it. I have all my files and apps installed and saved to a secure external HDD. The only thing on the computer's HDD is system files. If I get a virus or something goes wrong with Windows, I don't care. I just wipe and reinstall. No problem.

berry120 said:
There may be no way to keep everyone out with 100% certainty - but it's still sensible to make things as secure as they can be. If I offered you a simple bit of metal that secured your door shut via two, normal flathead screws would you take it? Or would you take the proper lock that needed skill, time, patience and a lot more effort to crack? This situation is similar to taking the first - sure it'll probably keep most people out, because most people simply won't bother undoing the screws to get access to your home. But it makes no sense when you could have a much more robust and hard to crack lock in place for the same amount of effort...

I think you have a bit of a false sense of security. However small the possibility of penetration may be (even though you've gone to impressively great measures to secure your network), a small possibility is still a possibility. You should really think of the bit of metal you mention as WPA/WEP/etc and RJ45 cable in conduit (or possibly even beyond THAT into the military grade crypto equipment for wired systems) as the deadbolt.

There is ALWAYS a risk of intrusion when employing wireless. That's why, if I was guarding something (people's info at a hospital, sensitive bank information, etc), wireless would not be a consideration. I only do what I do to keep n00b (which the 95% of people that give a shit about it anyway are) wardrivers and the neighbors from sucking up my precious, precious bandwidth.
 
It's all good, man! Thank you for the courtesy.
I've done plenty of research. I'm a Data Networks Specialist for the United States Marine Corps.
Thanks for the pleasant response (and no that's not sarcastic!) I'm all up for debating in an informed manner :)

Yup. Well aware of this. More than familiar with many hacking/cracking/packet tracing/packet sniffing/spoofing apps and techniques...however rusty I am with them now.
Fair play - you clearly understand the risks so that's your decision.

Very true. WPA2-PSK is about as good as it gets now for most basic users and it is quite tough to crack. Even still, all it takes is the right equipment, a bit of luck and time.

I will explain my reasoning behind not worrying about all this. You have all this (even a RADIUS SERVER?!!??!!?) for your home network...why? Why bother? What do you have that is so private? Why are you such a target? I'm not. I don't worry about it. I have all my files and apps installed and saved to a secure external HDD. The only thing on the computer's HDD is system files. If I get a virus or something goes wrong with Windows, I don't care. I just wipe and reinstall. No problem.
The RADIUS server was a result of me messing around a couple of years back. It just works pretty nicely and as such it's stayed! It's not something I'd say that everyone needs to install on their home network ;)
Incidentally, I also take the same approach as you for wiping and reinstalling if I get a virus or something similar - I agree with you there. But in my mind that's a different issue altogether. Having a virus trash my box isn't something I really care about, I can just rebuild it. Giving the outside world free access to everything inside my network? I just don't like the sound of that.

Long WPA2 keys however I would say are worth having. While I'm aware there are techniques to break these, they're few and far between, take a lot more effort than WEP or simple WPA(2) passwords and aren't always guaranteed to work. (At least that was the case last time I looked a few months back, if you know differently feel free to correct me.) If such keys slowed things down, were ridiculously difficult to set up or were somehow dangerous to set up I may well take your route of claiming they're unnecessary. However, they're easier to set up on all home routers I know of than MAC address filtering, and more secure! I can see the reasoning behind your theory, but in practice why choose something that's less secure and more hassle to set up? I'm afraid you've lost me a bit there.

I think you have a bit of a false sense of security. However small the possibility of penetration may be (even though you've gone to impressively great measures to secure your network), a small possibility is still a possibility. You should really think of the bit of metal you mention as WPA/WEP/etc and RJ45 cable in conduit (or possibly even beyond THAT into the military grade crypto equipment for wired systems) as the deadbolt.
Don't get me wrong - I completely know and understand that no wireless system is completely safe. I'd take that a step further and say that even completely cabled networks aren't 100% safe either, if anyone wants to grab some information that much then they could well break into your house and physically access your network anyway!

In terms of just keeping the annoying wardrivers away and neighbours from sucking up bandwidth - I agree that for 99% of people that's all they need to worry about. That's why I use strong WPA2 keys, novice wardrivers simply won't bother (and probably wouldn't get far if they did,) they'll take on the bunch of WEP "secured" networks instead. I'm pretty sure however that even novice wardrivers could get past MAC filtering and a lack of SSID broadcast.
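
Added example, not written by any poster in this thread: the "25 letters, completely random" WPA2 key discussed above, generated from the OS CSPRNG and turned into the 256-bit PSK the way WPA2-Personal does it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The 52-letter alphabet and the guess rate passed to `years_to_exhaust` are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# Assumption: "letters" means upper- and lower-case ASCII (52 symbols).
ALPHABET = string.ascii_letters


def generate_passphrase(length: int = 25, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string (not valid for human-chosen words)."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected years to search half the keyspace at a constant guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ssid = "HomeNet-Example"  # constructed SSID; it salts the PSK
    key = generate_passphrase()
    print("passphrase:", key)
    print("PSK       :", derive_psk(key, ssid).hex())
    rate = 1e12  # constructed, deliberately generous guess rate
    for label, n, size in (("25 random letters", 25, 52), ("8 lower-case", 8, 26)):
        bits = entropy_bits(n, size)
        print(f"{label}: {bits:.1f} bits, ~{years_to_exhaust(bits, rate):.3g} years")
```

Because the SSID is the salt, a default network name lets precomputed tables be reused against it, so a unique SSID together with a random key removes that shortcut.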
 
berry120 said:
Thanks for the pleasant response (and no that's not sarcastic!) I'm all up for debating in an informed manner :)

Me too! I've found it to be a rapid way of learning and is one of my main draws to forums.

berry120 said:
The RADIUS server was a result of me messing around a couple of years back. It just works pretty nicely and as such it's stayed! It's not something I'd say that everyone needs to install on their home network ;)
Incidentally, I also take the same approach as you for wiping and reinstalling if I get a virus or something similar - I agree with you there. But in my mind that's a different issue altogether. Having a virus trash my box isn't something I really care about, I can just rebuild it. Giving the outside world free access to everything inside my network? I just don't like the sound of that.

Yea...RADIUS servers are far beyond the scope of most people's home networks. Hell...most people's networks PERIOD. Pretty cool though.

berry120 said:
Long WPA2 keys however I would say are worth having. While I'm aware there are techniques to break these, they're few and far between, take a lot more effort than WEP or simple WPA(2) passwords and aren't always guaranteed to work. (At least that was the case last time I looked a few months back, if you know differently feel free to correct me.) If such keys slowed things down, were ridiculously difficult to set up or were somehow dangerous to set up I may well take your route of claiming they're unnecessary. However, they're easier to set up on all home routers I know of than MAC address filtering, and more secure! I can see the reasoning behind your theory, but in practice why choose something that's less secure and more hassle to set up? I'm afraid you've lost me a bit there.

True...it is easy enough to set up and all. It definitely is a "hey why not" kinda thing. I don't really think it's any harder or easier than MAC filtering though. In my experience, you click the "MAC Filter" tab, open the list, populate the list with MACs already connected to the network and you're good to go. Takes 2 min...and there are no passwords to forget. (I forgot the password to my Ssgt's network that I set up recently...oops...lol)

berry120 said:
Don't get me wrong - I completely know and understand that no wireless system is completely safe. I'd take that a step further and say that even completely cabled networks aren't 100% safe either, if anyone wants to grab some information that much then they could well break into your house and physically access your network anyway!

True. Any time you have data in the open, you run a risk of intrusion but, with a wired network with buried cables in conduit, it'd be (for all intents and purposes) impossible to get at the data. If security is a priority, you lock the server room that houses all your servers, switches, routers and the like and run all cabling through conduit buried a minimum of 2 feet underground. Then, if you wanna get REALLY crazy, get some military crypto gear and encrypt all the data. Now...my home network doesn't house any classified info...doesn't hold anything at all, really. Hence my asking "why bother".

berry120 said:
In terms of just keeping the annoying wardrivers away and neighbours from sucking up bandwidth - I agree that for 99% of people that's all they need to worry about. That's why I use strong WPA2 keys, novice wardrivers simply won't bother (and probably wouldn't get far if they did,) they'll take on the bunch of WEP "secured" networks instead. I'm pretty sure however that even novice wardrivers could get past MAC filtering and a lack of SSID broadcast.

95% of people see an open network and think "hey...I'll use this till my net gets turned on/till I get home/forever/etc". By disabling the SSID broadcast, they're SOL. By MAC filtering, some/most of the ones that are looking for hidden SSIDs are SOL. That leaves the .5% of people that know how to MAC spoof. Is it hard to do? No. Not at all...if you know how to do it. The VAST majority of people don't. Hell...the vast majority of people contribute to what I call the world's largest hotspot..."linksys". I have it permanently saved in my phone as a trusted network and can't even count how many times I've been pleasantly surprised to see that my phone has a WiFi connection. This is the biggest part of what I'm trying to avoid. Accidental/easy connection to my network...not the ones that are actually TRYING to get in. I feel that they're too few and far between to worry about in my situation.
 