• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Explain why MAC filters don't work

C

Crashless

n00b
Joined
Feb 1, 2005
Messages
41
I'm so frustrated with my company's IT guy. We're a tiny production company, with a crappy 802.11b network (using WEP), and our IT guy won't budge on removing MAC filtering from our network.

Basically, he has the ear of the office manager (who for some reason is empowered with such decisions), and has convinced her that we HAVE to use MAC filtering on our network.

We constantly have freelancers going in and out of here, and they all want access to our network - but right now this requires us to get this IT guy over here (he's not on salary, so this usually takes days) check said computer, input MAC address and WEP password.

Obviously this guy is just trying to keep his job, because we have to pay him every time he comes out. How can I explain to our office manager (who is under the impression that the IT guy's MS cert is equal to frickin ivy league) that we are gaining no usefull security by using MAC filtering, and wasting more time/money than it's worth?

Am I wrong here? I've always thought MAC filtering was easily bypassed.

Thanks in advance.
 
If its easily bypassed, why don't your freelancers do it ;)

What you are looking to explain is MAC spoofing. Is it easy to bypass? Yes. Just about all Wireless security is easily bypassed, but why not have it there anyway? Prevents no nothing n00bs from getting on your network and messing something up. Think of it this way, a door lock and a door isn't necessarily a fool proof way to keep someone out of their house, but do you just unlock the door and leave it wide open when you leave the house.

/edit: why not get your boss to get the IT guy to give the information to someone in house to add workstations?
 
:) Because we're a television production company, not an IT company. First thing the office manager said in response to my claim though - my response, "I don't have time, I'm working." :)

I'm not arguing that MAC filtering is useless, but my point is: From a cost-benefit POV for this instance, the added security gained by MAC filtering is more than offset by the added PITA of getting this guy in to add addresses to the filter.

Besides, if someone wants to take the time to crack the 128-bit WEP (God help this guy if the p/w is: password), wouldn't spoofing a MAC address be trivial? Or am I missing an added benefit of combining WEP and MAC filtering?

edit:
I offered that, but she doesn't want anyone other than her to have that info - and she's technically illiterate. So having her messing with the admin prompt of the router would be a bad idea. ;)
 
Here's an article from 2003 dispelling "wireless security"

http://www.oreillynet.com/pub/a/wireless/excerpt/wirlsshacks_chap1/

Note that there are some people in the response area that dispute the speed of the hacks, but they have been proven wrong over time. There are even better software utilities out there that make WEP very weak. MAC filtering is barely a speedbump for any would be hacker.

"Wireless clients send their MAC address in the clear, regardless of whether the AP requires WEP or not."

The only person that is going to stop is a casual passer by.

If your consultant was serious about wireless security in the office he would use the new WAP and WAP2 protocols, or something like RADIUS or a VPN.
 
MAC filtering is only going to stop is a casual passer by or the technically-clueless contractor. Anyone who wants to gain access to your wireless will almost certainly try to imitate a known MAC address.
 
It's better to have the MAC filtering on in addition to WEP honestly because it does help a bit from the casual passer-by.

If you have people comming in on such a frequent basis, have your IT guy leave 2-3 laptop wireless cards that are added to the filter list (and the driver CDs for them) and have visitors install the card to connect, and turn it back in. A simple label on the cards (1, 2, 3 ABC, whatever) along with a file somewhere stating what the MAC was for that card can be kept so if a card grows legs that MAC can be turned off.
 
Yea I agree with having some cards around that are in the system. Hell if I remember right does xp have the drivers built in for the ORiNOCO silver and gold cards? Pretty much mac filtering just slows someone down but not by much. Hell you can change the mac address on a bunch of wireless cards with easy to use software. No need to do anything hard.
 
swatbat said:
Yea I agree with having some cards around that are in the system. Hell if I remember right does xp have the drivers built in for the ORiNOCO silver and gold cards? Pretty much mac filtering just slows someone down but not by much. Hell you can change the mac address on a bunch of wireless cards with easy to use software. No need to do anything hard.
Click to expand...

Good idea, did not even think of that....
 
Ok heres the deal. Yes MAC filtering will prevent the casual attempt, but so will WEP. If the person is able to defeat WEP, MAC filtering is just a little laugh for said person. So in the end what does MAC filtering give you? It gives you added management nightmares with no added security if already using WEP or WAP.
 
So then if all these protective measures are useless, is it really practical to have a private wireless network? In my area, I am the only one who uses WPA-PSK. All the other wifi networks are either WEP or unsecured.
 
N_Raged said:
So then if all these protective measures are useless, is it really practical to have a private wireless network? In my area, I am the only one who uses WPA-PSK. All the other wifi networks are either WEP or unsecured.
Click to expand...

Hence why when I moved into my apartment earlier this month, I ran ethernet cabling everywhere and turned off the wireless, aint worth the trouble.
 
N_Raged said:
So then if all these protective measures are useless, is it really practical to have a private wireless network? In my area, I am the only one who uses WPA-PSK. All the other wifi networks are either WEP or unsecured.
Click to expand...

NO they are not useless. WEP while it can be cracked with easily avialable tools, it is by no means a simple I see you network I have your WEP key type thing. It takes monitoring of a good bit of traffic. I cracked my own 128bit WEP key, but it took me about 2 weeks of sniffing the network while having an active 1.4 mbps stream of data for that FULL 2 weeks, hardly normal usage for a home network. So WEP will stop your drive by hackers and your casual users. WEP will NOT stop the guy who lives next door and wants to serve kidding porn off your network, but neither will MAC filtering.

The best way to secure a WIFI network is via VPN. Put your wifi in its own dedicated network completely firewalled from incoming or outgoing packets, and ONLY allow VPN traffic. Then setup a VPN on your network. This does two things for you, prevents guys from doing anything on your wifi without VPN access, AND prevent anyone from sniffing your data since it is encrypted. Downside is this does not work with lots of home toys like wifi PDAs (unless they have vpn software), wireless appliances like a wifi Squeezebox. This also adds another piece of software to configure for people who want to hop on your network.

My arguement is if the guy can get past WEP, he can get past the MAC filter, so why have the MAC filter? I place the same argument for disabling SSID broadcast. The guy who can defeat the WEP will see your WIFI regardless if you disable SSID, because in order to defeat WEP you must actively sniff the packets.
 
m1abram said:
I cracked my own 128bit WEP key, but it took me about 2 weeks of sniffing the network while having an active 1.4 mbps stream of data for that FULL 2 weeks, hardly normal usage for a home network.
Click to expand...

Not anymore.


WEP can be cracked in less than 10 mins with new techniques and tools, one ex.
http://www.netstumbler.org/showthread.php?t=12489

WEP isn't even a hurdle anymore.
 
Tell your boss to use WPA with preshared key and get rid of the rest. It will be more secure and a lot cheaper to manage.
Click to expand...
I've mentioned this. The response was, "well, the current system seems to work." This is what I'm dealing with - completely misinformed management being educated by an IT guy who just wants to keep billing to add computers to a MAC filter.

FWIW, I also subscribe to this security method at home - enable the SSID, no MAC filter, just a solid p/w and WPA-PSK. Anything else is too much a PITA to be usefull.

Ok heres the deal. Yes MAC filtering will prevent the casual attempt, but so will WEP. If the person is able to defeat WEP, MAC filtering is just a little laugh for said person. So in the end what does MAC filtering give you? It gives you added management nightmares with no added security if already using WEP or WAP.
Click to expand...
I agree. Now how do I convince management? After I had a sitdown with the office manager, who seemed convinced that my reasoning was sound, she called the IT guy. Next day, she's telling everyone to email him their MAC addresses. So he won that round. I feel like I'm talking to a wall - is there anything out there I can show this lady to convince her beyond a doubt that this IT guy is ripping the company off?

Thanks so much for the great replies, it's cool to learn other people's security philosophies.
 
That's actually a great idea.

I think I'll try it next week and see what she says.

Thanks!
 
Before you try and crack it, please get it in WRITING that you have permission to do so.
 
Gee, I can't imagine an IT guy who actually wants to validate a mschine isn't infected and is configured correctly before attaching it to his network. Especially with a shared 11 Mbps network that can be flooded to uselessness by a single infected machine.

It's much more important to have an easy to use network!

Power to the process busting masses!
 
nessus said:
Gee, I can't imagine an IT guy who actually wants to validate a mschine isn't infected and is configured correctly before attaching it to his network. Especially with a shared 11 Mbps network that can be flooded to uselessness by a single infected machine.

It's much more important to have an easy to use network!

Power to the process busting masses!
Click to expand...

You give this guy way too much credit. I watched him put my laptop on, 'Run...->cmd->ipconfig /all->MAC in router table->128bit WEP key -> done. Didn't check to make sure I got an IP or anything. He doesn't care about 'problem systems'. Though this is a good take on this I didn't think of - but I'm 100% sure it's not the case.

Besides - we're a television production company - most our producers use Macs. Not that they don't get infected, I'm just saying...

Thanks for the tip to get permisison BTW. Under most/all circumstances that's exactly what should be done in light of that poor guy getting slaped with a felony for using a wide open AP.

IceWind - Right now I'm thinking: Rogue AP... I'm sick of this too. Mine would be properly secured, and 802.11g at least. Geez... :rolleyes:
 
You must log in or register to reply here.
Back
Top