I've told my Router my MAC address, do I still need WEP / WPA??


Feneris
12th Jun 2007, 21:27
I've today installed a new broadband router; the old one keeps dropping the internet connection.

I've told it to only connect to the MAC addresses of the 2 laptops I have. I've also password protected the access to the router. All I want is internet on the 2 computers, nothing else.

Do I still need to set up further security?? I'm assuming I only want to protect my broadband from being used by others, but is having it unsecured opening up my laptop to vulnerabilities??

Looking at previous pprune threads, people seem to advocate the MAC address security as an extra option, not the 'only' one. What do you reckon??

Thanks, Simon

Saab Dastard
12th Jun 2007, 22:40
Simon,

It would be very simple to capture the packets on the wifi network without connecting to it. From these - unencrypted - packets the MAC address(es) can be read off. Almost all network cards can have a "soft" MAC address entered to override the hard-coded address.

Given the above, it is therefore trivial for a 3rd party to access your wifi network and connect to it.

WEP (Wired Equivalent Privacy) is a very weak form of encryption (the key is static) and susceptible to brute-force cracking in a matter of minutes.

What you should implement is WPA (Wi-Fi Protected Access), which is a far stronger form of wireless encryption, as the key is dynamically updated.

Of course you can - and should - limit access to known MAC addresses on the basis that you can't have too much security!

You can also limit the IP address range in the DHCP scope on your wifi access point and create reservations for the MAC addresses above.

You could even configure the wifi network to be a smaller subnet than the default, and use a non-standard internal network address instead of the ubiquitous 192.168.0.0 - but you have to fully understand IP networking to do so!

SD

Wader2
13th Jun 2007, 08:34
Simon, the short answer is yes you do.

Download a piece of free software called NETSTUMBLER. Fire this up and it will detect ALL networks within range including your own. It will tell you whether they are secured, it will give the name of the network and the channel they are on. It will also give signal to noise ratio.

I live in a fairly detached house, i.e. not in a modern close community. My nearest neighbours do not have wifi. The nearest possible after that are 60 m or more distant. My own signal does not reach across my house through 4 walls, which just goes to show how you might think you are safe.

Some networks that I have stumbled on have generic or default names like Belkin or Linksys. With names such as these a 'war walker' already has an IN as the Admin feature will probably be left with the default password.

Others actually use the house name or the name of the user. Chuck's for instance would enable more direct targeting and you may even be keener to hack into Chuck's than Joe's.

More legitimately Netstumbler enables you to deconflict from other channels and also try different channels to get the best signal to noise ratio.

IO540
13th Jun 2007, 20:52
Not to disagree with above advice, but let me make a few points:

While a MAC-based whitelist is very insecure, it will keep out at least 99% of casual Joe Publics who get a new laptop home, switch it on, and hey presto "I have free internet!!!" on the back of your service. It also never creates any incompatibility, IME.

I would do WEP (64-bit) in all cases. Yet it's true that a hack was published a couple of years ago, which involves forcing the access point to transmit a huge number of messages and, after a gig or two of data have been emitted, revealing enough data to crack the key. But 99.999% of people won't know how to do this, and why should they bother when they can drive another 20 yards down the road and get a totally open service by parking outside that house?

Beyond WEP, going to the much more secure WPA/PSK, you get compatibility issues. Even today, a lot of kit doesn't work with it. I have had numerous laptops which don't connect unless you reboot them while the access point is active (ok for many people, fair enough). Also anything slightly older won't support WPA so you have to set the access point to the lowest common denominator anyway (WEP). The plot thickens further given that WPA support is normally done within XP and not by the wifi network hardware, but 3rd party wifi cards usually come with their own software....

The final measure, disabling SSID broadcast, is nice (it makes your network invisible to most people) but creates much incompatibility. This requires the SSID and password etc to be preconfigured in the PC (obviously) but a lot of PCs will never find the access point anyway. I have a brand new XP machine right here (a Motion LS800 tablet) which doesn't find it.

Finally, the SSID will be visible to anybody within range, so I choose an SSID which does not reveal my address. I tend to use some filthy phrase ;)

If you have seriously sensitive data then you need to do this properly, and corporate users don't use even WPA/PSK.

Saab Dastard
13th Jun 2007, 22:11
It is very easy to find out all you need to crack WEP - just google "Crack WEP"!!

Even I could do it ;)

SD

Bushfiva
13th Jun 2007, 23:35
I tend to use some filthy phrase

One of the 40+ SSIDs around me is "F... DELL", so that's someone with an unhappy past :}

IO540
14th Jun 2007, 06:07
It is very easy to find out all you need to crack WEP

For an old unix hand like you, certainly :) I stand by what I wrote about most people being unable to do it. What has happened is what I predicted a while ago: some relatively easy to use software tools have appeared just for the job.

The basic point is that unless you are trying to hide something seriously confidential, the objective is to prevent people freeloading off your ADSL connection, and WEP will do that just fine.

To steal something, even if somebody cracked the wifi security, they would then have to gain access to the PCs. Which should not be completely trivial, if you have set up a login+password on each one. In fact it "should" be impossible - remaining windoze back doors aside.

One more thing I forgot to mention in my last post: configure the DHCP client count in the router to the actual number of your PCs. By default it is set to something like 100.

Saab Dastard
14th Jun 2007, 12:15
IO540, I agree - it's deterrence that counts. But the internet does make it very easy for the 0.01% to obtain seriously "useful" tools!

I mentioned the DHCP range, but failed to explicitly state that you should limit it to the number of PCs on your network - I add a small extra, by creating reservations for each PC.

Every little helps...

SD

Feneris
14th Jun 2007, 19:33
Thanks for all the advice above. I'm mainly just trying to stop anyone freeloading on my broadband. I've got XP on 1 laptop, and Vista on the girl next door's, which I'm trying to get to work. My laptop always works. Hers drops the connection every 5 mins. I've now tried WEP, WPA, told router to use 802.11g only and generally fiddled with the settings, to no avail. Her laptop always connects but drops to limited connection, no internet after about 5 mins. Even with her laptop in the same room as the router, the signal is often indicated as 'fair' (compared to excellent on my one) and it still keeps randomly dropping out. Any ideas? (I am going back through pprune threads looking for ideas).

Keef
14th Jun 2007, 19:55
Sounds like a duff WiFi unit in her machine. Do you have a PCMCIA or a USB WiFi unit you can try instead?

Or something wacky in Vista - not a package I've ever dealt with (or ever likely to).

Saab Dastard
14th Jun 2007, 22:14
the girl next door's

It sounds like a good excuse to keep visiting - if you want to! ;) Sure you want to find the solution?

Ensure that only Vista or the wifi card software is trying to manage the connection - or as Keef suggests, try a different wifi adapter.

Uninstall the existing wifi adapter and re-install? Set the router to b and g, see if hers connects at b?

SD

BEagle
15th Jun 2007, 03:58
There isn't some "Disconnect if idle for more than ( ) minutes" option set up on her machine, I suppose?

Were some spotty little geek to 'crack' MAC address limited access to a wireless router, would his MAC show up in the 'client list'?

I only have 3 addresses permitted to access my router - 2 laptops and a Canon i5200R printer. If a geek got in, would I know?
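Added example, not part of any poster's message: a small audit of router client-list snapshots against the permitted MAC list and the DHCP pool size discussed in this thread. The "MAC IP HOSTNAME" layout, the addresses and the hostnames are constructed, and the "same MAC under several hostnames" check is an assumed heuristic, since a copied address appears in the list as the permitted one.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). Each line is one entry from
# a snapshot of the router's client list in a made-up "MAC IP HOSTNAME"
# layout; real routers present this differently.
ALLOWED = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}
SNAPSHOTS = """\
00:11:22:33:44:55 192.168.0.2 laptop-one
00:11:22:33:44:66 192.168.0.3 laptop-two
00:11:22:33:44:77 192.168.0.4 canon-printer
00:11:22:33:44:55 192.168.0.2 other-host
66:77:88:99:AA:BB 192.168.0.6 visitor
"""


def audit(snapshot_text, allowed, pool_size):
    """Return (finding, detail) tuples for client-list entries and pool size."""
    allowed = {mac.lower() for mac in allowed}
    hostnames = defaultdict(set)
    for line in snapshot_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        mac, _ip, host = parts
        hostnames[mac.lower()].add(host.lower())

    findings = []
    for mac in sorted(hostnames):
        if mac not in allowed:
            # A client the whitelist does not know about.
            findings.append(("unknown-mac", mac))
        elif len(hostnames[mac]) > 1:
            # Heuristic only: one permitted MAC reported under several
            # hostnames may mean a second device is using that address.
            findings.append(("mac-multiple-hostnames", mac))
    if pool_size > len(allowed):
        # The DHCP pool offers more addresses than there are known devices.
        findings.append(("dhcp-pool-larger-than-needed", str(pool_size)))
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOTS, ALLOWED, pool_size=100):
        print(finding)
```

A hostname change on a permitted device (for example after a reinstall) triggers the same finding, so treat it as a prompt to look, not as proof.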

Unixman
15th Jun 2007, 06:31
MAC address filtering is a very weak form of protection: the MAC address is transmitted in clear - any scanner can detect it and since it is trivial to change a MAC address (most forms of Unix including Linux come with this ability) you leave yourself wide open. I in fact don't even bother with MAC address filtering but have implemented strong encryption using WPA. Even WEP - which is acknowledged to be crackable - is vastly better than MAC address filtering.

Shunter
17th Jun 2007, 18:54
Third party driver support for Wireless in Vista is a joke. Even top end Cisco gear has the same problem - dropped connections. It's not Vista's fault per se, although I started laughing when it landed on my desk in November and still haven't stopped.

Vendors are rapidly releasing new Vista drivers, so make sure you keep up to date.

Personally I wouldn't put Windoze on my machines if you paid me (well ok, depends how much). Unixman is right, any recent version of Linux can assign the MAC of its choice with a single command. This is regularly abused in wifi hotspots to hijack other people's paid-for airtime.

Saab Dastard
17th Jun 2007, 20:44
it is trivial to change a MAC address (most forms of Unix including Linux come with this ability)

Not that I support Windows particularly, but so can every release of Windows since Win 95 and NT3.0!!!

It's a feature of the card, not the OS.

SD

IO540
18th Jun 2007, 20:25
The best solution must surely depend on what the girl next door is like.