[MLB-WIRELESS] MAC security - how good is it?
Nath P
nathp at optushome.com.au
Wed Feb 12 09:34:42 EST 2003
"In regards to Mac filtering I recommend it all the time... Now, correct me if I
am wrong, this is just an idea I was pondering last night, spoofing Mac
addresses only affects the application layer and cannot change the Address in
the Mac layer of the OSI model. So, if the access point drilled down to the Mac
layer for the real address, you would be safe? I have not bounced this off our
tech guys, so forgive me if it sounds foolish."
that was what i was thinking too, but there are (wired) network cards around with programmable macs.
so the conclusion i'm getting from all these replies is that mac is only to stop the most casual interference. fair enough.
is there any major drawbacks to using something like freeSwan? does it take a big speed hit or just a little one like 5% or something?
thanks, Nathan
----- Original Message -----
From: Michael_Florence at dlink.com.au
To: melbwireless at wireless.org.au
Sent: Wednesday, February 12, 2003 8:47 AM
Subject: Re: [MLB-WIRELESS] MAC security - how good is it?
Nath,
Use a number of built in and non built in security measures.
My analogy is that of a car, it has door locks, alarm, engine immobiliser, fuel
tap, secret switch, you may have a club lock etc. By themselves, these offer
little protection, however a combination will ensure that the thief (hacker)
goes elsewhere. However, depending on what you use, the more you put on may slow
your network considerably.
* Using something like Airsnort will take forever to sniff enough packets.
Airsnort report in their FAQ that for 128 bit encryption, to hack a wireless
network of 4 people who surf the web constantly all day will take between 10 &
33 days. Sure, once it has the "interesting packets" it can crack it in seconds,
however it needs the packets first and this takes time. Devices with 256 bit
encryption are available from D-Link.
* Use D-Link AirPlus products that have PBCC modulation. As far as I know there
is no software that can sniff this modulation scheme And it's 22MB.
* Use an AP with Authentication. The D-Link DWL-1000AP+ has Radius
authentication support. (another plug for D-Link)
* Run IPSEC across the WLAN (not recomended to use with WEP because of speed.
Use one or the other). Should be close to bulletproof.
* Create policies on your network so no-one adds rogue access points without
your configuration.
In regards to Mac filtering I recommend it all the time... Now, correct me if I
am wrong, this is just an idea I was pondering last night, spoofing Mac
addresses only affects the application layer and cannot change the Address in
the Mac layer of the OSI model. So, if the access point drilled down to the Mac
layer for the real address, you would be safe? I have not bounced this off our
tech guys, so forgive me if it sounds foolish.
-Michael Florence
"Nath P" <nathp at optushome.com.au> on 11/02/2003 07:26:11 PM
To: "'melbwireless'" <melbwireless at wireless.org.au>
cc: (bcc: Michael Florence/Sales/DLINK-AUST)
Subject: [MLB-WIRELESS] MAC security - how good is it?
Hey everyone,
I was wondering, how good is mac security by itself with no other security?
thanks,
Nathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wireless.org.au/pipermail/melbwireless/attachments/20030212/36e4bfb3/attachment.html>
More information about the Melbwireless
mailing list