wireless network security


yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

wireless network security

Post by yacahuma »

I have a wired network. I just added a wireless access point for my media room to connect the Wii and a laptop. Why should I bother with WPA or WPA2 setups if I can just filter by MAC address? I add my 2 MAC addresses and that's it. Can someone get into my unsecured network if I block by MAC address?


Thank you
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: wireless network security

Post by VladSun »

1. MAC address spoofing is a very easy task to do (even by kids ;) ).
2. By not using encryption, everyone could sniff the data packets between your PC and AP - that is usernames/passwords, etc.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: wireless network security

Post by alex.barylski »

I knew VladSun would be the one to answer this... :P

Programmer/system administrator extraordinaire.

I never would have guessed a MAC address could be spoofed... I thought it was a physical part of the hardware on a computer, but I guess on a wireless network it's no different than an IP address...

So a MAC address is sent across the wire (or lack of) in a wireless network? Why? What purpose does a MAC address serve? My router assigns each node an internal IP address, that much I understand. My laptop or desktop or other computers simply connect to the wireless network as long as they have the proper password, WEP key, whatever it's called... voila, I'm in.

My wireless network isn't very strong though; I can't even connect from the garage, you almost have to be indoors, even with a range booster in my room.

But anyway... I fail to see how the signature of a MAC card has anything to do with security. Although I am curious as I have a wireless network. :)

Your MAC address is never transmitted (at least not in HTTP), otherwise we would be able to detect actual unique visitors guaranteed, as I understand there are no two MACs the same, unless a manufacturing blip occurs.

How does a wireless network use a MAC address?
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: wireless network security

Post by yacahuma »

When I am connected, my wireless router shows me the MAC address of my laptop and my Nintendo Wii.
I was having trouble with the security since my laptop kept dropping the connection with AES as a cipher; I changed it to TKIP and now, no drops. So I will keep that setting.


Thanks
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: wireless network security

Post by VladSun »

@PCSpectra - IP and MAC address are in different OSI layers: IP is in Layer 3—Network layer and MAC is in Layer 2—Data link layer.

http://en.wikipedia.org/wiki/MAC_address
The following technologies use the MAC-48 identifier format:
Ethernet
802.11 wireless networks

Bluetooth
IEEE 802.5 token ring
most other IEEE 802 networks
FDDI
ATM (switched virtual connections only, as part of an NSAP address)
Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)
You can't obtain the MAC address of a non-LAN user because his packets have already been routed by a router. And routing is done in Layer 3 ;)

MAC address is pseudo-unique - AFAIR, it's made of a manufacturer UID and a serial number. These serial numbers are reused after some time (e.g. 10 years) and there is a possibility (very small indeed) that in one network segment there may be two devices with equal MAC addresses.

MAC address is easy to spoof, because nowadays almost every NIC has its MAC stored in its software/firmware. Even if it's not the case, one can easily spoof his MAC by switching his NIC to promiscuous mode (that is, it will process every packet it receives, even those not matching its MAC) and constructing ARP packets with the spoofed MAC as a source.

:)
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: wireless network security

Post by alex.barylski »

You can't obtain the MAC address of a non-LAN user because his packets have already been routed by a router. And routing is done in Layer 3
That is what I wanted to know, thanks, or was curious about. :)
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: wireless network security

Post by jayshields »

Still, the OP's original suggestion stands. If he only allows a few MAC addresses to connect, then no one else will be able to connect, unless they know which MAC addresses are allowed, and can spoof it.

That said, and as mentioned, unencrypted wireless setups would leave packet sniffing a wide open problem.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: wireless network security

Post by VladSun »

MAC addresses, source and destination, are transmitted in every packet ;)
It's data link layer ;) One just needs to sniff it for a while.
There are 10 types of people in this world, those who understand binary and those who don't
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: wireless network security

Post by jayshields »

VladSun wrote: MAC addresses, source and destination, are transmitted in every packet ;)
It's data link layer ;) One just needs to sniff it for a while.
Well, I didn't know that. I thought only IP addresses were sent in TCP packets.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: wireless network security

Post by VladSun »

MAC is in L2, IP is in L3, TCP is in L4 ;)

Let's have two PCs connected in a single network segment (Ethernet). E.g.:

PC1:

    MAC: 11:11:11:11:11:11
    IP: 192.168.1.10
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.1

PC2:

    MAC: 22:22:22:22:22:22
    IP: 192.168.1.11
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.1

Gateway:

    MAC: 33:33:33:33:33:33
    IP: 192.168.1.1
    Subnet mask: 255.255.255.0

First case:

PC1 wants to establish a TCP/IP connection to 192.168.2.222 - it's not in its subnet, so PC1 doesn't know how to route this packet (i.e. PC1 knows that it is not connected directly to this IP). That's why PC1 must send this packet to the "router" - that is the gateway (GW) 192.168.1.1. But because it's Ethernet, PC1 must know the MAC address of the GW, so it sends an ARP (Address Resolution Protocol) request (broadcast) - "who owns 192.168.1.1?". In a properly working LAN, only the GW responds with "192.168.1.1 is owned by 33:33:33:33:33:33". Now PC1 knows what the MAC address of the GW is and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 33:33:33:33:33:33, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.2.222. The GW makes a routing decision and forwards the TCP/IP packet to another router or to the destination IP if it's in the router's network segment (with its own (the router's) MAC address).

Second case:

PC1 wants to establish a TCP/IP connection to PC2 - it's in its subnet, so PC1 does know how to route this packet (i.e. PC1 knows that it is connected directly to this IP). That's why PC1 must send this packet directly to PC2 - that is 192.168.1.11. But because it's Ethernet, PC1 must know the MAC address of PC2, so it sends an ARP request (broadcast) - "who owns 192.168.1.11?". In a properly working LAN, only PC2 responds with "192.168.1.11 is owned by 22:22:22:22:22:22". Now PC1 knows what the MAC address of PC2 is and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 22:22:22:22:22:22, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.1.11.

You can see that using MAC addresses is the way devices communicate in a network segment. And a PC and an AP communicate in a single network segment.
Last edited by VladSun on Fri Oct 17, 2008 3:27 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
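The two cases VladSun walks through, as an added Python example that is not from the thread: a host decides at Layer 3 whether the destination is on its own subnet or must go via the gateway, resolves the next hop's MAC with ARP, and only then wraps the IP packet in an Ethernet frame. The topology (PC1, PC2, GW and their addresses) is taken from the post with a proper /24 mask; the `SEGMENT` table standing in for ARP replies is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for "who answers an ARP broadcast on this segment":
# on a healthy LAN only the owner of the IP replies with its MAC.
SEGMENT = {
    "192.168.1.10": "11:11:11:11:11:11",  # PC1
    "192.168.1.11": "22:22:22:22:22:22",  # PC2
    "192.168.1.1": "33:33:33:33:33:33",   # gateway
}


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    mask: str
    gateway: Optional[str] = None


def arp_request(ip: str) -> Optional[str]:
    """Broadcast 'who owns <ip>?'; None means nobody on the segment answered."""
    return SEGMENT.get(ip)


def next_hop(host: Host, dst_ip: str) -> Optional[str]:
    """Layer-3 decision: deliver directly if dst is in our subnet, else via GW."""
    net = ipaddress.ip_network(f"{host.ip}/{host.mask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else host.gateway


def build_frame(host: Host, dst_ip: str, arp_cache: dict) -> dict:
    """Layer-2 step: resolve the next hop's MAC, then frame the IP packet.

    Note the Ethernet header carries both MACs in the clear; the inner IP
    addresses never change even when the frame is addressed to the gateway.
    """
    hop = next_hop(host, dst_ip)
    if hop not in arp_cache:
        mac = arp_request(hop)
        if mac is None:
            raise RuntimeError(f"{host.name}: no ARP reply for {hop}")
        arp_cache[hop] = mac
    return {"eth": {"src": host.mac, "dst": arp_cache[hop]},
            "ip": {"src": host.ip, "dst": dst_ip}}


PC1 = Host("PC1", "11:11:11:11:11:11", "192.168.1.10", "255.255.255.0", "192.168.1.1")
```

Running `build_frame(PC1, "192.168.2.222", {})` gives a frame addressed to the gateway's MAC (first case), while `build_frame(PC1, "192.168.1.11", {})` addresses PC2 directly (second case); in both, the AP sees the source MAC in every frame, which is why MAC filtering identifies a device without authenticating it.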
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Re: wireless network security

Post by nickvd »

:teach: :teach: :teach: :teach:

VERY VERY nice write-up... :drunk:
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: wireless network security

Post by jayshields »

Should've worked that out for myself I guess, just never thought about it in that much detail.

Thanks for that anyway, appreciated.
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: wireless network security

Post by yacahuma »

Thank you All.
novice4eva
Forum Contributor
Posts: 327
Joined: Thu Mar 29, 2007 3:48 am
Location: Nepal

Re: wireless network security

Post by novice4eva »

Hats off to VladSun :bow: that was very insightful. If I had understood that in my college days, I would have been able to explain to my boss why I couldn't get my hands on the client's MAC address... :drunk:
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: wireless network security

Post by VladSun »

Hey, thank you all :)
If I had known it would be so helpful for you guys, I would have written it in more detail :)

PS: Grrr, I hate these conditional sentences - have I managed to write it right?
There are 10 types of people in this world, those who understand binary and those who don't