wireless network security
Moderator: General Moderators
wireless network security
I have a wired network. I just added I wireless access point for my media room to connect the wii and a laptop. Why should I bother with wpa or wpa2 setups if I can just filter by mac address. I add my 2 mac addresses and that it. Can someone get in into my unsecured network if I block by mac address?
Thank you
Thank you
Re: wireless network security
1. MAC address spoofing is a very easy task to do (even by kids
).
2. By not using encryption, everyone could snif the data packets between your PC and AP - that is username/passwords, etc.
2. By not using encryption, everyone could snif the data packets between your PC and AP - that is username/passwords, etc.
There are 10 types of people in this world, those who understand binary and those who don't
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: wireless network security
I knew VladSun would be the one to answer this... 
Programmer/system administrator extraordinaire.
I never would have guessed a Mac address could be spoofed...I thought it was a physical part of hte hardware on a computer, but i guess on a wireless network it's no different than an IP address...
So a Mac address is sent across the wire (or lack of) in a wireless network? Why? What purpose does an Mac address serve? My router assigns each node a internal IP address, that much I understand. My laptop or desktop or other computers simple connect to the wireless network as so long as they have the proper password WEP key whatever it's called...voila I'm in.
My wireless network isn't very strong though I can't even connect from the garage, you almost have to be indoors, even with a range booster in my room.
But anyways...I fail to see how the signature of a Mac card has anything to do with security. Altough I am curious as I have a wireless network.
You Mac address is never trasmitted (at least not in HTTP) otherwise we would be able to detect actual unique visitors guarnateed, as I understand there are no two Mac's the same, unless a manufacturing blip occurs.
How does a wireless network use a Mac address?
Programmer/system administrator extraordinaire.
I never would have guessed a Mac address could be spoofed...I thought it was a physical part of hte hardware on a computer, but i guess on a wireless network it's no different than an IP address...
So a Mac address is sent across the wire (or lack of) in a wireless network? Why? What purpose does an Mac address serve? My router assigns each node a internal IP address, that much I understand. My laptop or desktop or other computers simple connect to the wireless network as so long as they have the proper password WEP key whatever it's called...voila I'm in.
My wireless network isn't very strong though I can't even connect from the garage, you almost have to be indoors, even with a range booster in my room.
But anyways...I fail to see how the signature of a Mac card has anything to do with security. Altough I am curious as I have a wireless network.
You Mac address is never trasmitted (at least not in HTTP) otherwise we would be able to detect actual unique visitors guarnateed, as I understand there are no two Mac's the same, unless a manufacturing blip occurs.
How does a wireless network use a Mac address?
Re: wireless network security
When I am connected, My wireless router show me the mac address of my laptop and my nintendo wii.
I was having trouble with the security since my laptop kept dropping the connection with AES as a cypher, I changed it to tkip and now , no drops. So I will keep that setting.
Thanks
I was having trouble with the security since my laptop kept dropping the connection with AES as a cypher, I changed it to tkip and now , no drops. So I will keep that setting.
Thanks
Re: wireless network security
@PCSpectra - IP and MAC address are in different OSI layers: IP is in Layer 3—Network layer and MAC is in Layer 2—Data link layer.
http://en.wikipedia.org/wiki/MAC_address
MAC address is pseudo unique - AFAIR, it's made of manufacturer UID and a serial number. These serial numbers are reused after some time (e.g. 10 years) and there is a possibility (very small indeed) that in one network segment there may be two devices with equal MAC addresses.
MAC address is easy to spoof, because nowadays almost every NIC has its MAC stored in its software/firmware. Even, if it's not the case one can easily spoof his MAC by switching his NIC to promiscuous mode (that is, it will process every packet it receives even those not matching its MAC) and constructing ARP packets with the spoofed MAC as a source.

http://en.wikipedia.org/wiki/MAC_address
You can't obtain the MAC address of non LAN user because his packets have been already routed by a router. And routing is done in Layer 3The following technologies use the MAC-48 identifier format:
Ethernet
802.11 wireless networks
Bluetooth
IEEE 802.5 token ring
most other IEEE 802 networks
FDDI
ATM (switched virtual connections only, as part of an NSAP address)
Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)
MAC address is pseudo unique - AFAIR, it's made of manufacturer UID and a serial number. These serial numbers are reused after some time (e.g. 10 years) and there is a possibility (very small indeed) that in one network segment there may be two devices with equal MAC addresses.
MAC address is easy to spoof, because nowadays almost every NIC has its MAC stored in its software/firmware. Even, if it's not the case one can easily spoof his MAC by switching his NIC to promiscuous mode (that is, it will process every packet it receives even those not matching its MAC) and constructing ARP packets with the spoofed MAC as a source.
There are 10 types of people in this world, those who understand binary and those who don't
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: wireless network security
That is what I wanted to know thanks or was curious about.You can't obtain the MAC address of non LAN user because his packets have been already routed by a router. And routing is done in Layer 3
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: wireless network security
Still, the OPs original suggestion stands. If he only allows a few MAC addresses to be allowed to connect, then no one else will be able to connect, unless they know which MAC addresses are allowed, and can spoof it.
That said, and as mentioned, unencrypted wireless set ups would leave packet sniffing a wide open problem.
That said, and as mentioned, unencrypted wireless set ups would leave packet sniffing a wide open problem.
Re: wireless network security
MAC addresses, source and destination, are transmited in every packet 
It's data link layer
One just need to sniff it for a while.
It's data link layer
There are 10 types of people in this world, those who understand binary and those who don't
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: wireless network security
Well, I didn't know that. I thought only IP addresses were sent in TCP packets.VladSun wrote:MAC addresses, source and destination, are transmited in every packet
It's data link layerOne just need to sniff it for a while.
Re: wireless network security
MAC is in L2, IP is in L3, TCP is in L4 
Let's have two PCs in connected in a single network segment (Ethernet). E.g.:
PC1:
PC2:
Gateway:
First case:
The PC1 want to establish TCP/IP connection to 192.168.2.222 - it's not in its subnet, so PC1 doesn't know how to route this packet (i.e. PC1 know that it is not connected directly to this IP). That's why PC1 must send this packet to the "router" - that is the gateway (GW) 192.168.1.1. But because it's Ethernet, PC1 must know the MAC address of GW, so it sends an ARP (Address Resolution Protocol) request (broadcast) - "who owns 192.168.1.1". In a properly working LAN, only the GW responds with "192.168.1.1 is owned by 33:33:33:33:33:33". Now PC1 know whats the MAC address of GW and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 33:33:33:33:33:33, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.2.222. The GW makes a routing decision and forwards the TCP/IP packet to another router or to the destination IP if it's in the router network segment (with its own (the router) MAC address).
Second case:
The PC1 want to establish TCP/IP connection to PC2 - it's in its subnet, so PC1 does know how to route this packet (i.e. PC1 knows that it is connected directly to this IP). That's why PC1 must send this packet directly to PC2 - that is 192.168.1.11. But because it's Ethernet, PC1 must know the MAC address of PC2, so it sends an ARP request (broadcast) - "who owns 192.168.1.11". In a properly working LAN, only the PC2 responds with "192.168.1.11 is owned by 22:22:22:22:22:22". Now PC1 know whats the MAC address of PC2 and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 22:22:22:22:22:22, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.1.11.
You can see that using MAC address is the way devices communicate in a network segment. And a PC and an AP communicate in a single network segment.
Let's have two PCs in connected in a single network segment (Ethernet). E.g.:
PC1:
Code: Select all
MAC: 11:11:11:11:11:11
IP: 192.168.1.10
Subnet mask: 192.168.1.255
Gateway: 192.168.1.1Code: Select all
MAC: 22:22:22:22:22:22
IP: 192.168.1.11
Subnet mask: 192.168.1.255
Gateway: 192.168.1.1Code: Select all
MAC: 33:33:33:33:33:33
IP: 192.168.1.1
Subnet mask: 192.168.1.255The PC1 want to establish TCP/IP connection to 192.168.2.222 - it's not in its subnet, so PC1 doesn't know how to route this packet (i.e. PC1 know that it is not connected directly to this IP). That's why PC1 must send this packet to the "router" - that is the gateway (GW) 192.168.1.1. But because it's Ethernet, PC1 must know the MAC address of GW, so it sends an ARP (Address Resolution Protocol) request (broadcast) - "who owns 192.168.1.1". In a properly working LAN, only the GW responds with "192.168.1.1 is owned by 33:33:33:33:33:33". Now PC1 know whats the MAC address of GW and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 33:33:33:33:33:33, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.2.222. The GW makes a routing decision and forwards the TCP/IP packet to another router or to the destination IP if it's in the router network segment (with its own (the router) MAC address).
Second case:
The PC1 want to establish TCP/IP connection to PC2 - it's in its subnet, so PC1 does know how to route this packet (i.e. PC1 knows that it is connected directly to this IP). That's why PC1 must send this packet directly to PC2 - that is 192.168.1.11. But because it's Ethernet, PC1 must know the MAC address of PC2, so it sends an ARP request (broadcast) - "who owns 192.168.1.11". In a properly working LAN, only the PC2 responds with "192.168.1.11 is owned by 22:22:22:22:22:22". Now PC1 know whats the MAC address of PC2 and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 22:22:22:22:22:22, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.1.11.
You can see that using MAC address is the way devices communicate in a network segment. And a PC and an AP communicate in a single network segment.
Last edited by VladSun on Fri Oct 17, 2008 3:27 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
-
nickvd
- DevNet Resident
- Posts: 1027
- Joined: Thu Mar 10, 2005 5:27 pm
- Location: Southern Ontario
- Contact:
Re: wireless network security
VERY VERY nice write up...
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: wireless network security
Should've worked that out for myself I guess, just never thought about it in that much detail.
Thanks for that anyway, appreciated.
Thanks for that anyway, appreciated.
Re: wireless network security
Thank you All.
- novice4eva
- Forum Contributor
- Posts: 327
- Joined: Thu Mar 29, 2007 3:48 am
- Location: Nepal
Re: wireless network security
Hats off to vladsun
that was very insightful. If i had understood that in my college days, i would have been able to explain to my boss why i couldn't get my hands on client's MAC address... 
Re: wireless network security
Hey, thank you all 
If I had known it would be so helpful for you guys, I would have written it in more details
PS: Grrr, I hate these conditional sentences - have I managed to write it right?
If I had known it would be so helpful for you guys, I would have written it in more details
PS: Grrr, I hate these conditional sentences - have I managed to write it right?
There are 10 types of people in this world, those who understand binary and those who don't