wireless network security
Posted: Wed Oct 15, 2008 5:37 pm
by yacahuma
I have a wired network. I just added a wireless access point for my media room to connect the Wii and a laptop. Why should I bother with WPA or WPA2 setups if I can just filter by MAC address? I add my 2 MAC addresses and that's it. Can someone get into my unsecured network if I block by MAC address?
Thank you
Re: wireless network security
Posted: Thu Oct 16, 2008 2:28 am
by VladSun
1. MAC address spoofing is a very easy task to do (even by kids).
2. By not using encryption, everyone could sniff the data packets between your PC and AP - that is username/passwords, etc.
Re: wireless network security
Posted: Thu Oct 16, 2008 5:11 am
by alex.barylski
I knew VladSun would be the one to answer this...
Programmer/system administrator extraordinaire.
I never would have guessed a MAC address could be spoofed...I thought it was a physical part of the hardware on a computer, but I guess on a wireless network it's no different than an IP address...
So a MAC address is sent across the wire (or lack of) in a wireless network? Why? What purpose does a MAC address serve? My router assigns each node an internal IP address, that much I understand. My laptop or desktop or other computers simply connect to the wireless network so long as they have the proper password, WEP key, whatever it's called...voila I'm in.
My wireless network isn't very strong though I can't even connect from the garage, you almost have to be indoors, even with a range booster in my room.
But anyways...I fail to see how the signature of a MAC card has anything to do with security. Although I am curious as I have a wireless network.
Your MAC address is never transmitted (at least not in HTTP) otherwise we would be able to detect actual unique visitors guaranteed, as I understand there are no two MACs the same, unless a manufacturing blip occurs.
How does a wireless network use a MAC address?
Re: wireless network security
Posted: Thu Oct 16, 2008 8:31 am
by yacahuma
When I am connected, my wireless router shows me the MAC address of my laptop and my Nintendo Wii.
I was having trouble with the security since my laptop kept dropping the connection with AES as a cipher. I changed it to TKIP and now, no drops. So I will keep that setting.
Thanks
Re: wireless network security
Posted: Thu Oct 16, 2008 9:03 am
by VladSun
@PCSpectra - IP and MAC address are in different OSI layers: IP is in Layer 3—Network layer and MAC is in Layer 2—Data link layer.
http://en.wikipedia.org/wiki/MAC_address
The following technologies use the MAC-48 identifier format:
Ethernet
802.11 wireless networks
Bluetooth
IEEE 802.5 token ring
most other IEEE 802 networks
FDDI
ATM (switched virtual connections only, as part of an NSAP address)
Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)
You can't obtain the MAC address of a non-LAN user because his packets have already been routed by a router. And routing is done in Layer 3.
MAC address is pseudo unique - AFAIR, it's made of manufacturer UID and a serial number. These serial numbers are reused after some time (e.g. 10 years) and there is a possibility (very small indeed) that in one network segment there may be two devices with equal MAC addresses.
MAC address is easy to spoof, because nowadays almost every NIC has its MAC stored in its software/firmware. Even if that's not the case, one can easily spoof his MAC by switching his NIC to promiscuous mode (that is, it will process every packet it receives, even those not matching its MAC) and constructing ARP packets with the spoofed MAC as a source.

Re: wireless network security
Posted: Thu Oct 16, 2008 2:48 pm
by alex.barylski
VladSun wrote: You can't obtain the MAC address of non LAN user because his packets have been already routed by a router. And routing is done in Layer 3
That is what I wanted to know, thanks, or was curious about.

Re: wireless network security
Posted: Thu Oct 16, 2008 4:08 pm
by jayshields
Still, the OP's original suggestion stands. If he only allows a few MAC addresses to be allowed to connect, then no one else will be able to connect, unless they know which MAC addresses are allowed, and can spoof it.
That said, and as mentioned, unencrypted wireless setups would leave packet sniffing a wide open problem.
Re: wireless network security
Posted: Thu Oct 16, 2008 5:15 pm
by VladSun
MAC addresses, source and destination, are transmitted in every packet.
It's data link layer.
One just needs to sniff it for a while.
Re: wireless network security
Posted: Thu Oct 16, 2008 5:42 pm
by jayshields
VladSun wrote: MAC addresses, source and destination, are transmitted in every packet. It's data link layer. One just needs to sniff it for a while.
Well, I didn't know that. I thought only IP addresses were sent in TCP packets.
Re: wireless network security
Posted: Thu Oct 16, 2008 6:11 pm
by VladSun
MAC is in L2, IP is in L3, TCP is in L4
Let's have two PCs connected in a single network segment (Ethernet). E.g.:
PC1:
MAC: 11:11:11:11:11:11
IP: 192.168.1.10
Subnet mask: 192.168.1.255
Gateway: 192.168.1.1
PC2:
MAC: 22:22:22:22:22:22
IP: 192.168.1.11
Subnet mask: 192.168.1.255
Gateway: 192.168.1.1
Gateway:
MAC: 33:33:33:33:33:33
IP: 192.168.1.1
Subnet mask: 192.168.1.255
First case:
PC1 wants to establish a TCP/IP connection to 192.168.2.222 - it's not in its subnet, so PC1 doesn't know how to route this packet (i.e. PC1 knows that it is not connected directly to this IP). That's why PC1 must send this packet to the "router" - that is the gateway (GW) 192.168.1.1. But because it's Ethernet, PC1 must know the MAC address of GW, so it sends an ARP (Address Resolution Protocol) request (broadcast) - "who owns 192.168.1.1". In a properly working LAN, only the GW responds with "192.168.1.1 is owned by 33:33:33:33:33:33". Now PC1 knows what the MAC address of GW is and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 33:33:33:33:33:33, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.2.222. The GW makes a routing decision and forwards the TCP/IP packet to another router or to the destination IP if it's in the router network segment (with its own (the router) MAC address).
Second case:
PC1 wants to establish a TCP/IP connection to PC2 - it's in its subnet, so PC1 does know how to route this packet (i.e. PC1 knows that it is connected directly to this IP). That's why PC1 must send this packet directly to PC2 - that is 192.168.1.11. But because it's Ethernet, PC1 must know the MAC address of PC2, so it sends an ARP request (broadcast) - "who owns 192.168.1.11". In a properly working LAN, only PC2 responds with "192.168.1.11 is owned by 22:22:22:22:22:22". Now PC1 knows what the MAC address of PC2 is and constructs an Ethernet "packet" with source MAC 11:11:11:11:11:11 and destination MAC 22:22:22:22:22:22, while the TCP/IP packet contained by this Ethernet "packet" has: source 192.168.1.10, destination 192.168.1.11.
You can see that using MAC address is the way devices communicate in a network segment. And a PC and an AP communicate in a single network segment.
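The two cases described in the post above, as an added example that is not part of the original thread: it builds the Ethernet frame PC1 would send in each case and parses it back, showing that the destination MAC is the next hop's while both MACs and both IPs sit unencrypted in the headers. The /24 prefix, the `ARP_REPLIES` table standing in for real ARP, and all function names are assumptions made for the illustration.

```python
import ipaddress
import struct

# Constructed from the hosts in the post; the /24 prefix is an assumption.
NETWORK = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = "192.168.1.1"
# Stand-in for ARP: what each host would answer to "who owns <ip>".
ARP_REPLIES = {
    "192.168.1.10": "11:11:11:11:11:11",  # PC1
    "192.168.1.11": "22:22:22:22:22:22",  # PC2
    "192.168.1.1": "33:33:33:33:33:33",   # gateway
}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def next_hop(dst_ip):
    """On-link destinations are reached directly, all others via the gateway."""
    return dst_ip if ipaddress.ip_address(dst_ip) in NETWORK else GATEWAY_IP

def build_frame(src_ip, dst_ip, payload=b""):
    """Ethernet II header + minimal IPv4 header (checksum left at 0)."""
    dst_mac = ARP_REPLIES[next_hop(dst_ip)]  # MAC of the next hop, not the final host
    eth = mac_bytes(dst_mac) + mac_bytes(ARP_REPLIES[src_ip]) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + payload

def parse_frame(frame):
    """Fields any listener on the segment can read from an unencrypted frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])  # IPv4 header bytes 12..19
    return {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
            "src_ip": str(ipaddress.ip_address(src_ip)),
            "dst_ip": str(ipaddress.ip_address(dst_ip))}

if __name__ == "__main__":
    for dst in ("192.168.2.222", "192.168.1.11"):  # first case, second case
        print(parse_frame(build_frame("192.168.1.10", dst)))
```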
Re: wireless network security
Posted: Thu Oct 16, 2008 11:22 pm
by nickvd
Re: wireless network security
Posted: Fri Oct 17, 2008 7:54 am
by jayshields
Should've worked that out for myself I guess, just never thought about it in that much detail.
Thanks for that anyway, appreciated.
Re: wireless network security
Posted: Fri Oct 17, 2008 8:08 am
by yacahuma
Thank you All.
Re: wireless network security
Posted: Fri Oct 24, 2008 1:49 am
by novice4eva
Hats off to VladSun, that was very insightful. If I had understood that in my college days, I would have been able to explain to my boss why I couldn't get my hands on client's MAC address...

Re: wireless network security
Posted: Fri Oct 24, 2008 6:51 am
by VladSun
Hey, thank you all.
If I had known it would be so helpful for you guys, I would have written it in more detail.
PS: Grrr, I hate these conditional sentences - have I managed to write it right?