What Are Two Valid Weaknesses Of Utilizing Mac Filtering For Controlling Wireless Network Access?10/21/2019
With MAC address filtering a router will first compare a device’s MAC address against an approved list of MAC addresses and only allow a device onto the Wi-Fi network if its MAC address has been specifically approved.
My question refers to the following article on Wikipedia:. The article states: MAC filtering is not effective control in wireless network as attackers can eavesdrop on wireless transmissions. However MAC filtering is more effective in wired networks, since it is more difficult for attackers to identify authorised MACs. The question is: Why would MAC filtering provide additional security in wired networks (opposed to wireless networks)? I am aware of the general flaws of this technique, and know about alternatives. I am only interested in the claimed difference in achieved security. In wireless networks, the signals travel through the air; anybody can listen to them and capture the source MAC address.
Therefore, it's easy for an attacker to find out the white-listed MAC addresses and impersonate them. Think of it this way: A group of friends talking to each others, and they only talk to people they know. When one of them says something, he always says his name in the beginning.
So, for example, Jack says 'Hey, I'm Jack. Today I blah blah blah'. If you happen to pass by them, you can hear one of their names and use it in the beginning of your sentence. They'd think that you're Jack. (Please ignore their ability to see you and recognize your voice). In wired networks (more specifically, switch-wired networks), the signals travel through the wires from the hosts to the switch; it's much more difficult for an attacker to listen to them an capture the source MAC address. Think of it this way: The same situation in the previous example, but instead of talking, the friends are sending each others post-it notes directly, hand-to-hand.
You, as an outsider, have no idea what they're talking about and their names are, so, theoretically, you cannot pretend to be one of them. In short, what makes MAC filtering ineffective is an attacker who knows a valid MAC address. By having a valid MAC address, the attacker is able to impersonate it and 'convince' the server/router/AP that he is the white-listed device. In wireless network it's easier to capture and acquire a valid MAC address than it is in wired netwroks. That's why MAC filtering is less effective in wireless networks than wired networks. Switches, Hubs, and Broadcast In old-style ethernet networks connected with a hub, all packets were broadcast to all stations on the network.
This is also the way wireless networks typically act today. But in order to improve network performance, switches have largely replaced hubs in connection stations together. Once a switch sees a packet originating from one of its physical ports, it makes a note of the sender's MAC address. From that point forward, traffic directed at that MAC address will only be sent down that one single wire, and none of the others.
This connection arrangement dramatically reduces the amount of traffic visible to a surreptitious listener. Instead of seeing all traffic on the network, the listener will only see broadcast traffic and traffic that isn't directed toward a MAC that the switch knows about. Workaround and Additional Problems This doesn't make MAC-spoofing impossible; a user can watch for broadcast frames (such as ARP packets) to see which MACs are allowed on the network. But once the attacker begins to use a stolen MAC, the effect on the switch becomes somewhat unpredictable and typically very unstable.
Since the policy on the switch is only send traffic down the wire from which the MAC address was recently seen, and since two stations are now claiming the same MAC, the behavior of the switch becomes undefined. While different switches handle this situation differently, typically what you'll see is some of the traffic goes to one computer, and some of it goes to the other, depending on which one spoke last. Combine this with the continuity and acknowledgement requirements of TCP, and this makes for a largely unusable connection for both parties. Further Mitigation To make matters even more difficult for an attacker, 'Managed Switches', typically found in higher-end network installations, can use more than just the naive algorithm mentioned above for routing ethernet traffic. Instead of determining MAC address routing by listening, these can be pre-configured by an admin to know were to expect a given MAC address to reside. This means that not only will an attacker have to find a valid MAC address, but he'll also have to plug his device into the same physical plug socket where the valid device was found. Plug your device into any other socket and it just won't work.
![]()
One of the biggest security flaws in a wired network is DHCP. Someone social engineers their way into your building, wanders into an empty conference room or office, and plugs their laptop into the wall. They get an IP automatically, and can exploit anything that may happen to be unsecured on your local network. The best way to combat this is to only assign addresses based on known systems, and the most accepted way of doing that is via Mac address. Getting a valid MAC address off the network is challenging: if you're already on the network, you might be able to sniff one out with NMAP, but then you're stuck, since that address is already claimed. You'd have to find that machine or force it offline to spoof it's MAC, and steal the IP address.
If you're not on the network, then you're forced to try to exploit a local machine, and having done that, why wouldn't you just use that machine? With wireless, you're either dealing with a completely unsecured connection, in which case you don't care what's going on with the computer or the switch, or you're dealing with an encrypted connection which is orders of magnitude more secure than the DHCP/MAC thing.
In either case the MAC address is unimportant.
![]()
Hi, I will be getting the first nintendo DS WiFi enabled game on 11/14. I had configured my home airport extreme network as WPA, Hidden, and limited access to specific MAC IDs. The DS will apparently only support WEP and I'm not sure if I can enter my network name in the DS set up.
I also don't know if the DS has a way to display it's own MAC ID. OK now for the question. Assuming that I am willing to decrease my security to WEP (still an unanswered question in my mind), is there any way to read a MAC ID from the signal the DS puts out, rather than looking it up on the device itself? Thanks in advance for your help and yes, even though I play video games I am over the age of 13! Yes, there is a way to read the MAC ID from the signal the DS puts out - and that is the very reason why MAC address filtering provides no useful security on top of a more effective security protocol like WEP or WPA.
Anyone can run a data packet sniffer on your wireless network, learn all the valid MAC addresses for devices on your network, and clone one of those addresses to the wireless interface of another computer - thus cracking your MAC address filtering security in short order. My suggestion - save yourself a lot of grief and just do away with the MAC access control completely. Same goes for creating a 'hidden network' - anyone can find your so-called 'hidden network' in an instant while cruising your neighborhood using readily available software. Therefore, complicating your life by creating a 'hidden network' isn't worth the bother either. Bottom line - only WEP or WPA will provide any measure of real security for your wireless network.
I'm thinking about getting a DS with wireless too. I have an iBook and no wireless router yet, we may get one after christmas once our 12 month AOL contract is up. AOL + routers + mac + PC =. I'll have airport express, will I be able to use my internet connection on the iBook (through a cable) and then connect via the airport card in my iBook wirelessly?
I don't think the extra cash for the usb dongle that doesn't actually work with macs probablyu is worth it. Or will i have to wait for the router? Hi Henry, Thanks for your information. I know about the weakness of MAC addressing but do it to prevent casual snooping. I may decide to take your advice and remove the MAC requirement, and un-hiding the network. But, JIC, what software would you recommend I use if I want to find out the DS MAC ID? It is unfortunate that nintendo only supports WEP (hopefully 128 at least) rather than WPA.
I'll have to see how much online gaming I do to determine whether to downgrade to WEP full time, or only when I'm gaming. Thanks for the time to provide such as useful answer.
You said that you want to use MAC address filtering to 'prevent casual snooping'. My point is that WEP or WPA security will also prevent casual snooping - but in a far more effective manner. Therefore, why even bother with MAC address filtering?
Anyway - to find out the MAC address of your Nintendo DS, see the advice posted and use. While researching this, I also came across a phenomenal amount of misinformation being passed along about wireless networking in some of the Nintendo DS discussion forums 🙂. Wow, this has been eye opening. I have enough practical knowledge of networking to configure my home set up (airport, vonage router, USB to ethernet bridge for HP all in one printer and two computers), but not enough deep knowledge of security. I have checked out Macstumbler, and that led to trying 3 more programs. Sure enough one of the programs found my hidden network, and named it, another claimed (didn't try it) that it would make a brute force attempt to crack the WPA or WEP security. All this in a few minutes of googling.
BTW, none of the programs so far can see the DS in wireless mode, but, after your information, and what I've seen for myself, I will probably remove the MAC and hidden settings of the network. Thanks again for the time and expertise, Bruce. You all probably know this but the DS MAC address can be looked up on the DS in a matter of seconds opposed to going through this cumbersome scheme of third party software. When I got my copy of Mario Kart I simply looked up the MAC address and added it to the allow list in my filter. As for the USB WiFi adapter, it's almost the same price as a Linksys WRT54G (far better investment) so do your homework before you buy it.
I'm sure someone will figure a work around to make it MAC friendly but a WiFi router is already Mac friendly and useful for more than the Nintendo DS. Apple Footer. This site contains user submitted content, comments and opinions and is for informational purposes only. Apple may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Apple can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |