You are here: MacNN Forums > Enthusiast Zone > Networking > With MAC Address Filtering, Is WPA Unnecessary?

With MAC Address Filtering, Is WPA Unnecessary?
Mac Elite
Join Date: Nov 2003
Location: Rockville, MD
Mar 11, 2004, 09:52 PM
 
I am running a small mixed-wireless-and-wired network encompassing one router and one access point. I have set both to accept signals only from each other's MAC addresses, and everything works fine.

My question is, do I bite the bullet and activate Wireless Protected Access (WPA) or not? It seems to me that my risk is pretty low, and I'm not anxious to incur the slowdowns likely with WPA.
     
Senior User
Join Date: Nov 2002
Mar 12, 2004, 12:31 AM
 
Depends on how sensitive your data is. MAC filtering is pretty safe, but unless you rotate your encryption keys, someone could theoretically use airsnort and eventually crack your encryption. From there, it is not the hardest thing to get a trusted MAC address and spoof it. All of this is very unlikely though, but WPA should eliminate any chance of someone breaking in because the encryption is rotated so frequently.
Happily using a Mac since '89
MacPortable: 16Mhz 1meg/40meg System 6.0.8 - 16lbs Yeah baby!
Powerbook 17" 1.33Ghz 2GB/100GB 8x Superdrive
Powerbook 12" 867Mhz 1.125GB/80GB 2xDVD-R RPC1
MacbookPro 17" 2.33Ghz
     
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Mar 12, 2004, 12:31 AM
 
Originally posted by selowitch:
I am running a small mixed-wireless-and-wired network encompassing one router and one access point. I have set both to accept signals only from each other's MAC addresses, and everything works fine.

My question is, do I bite the bullet and activate Wireless Protected Access (WPA) or not? It seems to me that my risk is pretty low, and I'm not anxious to incur the slowdowns likely with WPA.
From a security standpoint, here's some food for thought. Someone sits near your AP and sniffs the traffic; they can see MAC addresses. They then spoof a MAC to launch an attack against one of your machines on the network.

Even if you are using MAC ACLs, I would always recommend using encryption. Unless you want others to see your data, encrypt.

ndt
Apple iBook, B&W, Quadra 660, PowerMac 6100
Sun Netra T1, Ultra 1, Javastation
http://natetobik.mine.nu:81
     
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Mar 12, 2004, 07:53 AM
 
MAC addresses can always be sniffed as they are sent in the clear. MAC filtering basically serves to protect your network from allowing unauthorized clients into it, but it won't stop them from seeing what's flying around. So if your data is sent in the clear, even with MAC filtering, that data can be retrieved. It is not a means to protect your data transmitted over the air from being "seen." That's what WEP and WPA are for -- general means of protecting/securing your wireless network.
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Mar 12, 2004, 09:56 AM
 
Anyone willing and able to penetrate your WEP encryption would have no trouble penetrating your MAC address filtering.
     
Mac Elite
Join Date: Nov 2003
Location: Rockville, MD
Mar 12, 2004, 10:01 AM
 
Originally posted by car1son:
Anyone willing and able to penetrate your WEP encryption would have no trouble penetrating your MAC address filtering.
I wonder if it would be possible for software of some kind to issue an alert if a second device using a duplicate MAC address joins the network.

*EDIT* Are you listening, developer community members?
(Last edited by selowitch; Mar 12, 2004 at 04:40 PM. )
     
Mac Elite
Join Date: Nov 2003
Location: Rockville, MD
Mar 12, 2004, 10:59 AM
 
Originally posted by selowitch:
I wonder if it would be possible for software of some kind to issue an alert if a second device using a duplicate MAC address joins the network.
Consider this:
Any data I have that is remotely sensitive is that which exists on the wired portion of my network (a Mac and a [groan] PC). The only data that gets transmitted over the air is signals to my printer and signals to and from my Xbox. So maybe WPA is overkill in that scenario.
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Mar 12, 2004, 02:45 PM
 
Consider this :

After I've cracked your WEP encryption, cloned your MAC address, and scried your un-broadcasted SSID, I can join your wireless network. Once I'm in, I'm probably inside your firewall (unless you've gone to the trouble of specifically isolating the wireless portion so it can't access the wired subnet, by installing an SSH bridge, VPN, or additional firewall. There's no magical barrier between wired and wireless unless you put it there.) Then I read your passwords for your FTP, AFP, or SMB file sharing, log on to your systems, and see just how "remotely sensitive" that data is. Or, maybe I just share your Internet connection to swap pirated music with my friends.

Of course, you're probably not worth the trouble (to hack into your Mac or PC). You did ask.
(Last edited by car1son; Mar 12, 2004 at 03:42 PM. )
     
Mac Elite
Join Date: Nov 2003
Location: Rockville, MD
Mar 12, 2004, 02:47 PM
 
Originally posted by car1son:
Consider this :

After I've cracked your WEP encryption, cloned your MAC address, and scried your un-broadcasted SSID, I can join your wireless network. Once I'm in, I'm probably inside your firewall (unless you've gone to the trouble of specifically isolating the wireless portion so it can't access the wired subnet, by installing an SSH bridge, VPN, or additional firewall. There's no magical barrier between wired and wireless unless you put it there.) Then I read your passwords for your FTP, AFP, or SMB file sharing, log on to your systems, and see just how "remotely sensitive" that data is. Or, maybe I just share your Internet connection to download pornography or swap pirated music with my friends.

Of course, you're probably not worth the trouble. You did ask.
Ugh. But I tried enabling WPA-PSK on my router and it slowed me down a lot. *Whine*
(Last edited by selowitch; Mar 12, 2004 at 04:42 PM. )
     
Mac Enthusiast
Join Date: Nov 2001
Location: Arizona
Mar 12, 2004, 03:52 PM
 
I'm just using WEP myself (no WPA on my equipment/software right now). My web browsing, when using anything sensitive, is SSL-encrypted (HTTPS) end-to-end, my personal and company data is on encrypted disk images (more to protect from theft of the laptop than network intruders) and I don't leave servers open inside my LAN.

True, someone sufficiently determined could see what I'm printing, sending to my file server (when it's open), what sites I'm browsing, my personal eMail (business mail is encrypted), or posting on insecure sites such as MacNN's BBS. In short, they'd be bored to tears. I'm not interesting enough to be worth that much effort to hack, and I can't see anyone in range that desperate for free internet access to make the effort to crack the WEP (I'm in a private home, so the number of neighbors is limited and reasonably static.)
(Last edited by car1son; Mar 12, 2004 at 04:00 PM. )
     
Mac Elite
Join Date: Nov 2003
Location: Rockville, MD
Mar 12, 2004, 04:54 PM
 
Originally posted by car1son:
I'm just using WEP myself (no WPA on my equipment/software right now). My web browsing, when using anything sensitive, is SSL-encrypted (HTTPS) end-to-end, my personal and company data is on encrypted disk images (more to protect from theft of the laptop than network intruders) and I don't leave servers open inside my LAN.

True, someone sufficiently determined could see what I'm printing, sending to my file server (when it's open), what sites I'm browsing, my personal eMail (business mail is encrypted), or posting on insecure sites such as MacNN's BBS. In short, they'd be bored to tears. I'm not interesting enough to be worth that much effort to hack, and I can't see anyone in range that desperate for free internet access to make the effort to crack the WEP (I'm in a private home, so the number of neighbors is limited and reasonably static.)
Here's an intriguing wrinkle: My Belkin router and access point each have an option to "Disable ability for Wireless CLIENTS to connect" (this is good when all you're doing is bridging two wired subnets). Until I buy a wireless computer/laptop, this would be a good option.

Of course, I better remember to turn that off when I set up the laptop!
     
Forum Regular
Join Date: Nov 2000
Location: Allentown, PA, USA
Nov 7, 2004, 09:36 PM
 
I'd say WEP and WPA are worthless (well, not completely worthless), but don't even really think that wireless is secure in any way.

For BEST Security practices, at an INSTITUTION this is what should be done.

Use MAC Address filtering - Deters casual internet hijackers...
WEP, WPA? - Nonsense, just turn it off

VPN - Tunnel ALL Traffic via a VPN on your wireless connection - keeps info secure.

Subnet - Subnet the Wireless network into its own network

USE Switches for Wired Network - It will isolate traffic on the ports to only traffic it should be receiving. Generally, it is verrrrrrrry difficult to sniff anything on a completely switched network.

Turn on individual firewalls for ALL computers.

btw - Mac OS X's firewall only deals with tcp traffic, not UDP...

-------------------------------------

For the casual homeuser that wants a good safeguard on security??

- Turn on MAC address filtering

- Use a completely switched network. NO cheapo generic hubs; at the least get a generic SWITCH! The difference between a hub and a switch is that a hub will transmit all data from one port to all the other ports, and a switch will be smarter and not do that.


For example, let's say you have Computer1, Laptop1, Basestation1, and PrintServer1 all connected to your 8-port hub. When Computer1 sends information (i.e., a TCP/IP packet) to Laptop1, then Basestation1 & PrintServer1 will also receive those IP packets.

If all these were connected to the Switch. When Computer1 sends a Packet to Laptop1, only laptop1 will receive that packet. The Basestation and PrintServer will NOT receive that packet.

If you had a HUB when Computer1 sent a packet to Laptop1, then it is likely (I say likely, depending on how smart the basestation/wireless bridge/hub is) that Basestation1 will also receive that packet and usually transmit it wirelessly. Now your wireless traffic is clogged by your wired network.

So, use a switch. Better wired and wireless traffic.

If you're only using your home network for your family, ie {mom, dad, cathy, johnny & mindy} it'd be OK to let everyone be on the same subnet. As in, wired clients and wireless clients can talk to each other directly without going through some router. It's quite unlikely that johnny might want to launch a DOS attack on Mindy cuz she's on the wireless network.

Best thing to remember is that websites, email, anything that doesn't go through a secure port (i.e., HTTPS, encrypted IMAP email, RSA) can be sniffed by someone on the outside. If you're buying something online with a CC number USING HTTPS you'll be OK. If there's no HTTPS, then that CC number can be compromised...

You should turn on the firewall on ALL computers behind the firewall/router. This is because if an intruder does gain access to the wireless network, their way of getting a CC number won't be to sniff the traffic and try to crack RSA. They will most likely try to compromise a Windows machine, then install a keylogger/trojan of some type on the computer and let the trojan do its work by sending sensitive data to them.

Stopping Internet HiJackers

If they have gone through the trouble of spoofing a MAC address and getting into the wireless network, then the way to stop them from hijacking the internet connection is to have fun and DOS them. Just flood ping from two or three Mac OS X machines, but remember, if you do that, the other wireless clients won't be able to use the wireless network..

Ideally, there is an automated way of stopping these hijackers, but if they've come that far, your best bet might be to just turn on WPA/WEP temporarily so they have to crack the network again.

At our school, because of our Layer 3~7 switches all over campus, once the network discovers a spoofed MAC address, that individual Ethernet port is shut down. And any other port they connect to is shut down. Not only that, that spoofed MAC address's corresponding IP (according to the DHCP server) is dynamically firewalled OFF from being able to gain access to anything past its first router (this will prevent wireless clients from getting internet access). But this would be a bit too hardcore to implement in a home setting.

Spoofed MAC addresses can be easily found because every Ethernet card's first packets upon being connected to a switch/hub contain the TRUE MAC address, before the software/driver kicks into spoofing mode. A monitoring system can catch these spoofed addresses, but this is a bit out of hand for typical home users...


-------------------
wrote so much, dunno how organized my thoughts are.. will come back to edit again...
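The duplicate-MAC alert selowitch asks for earlier in the thread, and the monitoring system described in the post above, as an added example that is not from any poster in this thread. It assumes a constructed observation log (DHCP leases and ARP sightings, one per line, with a made-up field layout) and raises an alert when one MAC shows up with more than one IP, more than one DHCP hostname, or behind more than one port/segment, which is what a cloned MAC typically looks like from the network side.

```python
"""Detect a MAC address that appears to be in use by two different devices.

Works over constructed DHCP/ARP observation lines (not real captures).
Field layout, assumed for this example:
    <time> <source> <segment> <mac> <ip> <dhcp-hostname-or-'-'>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 00:11:22:33:44:55 is the printer on wlan0, then the
# same MAC reappears with a new lease/hostname and behind the wired port.
SAMPLE_LOG = """\
10:00:01 dhcp wlan0 00:11:22:33:44:55 192.168.1.20 printer
10:00:05 arp  eth0  00:11:22:33:44:66 192.168.1.10 -
10:00:09 dhcp wlan0 00:11:22:33:44:77 192.168.1.30 xbox
10:02:14 dhcp wlan0 00:11:22:33:44:55 192.168.1.41 laptop-x
10:02:20 arp  wlan0 00:11:22:33:44:55 192.168.1.41 -
10:02:22 arp  wlan0 00:11:22:33:44:55 192.168.1.20 -
10:03:00 arp  eth0  00:11:22:33:44:55 192.168.1.20 -
"""

@dataclass(frozen=True)
class Observation:
    time: str
    source: str    # "dhcp" or "arp"
    segment: str   # switch port / interface the frame arrived on
    mac: str
    ip: str
    hostname: str  # DHCP client hostname, or "-" for ARP sightings

def parse_log(text):
    """Parse observation lines; malformed lines are skipped, not fatal."""
    parsed = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            parsed.append(Observation(*parts))
    return parsed

def find_duplicate_macs(observations):
    """Return (mac, reason, sorted conflicting values) for each anomaly."""
    ips, names, segs = defaultdict(set), defaultdict(set), defaultdict(set)
    for o in observations:
        ips[o.mac].add(o.ip)
        segs[o.mac].add(o.segment)
        if o.hostname != "-":
            names[o.mac].add(o.hostname)
    alerts = []
    for mac in sorted(ips):  # one MAC should map to one IP, name and port
        for reason, seen in (("multiple IPs", ips[mac]),
                             ("multiple DHCP hostnames", names[mac]),
                             ("seen behind multiple segments", segs[mac])):
            if len(seen) > 1:
                alerts.append((mac, reason, sorted(seen)))
    return alerts

if __name__ == "__main__":
    for mac, reason, values in find_duplicate_macs(parse_log(SAMPLE_LOG)):
        print(f"ALERT {mac}: {reason}: {', '.join(values)}")
```

A static printer or console that renews the same lease will never trip these rules, so the alerts are worth acting on (e.g., shutting the port, as the campus setup above does) rather than just logging.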
     
   