Linux_Inside V2

How Paranoid are you?


MAC address allow list.

In other words, nothing? :P

 

'sif I'd share with you lot. :P

If it was good enough then you wouldn't mind sharing :P

 

Rob.

 

 

You put in physical addresses to allow, anything not in the list is ban-hammered off the network.

 

Over wifi or wired?

You know how easy it is to steal and spoof a mac address over wifi, right?

 

Who said it'd be unsecured?


Who said it'd be unsecured?

Well, you never said anything about WEP/WPA :P

 

Mac Filtering by itself is more useless than WEP :P

 

Rob.


Even if a wireless network is protected by WPA2, it is still possible to see client MAC addresses. MAC address lists are extremely useless. They might protect you from the occasional curious person, but that is it.

 

If you're after something truly secure, either use a VPN or authpf.


Who said it'd be unsecured?

Well, you never said anything about WEP/WPA :P

 

Mac Filtering by itself is more useless than WEP :P

 

Rob.

 

Any Joe Bloe can check a tickbox enabling a particular form of encryption; it's so basic I don't think it's worth jumping up and down saying "I'm awesome 'cause I use the latest WPA XYZ".

 

Physical address filtering and fake AP and fake client spamming stops auto-leechers looking for public networks.

 

If someone is targeting your AP specifically, the solution isn't to make it more difficult for them, the solution is to stop them from doing it in the first place.


Pretty Basic at home

WPA2-PSK with a pretty long key.

MAC address lock

and SSID hidden.

 

But I have 2 PCs, 1 play and 1 work, and the work one doesn't speak to the internets at home! So it is pretty safe.


Physical address filtering and fake AP and fake client spamming stops auto-leechers looking for public networks.

 

If someone is targeting your AP specifically, the solution isn't to make it more difficult for them, the solution is to stop them from doing it in the first place.

You come up with some rich stuff sometimes.

 

Physical address filtering and fake APs with fake clients? That's security through obscurity.

Kismet will see right past fake clients, especially if you want to be hardcore and go without encryption altogether because you think obfuscation is security.

 

If you've got WPA with a non-dictionary guessable password it IS currently impossible to break unless you've got a few hundred years to brute it.

 

Mac filtering is just a big red flag that says "Hack me, I have no idea what I'm doing!"


MAC filtering is fine with a wired connection; as for wifi, well, no brainer. I have several programs which are designed for wifi security testing, and the amount of info on our airwaves is insane... god bless freedom to snoop!!, hehe


mac filtering is fine with a wired connect, as for wifi well no brainer.

Sorry, I wasn't meaning to imply that MAC Filtering was useless over Wired connections, but it's definitely useless over wifi.


MAC filtering is fine with a wired connection

Noooooooo. It's not.

 

 

Unless you're using a hub, or they have physical access to another machine.

 

As far as I'm aware, two machines on two ports with the same MAC address will cause a switch to not route any traffic at all to that MAC.

I don't use it myself, but at the same time I'm not shelling out a few grand for a managed switch just so I can employ 802.1x


How did they "hack out" your WEP if they already had access?

 

ATM I'm using WPA-PSK encryption, as that's all my router allows.

 

"out" was meant to be "our", typo.

 

And we gave them hard wired access, and after about a week, noticed they were running additional traffic on other machines through the wireless link.

 

If they were using all hard wired or had asked for wireless rather than crack the password and use it of their own accord I wouldn't have cared.


MAC filtering is fine with a wired connection

Noooooooo. It's not.

 

 

Unless you're using a hub, or they have physical access to another machine.

 

As far as I'm aware, two machines on two ports with the same MAC address will cause a switch to not route any traffic at all to that MAC.

I don't use it myself, but at the same time I'm not shelling out a few grand for a managed switch just so I can employ 802.1x

 

I was basically referring to the fact that it can be trivial sometimes to take down a host, and assume their MAC address.


Not much security here.

WEP64 and MAC address filtering - I even broadcast SSID

 

Unfortunately I have a few wireless devices that don't have any (or any reliable) WPA support, and I'd prefer to use them than not use them.

 

Geographically, there's probably only 1 or 2 neighbours who are close enough to the access point to get on there and use the network, and I'm not in an area that's likely to attract a lot of casual seekers.

 

If someone was to get on and steal a little bandwidth, I probably wouldn't know - it's fast enough to share, and I don't use my 25GB allowance.

 

After 18 months I've never noticed any bandwidth missing, it's never caused me to be capped, so if a neighbour IS getting some freebies, good for them - it's not like I was using the bandwidth.

 

If I happened to be within sight of a school/uni/shops where people tend to stop and use laptops etc, then it'd be a different thing and I probably wouldn't use wireless.


I'm so paranoid that I don't even encrypt my wireless :O

And with good reason.

I live on a farm and my closest neighbour is about 3 km up the road. Good luck to them on trying to pick it up!

I just use my D-Link router as a firewall. I connect my net to the WAN port and use a LAN port for one computer and WLAN for my laptop. I haven't even changed the default password on the router. I still have Windows Firewall turned on on both computers however.

 

<.<

 

>.>

 

<.<


I was basically referring to the fact that it can be trivial sometimes to take down a host, and assume their MAC address.

You'd have to unplug said machine from the switch, even a machine that's switched off will still have a link.

Obviously hardware access would have to be prevented.

 

It's not foolproof, but it's less insecure than doing the same over WIFI.


Not very.

 

I implement sufficient security. WPA2 Mixed (will allow WPA1 clients to connect) TKIP+AES. I go for compatibility, with higher security if supported. I don't hide my SSID nor do I implement MAC filtering. I usually use key authentication for SSH, but have password authentication enabled if I need to use it. I mostly use key authentication for ease of use, and don't have a passkey enabled on the private keys on my home computers. If you get into my account, you get into all my accounts :P

 

Ultimately, I consider the fact I'm a small target with nothing of value in the equation. I've got decent enough security that johnny with his wireless laptop won't be able to get in, and there's plenty of unsecured networks nearby that make mine seem less attractive anyway...


Wired network here is fairly open. I don't see any point in going overboard there. Unrecognised PCs are put on a separate IPv4 subnet, but otherwise have access to the whole network. (IPv6 is all one big happy family until I can figure out DHCPv6.)

 

The wireless segment is a different story. Access point is completely open, however, that just places you on the very perimeter of the network. To get beyond the server, you need OpenVPN, and a suitable X.509 private key.

 

The network uses AES256 for encryption of data... good luck cracking it. Your easiest route would be either exposing some vulnerability in OpenVPN's key exchange, guessing a private key, or hacking the server directly.

 

All of this is doable, but it's beyond the average wardriver. Especially since you need to be within ~1km of my home QTH to get in.


I was basically referring to the fact that it can be trivial sometimes to take down a host, and assume their MAC address.

You'd have to unplug said machine from the switch, even a machine that's switched off will still have a link.

Obviously hardware access would have to be prevented.

 

It's not foolproof, but it's less insecure than doing the same over WIFI.

 

Can you expand on this? Provide some examples?

 

I am not aware of any possible secure hardware configuration relying purely on MAC authentication. It is transmitted in cleartext, easy to intercept and spoof, and was never designed with security in mind. If you want to do device authentication you should use 802.1x and RADIUS, not MAC authentication.


My wireless is open. Just in case I need plausible deniability. :P

 

Wireless gets a different IP to wired machines though, and guest access to shared directories is disabled. That's about it. Every now and then I can tell someone's been using it but I'm not that worried. I probably should secure it but I like checking out who's been on there. If I catch them one day I'll be curious to see just how secure their computer is.


Can you expand on this? Provide some examples?

 

I am not aware of any possible secure hardware configuration relying purely on MAC authentication. It is transmitted in cleartext, easy to intercept and spoof, and was never designed with security in mind. If you want to do device authentication you should use 802.1x and RADIUS, not MAC authentication.

If you turn off any modern ATX compliant PC with a +5VSB rail and have a look at the link and act lights, you will find the link light is still on, and the ACT occasionally flickers.

 

As for MAC control:

http://en.wikipedia.org/wiki/Network_switch#Layer_2

 

A Hub would allow you to sniff and spoof, but a Switch doesn't rebroadcast data to all nodes, instead it forwards packets on and identifies nodes by MAC addresses itself.

Since switches don't rebroadcast data to all nodes, it'd be hard to actually sniff and steal a MAC address in a lot of cases.

 

Other than that, how well do you think the switch would handle 2 ports claiming to have the same MAC address?

 

I know it isn't foolproof, and it isn't designed with security in mind. All I'm saying is that it's less useless than MAC filtering on a WIFI network.

I agree that a better implementation would be RADIUS and an 802.1x switch, but as a home user he probably doesn't want to spend $5k on a managed switch and neither do I.


A Hub would allow you to sniff and spoof, but a Switch doesn't rebroadcast data to all nodes, instead it forwards packets on and identifies nodes by MAC addresses itself.

Since switches don't rebroadcast data to all nodes, it'd be hard to actually sniff and steal a MAC address in a lot of cases.

Save for the fact that your average PC is sending out broadcast packets looking for other hosts, looking for and advertising UPnP services, DHCP DISCOVER packets, master browser elections, etc etc. Unlike unicast and multicast packets, these ones do go to every port in the segment.

 

Even on a switched network, it wouldn't be overly difficult to catch whiff of a "valid" MAC address.


A Hub would allow you to sniff and spoof, but a Switch doesn't rebroadcast data to all nodes, instead it forwards packets on and identifies nodes by MAC addresses itself.

Since switches don't rebroadcast data to all nodes, it'd be hard to actually sniff and steal a MAC address in a lot of cases.

Save for the fact that your average PC is sending out broadcast packets looking for other hosts, looking for and advertising UPnP services, DHCP DISCOVER packets, master browser elections, etc etc. Unlike unicast and multicast packets, these ones do go to every port in the segment.

 

Even on a switched network, it wouldn't be overly difficult to catch whiff of a "valid" MAC address.

 

True

 

The real question is how well the switch will route traffic to the host when it's got 2 ports with an active link reporting the same MAC address.

 

I've never really tried it myself, and I don't think it'd route the traffic to both, it might though.


A Hub would allow you to sniff and spoof, but a Switch doesn't rebroadcast data to all nodes, instead it forwards packets on and identifies nodes by MAC addresses itself.

Since switches don't rebroadcast data to all nodes, it'd be hard to actually sniff and steal a MAC address in a lot of cases.

Save for the fact that your average PC is sending out broadcast packets looking for other hosts, looking for and advertising UPnP services, DHCP DISCOVER packets, master browser elections, etc etc. Unlike unicast and multicast packets, these ones do go to every port in the segment.

 

Even on a switched network, it wouldn't be overly difficult to catch whiff of a "valid" MAC address.

 

True

 

The real question is how well the switch will route traffic to the host when it's got 2 ports with an active link reporting the same MAC address.

 

I've never really tried it myself, and I don't think it'd route the traffic to both, it might though.

 

 

No it wouldn't. I am guessing its MAC table would be updated every time a packet came from one of the devices, so as long as only one device was trying to speak, it would have reliable comms. Why would you need to sniff a MAC though? I would doubt your consumer grade switch/router combo would have port security which would enable a proper restriction on the actual MACs allowed on the network. This option on my home router only defines the MACs that the DHCP will serve to. It would take about 20 seconds to discover the network being used, another 30 seconds to pick a random IP and have an educated guess at the gateway. If you get that wrong, a ping sweep would be a basic first step to discovering the correct gateway.

 

If you have a managed switch, disregard the above paragraph, because you would of course have all the unused ports disabled and port security on the active ports.
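The switch behaviour the last few posts speculate about (a learning switch keeps one port per MAC, so a second port presenting the same MAC makes the entry flap to whoever spoke last, and a managed switch's port security is what catches it) can be shown with a small simulation. This is an added example, not code from the thread; the port numbers and MAC addresses are constructed.

```python
from collections import defaultdict


class LearningSwitch:
    """Toy layer-2 learning switch. The forwarding table maps a source MAC to
    the port it was last seen on, so when two ports claim one MAC the entry
    simply flaps to whichever device spoke last (as the thread guesses)."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                   # mac -> port it was last learned on
        self.history = defaultdict(set)   # mac -> every port it has appeared on

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the egress ports for dst."""
        self.table[src] = in_port         # last sender wins
        self.history[src].add(in_port)
        if dst == self.BROADCAST or dst not in self.table:
            # Broadcast and unknown-unicast frames are flooded to every other
            # port; this is why DHCP DISCOVER, ARP, UPnP etc. expose MACs even
            # on a switched LAN.
            return {p for p in self.ports if p != in_port}
        return {self.table[dst]}

    def duplicate_macs(self):
        """Defender-side check: MACs learned on more than one port, which is
        the condition a managed switch's port security / MAC-move alarm flags."""
        return {m: sorted(p) for m, p in self.history.items() if len(p) > 1}


def run_duplicate_mac_scenario():
    """Constructed scenario: gateway on port 3, allowed host on port 1, and a
    second device on port 2 presenting the allowed host's MAC (assumed MACs)."""
    sw = LearningSwitch(ports=[1, 2, 3])
    gw, host = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"
    sw.forward(3, gw, LearningSwitch.BROADCAST)   # gateway ARPs, learned on 3
    sw.forward(1, host, gw)                        # allowed host talks from port 1
    to_host_before = sw.forward(3, gw, host)       # gateway -> host goes to port 1
    sw.forward(2, host, gw)                        # duplicate MAC appears on port 2
    to_host_after = sw.forward(3, gw, host)        # table flapped: now port 2 only
    return to_host_before, to_host_after, sw.duplicate_macs()


if __name__ == "__main__":
    print(run_duplicate_mac_scenario())
```

The allowed host on port 1 silently stops receiving the gateway's traffic once the duplicate speaks, which is the "reliable comms only while one device talks" outcome described above, and `duplicate_macs()` is the kind of MAC-move check a managed switch raises as an alarm.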


This option on my home router only defines the MACs that the DHCP will serve to. It would take about 20 seconds to discover the network being used, another 30 seconds to pick a random IP and have an educated guess at the gateway. If you get that wrong, a ping sweep would be a basic first step to discovering the correct gateway.

 

If you have a managed switch, disregard the above paragraph, because you would of course have all the unused ports disabled and port security on the active ports.

I wouldn't be talking about filtering by MAC on the DHCP server; it'd be a firewall rule.

 

Problem is that it'd only restrict comms to the server rather than the rest of the network.
