hi,
just wondering if i can get by on mac address filtering without going through wep or wpa(2)
-
blue68f100 Notebook Virtuoso
NO.
You need WPA at a minimum. -
I use WPA2 + AES, with a 20 character key.
I also use the DHCP server set to a maximum of 3 IP addresses, all assigned by MAC address to each of my PCs.
If someone manages to break the encryption (no chance in hell), they still can't get assigned an IP because there aren't any left. -
MAC filtering is only good as an addition to WPA/WEP, and really only keeps people who have no idea how wireless works out.
But for anybody that knows what they are doing, your network will be accessible in less than a minute.
The only reason to not use WPA is limitations with older hardware, and your lappy should have a more than adequate card.
Edit; Soulburner, after viewing your avatar, I'm not using your bathroom. -
Sure go right ahead and anyone will jump all over your network...just follow SoulBurner's advice.
-
x2 on what modly said about soulburner's bathroom
and x2 on what soulburner said.
to explain a little further, i may or may not have some software on my laptop that will scan any host (i.e. computers or routers) and tell me just about everything i would want to know. the point is that anyone that knows a thing or two can see that you are filtering by macs and modify the mac of their NIC. WPA at a minimum, but soulburner's advice is pretty good. that kind of encryption would be too much trouble to mess with...especially if you just hit a dead end after you break it...
EDIT: WEP is pretty worthless...if your router does WPA, go with that. WEP can be cracked with a graphing calculator... -
-
lol maybe you should break it open and add a wifi card! not really...just makin a point
-
fendereff, that's an awesome shirt
Tell me if my thinking on this is right though. Since my DHCP can only assign 3 IPs (I have it set by a range, .101 to .103), and they are already taken, doesn't that mean that no one can connect to my network since the router will not assign them an IP? Or are there ways around that? -
I think you are right, but there might be a way to get around it if the user manually configures the IP.
I think that would depend on the router. -
blue68f100 Notebook Virtuoso
I think you can get by it by using a static IP if you had the security key. I know on a wired network you have both as long as you know the gateway and DNS servers. But with some routers the MAC filter only applies to DHCP clients.
-
Soulburner, giving the DHCP server a range such as you have helps but it's not foolproof...well maybe it's foolproof but not geek proof. If I had the time and diligence to get past the encryption, I could give my computer a static IP causing an IP address conflict with one of your other computers (assuming I knew the range you allowed). From here, I would not have any internet access, but I think I would be able to try to log in to the router and could use one of my handy password "recovery" tools to get in to the router and add another IP or block your MAC(s) and change the login info or whatever and get internet that way. I think it just adds to the hassle in the same way MAC filtering does. Your biggest and most effective deterrent is the encryption.
-
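Added example, not part of the original thread: a defender-side check for the static-IP workaround discussed in the posts above, comparing `ip neigh` output against the DHCP reservations to spot hosts that never received a lease. The subnet, MAC addresses and sample output are constructed; only the .101 to .103 range comes from the thread.

```python
import re

# Assumed DHCP reservations (MAC -> IP). The .101-.103 range is from the thread;
# the 192.168.1.0/24 subnet and the MAC addresses are constructed.
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.1.101",
    "aa:bb:cc:00:00:02": "192.168.1.102",
    "aa:bb:cc:00:00:03": "192.168.1.103",
}

# Constructed sample in the format printed by `ip neigh` on a Linux router or LAN host.
SAMPLE_NEIGH = """\
192.168.1.101 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.102 dev wlan0 lladdr AA:BB:CC:00:00:02 STALE
192.168.1.150 dev wlan0 lladdr de:ad:be:ef:00:09 REACHABLE
192.168.1.103 dev wlan0 lladdr de:ad:be:ef:00:09 STALE
192.168.1.103 dev wlan0 lladdr aa:bb:cc:00:00:03 REACHABLE
192.168.1.1 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return (ip, mac) pairs; entries without a resolved MAC are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit(pairs, reservations):
    """Flag hosts that are on the LAN without matching a DHCP reservation."""
    findings = []
    macs_by_ip = {}
    for ip, mac in pairs:
        macs_by_ip.setdefault(ip, set()).add(mac)
        if mac not in reservations:
            findings.append(("unreserved-mac", ip, mac))    # no reservation, so no lease
        elif reservations[mac] != ip:
            findings.append(("wrong-ip-for-mac", ip, mac))  # known MAC on a static IP
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:                                   # two MACs answering for one IP
            findings.append(("ip-conflict", ip, ",".join(sorted(macs))))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_neigh(SAMPLE_NEIGH), RESERVATIONS):
        print(*finding)
```

A client that presents both a reserved MAC and that MAC's reserved IP is indistinguishable from the real device in this check, so it complements WPA/WPA2 rather than replacing it.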
blue68f100 Notebook Virtuoso
If you're NOT going to use encryption, DO NOT SEND ANY PASSWORDS. ALL WILL BE IN THE CLEAR. Unless you want the bad guys to do your banking for you. You might as well give them a blank check or make a sign for your front door for everyone to know.
-
that is true unless you are using SSL or TLS. You can set up mail clients to use SSL or TLS to encrypt that instead of using clear text passwords. Also, some https:// sites are secure, though it depends on what tools the "bad guys" are using to watch. On my own network, certain packet capturing tools let me see passwords sent over https sites though I have yet to succeed in getting passwords sent that were encrypted via SSL or TLS though I have been able to cause a variety of SSL errors resulting in authentication failure. Long story short...encrypted SSID is the way to go [at least WPA], MAC filtering helps some, limiting the DHCP range helps too, making sure that you are using https, SSL, TLS, and whatever other forms of encryption make you happy is the way to go. Never hurts to be too safe. When I am at coffee shops or what have you with my notebook, I never do anything that is not encrypted. And I never do bank or anything linked to my money anywhere but at home or on a connection that I know is even more secure.
I don't really take network privacy/security lightly...
Securing my new Network - Is mac address filtering enough?
Discussion in 'Networking and Wireless' started by Asmodan, Dec 20, 2007.