On Thu, Jan 29, 2009 at 12:11 PM, Mark Knecht <markknecht@×××××.com> wrote:
> On Thu, Jan 29, 2009 at 9:40 AM, Grant <emailgrant@×××××.com> wrote:
>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>> DHCP. I'd like to take this a step further in case my WPA key gets
>> hacked. Can I issue only certain IPs to certain MAC addresses?
>>
>> Does WPA2 require hardware support?
>>
>> - Grant
>
> My LinkSys wireless router supports MAC address filtering. I can add a
> MAC address to the allowed list and disallow everything else. It works
> for us so far, until someone manages to somehow find out an allowed
> MAC address and pretends to be that address. I'll deal with that
> should it ever happen. Unlikely I think...
>
> It is a little extra work adding a new device in as I have to discover
> its address but that's OK with me.
>
> I don't think this is typically done in hardware as the specs change and
> hardware designers are reluctant to put the gates in. More likely it's
> done in firmware on a router like mine, or software if you're using
> some Gentoo box to do a job like this.

Well, using kismet to sniff out active MAC addresses of clients and
access points is dead simple, and MAC spoofing is even easier (emerge
net-analyzer/macchanger). Obviously trying to use a MAC that's already
active could result in collisions/IP conflicts so the drive-by wifi
hijackers probably won't get much use of it, but if someone is doing
an attack on you they can wait for your laptop to be turned off or
wireless traffic idle, and then hop on that MAC and get in your
network. Even that should not be a problem if you've got everything
else secured (like, if you allow passwordless entry to samba shares
from local addresses, and someone gets on your wireless, that could be
bad unless you put wifi in a different vlan or whatever). I don't have
mine set up that sophisticated, I am putting my faith in WPA2 being
strong enough to keep out intruders. I know I should probably be more
careful but I'm trusting and lazy. :) My internal devices are not
necessarily protected from each other.

I don't use MAC filtering, but I have the DHCP leases tied to MAC
addresses; I don't restrict it only to those addresses though. I have
a range (192.168.0.101-109) for reserved IP addresses, and dynamic
from 110+. My main desktop has 2 NICs and Wifi, second desktop has 2
NICs, Laptop has NIC & Wifi, cell phone has Wifi, land phone is VoIP,
I have a second wireless router set up as a wireless bridge to which
my Xbox, Xbox 360 & Slingbox are attached, as well as any visitors who
happen to need to plug in a laptop in my living room. :) I let some of
my devices get dynamic IPs just because it doesn't matter (Vonage,
Slingbox, Xbox 360) but the PCs I like to have well-defined addresses.
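The layout described in the last paragraph (reserved addresses .101-.109 pinned to MAC addresses, a dynamic pool from .110 up) maps directly onto an ISC dhcpd configuration on a Gentoo router. The fragment below is an added example, not the poster's actual config; the subnet, router address, hostnames and MAC addresses are placeholders. It also shows the stricter variant Grant asked about (only hand out leases to known MACs), which the poster explicitly does not use.

```conf
# Added example: ISC dhcpd.conf for the addressing scheme described above.
# Assumptions: subnet 192.168.0.0/24, router/DNS at 192.168.0.1;
# hostnames and MAC addresses below are placeholders, not real devices.

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
    default-lease-time 600;
    max-lease-time 7200;

    # Dynamic pool: devices without a host entry get an address from .110 up.
    # .101-.109 are deliberately left out of the range so they are only ever
    # handed to the reserved MACs below.
    range 192.168.0.110 192.168.0.200;

    # Stricter variant (Grant's question): refuse leases to any MAC that has
    # no host entry. Commented out to match the poster's setup, which keeps
    # dynamic leases open for visitors.
    # deny unknown-clients;
}

# Reserved addresses tied to MAC addresses (placeholder values).
host desktop-eth0 {
    hardware ethernet 00:11:22:33:44:01;
    fixed-address 192.168.0.101;
}
host desktop-wifi {
    hardware ethernet 00:11:22:33:44:02;
    fixed-address 192.168.0.102;
}
host laptop-wifi {
    hardware ethernet 00:11:22:33:44:03;
    fixed-address 192.168.0.103;
}
```

Whether `deny unknown-clients;` is enabled or not, this is address management rather than access control: as the thread already points out, a client's MAC address is visible on the air and trivially cloned, so a host entry or a filter list only keeps the reserved addresses stable and predictable. Keeping the reserved range disjoint from the dynamic `range` matters for the same reason as the IP-conflict remark above: it prevents the pool from handing a reserved address to a second device while its owner is offline.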