| 1 |
On Thu, Jan 29, 2009 at 12:11 PM, Mark Knecht <markknecht@×××××.com> wrote: |
| 2 |
> On Thu, Jan 29, 2009 at 9:40 AM, Grant <emailgrant@×××××.com> wrote: |
| 3 |
>> My Gentoo router's wireless network is encrypted via WPA and doesn't |
| 4 |
>> DHCP. I'd like to take this a step further in case my WPA key gets |
| 5 |
>> hacked. Can I issue only certain IPs to certain MAC addresses? |
| 6 |
>> |
| 7 |
>> Does WPA2 require hardware support? |
| 8 |
>> |
| 9 |
>> - Grant |
| 10 |
> |
| 11 |
> My LinkSys wireless router supports MAC address filtering. I can add a |
| 12 |
> MAC address to the allowed list and disallow everything else. It works |
| 13 |
> for us so far, until someone manages to somehow find out an allowed |
| 14 |
> MAC address and pretends to be that address. I'll deal with that |
| 15 |
> should it ever happen. Unlikely I think... |
| 16 |
> |
| 17 |
> It is a little extra work adding a new device in as I have to discover |
| 18 |
> its address but that's OK with me. |
| 19 |
> |
| 20 |
> I don't think is typically done in hardware as the specs change and |
| 21 |
> hardware designers are reluctant to put the gates in. More likely it's |
| 22 |
> done in firmware on a router like mine, or software if you're using |
| 23 |
> some Gentoo box to do a job like this. |
| 24 |
|
| 25 |
Well, using kismet to sniff out active MAC addresses of clients and |
| 26 |
access points is dead simple, and MAC spoofing is even easier (emerge |
| 27 |
net-analyzer/macchanger). Obviously trying to use a MAC that's already |
| 28 |
active could result in collisions/IP conflict so the drive-by wifi |
| 29 |
hijackers probably won't get much use of it, but if someone is doing |
| 30 |
an attack on you they can wait for your laptop to be turned off or |
| 31 |
wireless traffic idle, and then hop on that MAC and get in your |
| 32 |
network. Even that should not be a problem if you've got eveything |
| 33 |
else secured (like, if you allow passwordless entry to samba shares |
| 34 |
from local address, and someone gets on your wireless, that could be |
| 35 |
bad unless you put wifi in a different vlan or whatever). I don't have |
| 36 |
mine set up that sophisticated, I am putting my faith in WPA2 being |
| 37 |
strong enough to keep out intruders. I know I should probably be more |
| 38 |
careful but I'm trusting and lazy. :) My internal devices are not |
| 39 |
necessarily protected from each other. |
| 40 |
|
| 41 |
I don't use MAC filtering, but I have the DHCP leases tied to MAC |
| 42 |
addresses; I don't restrict it only to those addresses though. I have |
| 43 |
a range (192.168.0.101-109) for reserved IP addresses, and dynamic |
| 44 |
from 110+. My main desktop has 2 NICs and Wifi, second desktop has 2 |
| 45 |
NICs, Laptop has NIC & Wifi, cell phone has Wifi, land phone is Voip, |
| 46 |
I have a second wireless router set up as a wireless bridge to which |
| 47 |
my Xbox, Xbox 360 & Slingbox are attached, as well as any visitors who |
| 48 |
happen to need to plug in a laptop in my living room. :) I let some of |
| 49 |
my devices get dynamic IPs just because it doesn't matter (vonage, |
| 50 |
slingbox, xbox 360) but the PCs I like to have well-defined addresses. |
Archives