public inbox for gentoo-user@lists.gentoo.org
From: Paul Hartman <paul.hartman+gentoo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Locking down a wireless network
Date: Thu, 29 Jan 2009 14:11:35 -0600
Message-ID: <58965d8a0901291211q466588cdj51a2ae75538e5908@mail.gmail.com>
In-Reply-To: <5bdc1c8b0901291011i488de5a9haee5f369637d861d@mail.gmail.com>

On Thu, Jan 29, 2009 at 12:11 PM, Mark Knecht <markknecht@gmail.com> wrote:
> On Thu, Jan 29, 2009 at 9:40 AM, Grant <emailgrant@gmail.com> wrote:
>> My Gentoo router's wireless network is encrypted via WPA and doesn't
>> DHCP.  I'd like to take this a step further in case my WPA key gets
>> hacked.  Can I issue only certain IPs to certain MAC addresses?
>>
>> Does WPA2 require hardware support?
>>
>> - Grant
>
> My LinkSys wireless router supports MAC address filtering. I can add a
> MAC address to the allowed list and disallow everything else. It works
> for us so far, until someone manages to somehow find out an allowed
> MAC address and pretends to be that address. I'll deal with that
> should it ever happen. Unlikely I think...
>
> It is a little extra work adding a new device in as I have to discover
> its address but that's OK with me.
>
> I don't think it is typically done in hardware as the specs change and
> hardware designers are reluctant to put the gates in. More likely it's
> done in firmware on a router like mine, or software if you're using
> some Gentoo box to do a job like this.

Well, using kismet to sniff out active MAC addresses of clients and
access points is dead simple, and MAC spoofing is even easier (emerge
net-analyzer/macchanger). Obviously trying to use a MAC that's already
active could result in collisions/IP conflict so the drive-by wifi
hijackers probably won't get much use of it, but if someone is doing
an attack on you they can wait for your laptop to be turned off or
wireless traffic idle, and then hop on that MAC and get in your
network. Even that should not be a problem if you've got everything
else secured (like, if you allow passwordless entry to samba shares
from local address, and someone gets on your wireless, that could be
bad unless you put wifi in a different vlan or whatever). I don't have
mine set up that sophisticated, I am putting my faith in WPA2 being
strong enough to keep out intruders. I know I should probably be more
careful but I'm trusting and lazy. :) My internal devices are not
necessarily protected from each other.

I don't use MAC filtering, but I have the DHCP leases tied to MAC
addresses; I don't restrict it only to those addresses though. I have
a range (192.168.0.101-109) for reserved IP addresses, and dynamic
from 110+. My main desktop has 2 NICs and Wifi, second desktop has 2
NICs, Laptop has NIC & Wifi, cell phone has Wifi, land phone is Voip,
I have a second wireless router set up as a wireless bridge to which
my Xbox, Xbox 360 & Slingbox are attached, as well as any visitors who
happen to need to plug in a laptop in my living room. :) I let some of
my devices get dynamic IPs just because it doesn't matter (vonage,
slingbox, xbox 360) but the PCs I like to have well-defined addresses.
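The setup Paul describes (leases tied to MAC addresses, a reserved block at 192.168.0.101-109 and a dynamic pool from .110 up) is only as useful as the checks you run against it, since MAC spoofing defeats filtering alone. The following is an added example, not code from the thread: it audits a dnsmasq-style lease file against a reservation table and flags the cases a defender cares about. The reservation table, the lease lines and the dynamic-range bounds are all constructed sample data, and the file layout assumed is dnsmasq's `<expiry> <mac> <ip> <hostname> <client-id>`.

```python
"""Audit a dnsmasq-style DHCP lease file against a MAC -> IP reservation table.

Added example, not part of the original mailing-list post. Assumes the dnsmasq
lease file layout "<expiry-epoch> <mac> <ip> <hostname> <client-id>", one lease
per line. RESERVATIONS, the dynamic range and SAMPLE_LEASES are constructed.
"""
from collections import defaultdict
import ipaddress

# Constructed reservation table: reserved hosts live in 192.168.0.101-109,
# dynamic clients get 192.168.0.110 and up (mirrors the split in the post).
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.0.101",  # main desktop, wired NIC
    "00:11:22:33:44:02": "192.168.0.102",  # laptop, wifi
}
DYNAMIC_START = ipaddress.IPv4Address("192.168.0.110")
DYNAMIC_END = ipaddress.IPv4Address("192.168.0.200")

# Constructed lease lines in dnsmasq format. The second line shows a reserved
# MAC holding a non-reserved address; the last two show one IP claimed by two
# MACs, the collision/conflict symptom mentioned in the thread.
SAMPLE_LEASES = """\
1233260000 00:11:22:33:44:01 192.168.0.101 desktop 01:00:11:22:33:44:01
1233260000 00:11:22:33:44:02 192.168.0.115 laptop 01:00:11:22:33:44:02
1233260000 aa:bb:cc:dd:ee:ff 192.168.0.111 guest *
1233260000 00:11:22:33:44:99 192.168.0.111 phone *
"""


def parse_leases(text):
    """Return a list of (mac, ip, hostname) tuples; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append((parts[1].lower(), parts[2], parts[3]))
    return leases


def audit_leases(leases, reservations, allow_unknown=True):
    """Compare active leases with policy and return a list of findings.

    Findings are tuples whose first element is a short kind:
      reserved-mac-wrong-ip             a reserved MAC was handed another IP
      unknown-mac                       an unreserved MAC got a lease at all
                                        (only when allow_unknown is False)
      unknown-mac-outside-dynamic-range an unreserved MAC sits in reserved space
      ip-claimed-by-multiple-macs       the same IP appears under two MACs
    """
    findings = []
    macs_by_ip = defaultdict(set)
    for mac, ip, _host in leases:
        macs_by_ip[ip].add(mac)
        expected = reservations.get(mac)
        if expected is not None:
            if expected != ip:
                findings.append(("reserved-mac-wrong-ip", mac, ip))
        elif not allow_unknown:
            findings.append(("unknown-mac", mac, ip))
        elif not DYNAMIC_START <= ipaddress.IPv4Address(ip) <= DYNAMIC_END:
            findings.append(("unknown-mac-outside-dynamic-range", mac, ip))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("ip-claimed-by-multiple-macs", ip, sorted(macs)))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(parse_leases(SAMPLE_LEASES), RESERVATIONS):
        print(*finding)
```

Running it over the sample data reports the laptop's MAC at 192.168.0.115 and the two MACs sharing 192.168.0.111; with `allow_unknown=False` it additionally lists the two unreserved MACs. The obvious limit is the one the thread already hints at: a spoofer who configures a static address and waits for the real device to go quiet never asks the DHCP server for anything, so the lease file shows nothing. Cross-checking the ARP or neighbour table against the same reservation table closes that gap, and keeping the wireless segment on its own VLAN limits what a successful spoof reaches.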




Thread overview: 15+ messages
2009-01-29 17:40 [gentoo-user] Locking down a wireless network Grant
2009-01-29 17:47 ` Dan Cowsill
2009-01-29 17:50 ` Paul Hartman
2009-01-29 20:30   ` Grant
2009-01-29 20:39     ` Saphirus Sage
2009-01-29 20:39   ` Grant
2009-01-29 20:48     ` Saphirus Sage
2009-01-29 20:58     ` Paul Hartman
2009-01-29 21:02       ` Saphirus Sage
2009-01-29 22:15       ` Grant
2009-01-30 16:25       ` Grant
2009-02-03 21:22         ` Paul Hartman
2009-01-29 18:11 ` Mark Knecht
2009-01-29 20:11   ` Paul Hartman [this message]
2009-01-30 22:37 ` Stroller
