Blocking a computer from a wireless router.

On a wireless network, is there a way to block a particular computer, or all computers except for a particular computer, from accessing the internet through your router? Password encryption doesn't work for my purpose. I know that you can install packet sniffers on your local computer that access resources requested and sent through your router, so I figure there must be a way to block those requests. I can give more information on request, but I figured I'd keep it as simple as possible unless otherwise necessary.

Any suggestions are much appreciated, and thanks in advance for any help! -Kelie

Reply to
Kelie

Many routers support that. RTFM.

Reply to
Bob Willard

Look through your router configuration for a setting named something like 'MAC address filter'. On mine, when enabled you can allow only listed computers by MAC address, or disallow listed computers. Of course, someone may be able to 'clone' a MAC address - see the lengthy discussion in alt.computer.security named 'change my IP address'.

Stuart

Reply to
Stuart Miller

On Thu, 26 Oct 2006 18:09:17 GMT, "Stuart Miller" wrote in :

MAC address filtering is a pointless waste of time. Only encryption really matters, and only WPA with a strong passphrase is really secure.

Reply to
John Navas


Thanks to both of you for your help. That was just what I was looking for!

Thanks aga

Reply to
Kelie

Actually for what the OP wants to do, and as described by Stuart, MAC filtering/blocking will achieve what the OP wants to do. He wants to block non authorized users. If his system is small enough so the management will not be so time consuming, he can configure his router to allow only certain MAC addresses in.

Reply to
Dana

Please help me here. I don't have a great knowledge of how to break security systems.

Why is filtering a waste of time? It took me less than 10 minutes to set it up here. Why is it pointless? Other than knowing which address to clone, how easy is it to break the filtering algorithm in the router? Brute force attack? 12 hex digits, 2.8 * 10^14 possibilities... How can a total outsider find out which MAC addresses are inside?

Stuart

Reply to
Stuart Miller
[John Navas wrote: ]

The MAC addresses are sent in the clear.

Reply to
Axel Hammerschmidt

Some routers let you do that, you'd have to read the fine manual.

Otherwise you could install proxy server software on a PC that's always on, and point all the other PCs at this for their net access. The proxy would block or allow users as you wanted to.

Reply to
Mark McIntyre

Note that this will block the specified MAC from ANY access via your router, both to the internet and to your WAN.

Reply to
Mark McIntyre

Yes, but using MAC address filtering/blocking is better than doing nothing. Especially if used with say WEP. No it will not block a determined hacker, but it would prevent unauthorized traffic from typical users.

Reply to
Dana

MAC addresses are sent unencrypted. Spoofing a MAC address is trivial with any operating system. There are even programs that do it for you. Were some evil hacker interested in breaking into your network, spoofing a valid MAC address would only require a few minutes of sniffing.


Because it's so easy to spoof a MAC address. Because it doesn't provide much added protection. Because it slows down some cheap routers that have gutless CPUs. Because it's a pain in the posterior having to tweak the router every time a new machine needs to be added to the network. This is a regular event at the end of the skool year, when the students come home to visit from skool, bring their new laptop, and discover that they can't connect to their parents' wireless because some "security expert" has MAC address filtering enabled.

They are not mutually exclusive. It is necessary to know what MAC address is allowed by the filters and to clone these. A few minutes sniffing will usually do the trick.

Sniff with Kismet, Netstumbler, etc...

Reply to
Jeff Liebermann
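An added illustration, not part of any post in this thread, of the point that MAC addresses are sent unencrypted: in an 802.11 data frame the address fields sit in the header ahead of the encrypted body, so an allow-list can only compare a value that is readable by anyone in radio range. The frame bytes, addresses and function names are constructed for this sketch, and the body is opaque filler rather than real ciphertext.

```python
ALLOWED = {"00:11:22:33:44:55"}  # hypothetical allow-list entry (constructed)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(bssid, transmitter, dest, body):
    """Constructed station-to-AP data frame with the Protected bit set."""
    frame_control = bytes([0x08, 0x41])   # type=data; flags: ToDS | Protected
    duration = seq_ctl = b"\x00\x00"
    return (frame_control + duration + mac_bytes(bssid) + mac_bytes(transmitter)
            + mac_bytes(dest) + seq_ctl + body)

def parse_header(frame):
    """Read the cleartext 24-byte header; no key is needed for any of it."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 data header")
    flags = frame[1]
    return {
        "type": (frame[0] >> 2) & 0x3,         # 2 = data
        "protected": bool(flags & 0x40),       # only the body is encrypted
        "receiver": frame[4:10].hex(":"),      # address 1
        "transmitter": frame[10:16].hex(":"),  # address 2, what a MAC filter sees
        "body": frame[24:],
    }

def filter_allows(frame):
    # The filter has nothing to go on except the cleartext transmitter field.
    return parse_header(frame)["transmitter"] in ALLOWED

BSSID, GATEWAY = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
# Opaque bytes stand in for ciphertext; nothing here does real encryption.
LEGIT = build_frame(BSSID, "00:11:22:33:44:55", GATEWAY, bytes(range(16)))
SAME_ADDRESS = build_frame(BSSID, "00:11:22:33:44:55", GATEWAY, bytes(range(16, 32)))
UNLISTED = build_frame(BSSID, "66:77:88:99:aa:bb", GATEWAY, bytes(range(16)))

if __name__ == "__main__":
    for name, frame in [("legit", LEGIT), ("same address", SAME_ADDRESS),
                        ("unlisted", UNLISTED)]:
        hdr = parse_header(frame)
        print(name, hdr["transmitter"], "protected:", hdr["protected"],
              "allowed:", filter_allows(frame))
```

Two frames carrying the same transmitter address get the same decision regardless of which radio sent them, which is why the filter adds no authentication on top of the encryption key.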

And if those workstations want to break it all they have to do is change their MAC address to one of the ones that's allowed access. Granted, this generally won't work if the legit computer is still turned on. But that's why MAC filtering is a lame method for blocking access.

Most SOHO (small office, home office) routers don't have the facilities for selective blocking. What you end up needing to do is block all addresses from using the Internet and force all traffic through a proxy. Users would have to possess a login for the proxy in order to gain internet access. But this is often more than small network setups are prepared to set up and maintain.

Reply to
Bill Kearney

Thanks - I didn't realize they were broadcast unencrypted. Time to tighten up things here.

Stuart

Reply to
Stuart Miller

Yes and no and yes - to your no.

Reply to
Axel Hammerschmidt

Filters can [...] improve network performance by eliminating broadcast/multicast packets from the radio network. The User Guide, CNet Teknologies, CNAP-711.

Reply to
Axel Hammerschmidt

Broadcasts *FROM* the radio network? Yeah, I guess an unconnected client might be the recipient of a few broadcasts *FROM* the radio network. If someone were doing multicast broadcasting, it would be more than a few packets, but this is rather unusual. I guess blocking packets to an unconnected client might reduce wasted packets somewhat. My guess(tm) is that the wasted airtime from an unconnected client is a bigger potential performance hit. There's nothing the access point can do to prevent the unconnected client from spewing broadcasts and management frames while trying unceasingly but failing to connect. No amount of MAC filtering is going to stop the client from trying.

Methinks you'll find that eliminating a few broadcasts doesn't have anywhere near the performance hit as an overloaded CPU trying to deal with a complex rule set. I know of one fairly old router model that would slow down from about 2Mbits/sec TCP thruput to about half that with all 10 MAC filter slots filled. I suspect they only allowed 10 MAC filter rules because it probably would stop dead in its tracks with any more. Today's processors are probably much better at filtering and should have much less of a performance hit.

Reply to
Jeff Liebermann

On Thu, 26 Oct 2006 13:16:22 -0800, "Dana" wrote in :

Not really.

It adds nothing of any real value to WEP, which itself isn't of much value.

It won't even stop a bored teenager.

Reply to
John Navas

Most don't? My common Linksys WRT54G does, and my older equally common Linksys BEFW11S4 also does support blocking by MAC and by IP.

Again I say to the OP: RTFM.

Reply to
Bob Willard
