MAC filtering is dismissed as a security measure because MAC addresses can be spoofed.
If there are two devices sharing a MAC address, won't they get the same IP address from the DHCP server? In my experience, when there are two devices with the same IP address on a network, neither of them works.
My query was really directed to why it ISN'T a useful security tool, as long as your WiFi network is turned off when you aren't using it. If you rely on MAC filtering, you would immediately know when someone spoofs your address, since you lose connectivity, and the intruder doesn't get any connectivity either, no?
Absolutely true. So if you rely on MAC filtering for security, it's either having no effect at all (anybody spoofing your MAC is using it while you aren't) or it's preventing you, too, from accessing your network. Not a very useful situation :-)
Networks tend to have more than one computer connected and tend not to be switched off when a single computer is. A hacker could wait until a computer is no longer apparent on his "sniffer" (he will have logged all MAC addresses for that network), spoof that MAC address and access the network. If he just wanted to be bolshy he could operate at the same time as the normal user and deny the service; that could be inconvenient for some users.
MAC filtering can be a useful tool - it prevents non-spoofers accessing your network, and raises the general level of security.
However because there are attacks which can get round this security measure (MAC spoofing) it is unwise to rely on this as your only defence.
Likewise WEP can be broken by a determined attacker with the right software and enough data to analyse. This does not mean that you should not use it; just that you should be aware that it is not foolproof.
For a home network, 128-bit WEP combined with MAC filtering should keep most attackers off your network, especially if your traffic levels are reasonably low.
Unless you are a particularly attractive target (but why?) you are probably safe in the main.
Virtually all security measures can be nullified if the attacker is determined enough and has sufficient resources. You have to measure the likely threat against the level (and cost) of the security measures.
Given the number of wireless networks around with no security at all, why would someone pick on you especially?
What he said. I expect most wireless networks are on 24/7. Half of mine is (the base router down the road is always on, the WDS router in my home isn't).
MAC filtering is a useful _tool_, just not a lot of use for security. If your wireless network gets switched off when not in use, _that's_ a better security system than most people have. You can't hack a system that's not turned on!
It seems silly to dismiss using MAC filtering entirely simply because it can be spoofed. It's another layer, why not use it?
I've experimented with spoofing MACs, just to see the behavior of my DLink stuff. The DHCP servers wouldn't even assign an IP to a connecting device with the same MAC as a device already connected. Behavior probably varies from manufacturer to manufacturer. Play and see what your stuff does.
In the typical home environment, I think some people are way too paranoid that someone is "hiding in their bushes, waiting for the moment for a MAC/IP to become available."
Maybe that's a good analogy. I always leave my car doors unlocked - I don't leave anything valuable in it and if someone wants to break in, I'd rather not have glass all over the place. If I want security, I use real security, rather than security blankets.
It adds another layer of complexity to allowing guest access to your network. Many people don't (want to) know how to add another MAC address to their allowed-clients list, while they can easily handle giving a friend their WPA keyphrase.
Again, if all you're hoping to achieve is to stop the odd stumbler, then enable *any* of the encryption methods available. That'll do it.
The disadvantage is the effort to set it up for no real gain. How about removing one wheel off your car and leaving it next to the hub to prevent people from driving off? (since we're on silly analogies?!)
That's exactly what happened 3 times in the last week or so. The kids are coming home for the holidaze and bringing their skool laptops. Guess what doesn't work without some router configuration? I expect another mess of phone calls as the new laptops bought for Christmas require more router configuration. I also run into problems with SSID hiding. Many wireless clients still don't work well if the router doesn't broadcast the SSID. The default action for XP SP2 WZC client is to go shopping for a "suitable" access point if it doesn't hear one with the right SSID. The common result is connecting to the neighbors instead of their own.
The good news is that I charge for effort. That helps support my decadent and lavish lifestyle. I really like complex security pretzels and obstacle courses.
Well, the best reason I can think of for using it is after you have been 'up' for a while and a friend comes over and wants to use your network. You might forget you have MAC filtering on (on my AP it is on a different display page from other settings) and have added trouble getting him/her connected until the light bulb clicks on and you remember you are using MAC filtering.