Network security, my wireless neighborhood, and MAC exclusion list

BonzaiDuck

I've been experimenting with a 5 GHz-capable laptop wireless NIC and a 5 GHz-capable gigabit router with wireless-N.

I find that the NIC won't communicate at 5 GHz with a router that doesn't enable "dual-band" with simultaneous 2.4 and 5.0. But without another access point, I get a solid 144 Mbps outdoors on one side of the house, and between 65 and 144 Mbps outdoors on the other side of the house. I THINK that's about as good as it gets for 2.4 GHz wireless-N.

This preoccupation compelled me to download and install ViStumbler, to see what other wireless access I find in the neighborhood, what channels they're using -- possible sources of interference. This in turn raised my focus on our own security: This isn't my first "wireless experience" but it is our first-time implementation in a wired gigabit household. Everyone on the street is on 2.4 GHz with wireless-n or wireless-g.

The CISCO E2000 router provides a MAC-address exclusion feature. You can enter MAC addresses for specifically excluding particular devices from any possibility of accessing your LAN through that router, over and above the firewall and password features of connected machines, and over and above the WPA2/Personal encryption.

Will other neighbors "see" my router in their network lists if I add the MAC addresses of their devices to my router's exclusion list? Even if they still see my SSID, isn't this a worthwhile measure to take?
 

Fardringle

Yes, they will still be able to "see" your router name in the available networks. A MAC address filter just tells the router that the specific device with that MAC address isn't allowed to connect to your wireless network. And no, it's not a worthwhile measure to take in most situations. Anyone that truly wants to get into your network is going to know how to spoof a MAC address, bypassing your exclusions list.

Just make sure you have a good password with that WPA2 encryption and you have all of the security that you need (and all that you can get with consumer equipment).
 

BonzaiDuck

Yes, they will still be able to "see" your router name in the available networks. A MAC address filter just tells the router that the specific device with that MAC address isn't allowed to connect to your wireless network. And no, it's not a worthwhile measure to take in most situations. Anyone that truly wants to get into your network is going to know how to spoof a MAC address, bypassing your exclusions list.

Just make sure you have a good password with that WPA2 encryption and you have all of the security that you need (and all that you can get with consumer equipment).

Well, Fardringle -- let me ask another question. If I disable wireless "router administration," what sort of security enhancement does it provide? Suppose someone defeats my password: it would seem they'd only get a "404" screen for trying to access the router's firmware. Isn't that the case?
 

Fardringle

That's a completely different setting, and could be considered a security feature, although not a particularly strong one. It does make it so that other people who are allowed to be on your wireless network normally can't even try to change the settings on the router (so the kids can't mess with things, for example). But honestly an outside attacker with the ability to break a WPA2 password probably won't have any trouble bypassing that restriction either.
 

BonzaiDuck

That's a completely different setting, and could be considered a security feature, although not a particularly strong one. It does make it so that other people who are allowed to be on your wireless network normally can't even try to change the settings on the router (so the kids can't mess with things, for example). But honestly an outside attacker with the ability to break a WPA2 password probably won't have any trouble bypassing that restriction either.

I understand what you're saying there. Of course there's a whole sieve of possibilities I wanted to address.
 

azazel1024

Yes, they will still be able to "see" your router name in the available networks. A MAC address filter just tells the router that the specific device with that MAC address isn't allowed to connect to your wireless network. And no, it's not a worthwhile measure to take in most situations. Anyone that truly wants to get into your network is going to know how to spoof a MAC address, bypassing your exclusions list.

Just make sure you have a good password with that WPA2 encryption and you have all of the security that you need (and all that you can get with consumer equipment).

Pretty much.

MAC exclusion lists (or allow lists really) are only useful in a wired environment where you can't actually snoop on other wired traffic without getting through the switch to begin with. In a wireless environment where you can hear all of the traffic, the MAC address is trivial to get. Cracking the encryption on the other hand is much harder to do with a good WPA2 password.

The only decent options to enhance security beyond that would be setting up the router/AP in standalone mode (i.e., wireless clients can only access the internet, not the LAN ports on the router) and also then possibly extend that to disabling the admin page for wireless clients.

Still and all, for security, you are really just good at WPA2 and a strong password and calling it a day, at least for wireless intrusion. Though, I'd consider disabling WPS as well. It is FULL of vulnerabilities. Don't just not use it, disable it in the admin page.

To extend to wired security, disable UPnP as well. It isn't necessarily a vital feature and it is also often full of security holes.
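
The point made in the thread, that MAC addresses are visible over the air even on a WPA2 network, shown as an added example that is not part of any post above: it parses the header of one constructed 802.11 data frame and reports which fields stay readable while the payload is encrypted. The frame bytes and all MAC addresses are made up for illustration.

```python
import struct

# Constructed sample: one WPA2 (CCMP) data frame sent from a client to its AP.
# All MAC addresses are made up (locally administered 02:... range).
SAMPLE_FRAME = bytes.fromhex(
    "0841"                      # frame control: data, To-DS=1, Protected=1
    "2c00"                      # duration
    "020000aabb01"              # addr1: BSSID (access point)
    "020000ccdd02"              # addr2: transmitting client
    "020000eeff03"              # addr3: final destination
    "1000"                      # sequence control
    "0100002000000000"          # CCMP header (packet number, key id)
    "9f3a6c01d4e2b7705518c3aa"  # stand-in for ciphertext + MIC
)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Return the fields of an 802.11 data frame that are never encrypted."""
    if len(frame) < 24:
        raise ValueError("shorter than the fixed 24-byte 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    addr1, addr2 = frame[4:10], frame[10:16]
    # Optional header fields: addr4 on bridge links, QoS control on QoS data.
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
    if len(frame) < hdr_len:
        raise ValueError("truncated header")
    # Which address belongs to the client depends on the direction bits.
    if to_ds and not from_ds:
        bssid, client = addr1, addr2
    elif from_ds and not to_ds:
        bssid, client = addr2, addr1
    else:
        bssid = client = None  # ad-hoc or bridge link, not covered here
    return {
        "protected": bool(fc & 0x4000),  # payload is encrypted...
        "bssid": fmt_mac(bssid) if bssid else None,     # ...addresses are not
        "client": fmt_mac(client) if client else None,
        "encrypted_body_len": len(frame) - hdr_len,
    }

if __name__ == "__main__":
    print(parse_header(SAMPLE_FRAME))
```

The Protected bit is set and the body is opaque, yet the client and AP addresses come straight out of the header, which is why a MAC list adds nothing on top of WPA2 with a strong passphrase.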