WPA-PSK & MAC Filtering = pretty secure?

[DJFuji]

I've heard that WPA-SPK & MAC filtering makes a wifi network fairly secure. As secure as most home router-based wifi networks are going to get, anyway. That's what I'm using right now, along with a software firewall on each client. Should I be doing this differently?

 

[Rainsford]

Yes, WPA by itself is pretty secure as long as you use a good password for generating the key. Using dictionary words, your name, etc, are all bad because WPA is vulnerable to offline dictionary attacks (which is expected of course). If you have a good password, and especially if you use WPA with AES, that is about as secure as a home wireless network is going to get, which is pretty secure.

Unlike WEP, there is no known shortcut way to crack WPA other than trying to bruteforce every possible password (which can be done off-line with some captured data). With a good password, that becomes very difficult. MAC filtering doesn't help nearly as much since almost all network cards can have their MAC addresses changed through software.

 

[Ogewo]

On the topic of MAC filtering, wouldn't the attacker have to know what MAC to change to in order to gain access to your network? How could they get that information?

 

[ScottMac]

That is correct. MAC filtering is pretty much worthless.

Anyone that'd try to get in has probably already captured data, which includes teh MAC in clear text.

Concentrate on a good WPA-PSK passphrase and you're about as good as it can get (aside from WPA / EAP- (TLS, TTLS, PEAP ...).

FWIW

Scott

 

[TechnoPro]

Isn't MAC address filtering of some worth because it prevents unintentional connections to your wireless network? I'm talking about one of the neighbors connecting to your netowrk and not even knowing about it...

 

[BZeto]

Originally posted by: TechnoPro
Isn't MAC address filtering of some worth because it prevents unintentional connections to your wireless network? I'm talking about one of the neighbors connecting to your netowrk and not even knowing about it...

As long as you dont broadcast the SSID you shouldn't have a problem with that anyway...

 

[InlineFive]

Originally posted by: BZeto

Originally posted by: TechnoPro
Isn't MAC address filtering of some worth because it prevents unintentional connections to your wireless network? I'm talking about one of the neighbors connecting to your netowrk and not even knowing about it...

As long as you dont broadcast the SSID you shouldn't have a problem with that anyway...

Any decent WiFi utility will pick up a network regardless of encryption. I've tried a couple of utilities and they all see mine as "SSID: Not broadcasted, Auth: WPA, Encrypt: AES-CCMP". The exception is the WinXP SP2 WiFi manager which doesn't see it if SSID is not broadcasted.

So it doesn't add anything to security.

 

[tbooth]

I was under the impression that MAC address's were encrypted when using WPA but not when using WEP. Is this not correct?

 

[InlineFive]

Originally posted by: tbooth
I was under the impression that MAC address's were encrypted when using WPA but not when using WEP. Is this not correct?

I thought so also. But I'm not 100% sure.

 

[kwo]

Originally posted by: tbooth
I was under the impression that MAC address's were encrypted when using WPA but not when using WEP. Is this not correct?

I'd also be curious to know... 🙂

 

[VirtualLarry]

Originally posted by: kwo

Originally posted by: tbooth
I was under the impression that MAC address's were encrypted when using WPA but not when using WEP. Is this not correct?

I'd also be curious to know... 🙂

Same here. Also, how does "Shared-Key" Authentication (as opposed to "Open"), fit in with "WPA-PSK"? I can't seem to get "Shared-Key" authentication to work when using WPA-PSK (AES), between a LinkSys WRT54Gv2 and a WUSB54Gv1 (on XP SP1, with WiFi Client util 2.0 and driver 1.0.8.0). I can with WEP128. Also, if I change the "default transmit key" to anything but "1", I can't connect. Even if I change it on both the router and the client.

 

[Boscoh]

EDIT: I actually just read a document talking about wireless encryption at ALL layers, including all headers.

But I still do not think that WPA/2 encrypts the MAC. Unless it is encrypting only certain fields in the header. As far as I know, the entire header is not encrypted, but the data payload of the layer 2 frame is.

 

[mboy]

MAC filtering and disabling SSID are worthless.
Just use WPA with a very good passphrase, not password, but a nice long sentence and mix up letters with characters, etc.

 

[turbojerbo]

Hi, I have just updated my Netgear WGR614 router with the WPA-PSK firmware version. I am now (attempting) running WPA-PSK with AES data encryption. My router has asked me for a passphrase and key lifetime. However, I am feeling a bit on the bleeding edge of technology because My Wireless Network Properties prompts me for a network key, which I cannot locate. Ergo I am unable to connect to my wireless network using WPA-PSK network authentication. Any ideas? Help...

 

[InlineFive]

Originally posted by: mboy
MAC filtering and disabling SSID are worthless.
Just use WPA with a very good passphrase, not password, but a nice long sentence and mix up letters with characters, etc.

I like to use the Winguides Password Generator. I works quite well for generating 63-character keys with a good combination of letters, numbers and other symbols.

Originally posted by: turbojerbo
Hi, I have just updated my Netgear WGR614 router with the WPA-PSK firmware version. I am now (attempting) running WPA-PSK with AES data encryption. My router has asked me for a passphrase and key lifetime. However, I am feeling a bit on the bleeding edge of technology because My Wireless Network Properties prompts me for a network key, which I cannot locate. Ergo I am unable to connect to my wireless network using WPA-PSK network authentication. Any ideas? Help...

You need to keep the same key you setup your router with and use it with all of the clients. If you cannot remember the key make a new one and configure the router to use that one instead.