
I use a Netgear wireless router, with various wireless devices connecting to it. One of my wireless devices doesn't support WPA2 security, so I had to downgrade the security on the router to WEP.

We all know WEP is broken, so as an added measure I enabled a wireless access list on the router so that only devices with specified MAC addresses which are in my access list are permitted to connect to the router.

I know it is possible to spoof a MAC address from a device for the purposes of accessing a secure network like this. But is it easy? Is using WEP and a wireless access list good enough to prevent most hacking attacks? Or should I do whatever I can to ensure all devices support WPA2 in the future?

6 Answers

14

No.

WEP is trivial to break. MAC addresses aren't secure. They can be trivially spoofed. Take a look at The six dumbest ways to secure a wireless LAN:

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not.

cletus
  • But how easy is it for a hacker to find out what MAC addresses are in the access list on a router, so they know what address to spoof? – LeopardSkinPillBoxHat May 01 '09 at 12:33
  • 6
    You can easily read it when the network is used so it's only secure so long as no one actually uses your network. – cletus May 01 '09 at 12:35
  • Airsnort can get you both the MAC and the WEP pretty quickly, from what I've read/heard. – Andy May May 01 '09 at 12:36
  • @LeopardSkinPillBoxHat: The hacker just needs to look for frames originating from the router. Anything that the router is responding to logically must be a permitted client. – Murali Suriar May 01 '09 at 12:42
  • The next step to this question then is what is an adequate way to secure a wireless network? – Mykroft May 01 '09 at 13:35
  • For someone to spoof the MAC, they need to observe traffic from an intermittently connected client, right? They'll need to be around when the client is active (to snoop). But if they use it then, you'll have a collision, detectable at both your router and your legit client. So they'd have to wait until your client is gone. – Matt G May 22 '09 at 23:56
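The comments above say the allowed MACs can simply be read off the air, and that anything the router sends a unicast data frame to must be a permitted client. The following is an added example, not part of cletus's answer or anything posted on this page: it parses constructed 802.11 data-frame headers the way a passive sniffer in monitor mode would see them, harvests the MACs the access point is exchanging data with, and then shows that a forged uplink frame carrying one of those MACs passes a router-style allow-list check while the attacker's own MAC does not. Every address, the BSSID and the captured frames are made up for the example; on Linux the actual spoof is nothing more than `ip link set dev wlan0 address <harvested MAC>` on the attacker's interface.

```python
"""
Added example: why a MAC allow list on a WEP network is not a barrier.
Parses 802.11 data-frame MAC headers, recovers the stations the AP talks to,
and checks a forged frame against the router's allow list.
All MAC addresses and frames below are constructed for the example.
"""
import struct

# Frame Control flag bits (byte 1 of the 2-byte Frame Control field)
TO_DS = 0x01
FROM_DS = 0x02
DATA_FRAME_TYPE = 2  # type field value for data frames


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def is_unicast(mac: str) -> bool:
    # I/G bit: least-significant bit of the first octet set => group address
    return (int(mac.split(":")[0], 16) & 1) == 0


def build_data_frame(to_ds: bool, from_ds: bool, addr1: str, addr2: str, addr3: str) -> bytes:
    """Build the 24-byte MAC header of an 802.11 data frame (no body, no FCS)."""
    fc0 = DATA_FRAME_TYPE << 2  # protocol version 0, type 2 (data), subtype 0
    fc1 = (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0)
    duration, seq_ctrl = 0, 0
    return (struct.pack("<BBH", fc0, fc1, duration)
            + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
            + struct.pack("<H", seq_ctrl))


def parse_data_frame(frame: bytes):
    """Return (to_ds, from_ds, addr1, addr2, addr3) for a data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != DATA_FRAME_TYPE:
        return None  # management/control frames are not used here
    to_ds, from_ds = bool(fc1 & TO_DS), bool(fc1 & FROM_DS)
    return (to_ds, from_ds,
            bytes_to_mac(frame[4:10]), bytes_to_mac(frame[10:16]), bytes_to_mac(frame[16:22]))


def harvest_clients(frames, bssid: str) -> set:
    """MACs that the AP with this BSSID is exchanging unicast data with."""
    clients = set()
    for frame in frames:
        parsed = parse_data_frame(frame)
        if parsed is None:
            continue
        to_ds, from_ds, a1, a2, a3 = parsed
        if to_ds and not from_ds and a1 == bssid and is_unicast(a2):
            clients.add(a2)  # ToDS: addr1 = BSSID, addr2 = sending station
        elif from_ds and not to_ds and a2 == bssid and is_unicast(a1):
            clients.add(a1)  # FromDS: addr2 = BSSID, addr1 = receiving station
    return clients


def mac_filter_admits(allow_list: set, frame: bytes) -> bool:
    """The router's check: is the source MAC of an uplink frame on the allow list?"""
    parsed = parse_data_frame(frame)
    if parsed is None:
        return False
    to_ds, from_ds, a1, a2, a3 = parsed
    return to_ds and not from_ds and a2 in allow_list


# Constructed addresses; none of these are real devices
AP_BSSID = "00:1b:2f:00:00:01"
LAPTOP = "00:11:22:33:44:55"
PRINTER = "66:77:88:99:aa:bb"
UPSTREAM = "00:00:5e:00:53:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ATTACKER = "02:ca:fe:00:00:99"

ROUTER_ALLOW_LIST = {LAPTOP, PRINTER}

# Constructed capture: what a monitor-mode sniffer sees while the network is in use
CAPTURED = [
    build_data_frame(True, False, AP_BSSID, LAPTOP, UPSTREAM),     # laptop -> AP
    build_data_frame(False, True, LAPTOP, AP_BSSID, UPSTREAM),     # AP -> laptop
    build_data_frame(False, True, PRINTER, AP_BSSID, LAPTOP),      # AP -> printer
    build_data_frame(False, True, BROADCAST, AP_BSSID, UPSTREAM),  # AP broadcast (ignored)
]


def attacker_frame(harvested: set) -> bytes:
    """Forge an uplink frame whose source MAC is one of the harvested clients."""
    victim = sorted(harvested)[0]
    return build_data_frame(True, False, AP_BSSID, victim, UPSTREAM)


if __name__ == "__main__":
    seen = harvest_clients(CAPTURED, AP_BSSID)
    print("clients the AP is talking to:", sorted(seen))
    own = build_data_frame(True, False, AP_BSSID, ATTACKER, UPSTREAM)
    print("attacker's own MAC admitted:", mac_filter_admits(ROUTER_ALLOW_LIST, own))
    print("spoofed client MAC admitted:", mac_filter_admits(ROUTER_ALLOW_LIST, attacker_frame(seen)))
```

The MAC headers are never encrypted, even on a WEP network, so the harvesting step needs no key at all; the broadcast frame is skipped because a group address can never be a client. The only thing the filter ever sees is the address field the sender chose to write, which is why Matt G's point about collisions is the one practical hurdle: the spoofer has to wait until the real client is quiet.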
3

WEP is easy to crack (there are videos of it being done in 10 mins, etc) and MAC addresses can be spoofed. However, what are you 'securing'? If this is a business then NO, this is definitely not enough security. If it's your home internet, and your 10 neighbors all leave their wireless open, and you have a software firewall on your computer, then maybe this is enough.

It's like when I go hiking in the woods with my girlfriend. I'm not scared of the bears... I might not be able to outrun them, but I can at least outrun her!

Andy May
1

No, WEP is not adequate security. MAC addresses are sent as part of the wireless packet and therefore easy to intercept and spoof.

If you need to use WEP you need to install a three-NAT-router setup as shown below. NAT router 1 (NR1) is connected to the internet on the WAN port. NAT router 2 (NR2) WAN port is connected to an NR1 LAN port. NAT router 3 (NR3) WAN port is connected to an NR1 LAN port.

                       ----------NR2--------------Wireless WEP Unsecure 
                       |
Internet  ----- NR1----|
                       |
                       |
                       ----------NR3--------------Wireless WPA Secure

This will allow the WEP access to get to the internet. The NR3 router would block access to your secure network. One other advantage would be to allow guest access to NR2. That would allow Internet access without providing access to your local secure network.

Tony
  • Tony, there's a bug in your markdown, you need to indent that third line to get it to render like the two above it. – Matt G May 22 '09 at 23:40
0

At best you are stopping casual intrusion. Using WEP, white-listing particular MAC addresses, disabling DHCP, and disabling broadcast of SSID create a few hoops for people to jump through, but they're all trivial to defeat.

If you need to support WEP, then go ahead and take these steps, but also accept that the network is insecure. You'll want to isolate it from the rest of your LAN, using a multi-router setup as described in Steve Gibson's guide. Basically, you put one router running WEP on the "outside", connected to your upstream internet connection. Intruders may get on that wireless segment. You then connect a second "inner" router to one of the LAN ports of the outer router. Connect everything that doesn't need WEP to that router.

Matt G
0

No, MAC address protection is not enough as MAC addresses are easily spoofed - http://www.think-security.com/wireless-wep-insecurity/ . Even if the hacker cannot spoof it, he can at least sniff your traffic.

0

Technically it's not very safe but I guess it depends on where you are; if you're in a building full of techies then it's really not safe, if you're on a private island in the middle of the Pacific then it's probably overkill to have any security. You have to measure your need first.

Chopper3