Re: Wired detection of rogue access points



Granted that MAC filtering keeps crap out, but bear in mind the REAL threat is not accidental users of your network but more so intelligent criminals who will go straight for the kill with a spoofed MAC, pick up a DHCP address, then mine your data by further penetrating your applications.
Is MAC filtering an effective layer of security? Or is it just another administrative burden that gives your boss better QoS by ensuring unauthorised users are not borrowing your network?
I am just trying to promote thought outside the box here - anyone intent on getting access to your network via wireless is not going to simply plug in a Linksys AP and set alarm bells ringing - they are very likely to use a custom AP with a spoofed MAC or try and install a USB AP on an existing device in order to conceal their tracks.

Rgds

Tim

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Adam Powers <apowers@xxxxxxxxxxx>
Date: Wed, 28 Mar 2007 10:40:53
To: <tim_holman@xxxxxxxxxxx>, Adam Graham <agraham@xxxxxxxxxxxxxxxxxxxxx>, <listbounce@xxxxxxxxxxxxxxxxx>, "Focus-Ids@Securityfocus. Com" <focus-ids@xxxxxxxxxxxxxxxxx>
Subject: Re: Wired detection of rogue access points

"Filtering by MAC gives you no additional security whatsoever, period"

Meh, this is simply not true. My home AP is plenty secure from my SOHO
technology noob neighbors with MAC filtering - few, if any, of them even
know what an "AP" is, much less "MAC spoofing".

Having said that, filtering technologies such as MAC filtering are far too
difficult to manage given the relatively small security return provided, and
as such should be avoided given the fact that other superior authentication
and access control mechanisms exist.



On 3/26/07 7:24 PM, "tim_holman@xxxxxxxxxxx" <tim_holman@xxxxxxxxxxx> wrote:

Filtering by MAC gives you no additional security whatsoever, period. MAC
addresses can be easily spoofed, and although your solution may assist in
spotting misconfigurations, a determined intruder will get straight through....

Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Adam Graham" <agraham@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 26 Mar 2007 15:52:21
To: <focus-ids@xxxxxxxxxxxxxxxxx>
Subject: RE: Wired detection of rogue access points

First off, is it even possible to buy a laptop that does not have wifi built
in?

I have set up an automated scan looking for MACs. If the MAC does not appear
on my list I drop its packets in the IPTables FW. It's rather simple to do.
The main thing I do that seems to work the best is that the APs are un-trusted
and therefore stuck out in the DMZ. Before one can get to network resources
they need to open the VPN client after connecting to the AP.

A simple way to handle MACs with IPTables (NOTE: this is a simple rule; if you
need more instruction I can send it to you, or just the complete iptables script):

Let's create 2 text files:
/tmp/whitelist
/tmp/blacklist

Insert into whitelist 00:06:25:2E:56:A0
Insert into blacklist 00:06:25:2E:56:E1


Add the following to your IPTables script
TABLES="filter nat mangle"
iptables=/sbin/iptables
touch /tmp/whitelist
touch /tmp/blacklist
# the first field of each line in the list files is the MAC address
WHITELIST=`awk '{print $1}' /tmp/whitelist`
BLACKLIST=`awk '{print $1}' /tmp/blacklist`

# Forward packets that carry the "good MAC" mark
$iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT

# mark all packets from the good macs
for MAC in $WHITELIST ; do
$iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42
done

# drop all packets from the bad macs
for MAC in $BLACKLIST ; do
$iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
done




--

Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
e. adam@xxxxxxxxxxx
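The quoted script above combines two ideas from the thread: an iptables MAC whitelist/blacklist, and treating the APs as an untrusted DMZ segment where the only thing a client can reach is the VPN endpoint. The following is an added example written for this page, not Adam Graham's script or anything else posted on the list, that puts both into one function. Everything environment-specific is an assumption chosen here: the AP-facing interface name (wlan0), the VPN host address (10.0.0.5) and OpenVPN on UDP/1194 as the VPN protocol. DRY_RUN=1 (the default) prints the rules instead of applying them, so it can be read and tested without root. Each list entry is validated as a MAC address before it becomes a shell argument, and the AP interface ends with a default DROP, so an unknown or spoofed MAC gets at most as far as the VPN login. A spoofed whitelisted MAC still reaches the VPN port, which is exactly the point made earlier in the thread: the VPN credentials, not the MAC, are doing the real authentication.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Interface name, VPN
# host and the OpenVPN UDP/1194 port are placeholders assumed here.

IPT="${IPT:-/sbin/iptables}"   # path to iptables
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the rules, 0 = apply them (needs root)
MARK=0x42                      # fwmark given to frames from whitelisted MACs

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s %s\n' "$IPT" "$*"
  else
    "$IPT" "$@"
  fi
}

# Accept only the canonical form aa:bb:cc:dd:ee:ff. Anything else is refused
# so a mistyped or hostile line in a list file never becomes a shell argument.
valid_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# First field of every non-blank, non-comment line of a list file.
read_macs() {
  [ -f "$1" ] || return 0
  grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# build_mac_rules WHITELIST BLACKLIST AP_IFACE VPN_HOST
# Emits, in order: blacklist drops, whitelist marks, a FORWARD policy that lets
# marked frames reach only the VPN endpoint, and a default DROP for the AP side.
build_mac_rules() {
  whitelist="$1"; blacklist="$2"; ap_if="$3"; vpn_host="$4"

  # 1. Blacklisted MACs are dropped in mangle/PREROUTING, before any marking.
  for mac in $(read_macs "$blacklist"); do
    if ! valid_mac "$mac"; then
      echo "skipping invalid blacklist entry: $mac" >&2
      continue
    fi
    ipt -t mangle -A PREROUTING -i "$ap_if" -m mac --mac-source "$mac" -j DROP
  done

  # 2. Whitelisted MACs get the mark; FORWARD matches on the mark, not the MAC.
  for mac in $(read_macs "$whitelist"); do
    if ! valid_mac "$mac"; then
      echo "skipping invalid whitelist entry: $mac" >&2
      continue
    fi
    ipt -t mangle -A PREROUTING -i "$ap_if" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$MARK"
  done

  # 3. The AP segment is untrusted: marked frames may only reach the VPN port
  #    on the VPN host, replies to established flows may come back, and
  #    everything else arriving from the APs is dropped.
  ipt -t filter -A FORWARD -i "$ap_if" -m mark --mark "$MARK" \
      -d "$vpn_host" -p udp --dport 1194 -j ACCEPT
  ipt -t filter -A FORWARD -o "$ap_if" -m conntrack \
      --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -t filter -A FORWARD -i "$ap_if" -j DROP
}

# Usage: sh mac_rules.sh /tmp/whitelist /tmp/blacklist wlan0 10.0.0.5
if [ $# -ge 4 ]; then
  build_mac_rules "$@"
fi
```

The rules are appended (-A) in the order they must be evaluated rather than inserted at position 1 as in the posted script, so re-running the file does not silently reverse the order of the blacklist and whitelist entries; flush the chains first if you re-apply it.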


