Is anyone using MAC addresses for security as opposed to WPA/WEP? I'm considering switching to this method instead of WEP. I can't use WPA because of a couple of devices that I have that don't support it.

I have, but it's fairly easy to spoof. It would be incredibly easy if you don't use at least the WEP encryption. Plus, anyone nearby might not be able to use your access point (until they spoof the MAC address) but they *will* be able to see every single packet to and from your base station. This is far worse than using the crappy WEP. You really need to use MAC filtering with some level of encryption. You know that you can use WEP and MAC filtering at the same time, right?

I have *one* old device that I can't upgrade and that uses WEP. I have a separate access point for it, with a different, non-broadcast SSID, and since the device only connects for a few moments each night, I figure I'm fairly safe from anyone sniffing enough packets. Of course, now that some German researchers have it down to 3 seconds to break WEP (from 5 minutes) I may just break down and find a replacement for the device.

Great info, thanks Jack. I guess I'll keep WEP going for now. I'm not as concerned about a hacker driving by as I am keeping the casual neighbor off my network and using my bandwidth.

Turning on WPA for the main network and setting up a separate network for the WEP only devices is another solution I hadn't considered. I'll have to give that some thought. I already set up a separate WPA 802.11n network for the MacBook Pro and Apple TV's. I guess I could set all but one of the remaining access points up with WPA and leave one set up as WEP with a hidden SSID and possibly a different internet connection altogether! That could work! I have both Cable and DSL (for backup). I could put the older devices on the DSL connection.

I just get confused with wi-fi security. Our 3 Macs are connected via ethernet to our wi-fi router. The only thing we connect to via wi-fi is our Nintendo DSs that only support WEP. Should I be concerned or are our Macs safe? There are plenty of unsecured wi-fi routers in our complex I'm not concerned about someone trying to crack ours for bandwidth as they can just connect immediately to an unsecured one.

Bibo,

If someone breaks into your base station after cracking the WEP, they could get onto your wired LAN. Then they can attempt to access your Macs. But it's not something I'd panic over. Turn off SSID broadcast, turn on MAC filtering, add your Nintendo's MAC address to the filter, and you have added another layer (although not a very tough one) to crack. Still, I imagine your Nintendo isn't on all the time, so that means someone would need to try and sniff packets while you're using it. Not something I'd be overly worried about.

Terry,

If you can get the WEP devices onto another LAN entirely, that would certainly protect the rest of your network.

Since this is a wireless discussion, will toss in another question:
My vintage Pismo PB has the original Airport card. Works fine at the library, etc. Currently running 10.3.9, has a G4 upgrade processor (originally a G3).
- Want to connect to a phone line for dialup internet service.

1. What kind of device would I get to connect wirelessly with our phone line? Since it is so old, not sure the current Apple hardware would work.
Looked at the Airport Express, (works with older Airport cards), but not sure it is the right thing to plug into a phone jack to access the internet. Looks like it requires DSL modem or cable modem.

http://www.apple.com/airportexpress/specs.html
http://www.apple.com/airportexpress/unwireyourlivingroom.html

2. Would this kind of setup be subject to all the problems in this discussion?

Mary Jo,
From what I can gather from your question and correct me if I'm wrong, you want to set up a wireless network using dial-up as your internet connection?

The only way that I know of to do that is to either use one of the older AirPort Base Stations (the ones that look like flying saucers) OR to use a desktop Mac that already is connected via dial-up and it has a AirPort card in it and you turn on Internet Sharing. This will effectively turn your desktop Mac into a base station.

I have one of the older graphite AirPort base stations that has a modem in it that I could sell. I know at one point Apple started supporting dial-up to AOL via the AirPort base stations too. I believe that your provider is AOL, not sure if the Graphite AirPort Base Station supports AOL or not.

The AirPort Base Station models that had a modem in them (for dial-up):
AirPort Base Station (Graphite)
AirPort Base Station (Dual Ethernet)
AirPort Extreme Base Station (with Modem)


Lastly, how can I convince you to abandon this course of action and get a high speed connection? DSL prices are pretty reasonable these days and probably only a few dollars more than you're paying AOL/Dial-up anyway for a MUCH BETTER EXPERIENCE!

And you can still use AOL while on DSL or cable. You are not required to use dial-up to use AOL. I think you get a discount from AOL when you use DSL or cable. At one time AOL was even pushing DSL themselves, so you might see if they still have an offer available.

The Internet is moving away from dial-up at a pretty good clip. At some point (probably not all that far along from now) most services will assume you have at least DSL speeds. When that happens, you may have a very poor Internet experience.

As for point 2 - yes. Wireless is wireless. It doesn't matter what happens to the packets after they reach the base station.

In addition to MAC filtering and WEP I have the LAN DCHP IP Address Pool on my SMC set up to only be as large as the number of devices I have accessing the network. Theoretically, there won't ever be enough IP addresses for someone else to grab.

It makes it a pain when someone trusted comes over and wants to join my wireless network, but it adds an extra level of "security".

If all he wants to do via AOL is access his email, then that can be done for free now, as long as you have any way of accessing the internet, like cable or DSL. You can still keep your email name(s). You could even use another dial-up provider (they are still out there). I thought AOL was getting out of the dial-up access business.The only reason you have to pay AOL anything now is if you want to access their premium services. I think the very first Airport saucer did not do AOL, but the 2nd one did.

The DHCP range is not any form of security. Once I see your ranges, all I have to do is pick an IP address on the same subnet. So while better than nothing, it's really not much of a security device.

You are correct.

I actually have one machine on the network that has a static IP outside the DCHP range that is specified, but it doesn't access the network wirelessly, so I completely ignored it.

I guess it is only one more hurdle for the casual bypassing visitor to have to overcome.

quote:

Originally posted by Jack Beckman:
The DHCP range is not any form of security. Once I see your ranges, all I have to do is pick an IP address on the same subnet. So while better than nothing, it's really not much of a security device.

I think the WEP cracking is mostly Hype and not much else. I've tried to crack WEP myself and have known others that have done it. First you have to collect enough weak packets to try and crack. Then you have to run a utility that tries to crack the packets, and that's after picking the most effective cracking method wich most of the time you can only guess at.

Even a brute force attack isn't always successful and can take DAYS! If the user has changed their WEP password in the time you took to crack the old one, you're out of luck anyway. So a kid carrying a blackberry, walking past my house can crack my WEP network in three seconds??? Spare me!!

I'm sure it's possible, but likely? Not really! I think you have a better chance of getting struck by lightning, winning the lottery and being struck my a meteor all on the same day than the next door neighbor breaking into your network in three seconds.

If you have devices that still need WEP, I suggest you follow these rules...

1. Don't broadcast your SSID
2. Block by MAC Address
3. Change your password often

I'm sure you'll be fine. Just upgrade to WPA when you can.

Terry & Jack - You are definitely right: The time has come for us to go broadband somehow. (Part of me was hanging on for the day Oakland Cty wireless is completed.)

Yes, we have the basic AOL dialup ($9.95/mo). Partly concerned about accessing email when visiting older relatives who don't have computers. Will look into what AOL offers, because I think one can have hi-speed, yet use regular dialup when in a location with no other internet access. Also need to maintain my aol mail address because it is so widely distributed now. (Yes, I know AOL is "free" for folks with other web access, but we don't have cable - not planning on it for now.)

Terry - Thank you for the offer. Will think about it. If we get a new computer for my husband - probably one of the MacBooks - I think the wireless setup and hardware would use more current devices. My original question related to wirelessly accessing a normal dialup somehow using the older Airport card.