WPA vs. Mac filtering

Sometimes when I get something new I turn off WPA or whatever the
router uses, but I use MAC filtering. It does prevent me from getting
in so why do people ridicule it and why does my computer say
"unsecured".

On 24 Jul 2016, Micky wrote in
microsoft.public.windowsxp.general:

Sometimes when I get something new I turn off WPA or whatever the
router uses, but I use MAC filtering. It does prevent me from
getting in so why do people ridicule it and why does my computer
say "unsecured".

For one thing, MAC addresses can be easily spoofed.

On Sun, 24 Jul 2016 14:30:42 -0400, Nil wrote:

On 24 Jul 2016, Micky wrote in
microsoft.public.windowsxp.general:

Sometimes when I get something new I turn off WPA or whatever the
router uses, but I use MAC filtering. It does prevent me from
getting in so why do people ridicule it and why does my computer
say "unsecured".

For one thing, MAC addresses can be easily spoofed.

True, but if you are using a strict set of MAC filtering rules and an outsider doesn't know what
addresses or ranges are in use by your devices, then it makes it that much harder for them to gain
access to your WiFi network. On that basis people should not be too quick to dismiss MAC address
filtering. A lot of people knock it but typically that's because they don't understand it.

It's a balancing act between what is right for your uses. I use MAC address filtering on my home
WiFi but it does mean more work for me whenever I add new hardware. I'm prepared to live with that
if it prevents my freeloading neighbour from piggy-backing on my network (which I monitor) and I
hate to think of the kinds of websites he's visiting!!!

Caveat: at the end of the day there is no such thing as a totally secure network anyway.
Also, there is no such thing as genuine protection, privacy, etc. A determined hacker will find a
way eventually.

Micky wrote:

Sometimes when I get something new I turn off WPA or whatever the
router uses, but I use MAC filtering. It does prevent me from getting
in so why do people ridicule it and why does my computer say
"unsecured".

Someone with the proper software and knowledge with a wifi laptop nearby
can read your mac address from the packets, knock you off line, spoof your
mac addy, and take control of your router. While it's unlikely to happen I
won't take the chance. Easy enough to turn on wpa2 which is much more
difficult to hack.

At the moment I can see 22 mac addresses from my suburban residence.
Two of them are open with no wpa security...

Micky wrote:

Sometimes when I get something new I turn off WPA or whatever the
router uses, but I use MAC filtering. It does prevent me from getting
in so why do people ridicule it and why does my computer say
"unsecured".

Anyone can use any MAC they want. There is nothing fixed about a MAC
address.

Device Management (devmgmt.msc)
Right-click on your NIC.
Select "Properties" from context menu.
Advanced tab.
Select "Locally administered address".
Select radio box next to input field (i.e., deselect "Not present").
Put any valid MAC value you want.

In fact, there is software that will rotate through a whole range of
values for the MAC address so those users can get around MAC blocks.
Only if 2 hosts are on the same subnet would use of the same MAC address
cause networking conflicts (MAC addresses are not routable).

Yes, you may filter-in only a specific MAC address you want to allow for
your intranet hosts. That doesn't stop someone else from using software
to repeatedly change their MAC value, try to bypass your router, and
repeat on failure until they get through.

Filtering on MAC only works somewhere around 30 years ago with NICs were
hardcoded with a MAC address that the OS did not override. Nowadays,
every OS has an override of what MAC address is stuffed into their
packets sent out on the network. It's like having a round security key
to prevent anyone from opening your house door but then you find out
that everyone has access to the hinges to remove the door.

https://en.wikipedia.org/wiki/MAC_spoofing

Since MAC addresses are not routable, spoofing is of no concern
regarding hosts outside your subnet and especially beyond your router
and its built-in very basic router. However, if you are using MAC
blocking to prevent external hosts from entering your network, you
already let them in via wifi if you haven't used pairing to ensure which
hosts are allowed on your network. You want your wifi hosts to have the
keys needed to use your network. Anyone outside can see your wifi
network (just turn on your smartphone to see it) and get on it, and
anyone can use software for MAC spoofing to test through a range of
values until they happen to find those you permitted in.

I'm only going to allow people with the name of Theodore into my
network. I won't tell anyone that. I'm not going to secure the doors
on my house so anyone can come in other than a name filter. Along comes
Malificent who, when asked, says her name is Theodore and, poof, she
gets in. You want to lock the door and secure its hinges to prevent
Malificent from strolling into your house in the first place, not just
hope a nametag affixed to your stereo and TV saying only Theo can use
them would stop Malificent under a differnt name.

There is *nothing fixed* about MAC addresses. You can use whatever one
you want. MAC filtering is a rope across your door: it only keeps out
those that don't need to be kept out. That is, it keeps the trustworthy
from deciding to be otherwise. It doesn't keep the non-trustworthy from
simply walking in. You want keys to control access, not nametags.