----- Original Message -----
From: "Kamil Wencel" <wencel at radion dot org>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Saturday, December 06, 2003 4:53 AM
Subject: Re: [m0n0wall] FW: MAC filtering on wireless interfaces
> Since MAC address spoofing is a rather common technique
> to pass by WLAN "Security" I would not recommend using it.

Just because MAC spoofing is rather simple to do and can be easily
demonstrated hardly makes it common - I've been running WLANs for several
years and have never had anyone hack someone else's MAC. You need to
differentiate between those who just want to use this as a tool and those
who play with networks for fun or personal improvement (learning.)

> Use an IPSEC over WLAN tunnel instead. I myself allow traffic
> shaped HTTP / HTTPS for geeks who still have fun standing in
> front of my door and want to get online.
> Apart from that, the whole internal infrastructure uses IPSEC
> to reach the internal machines.

Many of the users of monowall are not capable of managing an IPSEC based
setup as evidenced by the number of questions posted here about how to make
it work. Don't discount a simple improvement that gives some security just
because there is a better (though more complicated) one.

WLANs are inherently insecure but a balance between the effort required to
secure and the value of the data at risk must be made. Just because WEP is
fairly easily broken is not a reason to turn it off. MAC filtering has its
place among other useful security tools. IPSEC is more secure. Seriously
valuable data should not be accessible from WLANs at all.

John Voigt, President
Reston Wireless, LLC
High speed internet service
no smoke, no mirrors, no wires (tm)