MAC地址过滤是一些人发誓的那些有争议的功能之一,而另一些人则说这完全是浪费时间和资源。那么它是哪一个?在我看来,两者兼而有之,取决于您通过使用它要完成的工作。
不幸的是,如果您精通技术并愿意付出努力,则可以使用此功能作为安全增强功能。事情的真实情况是,它确实没有提供额外的安全性,实际上会使您的WiFi网络不那么安全!别担心,我会在下面详细解释。
但是,它并非完全没用。在某些合法情况下,您可以在网络上使用MAC 地址过滤,但不会增加额外的安全性。相反,它更像是一种管理工具,您可以使用它来控制您的孩子是否可以在一天中的特定时间访问Internet,或者您是否想手动将设备添加到您可以监控的网络中。
为什么它不能让(Make)您的网络(Network)更安全
它不能使您的网络更安全的主要原因是因为它真的很容易欺骗 MAC 地址(spoof a MAC address)。网络黑客(实际上可以是任何人,因为这些工具非常易于使用)可以轻松找出您网络上的MAC地址,然后将该地址欺骗到他们的计算机上。
那么,您可能会问,如果他们无法连接到您的网络,他们如何获取您的MAC地址?(MAC)嗯,这是WiFi(WiFi)的固有弱点。即使使用WPA2加密网络,这些数据包上的MAC地址也不会加密。这意味着任何安装了网络嗅探软件和网络范围内的无线网卡的人都可以轻松获取与路由器通信的所有MAC地址。
他们看不到数据或类似的东西,但他们实际上并不需要破解加密来访问您的网络。为什么?因为现在他们有了你的MAC地址,他们可以欺骗它,然后向你的路由器发送一个特殊的数据包,称为分离数据包,这会断开你的设备与无线网络的连接。
然后,黑客的设备将尝试连接到路由器并被接受,因为它现在正在使用您的有效MAC地址。这就是为什么我之前说此功能会使您的网络安全性降低,因为现在黑客根本不必费心尝试破解您的WPA2加密密码!他们只需要假装自己是一台受信任的计算机。
同样,这可以由对计算机知之甚少的人来完成。如果您只是使用Kali Linux谷歌(Google)破解WiFi ,您将在几分钟内获得大量关于如何侵入邻居WiFi的教程。(WiFi)那么这些工具总是有效吗?
保持安全的最佳方式
这些工具可以使用,但如果您使用WPA2加密以及相当长的WiFi密码,则无法使用。不要使用简单而简短的WiFi密码,这一点非常重要,因为黑客在使用这些工具时所做的一切都是暴力攻击。
通过蛮力攻击,他们将捕获加密的密码,并尝试使用他们能找到的最快的机器和最大的密码字典来破解它。如果您的密码是安全的,密码可能需要数年才能被破解。始终尝试仅将WPA2与AES一起使用。您应该避免使用 WPA [TKIP] + WPA2 [ AES ] 选项,因为它的安全性要低得多。
但是,如果您启用了MAC地址过滤,黑客可以绕过所有这些麻烦,只需获取您的MAC地址,进行欺骗,将您或网络上的其他设备与路由器断开连接并自由连接。一旦他们进入,他们就可以造成各种破坏并访问您网络上的所有内容。
问题的其他解决方案
但是有些人仍然会说控制谁可以访问我的网络非常有用,尤其是因为每个人都不知道如何使用我上面提到的工具。好的,这很重要,但是控制想要连接到您网络的外部人员的更好解决方案是使用访客WiFi网络。
几乎所有现代路由器都具有访客WiFi功能,可让您让其他人连接到您的网络,但不能让他们看到您家庭网络上的任何内容。如果您的路由器不支持它,您只需购买便宜的路由器,然后使用单独的密码和单独的 IP 地址范围将其连接到您的网络。
还值得注意的是,禁用 SSID 广播等其他WiFi安全“增强功能”也会使您的网络更不安全(LESS),而不是更安全。另一个人告诉我他们尝试使用静态 IP 地址。同样(Again),只要黑客能够找出您的网络 IP 范围,他们也可以在他们的机器上使用该范围内的任何地址,无论您是否分配了该 IP。
希望这能让您清楚地了解可以使用MAC寻址过滤来做什么以及有什么期望。如果您有不同的感受,请随时在评论中告诉我们。享受!
Does MAC Address Filtering Really Protect Your WiFi?
MAC address filtering is one of those controversiаl fеatures that some people swear by, whereas otherѕ say it’s a complete waste of time and resources. So which is it? In my оpinion, it’s both, depending on what you are trying to accomplish by using it.
Unfortunately, this feature is marketed as a security enhancement that you can use if you are technically-savvy and willing to put in the effort. The real fact of the matter is that it really provides no extra security and can actually make your WiFi network less secure! Don’t worry, I’ll explain more about that below.
However, it’s not completely useless. There are some legitimate cases where you can use MAC address filtering on your network, but it won’t add additional security. Instead, it’s more of an administration tool that you can use to control whether or not your kids can access the Internet at certain times during the day or if you want to manually add devices to your network, which you can monitor.
Why It Doesn’t Make Your Network More Secure
The main reason why it doesn’t make your network more secure is because it’s really easy to spoof a MAC address. A network hacker, which can literally be anyone since the tools are so easy to use, can easily figure out the MAC addresses on your network and then spoof that address onto their computer.
So, you may ask, how can they get your MAC address if they can’t connect to your network? Well, that’s an inherent weakness with WiFi. Even with a WPA2 encrypted network, the MAC addresses on those packets are not encrypted. This means that anyone with network sniffing software installed and a wireless card in range of your network, can easily grab all the MAC addresses that are communicating with your router.
They can’t see the data or anything like that, but they don’t really have to break the encryption to access your network. Why? Because now that they have your MAC address, they can spoof it and then send out special packets to your router called disassociation packets, which will disconnect your device from the wireless network.
Then, the hackers’ device will try to connect to the router and will be accepted because it is now using your valid MAC address. This is why I said earlier that this feature can make your network less secure because now the hacker doesn’t have to bother trying to crack your WPA2 encrypted password at all! They simply have to pretend to be a trusted computer.
Again, this can be done by someone who little to no knowledge of computers. If you just Google crack WiFi using Kali Linux, you’ll get tons of tutorials on how to hack into your neighbor’s WiFi within a few minutes. So do those tools always work?
The Best Way to Stay Secure
Those tools will work, but not if you are using WPA2 encryption along with a fairly long WiFi password. It’s really important that you don’t use a simple and short WiFi password because all a hacker does when using these tools is a brute force attack.
With a brute force attack, they will capture the encrypted password and try to crack it using the fastest machine and the biggest dictionary of passwords they can find. If your password is secure, it can take years for the password to be cracked. Always try to use WPA2 with AES only. You should avoid the WPA [TKIP] + WPA2 [AES] option as it’s much less secure.
However, if you have MAC address filtering enabled, the hacker can bypass all that trouble and simply grab your MAC address, spoof it, disconnect you or another device on your network from the router and connect freely. Once they are in, they can do all kinds of damage and access everything on your network.
Other Solutions to the Problem
But some people will still say it’s so useful to control who can get on my network, especially since everyone doesn’t know how to use the tools I mentioned above. OK, that’s a point, but a better solution to control outsiders who want to connect to your network is to use a guest WiFi network.
Just about all modern routers have a guest WiFi feature that will allow you to let others connect to your network, but not let them see anything on your home network. If your router doesn’t support it, you can just purchase a cheap router and attach that to your network with a separate password and separate IP address range.
It’s also worth noting that other WiFi security “enhancements” like disabling SSID broadcasting will also make your network LESS secure, not more secure. Another one people have told me they try is to use static IP addressing. Again, as long as a hacker can figure out your network IP range, they can use any address in that range too on their machine, regardless of whether you have assigned that IP or not.
Hopefully, this gives you a clear idea of what you can use MAC addressing filtering for and what expectations to have. If you feel differently, feel free to let us know in the comments. Enjoy!
