Security Feature REQ: Allow only one connection per MAC address

[dugaduga]

The only way users can bypass the MAC filter security feature is by MAC spoofing/cloning. An option to allow only one connection per MAC would help detect and prevent wifi hijacking and router tampering. Users would know quickly, their device is not able to connect. Detection logging for simultaneous connections from the same MAC would be useful for troubleshooting & spoof detection. Just a little warning for users to ensure they have a secondary device or means to connect to the router would be useful.

 

[bitmonster]

Waste of time.

The Australian Government Security Manual, and probably all others around the world, recommend against MAC filtering. Because it achieves nothing while just adding complexity and points of failure.

Just use proper WPA2 instead, or some sort of RADIUS type authentication if you are really concerned.

I would rather development effort focus on areas where actual gains can be made.

Sent from my SM-G965F using Tapatalk

 

[RMerlin]

Association is done by the closed source driver, which is outside of my control anyway.

 

[bitmonster]

Association is done by the closed source driver, which is outside of my control anyway.

May be worth putting a notice up on the page that MAC filtering achieves nothing.. Still after all these years people still do it even though security professionals long ago said it's useless for security.

 

[ColinTaylor]

May be worth putting a notice up on the page that MAC filtering achieves nothing.. Still after all these years people still do it even though security professionals long ago said it's useless for security.

It still serves a purpose. I use it to stop a couple of devices associating with a particular access point. Don't fall for the "MAC filtering = bad" mantra so loved by tech journalists, not everything has to be seen from a security perspective.

 

[bitmonster]

That's why I said "useless for security".

 

[ColinTaylor]

That's why I said "useless for security".

I think we're in agreement there, but you suggested "putting a notice up on the page that MAC filtering achieves nothing". I was just pointing out that it can "achieve something".

 

[bitmonster]

Amended - suggest notice "achieves nothing for security, please use other features". It lulls people in to a false sense of security. It's about as secure as identifying by fixed IP address - same thing really.

 

[RMerlin]

The goal of the web interface is not to provide documentation on best practices, but to provide access to router configuration parameters. End-user education is outside the scope of a web interface. The more text you put in an interface, the less people will read it.