Old Jan 2, 2013, 12:32 AM   #26
calderone
macrumors 68040
 
Join Date: Aug 2009
Location: Seattle
Quote:
Originally Posted by QuarterSwede View Post
Not if he's working for or a contractor for the DOD. That'd be perfectly normal. Only one person I know who works as a contractor for DOD, and I know a lot, isn't all that concerned about personal data and that's because there are only a few people in the world that have the knowledge he does so he's not afraid of being fired over a polygraph like the rest are.

To the OP, don't use MAC filtering for security purposes. Not only is it extremely insecure, it could actually cause you issues without causing the spoofer any. A good secure WPA2 password, maybe even longer than you have, will take someone longer to crack than they'll live.

If you're paranoid, ethernet is the only way to go. Hackers would have to have physical access somewhere along the chain or hack into your firewall instead at that point. It doesn't matter if it's plugged straight into the modem or through a router in your house.


That's a good idea actually.
Intruder sets static IP, done.
__________________
ACSA, ACMT
calderone is offline   0 Reply With Quote
Old Jan 3, 2013, 05:32 PM   #27
NogbadTheBad
macrumors regular
 
Join Date: Aug 2009
Location: United Kingdom
You could set up a cron job to do a snmpwalk of your airport to dump out the IP to MAC table, every so often, maybe to an email :-

mac:~ Andy$ snmpwalk -c public 172.16.1.1 IP-MIB::ipNetToMediaPhysAddress
IP-MIB::ipNetToMediaPhysAddress.9.172.16.1.50 = STRING: 20:c9:d0:8f:be:51
IP-MIB::ipNetToMediaPhysAddress.9.172.16.1.52 = STRING: 7c:c5:37:6b:48:c1
IP-MIB::ipNetToMediaPhysAddress.9.172.16.1.53 = STRING: 64:20:c:2a:14:3e
IP-MIB::ipNetToMediaPhysAddress.9.172.16.1.57 = STRING: 58:55:ca:1a:bc:23
IP-MIB::ipNetToMediaPhysAddress.9.172.16.1.254 = STRING: 0:13:b6:8:18:b2
mac:~ Andy$

BTW the read-only SNMP password is public, it should work if you replace 172.16.1.1 with your airport internal IP address.

Also addresses will drop out of this table, I'm not sure how long Apple network devices keep their ARP entries.
NogbadTheBad is offline   0 Reply With Quote
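Added example, not part of NogbadTheBad's post: a cron-ready shell script for the snmpwalk idea in post #27 that compares the dumped IP-to-MAC table with a list of known devices and prints only the entries that are not on it. The function names, the allowlist format and its device label are assumptions made for this example; the sample entries are the five shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Prints "IP MAC" for every ARP-table entry
# whose MAC is missing from an allowlist; run from cron, any output gets mailed.

# awk helper: lowercase and zero-pad each octet, because snmpwalk prints
# 0:13:b6:8:18:b2 where an inventory would list 00:13:b6:08:18:b2.
NORM_AWK='function norm(m,   p, n, i, o, out) {
    n = split(tolower(m), p, ":"); out = ""
    for (i = 1; i <= n; i++) {
        o = p[i]; if (length(o) == 1) o = "0" o
        out = out (i > 1 ? ":" : "") o
    }
    return out
}
'

normalize_mac() {
    printf '%s\n' "$1" | awk "$NORM_AWK"'{ print norm($1) }'
}

# unknown_hosts ALLOWLIST: snmpwalk output on stdin; the allowlist (assumed
# format) has one MAC per line and "#" starts a comment.
unknown_hosts() {
    awk -v allow="$1" "$NORM_AWK"'
    BEGIN {
        while ((getline line < allow) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") known[norm(line)] = 1
        }
    }
    /ipNetToMediaPhysAddress\..* = STRING: / {
        n = split($1, k, /[.]/)                  # last four parts are the IP
        ip = k[n-3] "." k[n-2] "." k[n-1] "." k[n]
        mac = norm($NF)
        if (!(mac in known)) print ip, mac
    }'
}

# demo: the five entries from the post above against a constructed allowlist
demo() {
    list=$(mktemp)
    printf '%s\n' '20:C9:D0:8F:BE:51 # constructed label: laptop' \
        '7c:c5:37:6b:48:c1' '64:20:0c:2a:14:3e' '00:13:b6:08:18:b2' > "$list"
    printf 'IP-MIB::ipNetToMediaPhysAddress.9.172.16.1.%s = STRING: %s\n' \
        50 20:c9:d0:8f:be:51 52 7c:c5:37:6b:48:c1 53 64:20:c:2a:14:3e \
        57 58:55:ca:1a:bc:23 254 0:13:b6:8:18:b2 | unknown_hosts "$list"
    rm -f "$list"
}
```

In a crontab the pipeline would be `snmpwalk -c public 172.16.1.1 IP-MIB::ipNetToMediaPhysAddress | unknown_hosts <allowlist file>`. A device that clones an allowed MAC passes this check, so it only catches new hardware addresses.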
Old Jan 3, 2013, 05:50 PM   #28
NogbadTheBad
macrumors regular
 
Join Date: Aug 2009
Location: United Kingdom
Quote:
Originally Posted by mmomega View Post
You could also set a pre-determined amount of IP addresses to be allowed to connect.
I use the 10.0.1.x to make it easier to keep track of than 192.168.254.x.

Say you will only ever have 5 devices connected to the router ever.
You can set static IP addresses for each device.
Allow IP's from 10.0.1.2 - 10.0.1.6
Pointless really, if they could connect to your wireless network without an IP address and snoop for ARP packets and then assign a fixed IP address in the same subnet.

All you're doing here is limiting your DHCP scope, which probably causes you more issues.

After setting my IP to 1.1.1.1 :-

mac:~ Andy$ sudo tcpdump -i en1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:05:05.285623 ARP, Request who-has 172.16.1.57 tell 172.16.1.57, length 28
^C
1 packets captured
32 packets received by filter
0 packets dropped by kernel
mac:~ Andy$

Last edited by NogbadTheBad; Jan 3, 2013 at 06:09 PM.
NogbadTheBad is offline   0 Reply With Quote
Old Jan 3, 2013, 06:00 PM   #29
Brian Y
macrumors 68020
 
Join Date: Oct 2012
Quote:
Originally Posted by NogbadTheBad View Post
Pointless really, if they could connect to your wireless network without an IP address and snoop for ARP packets and then assign a fixed IP address in the same subnet.

All you're doing here is limiting your DHCP scope, which probably causes you more issues.
The only reason to use static is if you want to know what address each device has easily. It's not a way of securing.

TBH, you can't expect that much of a consumer access point. If you're really that paranoid, just don't use wireless. But, I imagine somebody who really worked for such an organization wouldn't attract attention to themselves on a forum as you have.
Brian Y is offline   0 Reply With Quote
Old Jan 3, 2013, 06:07 PM   #30
NogbadTheBad
macrumors regular
 
Join Date: Aug 2009
Location: United Kingdom
Quote:
Originally Posted by bma View Post
The only reason to use static is if you want to know what address each device has easily. It's not a way of securing.

TBH, you can't expect that much of a consumer access point. If you're really that paranoid, just don't use wireless. But, I imagine somebody who really worked for such an organization wouldn't attract attention to themselves on a forum as you have.
I'm not the OP BTW
NogbadTheBad is offline   0 Reply With Quote
Old Jan 3, 2013, 06:32 PM   #31
NogbadTheBad
macrumors regular
 
Join Date: Aug 2009
Location: United Kingdom
Quote:
Originally Posted by dbales View Post
Does this mean anything to anyone?

Thx.

Image

----------



Thank you. I'll find that and do it. I'm going to reboot my Extreme, make new Network names and p/w's, disable the Guest account, and then hide my network.
That looks like the output from netstat to me, do a "man -t netstat | open -f -a Preview" to see the man page in Preview.

Where you see 74.125.225.164:80 ESTABLISHED it means your mac is connected to google using port 80 which is http.

The addresses with a : in them are IPv6 addresses.

Torrent Leach Tastic BTW

Last edited by NogbadTheBad; Jan 3, 2013 at 06:54 PM.
NogbadTheBad is offline   0 Reply With Quote
Old Jan 4, 2013, 05:04 AM   #32
el-John-o
macrumors 65816
 
Join Date: Nov 2010
Location: Missouri
It sounds like ethernet is the best bet. The reason you read that connecting direct to the modem is an issue, is because in such a setup you no longer have your hardware firewall. Instead, connect to your Airport Extreme via ethernet, and disable Wi-Fi.

When it comes to data security, no matter what security you use, your data is still being broadcast with a radio. It's not a trivial thing, but it's still possible. If it's that essential, then the only solution is to go wired.
__________________
Windows7 PC - Phenom II 965@4GHz x4 Cores, 16GB DDR3-2133, Radeon HD7970 | iPhone 5 32GB | iPad Air WiFi+LTE 128GB | Mid 2012 MacBook Pro 13", Dual 256GB SSD's in RAID 0, 16GB DDR3-1600
el-John-o is offline   0 Reply With Quote
Old Jan 4, 2013, 05:22 AM   #33
majkom
macrumors 6502a
 
Join Date: May 2011
Quote:
Originally Posted by el-John-o View Post
It sounds like ethernet is the best bet. The reason you read that connecting direct to the modem is an issue, is because in such a setup you no longer have your hardware firewall. Instead, connect to your Airport Extreme via ethernet, and disable Wi-Fi.

When it comes to data security, no matter what security you use, your data is still being broadcast with a radio. It's not a trivial thing, but it's still possible. If it's that essential, then the only solution is to go wired.
So, does it mean that while connected via wifi, my mac is protected by AE firewall (and there is no need to turn on os x firewall?) whereas while connected via utp cable, mac is not protected by AE firewall (and os x firewall is a must?)? Do I get it right?
majkom is offline   0 Reply With Quote
Old Jan 4, 2013, 05:46 AM   #34
el-John-o
macrumors 65816
 
Join Date: Nov 2010
Location: Missouri
Quote:
Originally Posted by majkom View Post
So, does it mean that while connected via wifi, my mac is protected by AE firewall (and there is no need to turn on os x firewall?) whereas while connected via utp cable, mac is not protected by AE firewall (and os x firewall is a must?)? Do I get it right?
Don't disable the OS X firewall. Unless a firewall is causing some sort of issue, don't disable it. The Airport Extreme has a firewall IF it's set up in DHCP/NAT mode. If it's set up in bridge mode, the firewall is off. You can use both firewalls at the same time. Most routers have some form of a hardware firewall, which works in conjunction with your operating system's software firewall.

When your Mac is connected to the Airport Extreme, whether via ethernet or Wi-Fi, its traffic runs through the AE firewall. When it is connected DIRECTLY to the modem, it does not benefit from the firewall of the Airport. Hence why you may have read it's better to use your router, instead of connecting to the modem directly. This still counts wired OR wireless.

So, to conclude, use BOTH firewalls (OSX and AE), and for best security, use Airport Utility to turn off Wi-Fi on the AE, and connect to it using ethernet. This eliminates the ability for someone nearby to access your network.

It may not be any of my business, but if it's that much of an issue law enforcement should probably get involved. You hinted at behaviors that sound like stalking or harassment, these individuals also seem to be in your immediate vicinity. I don't know the details or anything like that, but if you have people actively seeking YOU DIRECTLY to access your personal information without your consent, then you need to contact law enforcement. Unless I misunderstood you and you are just wanting 'general' security because you fear someone MIGHT be, but you don't have knowledge of it.

Bear in mind finding strange IP addresses is not unusual. People will always 'try'. There are plenty of cheap-o's out there trying to steal Wi-Fi, who will attempt to connect to your network using 'common' passwords. (Lots of cable companies set up Wi-Fi routers using the customer's address or last name as the Wi-Fi password, so people may try those just to see if they 'get lucky'). They aren't trying to steal information, they are just trying to bum a free ride to the internet!

Another option, if you want to keep WiFi but be a bit more secure, is to disable SSID broadcasting in Airport utility. What this does, is makes most computers not see the SSID. (Using a piece of software, you still can, but it helps eliminate most free-wifi-lurkers). When you connect via Wi-Fi, you'll have to manually connect (On OS-X, click the Wi-Fi logo on the menubar and click 'join other network'). You can then type in the name of your network manually.

However, again, if security is a concern, disabling Wi-Fi is the way to go. Although there are still risks with ANY internet connected computer. If you or your employer have very sensitive data that you have at home, often it's best to keep and use that data on a non internet connected computer if at all possible.
__________________
Windows7 PC - Phenom II 965@4GHz x4 Cores, 16GB DDR3-2133, Radeon HD7970 | iPhone 5 32GB | iPad Air WiFi+LTE 128GB | Mid 2012 MacBook Pro 13", Dual 256GB SSD's in RAID 0, 16GB DDR3-1600
el-John-o is offline   0 Reply With Quote
Old Jan 4, 2013, 12:37 PM   #35
southerndoc
macrumors 6502a
 
Join Date: May 2006
Location: USA
Quote:
Originally Posted by Fishrrman View Post
If you're that worried about others breaking into your wireless network, perhaps the only real option is to turn wireless OFF, and connect via Ethernet -- even with your laptops...
Ditto.

I do part-time confidential consulting work for the government, and in my NDA I had to sign something stating I would not perform work over a WiFi connection. So my dedicated workstation is connected to my Time Machine via ethernet.

If it's as clandestine as you make it out to be, and if you have a waiver to work with TS material at home, then you should have been provided a firewall device and should have signed a form stating you would not use WiFi.
southerndoc is offline   0 Reply With Quote
Old Jan 4, 2013, 05:50 PM   #36
el-John-o
macrumors 65816
 
Join Date: Nov 2010
Location: Missouri
Quote:
Originally Posted by southerndoc View Post
Ditto.

I do part-time confidential consulting work for the government, and in my NDA I had to sign something stating I would not perform work over a WiFi connection. So my dedicated workstation is connected to my Time Machine via ethernet.

If it's as clandestine as you make it out to be, and if you have a waiver to work with TS material at home, then you should have been provided a firewall device and should have signed a form stating you would not use WiFi.
If your workstation is connected via ethernet but the box it's connected to (Time Capsule) has Wi-Fi enabled, what's the difference? Unless I'm missing something. But, it still means someone could wirelessly access your network and then the computer that you're working on (in a one in a million chance someone has the tools and skills to do so, and is within range. Using better Wi-Fi encryption keys can help with that!)
__________________
Windows7 PC - Phenom II 965@4GHz x4 Cores, 16GB DDR3-2133, Radeon HD7970 | iPhone 5 32GB | iPad Air WiFi+LTE 128GB | Mid 2012 MacBook Pro 13", Dual 256GB SSD's in RAID 0, 16GB DDR3-1600
el-John-o is offline   0 Reply With Quote
Old Jan 4, 2013, 06:33 PM   #37
davidoloan
macrumors regular
 
Join Date: Apr 2009
Quote:
Originally Posted by northernbaldy View Post
I'm intrigued
I'd love to know why you are having these issues
Cause he is a secret agent.
davidoloan is offline   0 Reply With Quote
Old Jan 4, 2013, 06:35 PM   #38
el-John-o
macrumors 65816
 
Join Date: Nov 2010
Location: Missouri
Quote:
Originally Posted by davidoloan View Post
Cause he is a secret agent.

http://youtu.be/6iaR3WO71j4
__________________
Windows7 PC - Phenom II 965@4GHz x4 Cores, 16GB DDR3-2133, Radeon HD7970 | iPhone 5 32GB | iPad Air WiFi+LTE 128GB | Mid 2012 MacBook Pro 13", Dual 256GB SSD's in RAID 0, 16GB DDR3-1600
el-John-o is offline   0 Reply With Quote
Old Jan 4, 2013, 11:35 PM   #39
velocityg4
macrumors 68040
 
Join Date: Dec 2004
Location: Georgia
If security is of such paramount importance, it seems to me that you should be using much more secure equipment than an Airport Extreme. Say a Cisco router. I don't mean a rebranded Linksys Cisco Small Business model. Rather a real $1000+ model.

Then use whole disk hard drive encryption on your computer. Plus an aftermarket firewall on your laptop when on the go. I can't think of a good manufacturer.
velocityg4 is offline   0 Reply With Quote
Old Jan 5, 2013, 12:54 AM   #40
Ccrew
macrumors 68020
 
Join Date: Feb 2011
Quote:
Originally Posted by brentsg View Post
If it is truly that clandestine and vital, there are surely better places to seek advice than a public Mac forum.
Tinfoil hat might stop the problems too
Ccrew is offline   0 Reply With Quote
Old Jan 5, 2013, 06:47 AM   #41
southerndoc
macrumors 6502a
 
Join Date: May 2006
Location: USA
Quote:
Originally Posted by el-John-o View Post
If your workstation is connected via ethernet but the box it's connected to (Time Capsule) has Wi-Fi enabled, what's the difference? Unless I'm missing something. But, it still means someone could wirelessly access your network and then the computer that you're working on (in a one in a million chance someone has the tools and skills to do so, and is within range. Using better Wi-Fi encryption keys can help with that!)
Perhaps I should've clarified. I turn off my WiFi network when performing my consulting work.
__________________
2012 iMac 27" | i7 | 3.4GHz | 768GB SSD | 32GB RAM | 680MX <<>> 2012 MacBook Air 13" | i7 | 2.0GHz | 256GB SSD | 8GB RAM
southerndoc is offline   0 Reply With Quote
