Hardware Support: Discussions related to using various hardware setups with SageTV products. Anything relating to capture cards, remotes, infrared receivers/transmitters, system compatibility or other hardware related problems or suggestions should be posted here.
#1
Router White List
I need to find a router that supports limiting outbound access to a white list of MAC addresses. Do any of you know of a router that supports that? I've got two DLink routers and neither of them support that. They only support blocking of MAC addresses or limiting what wireless adapters can connect.
#2
My Netgear WNDR3300 (Wireless-N router) allows me to block ports at the internal IP address level. It also allows me to reserve a static DHCP IP address to specific MAC addresses. Those two features combined could accomplish the task. The router also allows blocking web sites by keyword and by domain name and it also has some basic scheduling if you want to only block access on certain days or only during a specific time period each day. I personally don't use the feature, so I can't really vouch for how well it works.
__________________
--Jason Server Hardware: GIGABYTE GA-EP45-UD3R, Intel Q9550 CPU 2.83GHz, 11GB RAM, 1xHDHR, 1xHVR1600, 1xHVR2250 29TB Server Storage: 1TB SSD (OS), 1TB (data), 2x6TB+2x10TB (22TB FlexRaid storage pool), 2x2TB (recordings), 1x750GB (VMs). Server Software: Win10 Pro x64 OS, SageTV 64bit v9.2.0.441, Java 1.8 u241, PlayOn, Comskip (Donator) v0.82.003, WampServer v2.5. Clients: 3xHD300s, 2xHD100, 2xPlaceshifters
#3
Blocking isn't going to help. The problem is my son who's already figured out how to change his MAC address to avoid blocking. I really need something that will allow only MAC addresses I specify.
#4
Quote:
__________________
SageTV server & client: Win 10 Pro x64, Intel DH67CF, Core i5 2405s, 8 GB ram, Intel HD 3000, 40GB SSD system, 4TB storage, 2x HD PVR component + optical audio, USB-UIRT 2 zones + remote hack, Logitech Harmony One, HDMI output to Sony receiver with native Intel bitstreaming
#5
Won't DD-WRT do this? Maybe you can load DD-WRT on your router and give it a go. Hope it helps!
__________________
Server: AMD Phenom II X6 1090T 3.2GHz, ASRock 890FX Deluxe4 890FX, PNY Optima 8GB DDR3 1333 Media Storage: Rosewill RSV-S4-X 4 Bay Enclosure w/ 4 x 3TB via unRAID Capture: HDHomerun Prime, HDHomerun x 2 Software: Sage Server 7.1.9 on Windows 7 (Virtualized in ESXi) Clients: i3-2105, ASRock Z68 Pro3-M, 4GB DDR3 1600, 64GB SATA III (OS), 2TB WD Green (Recording), PNY GT 430 // 2 x HD-300
#6
I want to be able to turn it on or off based on his grades and the time of day.
I thought that DD-WRT would probably do it, but I couldn't find how to do it in their documentation (I could have missed it). I would try it, but none of my current routers support it. Could somebody who has DD-WRT pipe in?
#7
Quote:
#8
This kid is too good at hacking. We've removed admin access too many times to count and he still finds a way to get it back.
#9
Take his computer away.
#10
An additional piece of hardware but I believe it does give you the ability to control lots of aspects of internet usage pretty easily. I was thinking about one of these a while back and never did get one:
http://www.amazon.com/D-Link-DSD-150.../dp/B000EUCMV6
#11
Quote:
It's moderately easy to use DD-WRT's access controls to block Internet access to/from a computer during certain times of the day, or even just block certain websites like I did. But, you set up the rules to block a particular IP address to MAC address on your internal network. So, if your son knows how to change his MAC address, that might not work. A countermeasure might be to white list MAC addresses on your network (which I think is what you're looking for). That way your son can't just change his MAC address to anything and still have access. Most wireless routers can do this for wireless clients, but it's pretty rare to do this with wired clients. DD-WRT can do it, but it requires special commands. You'd want to look on the DD-WRT website for help setting that up. Quote:
By the way, here's a link to a DD-WRT thread talking about setting something like this up. It's fairly complicated. Last edited by reggie14; 01-18-2010 at 09:04 PM.
#12
As Reggie pointed out, with that level of hacking skills, even MAC address whitelisting probably won't prevent him from shutting down or disconnecting an existing whitelisted networked device or PC and spoofing its MAC address on his computer to gain access. Short of locking up your broadband modem and network gear in a hacker proof cabinet and connecting his computer to a second router on a different subnet (router-behind-router config), the only other way would be to physically take the computer away. With a router-behind-router config, you could blacklist his router MAC address on your router when you want to cut off his access. As long as he can't access the admin functions of either router, he wouldn't be able to change the blacklist settings on your router or the MAC address of his router. This way, no amount of MAC address spoofing on his computer would get him access through his blacklisted router.
Of course, since he has the skills to spoof MAC addresses and regain admin privileges, if he has physical access to the network gear then he'll likely be able to figure out how to regain access to the internet...especially if his computer is a laptop he can drag to where the network gear is. If you can't keep him from physically accessing the network gear and possibly your other computers, you're probably fighting a losing battle. I agree with Reggie about regaining admin privileges...he probably found one of the various boot disks out there that will reset the default Windows Administrator account and the only way to make that more difficult is to password protect the BIOS settings and disable the ability to boot from anything but the hard drive. That won't prevent him from using a spare hard drive to accomplish the same thing...a bit more hassle, but if he has nothing better to do, I'm sure he'll figure that out.
__________________
--Jason Server Hardware: GIGABYTE GA-EP45-UD3R, Intel Q9550 CPU 2.83GHz, 11GB RAM, 1xHDHR, 1xHVR1600, 1xHVR2250 29TB Server Storage: 1TB SSD (OS), 1TB (data), 2x6TB+2x10TB (22TB FlexRaid storage pool), 2x2TB (recordings), 1x750GB (VMs). Server Software: Win10 Pro x64 OS, SageTV 64bit v9.2.0.441, Java 1.8 u241, PlayOn, Comskip (Donator) v0.82.003, WampServer v2.5. Clients: 3xHD300s, 2xHD100, 2xPlaceshifters
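One way to notice the cloned-MAC scenario Jason describes in post #12 from the router side, added here as an example and not code from any poster or from DD-WRT: while the real whitelisted device is still powered on, a second machine using its MAC shows up in the router's neighbour table as one MAC bound to two different IP addresses. The script assumes a Linux router (DD-WRT or similar) where `ip neigh show` is available and the LAN bridge is called br0 (an assumption; check yours). The neighbour-table lines below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Flags any MAC address that the router's
# neighbour table currently associates with more than one IP address, which
# is what a cloned MAC looks like while the genuine device is still online.
# Input is the output format of `ip neigh show` on a Linux router.

# Constructed sample neighbour table (four LAN hosts, one of them a clone).
SAMPLE_NEIGH='192.168.0.2 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.3 dev br0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.0.4 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.9 dev br0 FAILED'

# Reads neighbour lines on stdin; prints "MAC ip1,ip2,..." for every MAC
# that is bound to two or more distinct IPs. Prints nothing when the table
# is clean.
find_cloned_macs() {
    awk '
        # Only entries that resolved to a link-layer address carry a MAC.
        /lladdr/ {
            ip  = $1
            mac = tolower($5)
            if (!(mac in ips)) {
                ips[mac] = ip; n[mac] = 1
            } else if (index("," ips[mac] ",", "," ip ",") == 0) {
                # same MAC, a different IP than we have already recorded
                ips[mac] = ips[mac] "," ip; n[mac]++
            }
        }
        END { for (m in n) if (n[m] > 1) print m, ips[m] }
    ' | sort
}

# Run against the constructed sample. On a real router (assumed bridge
# name br0) the equivalent would be:  ip neigh show dev br0 | find_cloned_macs
printf '%s\n' "$SAMPLE_NEIGH" | find_cloned_macs
```

The check only works while both the genuine device and the clone are on the network at once; if the real device has been switched off, as the post suggests an attacker would do, the table looks normal and the only remaining clues are the DHCP lease history and which switch port the MAC is now seen on.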
#13
Reminds me of myself a few years ago, if it were my son I would run windows 7 on his box (less password tools so far), run pfsense on a home built router that can do packet level inspection, and physically disable his wifi card, this would only leave running a linux live cd (for port 80 encryption) and internet through a cellular phone.
__________________
Server: WMC Windows 7 64bit, SSD+2TB, Gigabyte 870G, AMD X6, 4GB DDR, ATi 5570 Capture Devices: HDHomeRun (OTA), 2x HD-PVR w/HTTP Tuning (DirecTV H21's) NAS: Windows Home Server: Supermicro C2SBX, C2D 2.6Ghz, 4GB DDR, 32.07TB
#14
robogeek made some good points, but I think it's important to note that MAC address spoofing and certain kinds of reclaiming admin rights attacks aren't very difficult. I'd actually say it takes more skill to get around white-listed MAC addresses because it's a multi-stage attack, and isn't as easy to look up online. You have to find some valid MAC addresses, which basically means you either need access to some of those machines, or you need to know your way around a packet sniffer. But, perhaps most importantly, you need to actually understand what is going on to even know to do that stuff, rather than just knowing to do a google search.
I don't know how old this kid is, or what level of expertise he has, but I'd be a little surprised if he can hack his way around white-listed MACs and the loss of CD-booting.
#15
That's exactly what I'm hoping for. He's almost 15 and is getting pretty good at basic hacking, but I think I can buy a year or so with the whitelisting. It looks like DD-WRT is perfect for this.
He already has Windows 7 so that hasn't helped. It's actually made it easier to spoof the MAC address.
#16
I don't think there are huge advantages to Win7 over Vista or even XP when it comes to the admin rights and password cracking issue. I think the same techniques work to reset the admin password, and I think the same password cracking tools work on Win7 as Vista/XP, since it's been a while since Microsoft redid how they store/use passwords. NTLMv2 isn't bad, it's just that passwords can only be so strong.
By the way, there's a really easy way to get around the protections of DD-WRT. You just reset the thing. 20 seconds with the router and a paperclip is all you need to wipe away the access controls. You'll need to protect it. However, you're talking about doing things that aren't commonly done. I think it will be harder for him to realize what's going on. The next step might be using some more high-end equipment. You could get managed switches, and run some sort of cheap dedicated firewall. I'm guessing you don't want to spend much money, but keep in mind your son is learning as he's getting around whatever countermeasures you throw at him. If he finds it fun, maybe he'll be interested in becoming a professional pen tester someday.
#17
Well, if you can physically secure the router, and run DD-WRT on it, not only could you white list it, but I think you can actually create VLANs by switch port. Then you can limit it to the physical connection, thereby eliminating pretty much any other parts.
In the end, though, if your kid is blatantly bypassing your controls, it sounds like locking him out further isn't going to be much help. Not to play someone else's father, but at his age, he should know that you set those for a reason, and by him bypassing them, he is blatantly defying you. For me, the solution to this would be to basically remove the computer access altogether. Sorry if this is taken wrong, as I know some will think it isn't my place, but the problem isn't that he is CAPABLE of breaking the protections, it's that he's attempting to do it in the first place.
__________________
Buy Fuzzy a beer! (Fuzzy likes beer) unRAID Server: i7-6700, 32GB RAM, Dual 128GB SSD cache and 13TB pool, with SageTVv9, openDCT, Logitech Media Server and Plex Media Server each in Dockers. Sources: HRHR Prime with Charter CableCard. HDHR-US for OTA. Primary Client: HD-300 through XBoxOne in Living Room, Samsung HLT-6189S Other Clients: Mi Box in Master Bedroom, HD-200 in kids room
#18
A manual method would be to set a static route on your current Dlink router.
For example, if his PC's IP address is 192.168.0.4, then route 192.168.0.4 255.255.255.255 to (gateway) 192.168.0.254 (assuming 254 is a non-existent node on your LAN). Depending on your router, this will either stop his outbound traffic or stop all of his network traffic, but either way won't affect any other IP address on the LAN/WAN.
__________________
SageTV server & client: Win 10 Pro x64, Intel DH67CF, Core i5 2405s, 8 GB ram, Intel HD 3000, 40GB SSD system, 4TB storage, 2x HD PVR component + optical audio, USB-UIRT 2 zones + remote hack, Logitech Harmony One, HDMI output to Sony receiver with native Intel bitstreaming
#19
TrueCrypt Pre-boot Authentication
#20
Ditto, to what everybody said above. Many good ideas.
Physical access is key to the final way to get around things, both at the computer and network equipment. Hopefully you have a hardware lock for the computer chassis, and a lockable network closet. DDWRT would do what you need at the network level, being linux with iptables, but if your routers don't do it, you are limited to what you can do. Truecrypt full drive encryption, coupled with a bios password, boot order with hard drive first, Windows 7 parental controls and good long passwords like T1nuCd2g@t!dPw$#S, (There is nothing you can do to get around this locked down password so pound sand). It would be hard to get around that stuff.
__________________
Mike Janer SageTV HD300 Extender X2 Sage Server: AMD X4 620,2048MB RAM,SageTV 7.x ,2X HDHR Primes, 2x HDHomerun(original). 80GB OS Drive, Video Drives: Local 2TB Drive GB RAID5
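The wired MAC whitelist that posts #6, #11 and #20 discuss comes down to iptables rules on the router's FORWARD chain, which is what DD-WRT runs underneath. The script below is an added example, not code from the thread or from the DD-WRT project: it builds a default-deny forwarding policy that only passes traffic from listed MAC addresses, with an optional time-of-day window for a MAC that should only work in the evening, which is the on/off control asked for in post #6. It assumes a Linux router whose LAN bridge is named br0 (the usual DD-WRT name, but verify with `ifconfig`) and an iptables build with the mac and time match modules; the MAC addresses are constructed. By default it only prints the commands it would run; invoke it with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT. Generates (or applies) an
# iptables ruleset that forwards LAN traffic only from whitelisted MACs.
# IPT defaults to printing the commands; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-br0}"   # assumed DD-WRT LAN bridge name; check yours

# Constructed whitelist, one MAC per line; '#' lines are comments.
WHITELIST='
# family desktop
00:11:22:33:44:55
# SageTV server
aa:bb:cc:dd:ee:ff
'

# gen_rules [HH:MM-HH:MM] [macs allowed only inside that window]
# Emits a complete FORWARD chain: default DROP, replies to existing
# connections allowed, permanent whitelist, then time-limited entries.
gen_rules() {
    window="$1"
    timed_macs="$2"

    # Default deny for anything crossing the router. Replies to flows that
    # were allowed out are still admitted by connection tracking.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Permanent whitelist: the MAC match sees the source MAC as it arrives
    # on the LAN interface, so these rules only make sense with -i.
    printf '%s\n' "$WHITELIST" | grep -v '^#' | grep -v '^[[:space:]]*$' |
    while read -r mac; do
        $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -j ACCEPT
    done

    # Time-limited entries: accepted only between start and stop.
    if [ -n "$window" ]; then
        start="${window%-*}"
        stop="${window#*-}"
        for mac in $timed_macs; do
            $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" \
                -m time --timestart "$start" --timestop "$stop" -j ACCEPT
        done
    fi
    # Anything unmatched falls through to the DROP policy.
}

# Stand-alone use: ./whitelist.sh 16:00-21:00 "de:ad:be:ef:00:01"
gen_rules "$@"
```

Two caveats the thread already raises still apply: the rules match the source MAC, so they do nothing against a cloned address, and a factory reset with a paperclip removes them, so on DD-WRT they belong in the saved firewall script and the router itself needs to be locked away. Also check what clock the time match uses: some iptables builds compare against UTC rather than the router's local time, and newer ones accept --kerneltz to use the kernel's time zone.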