If I have a fixed external IP, I think it is possible to detect the router manufacturer from the WAN by MAC address and infer possible methods of attack (known security vulnerabilities). If this is the case, is it advisable to change the MAC address on the router to increase security?
Edit: prevent the use of a known security vulnerability of a particular manufacturer’s router.
I don’t understand your answer very well. If I search the neighboring Wi-Fi networks in the vicinity, I can also see the router manufacturer.
The MAC address must be detectable even from outside, on the internet provider’s network; some providers bind access or IP address allocation to the MAC address of the router.
Is your answer to my question Yes, No … or is it all the same, it doesn’t matter?
Is it advisable to change the router MAC address to improve the security of the router on the local internet provider’s network, and thus prevent theoretically possible misuse of a known security vulnerability?
Is your answer to my question Yes, No … or is it all the same, it doesn’t matter?
because you share the L2 network where packets are addressed by physical address.
They’ll be visible exactly within the same L2 segment, which often (almost always) means your WAN subnet. So if someone (e.g. your neighbor) is on the same network, he can see your MAC. Anyway, globally and outside of your ISP network, the MAC is not visible.
The concept of STO is well known and described and the final decision is up to you and your needs.
If you’re asking what I do with my devices that are present on the Internet, then the answer is no, I do not change MAC addresses, as I do not see any real security benefit.
I use Turris as router and firewall, so I don’t expose any Turris service to the outside world, effectively limiting the attack surface. Publicly accessible services are on other devices, which are properly updated, configured and firewalled. EDIT: so there is no way for an attacker to correlate the network card vendor with possibly known service vulnerabilities.
In IPv6 the problem is less interesting. It is addressed.
In IPv6 you are well advised to set ip6-privacy to value 2 so as NOT to reveal information that can lead back to calculating your MAC.
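As an added example (not code from the thread’s authors) of what “lead back to calculating your MAC” means: a modified EUI-64 interface identifier embeds the MAC directly, so checking your own addresses shows whether privacy extensions are actually in effect. The MAC and addresses below are constructed sample values; the sysctl and nmcli settings in the comments are the standard Linux and NetworkManager knobs for enabling temporary addresses.

```python
"""Detect whether an IPv6 address embeds a MAC via modified EUI-64 (RFC 4291).

Added example, not from the original thread. Sample MAC/addresses are constructed.
To prefer temporary (privacy) addresses on Linux:
  sysctl -w net.ipv6.conf.all.use_tempaddr=2
NetworkManager equivalent (per connection):
  nmcli connection modify <con> ipv6.ip6-privacy 2
"""
import ipaddress
from typing import Optional


def oui(mac: str) -> str:
    """Vendor prefix (first three octets) that an OUI lookup would resolve."""
    return ":".join(mac.replace("-", ":").lower().split(":")[:3])


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Insert ff:fe in the middle, then flip the universal/local bit (0x02).
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(bytes([iid[0] ^ 0x02]) + iid[1:], "big")


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address; None if the IID is not EUI-64."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None  # temporary/random IID: nothing to recover
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def leaks_mac(addr: str, mac: str) -> bool:
    """True if addr reveals exactly this interface's MAC."""
    found = mac_from_address(addr)
    return found is not None and found == mac.replace("-", ":").lower()


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"            # constructed
    eui = "2001:db8::211:22ff:fe33:4455"        # constructed, EUI-64 based
    tmp = "2001:db8::a1b2:c3d4:e5f6:1234"       # constructed, privacy-style
    for a in (eui, tmp):
        print(a, "->", mac_from_address(a), "leaks:", leaks_mac(a, sample_mac))
```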
It wouldn’t hurt to do this. If there is a zero-day available against your device, this could potentially thwart a bot running an OUI lookup from grandma’s Windows Vista desktop that she uses for her coupons in the next neighborhood over.
The only folks who will be able to see your MAC address on your public-facing router are your ISP and possibly some of the customers in your same geographic area, in the event that they are on the same public IP subnet and are able to dump the ARP table on the WAN side of their router. Generalized botnets are going to care a lot more about open ports and passwords being left at default than about MAC addresses (which they most likely won’t even be able to see).