Editing Wake-on-LAN (section)

==Security considerations==

===Unauthorized access===
Magic packets are sent via the [[Data link layer|data link or OSI-2 layer]], which can be used or abused by anyone on the same LAN, unless the L2 LAN equipment is capable of and configured for filtering such traffic to match site-wide security requirements.

Firewalls may be used to prevent [[Client (computing)|clients]] among the public [[Wide area network|WAN]] from accessing the broadcast addresses of inside LAN segments, or routers may be configured to ignore subnet-directed broadcasts.

Certain NICs support a security feature called "SecureOn". It allows users to store within the NIC a hexadecimal password of 6 bytes. Clients append this password to the magic packet. The NIC wakes the system only if the MAC address and password are correct.<ref>[https://linux.die.net/man/1/wol wol(1) - Linux man page]</ref> This security measure significantly decreases the risk of successful [[brute force attack]]s, by increasing the search space by 48 bits (6 bytes), up to 2<sup>96</sup> combinations if the MAC address is entirely unknown. However, any network eavesdropping will expose the cleartext password.

Abuse of the Wake-on-LAN feature only allows computers to be switched on; it does not in itself bypass password and other forms of security, and is unable to power off the machine once on. However, many client computers attempt booting from a [[Preboot Execution Environment|PXE]] server when powered up by WoL. Therefore, a combination of [[Dynamic Host Configuration Protocol|DHCP]] and PXE servers on the network can sometimes be used to start a computer with an attacker's boot image, bypassing any security of the installed operating system and granting access to unprotected, local disks over the network.

===Interactions with network access control===
The use of Wake-on-LAN technology on enterprise networks can sometimes conflict with network access control solutions such as [[802.1X]] MAC-based authentication, which may prevent magic packet delivery if a machine's WoL hardware has not been designed to maintain a live authentication session while in a sleep state.<ref>{{cite web |title=Understanding 802.1X Authentication with Wake-on-LAN |url=http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1133592 |work=Cisco Catalyst 6500 Release 12.2SX Software Configuration Guide}}</ref>

===Security===
Some PCs include technology built into the [[chipset]] to improve security for Wake-on-LAN. For example, [[Intel AMT]] (a component of [[Intel vPro]] technology). AMT uses TLS encryption to secure an [[Out-of-band management|out-of-band]] communication tunnel to an AMT-based PC for remote management commands such as Wake-on-LAN.<ref name="multiple-vPro-WP"/>

AMT secures the communication tunnel with [[Advanced Encryption Standard]] (AES) 128-bit encryption and [[RSA (algorithm)|RSA]] [[Key (cryptography)|keys]] with modulus lengths of 2,048 bits.<ref>{{cite web |title=Advanced Encryption Standard (AES) Instructions Set |url=http://softwarecommunity.intel.com/articles/eng/3788.htm |publisher=Intel |archive-url=https://web.archive.org/web/20080924081412/http://softwarecommunity.intel.com/articles/eng/3788.htm |access-date=6 April 2008|archive-date=2008-09-24 }}</ref><ref>{{cite web |title=Hardening Measures Built into Intel Active Management Technology |url=http://softwarecommunity.intel.com/articles/eng/3703.htm |publisher=Intel |archive-url=https://web.archive.org/web/20080320005157/http://softwarecommunity.intel.com/articles/eng/3703.htm |access-date=11 June 2008|archive-date=2008-03-20 }}</ref> Because the encrypted communication is out-of-band, the PC's hardware and firmware receive the magic packet before network traffic reaches the software stack for the operating system (OS). Since the encrypted communication occurs ''below'' the OS level, it is less vulnerable to attacks by viruses, worms, and other threats that typically target the OS level.<ref name="multiple-vPro-WP">{{cite web |title=Intel Centrino 2 with vPro technology and Intel Core2 processor with vPro technology |url=http://download.intel.com/products/vpro/whitepaper/crossclient.pdf |publisher=Intel |archive-url=https://web.archive.org/web/20081206123107/http://download.intel.com/products/vpro/whitepaper/crossclient.pdf |access-date=7 August 2008|archive-date=2008-12-06 }}</ref>

IT shops using Wake-on-LAN through the Intel AMT implementation can wake an AMT PC over network environments that require TLS-based security, such as [[IEEE 802.1X]], [[Cisco]] Self Defending Network (SDN), and [[Microsoft]] [[Network Access Protection]] (NAP) environments.<ref name="multiple-vPro-WP"/> The Intel implementation also works for [[wireless]] networks.<ref name="multiple-vPro-WP"/>