MAC Filtering for Your Wireless Network - Page 2

By Gerry Blackwell

February 10, 2011

When not to MAC filter

But if your wireless networking environment is very dynamic, with new devices being added or subtracted all the time, or you're managing a large enterprise network with thousands or hundreds of thousands of devices, the headaches involved in maintaining and constantly updating a MAC filtering table may be just too onerous to make it worthwhile.

There are tools that could make it easier, such as WPS (Wi-Fi Protected Setup). Sharony says extensions to the WPS automatic connection approach, using near field communications (NFC), could allow a network administrator to simply hold a new device near the AP and have it automatically added to the network and to a MAC filtering table at the same time. But such products don't quite exist yet.

There may also be situations where the base network population is small and/or unchanging enough to warrant using MAC filtering, but you want to occasionally or even often add guest devices - to let visitors to your office use your network while they're there, for example.

In that situation, Sharony says, many modern access points allow you to set up a second network completely separate from the main network, with a different SSID (service set identifier). The main network could be protected by a combination of encryption and MAC filtering, while the second, guest network is open.

MAC filtering instead of encryption?

Are there situations where you might want to use MAC filtering only?

"I cannot think of any situation where it would be advisable to not use encryption," Henry says. "With so many protocols and programs in use [on the Web] that are not encrypted, and with the availability of freely downloadable [hacker] tools to capture wireless traffic, it simply makes sense to encrypt wireless communications."

But Sharony says MAC filtering only might make sense when using a personal hotspot, such as one of the MiFi products from Novatel Wireless - in a moving car, for example, with family members or colleagues. These devices connect to the Net over a 3G network and then provide local Wi-Fi connectivity to a small group of computers.

"You could use it [MAC filtering] with or without encryption," he says. "Sometimes encryption is cumbersome because you have to give everybody the key."

Black list or safe list

Most of the time, you're going to want to use inclusive MAC filtering -- only allow these specified devices to connect. But there could be situations where you want to create a black list instead.

If it didn't make sense to use inclusive MAC filtering for the reasons suggested above, you might still want to make doubly sure that some devices -- personal devices owned by employees no longer with the company, for example -- could never connect. Other examples might include devices identified as having been associated with denial of service attacks in the past, or neighbors you suspect of trying to hack your network to piggyback on it for free Internet access.

Henry suggests it's a good idea to include company computers in a black list for the open guest network in your office so that none of your devices with sensitive data could accidentally be connected to the open network.

It's even possible for a network administrator to block all devices from certain vendors from connecting if they're known to have compatibility issues with your network, Sharony points out. The first two character pairs in the MAC address identify the manufacturer.
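The three kinds of rule described in this section (an inclusive list, a black list, and a vendor-wide block) can be sketched as follows. This is an added example, not code from the article or from any access point vendor. The names MacFilter, MAIN and GUEST and all sample addresses are constructed for illustration, and the vendor prefix is taken as the 24-bit IEEE OUI (the first three octets).

```python
import re

def _hex(value, length):
    """Strip ':', '-' and '.' separators; return `length` lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    if not re.fullmatch(rf"[0-9a-f]{{{length}}}", digits):
        raise ValueError(f"expected {length} hex digits, got {value!r}")
    return digits

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set: the address was assigned
    in software (e.g. a randomized address), so its prefix names no vendor."""
    return bool(int(_hex(mac, 12)[:2], 16) & 0x02)

class MacFilter:
    """mode='allow': only listed devices connect (inclusive filtering).
    mode='deny': every device connects except listed ones (black list)."""

    def __init__(self, mode, macs=(), blocked_ouis=()):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.macs = {_hex(m, 12) for m in macs}
        self.blocked_ouis = {_hex(o, 6) for o in blocked_ouis}

    def decide(self, mac):
        """Return (permitted, reason) for a device asking to connect."""
        m = _hex(mac, 12)
        if m[:6] in self.blocked_ouis:
            return False, "vendor prefix blocked"
        listed = m in self.macs
        if self.mode == "allow":
            return listed, "on allow list" if listed else "not on allow list"
        if listed:
            return False, "on deny list"
        if is_locally_administered(m):
            return True, "not on deny list; software-assigned address, review"
        return True, "not on deny list"

# Constructed sample addresses, not taken from the article.
COMPANY_LAPTOP = "00:00:5E:00:53:0A"
MAIN = MacFilter("allow", macs=[COMPANY_LAPTOP])
GUEST = MacFilter("deny", macs=[COMPANY_LAPTOP], blocked_ouis=["a4:bb:cc"])

if __name__ == "__main__":
    for net, f in (("main", MAIN), ("guest", GUEST)):
        for dev in (COMPANY_LAPTOP, "3c-aa-bb-01-02-03", "A4BB.CC00.0001",
                    "02:00:00:00:00:01"):
            print(net, dev, *f.decide(dev))
```

The guest filter keeps the company laptop off the open network, as Henry suggests. It flags software-assigned addresses for review because neither a black list entry nor a vendor prefix can match them.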

As Henry says, MAC address filtering is by no means the Holy Grail of wireless security, but it is, in many situations, a useful complement to encryption. Just be aware that it can be compromised, and pay attention to encryption best practices too.
