MAC Filtering for Your Wireless Network
February 10, 2011
It's not the be-all and end-all of Wi-Fi security, but MAC filtering can provide a layer of additional protection for your wireless network. Learn when (and when not) to use this measure on top of strong encryption.
Back before the Wi-Fi industry sorted out its problems with WEP (wireless encryption protocol), the original - and flawed - encryption security built into the technology, many experts recommended using something called MAC filtering to shore up the crumbling defenses.
Every Wi-Fi device is assigned a MAC (Media Access Control) address, a unique 12-digit hexadecimal identifier issued by the IEEE, the standards body that developed the Wi-Fi protocol. The MAC address is "baked into" the hardware and sent automatically to a Wi-Fi access point when the device tries to connect to the network.
Using the access point configuration software, you can create a safe list of allowed client devices or a black list of banned devices. If MAC filtering is activated, regardless of what encryption security is in place, the AP only allows devices on the safe list to connect, or blocks all devices on the black list - even if they have the encryption key.
With the emergence of reliable encryption protocols, including WPA2 (Wi-Fi Protected Access II), the strongest, we heard less about MAC filtering. Hackers also figured out how to circumvent it, by sniffing addresses of connected devices and then spoofing or masquerading as one of them.
So is MAC filtering a dead issue?
A layered security strategy
Not necessarily, says Jacob Sharony, principal consultant and president of Mobius Consulting, a Long Island, NY wireless consulting firm.
"A good security strategy is built on layers," Sharony says. "In most situations I definitely don't recommend only using MAC filtering -- on its own it's not going to prevent the sophisticated hacker - but it's another layer. Why not use it?"

The last is not an entirely hypothetical question. There are situations in which it makes less sense to use MAC filtering -- where, as Sharony puts it, the return in added security for your investment of effort is probably not enough.
How to do it
To set up MAC filtering, you need to create a table or database of device addresses. Each time you want to add or drop a device, you have to open the AP configuration software and make an entry in the table, adding the name of a new device and its address or deleting an entry. (Enterprise-grade APs may include command line shortcuts for doing this.)
In the consumer/small business routers many companies use, you open the browser-based configuration software by entering the router's IP address into the address bar of your browser. (Look in the product documentation, but it's often 192.168.0.1 or 192.168.1.1.)
The software will ask for a login ID and password -- the documentation will tell you the default values, which you can change later. Then look for an advanced wireless settings tab and select the option for 'MAC filtering,' 'access list' or some variation, which the documentation, again, will make clear.
What's my (MAC) address?
If you're adding a device, you first need to know its address. It's often printed on a label on the outside of the product, but isn't always. In the case of some products such as handheld phones, it may only be accessible in software on the device, but again, sometimes isn't, or is hard to find.
As a last resort, you can deactivate MAC filtering temporarily, allowing the new device to connect, and capture its MAC address from the connected devices list in the AP software.
To add a device, type a name for it in the field provided in the software, and carefully type in the 12-character address -- or paste it into the field if you were able to copy it from the browser. Make sure the "activate" checkbox is checked for MAC filtering, and that you've selected the mode you intended - black or safe list.
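The steps above (look up an address, type it carefully, pick safe-list or black-list mode, make sure the filter is actually enabled) are exactly where errors creep in. The following is an added worked example, not code from the original article or from any router vendor: a small model of an AP's MAC filter that pulls addresses out of a connected-devices listing, accepts the common ways a MAC is written (colons, hyphens, Cisco-style dots, or bare hex) and normalizes them, and then makes the allow/deny decision for both modes. The client listing is constructed sample data, and the function and class names are mine. It also goes slightly beyond the article by flagging entries whose locally-administered bit is set, since such addresses are software-assigned rather than "baked in" and may not stay stable.

```python
import re
from typing import Dict, List

# Constructed sample: the kind of "connected devices" table a consumer
# router's status page might show. Example data, not from any real device.
SAMPLE_CLIENT_LIST = """
Host           IP             MAC
laptop-01      192.168.1.10   00:1A:2B:3C:4D:5E
phone          192.168.1.11   aa-bb-cc-dd-ee-ff
printer        192.168.1.12   0011.2233.4455
"""

# Matches 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e, but not
# hex runs embedded in longer tokens.
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:"
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
    r")(?![0-9A-Fa-f])"
)


def normalize_mac(raw: str) -> str:
    """Return the canonical form AA:BB:CC:DD:EE:FF, or raise ValueError.

    Accepts colon, hyphen, dot or no separators, any letter case. Catching
    a typo here is what keeps a mis-typed entry out of the safe list.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a valid 12-digit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_macs(listing: str) -> List[str]:
    """Pull every MAC address out of a connected-devices listing."""
    return [normalize_mac(m.group(0)) for m in _MAC_RE.finditer(listing)]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned in
    software (e.g. randomized), not by the hardware vendor."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0


class MacFilter:
    """Model of an AP's MAC filter in the two modes the article describes:
    'allow' = safe list (only listed devices connect),
    'deny'  = black list (listed devices are blocked, all others pass).
    """

    def __init__(self, mode: str, enabled: bool = True):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.enabled = enabled          # the "activate" checkbox
        self.entries: Dict[str, str] = {}   # canonical MAC -> device name

    def add(self, name: str, mac: str) -> None:
        self.entries[normalize_mac(mac)] = name

    def remove(self, mac: str) -> None:
        self.entries.pop(normalize_mac(mac), None)

    def permits(self, mac: str) -> bool:
        """Filter decision only; encryption and authentication are a
        separate layer and are not modelled here."""
        if not self.enabled:
            return True
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "allow" else not listed

    def unstable_entries(self) -> List[str]:
        """Names of listed devices whose address is locally administered
        and therefore may change, breaking a safe-list entry."""
        return [n for m, n in self.entries.items() if is_locally_administered(m)]


if __name__ == "__main__":
    f = MacFilter("allow")
    for name, mac in zip(["laptop-01", "phone", "printer"],
                         extract_macs(SAMPLE_CLIENT_LIST)):
        f.add(name, mac)
    print(f.entries)
    print("unknown device permitted:", f.permits("de:ad:be:ef:00:01"))
```

Run in "allow" mode, only the three listed devices pass; flip the mode to "deny" and those three are the only ones blocked. Disabling the filter makes `permits()` return True for everything, which is the state you want to check for after the "temporarily deactivate it to learn a new address" step in the text.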
"If you are operating a wireless environment where you know the MAC addresses for the machines that should be connecting to your network and those machines do not change frequently it can be a relatively simple additional layer of security to deploy," says security consultant and private investigator Paul A. Henry of Florida-based vNet Security LLC.