It’s not the be-all and end-all of Wi-Fi security, but MAC filtering can provide a layer of additional protection for your wireless network. Learn when (and when not) to use this measure on top of strong encryption.
Back before the Wi-Fi industry sorted out its problems with WEP (wireless encryption protocol), the original – and flawed – encryption security built into the technology, many experts recommended using something called MAC filtering to shore up the crumbling defenses.
Every Wi-Fi device is assigned a MAC (Media Access Control) address, a unique 12-digit hexadecimal identifier issued by the IEEE, the standards body that developed the Wi-Fi protocol. The MAC address is “baked into” the hardware and sent automatically to a Wi-Fi access point when the device tries to connect to the network.
Using the access point configuration software, you can create a safe list of allowed client devices or a black list of banned devices. If MAC filtering is activated, regardless of what encryption security is in place, the AP only allows devices on the safe list to connect, or blocks all devices on the black list – even if they have the encryption key.
With the emergence of reliable encryption protocols, including WPA2 (Wi-Fi Protected Access II), the strongest, we heard less about MAC filtering. Hackers also figured out how to circumvent it, by sniffing addresses of connected devices and then spoofing or masquerading as one of them.
So is MAC filtering a dead issue?
A layered security strategy
Not necessarily, says Jacob Sharony, principal consultant and president of Mobius Consulting, a Long Island, NY wireless consulting firm.
“A good security strategy is built on layers,” Sharony says. “In most situations I definitely don’t recommend only using MAC filtering — on its own it’s not going to prevent the sophisticated hacker – but it’s another layer. Why not use it?”
That last question is not purely rhetorical. There are situations in which it makes less sense to use MAC filtering — where, as Sharony puts it, the return in added security for your investment of effort is probably not enough.
How to do it
To set up MAC filtering, you need to create a table or database of device addresses. Each time you want to add or drop a device, you have to open the AP configuration software and make an entry in the table, adding the name of a new device and its address or deleting an entry. (Enterprise-grade APs may include command line shortcuts for doing this.)
In the consumer/small business routers many companies use, you open the browser-based configuration software by entering the router’s IP address into the address bar of your browser. (Look in the product documentation, but it’s often 192.168.0.1 or 192.168.1.1.)
The software will ask for a login ID and password — the documentation will tell you the default values, which you can change later. Then look for an advanced wireless settings tab and select the option for ‘MAC filtering,’ ‘access list’ or some variation, which the documentation, again, will make clear.
What’s my (MAC) address?
If you’re adding a device, you first need to know its address. It is often printed on a label on the outside of the product, but not always. On some devices, such as handheld phones, it may be visible only in the device’s software settings, and even there it is sometimes missing or hard to find.
As a last resort, you can deactivate MAC filtering temporarily, allowing the new device to connect, and capture its MAC address from the connected devices list in the AP software.
To add a device, type a name for it in the field provided in the software, and carefully type in the 12-character address — or paste it into the field if you were able to copy it from the browser. Make sure the “activate” checkbox is checked for MAC filtering, and that you’ve selected the mode you intended – black or safe list.
“If you are operating a wireless environment where you know the MAC addresses for the machines that should be connecting to your network and those machines do not change frequently, it can be a relatively simple additional layer of security to deploy,” says security consultant and private investigator Paul A. Henry of Florida-based vNet Security LLC.
When not to MAC filter
But if your wireless networking environment is very dynamic, with new devices being added or subtracted all the time, or you’re managing a large enterprise network with thousands or hundreds of thousands of devices, the headaches involved in maintaining and constantly updating a MAC filtering table may be just too onerous to make it worthwhile.
There are tools that could make it easier, such as WPS (Wi-Fi Protected Setup). Sharony says extensions to the WPS automatic connection approach, using near field communications (NFC), could allow a network administrator to simply hold a new device near the AP and have it automatically added to the network and to a MAC filtering table at the same time. But such products don’t quite exist yet.
There may also be situations where the base network population is small and/or unchanging enough to warrant using MAC filtering, but you want to occasionally or even often add guest devices – to let visitors to your office use your network while they’re there, for example.
In that situation, Sharony says, many modern access points allow you to set up a second network completely separate from the main network, with a different SSID (service set identifier). The main network could be protected by a combination of encryption and MAC filtering, while the second, guest network is open.
MAC filtering instead of encryption?
Are there situations where you might want to use MAC filtering only?
“I cannot think of any situation where it would be advisable to not use encryption,” Henry says. “With so many protocols and programs in use [on the Web] that are not encrypted, and with the availability of freely downloadable [hacker] tools to capture wireless traffic, it simply makes sense to encrypt wireless communications.”
But Sharony says MAC filtering only might make sense when using a personal hotspot, such as one of the MiFi products from Novatel Wireless – in a moving car, for example, with family members or colleagues. These devices connect to the Net over a 3G network and then provide local Wi-Fi connectivity to a small group of computers.
“You could use it [MAC filtering] with or without encryption,” he says. “Sometimes encryption is cumbersome because you have to give everybody the key.”
Black list or safe list
Most of the time, you’re going to want to use inclusive MAC filtering — only allow these specified devices to connect. But there could be situations where you want to create a black list instead.
If it didn’t make sense to use inclusive MAC filtering for the reasons suggested above, you might still want to make doubly sure that some devices — personal devices owned by employees no longer with the company, for example — could never connect. Other examples might include devices identified as having been associated with denial of service attacks in the past, or neighbors you suspect of trying to hack your network to piggyback on it for free Internet access.
Henry suggests it’s a good idea to include company computers in a black list for the open guest network in your office so that none of your devices with sensitive data could accidentally be connected to the open network.
It’s even possible for a network administrator to block all devices from certain vendors from connecting if they’re known to have compatibility issues with your network, Sharony points out. The first two character pairs in the MAC address identify the manufacturer.
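As an added example (not code from this article or from any router vendor), here is a small Python model of the filter table described in the how-to section and of the safe-list / black-list modes discussed above, including blocking by vendor prefix; the prefix it keys on is the IEEE OUI, the first three octets (six hex digits) of the address. The device names and addresses are constructed, and the class and function names are the example's own.

```python
"""Constructed model of an access point's MAC filter: address normalisation,
the safe-list / black-list decision and vendor-prefix blocking.
Example code only, not any AP's or router's real implementation."""
import re

OUI_LEN = 6  # IEEE vendor prefix (OUI) = first three octets = six hex digits


def _hexdigits(value, length):
    """Strip the usual separators and require exactly `length` hex digits."""
    digits = re.sub(r"[:\-.\s]", "", value).lower()
    if not re.fullmatch(rf"[0-9a-f]{{{length}}}", digits):
        raise ValueError(f"expected {length} hex digits, got {value!r}")
    return digits


def normalize_mac(mac):
    """'00:1A:2B:3C:4D:5E', '00-1a-2b-3c-4d-5e', '001a.2b3c.4d5e' -> '001a2b3c4d5e'."""
    return _hexdigits(mac, 12)


class MacFilter:
    """mode='allow': admit only listed devices (the safe list).
    mode='deny': admit everything except listed devices (the black list).
    A blocked vendor prefix is refused in either mode."""

    def __init__(self, mode, entries=(), blocked_vendors=()):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.table = {}  # normalised address -> device name, as typed into the AP
        for name, mac in entries:
            self.add(name, mac)
        self.blocked_vendors = {_hexdigits(p, OUI_LEN) for p in blocked_vendors}

    def add(self, name, mac):
        self.table[normalize_mac(mac)] = name

    def remove(self, mac):
        self.table.pop(normalize_mac(mac), None)

    def decide(self, mac):
        """Return (admitted, reason). The AP only sees the address the client
        presents, which is why this is a layer on top of encryption, not a
        substitute for it."""
        try:
            addr = normalize_mac(mac)
        except ValueError as exc:
            return False, f"rejected malformed address: {exc}"
        if addr[:OUI_LEN] in self.blocked_vendors:
            return False, f"vendor prefix {addr[:OUI_LEN]} is blocked"
        listed = addr in self.table
        if self.mode == "allow":
            return listed, "on safe list" if listed else "not on safe list"
        return (not listed), "on black list" if listed else "not on black list"
```

A main network would use mode `"allow"` with the known company devices, while the open guest network Henry describes would use mode `"deny"` listing those same devices so they can never join it.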
As Henry says, MAC address filtering is by no means the Holy Grail of wireless security, but it is, in many situations, a useful complement to encryption. Just be aware that it can be compromised, and pay attention to encryption best practices too.