MAC address filtering is a technique that in theory prevents unauthorized computers from accessing your network. I'll explain why the theory fails.
I've read your posts on network/router security and using WPA to secure your network. I use MAC address filtering and don't use WPA. I realize that that means I must physically enter each pc/printer/tv/etc. that wants to connect to my network, but I believe that MAC address filtering is also a viable security solution (with or without WPA or WEP), though using all is probably the most secure. I haven't seen any comments from you on using MAC address filtering, could you comment on this as a security configuration please?
I do hear about MAC address filtering from time to time. At first it sounded kind of intriguing, but ultimately it turns out to be kind of like a cheap padlock - keeping only honest people honest.
It'll certainly keep the casual or accidental connection from happening, which is fine as far as that goes.
But as for true security it's actually pretty close to not having any at all.
I'll explain why.
A MAC or "Media Access Control" address is a theoretically unique identifier that is assigned to every network interface. Every ethernet port on your PC, every wireless adapter, and even every Firewire or USB connection that might also be used for networking is assigned a MAC address. And as I said they are all theoretically different - the ethernet port on my desktop machine has a different MAC address than the ethernet port on my laptop, which is different than the ethernet port on the server running in my basement.
MAC addresses are assigned at the hardware level. So, for example, if you move a network interface card (often referred to as a "NIC") from one machine to another, the MAC address moves with that card.
The MAC address uniquely identifies every machine on your network. If you know the MAC address of every computer you want to allow to connect to your network, many routers - particularly wireless routers - will allow you to restrict access to only those MAC addresses you specify. You collect the MAC addresses from all your laptops, for example (available via the "ipconfig /all" command in the Windows Command Prompt), then enter them into your router's "allowed addresses" list, and you should be secure.
In theory.
In fact, I've used "theoretically" and "in theory" a couple of times above, but there are some inconvenient facts that cause those theories, as well as some assumptions, to fall down.
MAC address filtering does not encrypt. Restricting your wireless router's access only to certain MAC addresses does not prevent your data from being sniffed. If your data is unencrypted, then that data is visible to whomever might be in range.
MAC addresses may not be unique. Many network interfaces now come with a default MAC address, but also have the ability to let you manually configure a MAC address. It's easy to then configure two network adapters with the same MAC address.
The MAC address itself is never encrypted. Even if you specify WPA encryption on your wireless connection the MAC address itself is not encrypted. It can't be, as it's required to tell the computers involved which computer is supposed to receive the packet. Your data is encrypted, of course, but the MAC address is not.
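To make that last point concrete, here is an added example (not part of the original article) that parses an 802.11 data frame whose Protected Frame bit is set: the addresses are read straight out of the header, and only the body is opaque. The frame bytes, the addresses in them and the function names are constructed for illustration.

```python
import struct

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_frame(frame: bytes) -> dict:
    """Split an 802.11 data frame into its cleartext header fields and its body."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)  # both little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    hdr_len = 24
    if (fc & 0x0100) and (fc & 0x0200):
        hdr_len += 6              # ToDS and FromDS both set: Address 4 present
    if subtype & 0x8:
        hdr_len += 2              # QoS data subtypes carry a QoS Control field
    if len(frame) < hdr_len:
        raise ValueError("truncated header")
    return {
        "protected": bool(fc & 0x4000),        # Protected Frame bit
        "receiver": fmt_mac(frame[4:10]),      # Address 1, always in the clear
        "transmitter": fmt_mac(frame[10:16]),  # Address 2, always in the clear
        "address3": fmt_mac(frame[16:22]),     # Address 3, always in the clear
        "body": frame[hdr_len:],               # CCMP header + ciphertext if protected
    }

# Constructed sample frame (not a real capture); addresses are made up.
SAMPLE_FRAME = bytes.fromhex(
    "0841"                # Frame Control: data frame, ToDS=1, Protected=1
    "2c00"                # Duration
    "020000aabb01"        # Address 1: receiver (the access point)
    "020000aabb02"        # Address 2: transmitter (the client)
    "020000aabb03"        # Address 3: destination
    "1000"                # Sequence Control
    "0100002000000000"    # CCMP header (packet number, key ID)
    "9f3c7a11d05e42b86c"  # constructed stand-in for encrypted payload
)

if __name__ == "__main__":
    info = parse_data_frame(SAMPLE_FRAME)
    print("encrypted body:", info["protected"])
    print("transmitter   :", info["transmitter"])
    print("receiver      :", info["receiver"])
    print("body bytes    :", info["body"].hex())
```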
So, let's say a somewhat knowledgeable hacker is interested in accessing your WiFi hotspot - the one on which you have MAC address filtering turned on. He need only do two things:
Sniff the network and look at the MAC addresses which are allowed access to the WiFi.
Configure his network interface to use one of those MAC addresses.
He's on; quickly and easily.
In my opinion unless you're aware of the risks above and take them into account, MAC address filtering can actually be worse than having no security at all. It can give a false sense of security which may lead you to not take additional steps that would give you true security.
Additional steps like turning on WPA encryption, which will both encrypt your data keeping it safe from sniffing, and restrict access to the wireless network to only those that have the key.
My recommendation? Use WPA: be secure, and be done with it.
Article C4350 - June 23, 2010
However, Mac Address filtering, with WPA/WEP AND a hidden SSID provides significantly more security. This allows only those that are authenticated via each level to access the hidden network. You need to know what the SSID is in order to hack it...
Posted by: Matt JJ at June 29, 2010 10:59 AM
Further, I use MAC filtering as part of my method of cutting off network access when the kids are supposed to be off-line (like on a school night).
Posted by: Matt JJ at June 29, 2010 11:01 AM
Also worth looking up how Google Street view survey cars 'accidentally' picked up network names (SSIDs) plus some of the traffic (eg e-mails) over unencrypted networks while taking their photographs. So well worth securing any wireless network ...
Posted by: Peter B at June 29, 2010 1:51 PM
There is really no practical way to "hide" your network's SSID, as some have suggested. You can certainly turn off "SSID broadcasting" on your router, but that's only half the story. While your router will no longer be shouting, "Hey, tomsnetwork here!" any wireless devices authorized to connect to the router servicing tomsnetwork will be shouting, "Hey, tomsnetwork, you there?" The result is an easily discoverable network SSID. Ergo, turning off "SSID broadcasting" on your router accomplishes nothing other than a false sense of security.
Posted by: Tom R. at June 29, 2010 6:20 PM
It is obvious that both WPA and MAC address filtering can secure my wireless network. But is MAC address filtering effective to disable the connection of another PC which uses an ethernet cable?
Posted by: karen at March 27, 2012 4:54 AM