MAC Filtering
Every device on a wireless network, by default, has a unique address that's used to identify one WNIC from another. This address is called the MAC address, which stands for Media Access Control. In theory, because every WNIC has been pre-assigned a 100% unique MAC address by the hardware vendor, an access point can be set up to only allow a preselected list of WNICs to connect. For example, the Linksys WAP11 includes a MAC filtering option in its software that will enable an administrator to define who can connect to the WLAN by listing all the allowed MAC addresses.
As you can see, this is fairly straightforward. To determine the MAC address of a network card, a user only has to go to Start > Run and perform the steps in the following sections, depending on the operating system.
To determine the MAC address of a network card in Windows NT/2000/XP/.NET, follow these steps:
- Type cmd.
- In the command window, type ipconfig /all.
- This will list the installed NICs. The MAC address is listed as the Physical Address.
To determine the MAC address of a network card in Linux (do not attempt to find Start > Run; it doesn't exist), follow these steps:
- Open the shell window.
- Type ifconfig -a.
- The MAC address will appear next to the ADDR field.
Once you have the MAC addresses of all the connecting WNICs, you can set up the MAC filtering and enable it accordingly. This will stop any connection attempts made by unauthorized addresses.
However, while this in theory is an excellent way to stop hackers from accessing your WLAN, there is a serious flaw in MAC filtering. The problem with MAC filtering is that MAC addresses can be spoofed by changing WNIC settings. For example, the Dell TrueMobile includes software that will enable a hacker to alter her MAC address to any she chooses. Thus, this option is about as useful as trying to keep people from accessing a chat room by restricting chat handle names. To bypass such a restriction, a person only has to change her name. The same applies to MAC filtering.
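As an added example (not part of the original tutorial), the following Python script extracts MAC addresses from pasted `ipconfig /all` or `ifconfig -a` output, normalizes them to one format for the access point's allow list, and sets aside any address with the locally administered bit set, which a vendor-assigned address does not have. The sample command output and the function names are constructed for illustration.

```python
import re

# Matches six hex octets separated by ':' or '-' (Linux and Windows styles).
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")

# Constructed sample output, not captured from a real host.
SAMPLE_IPCONFIG = """\
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example WLAN Adapter
        Physical Address. . . . . . . . . : 00-0C-41-AA-BB-01
"""
SAMPLE_IFCONFIG = """\
eth1      Link encap:Ethernet  HWaddr 02:11:22:33:44:55
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
"""

def normalize(mac):
    """Return the address as lowercase, colon-separated octets."""
    return mac.replace("-", ":").lower()

def extract_macs(text):
    """Return the unique MAC addresses found in command output, in order."""
    seen = []
    for match in MAC_RE.finditer(text):
        mac = normalize(match.group(0))
        if mac not in seen:
            seen.append(mac)
    return seen

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (address set in software)."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def build_allow_list(outputs):
    """Split addresses into (vendor_assigned, needs_review)."""
    allowed, review = [], []
    for text in outputs:
        for mac in extract_macs(text):
            target = review if is_locally_administered(mac) else allowed
            if mac not in allowed and mac not in review:
                target.append(mac)
    return allowed, review

if __name__ == "__main__":
    allowed, review = build_allow_list([SAMPLE_IPCONFIG, SAMPLE_IFCONFIG])
    print("allow list:", allowed)
    print("review before adding:", review)
```

The review flag only catches software-assigned addresses that set that bit; an address copied from an allowed card looks identical to the real one, which is the limitation described above.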
Why would a software/hardware vendor want to allow a user to change a MAC address? Having the power to adjust a MAC address can provide a network administrator more tools to keep control over her network. However, this increased power could also enable a malicious person to have just as much control. This is one example of how the ancient power struggle between user needs and security often plays right into a hacker's hands.
Regardless, if MAC filtering is an option, you should implement it on your WLAN. Just as with WEP, getting past MAC filtering does require a modicum of sniffing and network expertise. Thus, it can also serve as an intellectual barrier to most of the potential intruders of your wireless network.