1

Sometimes I need to configure the router and choose which devices can connect to my network (MAC address filtering). For example, limit connections to 3 specific machines. But for an advanced user, it is possible to get my MAC address and change it easily (e.g. on a Linux machine using a simple command line: `macchanger --mac xx:yy:zz:tt:aa:bb wlan0`).

According to gowenfawr, if one of my 3 machines isn't connected, it's possible for an advanced user to reconnect in its place.

To get more security features, what is the right configuration of MAC address filtering: enabled or disabled?

GAD3R
  • @gowenfawr thank you; I ask about the right configuration of MAC address filtering. – GAD3R Apr 20 '16 at 13:29
  • 5
    You ask (title and last line of question) if it provides security. The answer is no. (As such, there is no right configuration). – gowenfawr Apr 20 '16 at 13:31
  • 1
    `Is that possible for an advanced user to reconnect in its place?` It's possible for a user to connect without the first user ever leaving the network, as long as he's able to spoof the MAC of a device already allowed through the filter. Although depending on the router configuration, there may be some conflicts which would stop both the real device and the spoofed device from accessing the network correctly. – WorseDoughnut Apr 20 '16 at 13:36
  • 1
    "if one of my 3 machines isn't connected" - those devices can be DoS'd to *force* them to disconnect as well. – Shiv Aug 08 '16 at 05:58

6 Answers

5

MAC filtering doesn't provide high security. An attacker can simply see which devices (and their relative MACs) are connected to your network, and spoof one of these MACs. When he changes it to his machine, he can connect to your network without any problem. In conclusion, MAC address filtering doesn't increase your security.

  • Assuming, that is, that the intruding device has any traffic routed to it before advertising an approved MAC address. For example, a router may choose not to send traffic to the device until it has a DHCP lease associated, which allows MAC filtering to take place before the device has a chance to sniff anything. Other features such as WiFi client isolation can also have this effect, to a certain extent. – Polynomial Apr 20 '16 at 16:10
  • If your network does not have WPA enabled, no connection (in a sense of DHCP) is needed to sniff the traffic from and to all of the AP's clients. Frames travel in plaintext in radio spectrum and can be captured by anyone tuned into that particular wifi channel. – xmp125a Jan 11 '17 at 15:32
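The answer and comments above rest on the fact that the 802.11 MAC header travels outside the encryption. As an added example (not part of the original posts), this parser decodes the header of a constructed data frame whose Protected bit is set; the frame bytes and all addresses are made up for illustration.

```python
import struct

# Constructed sample: an 802.11 data frame from a station to its AP with the
# Protected bit set. Addresses and "ciphertext" bytes are made up.
SAMPLE_FRAME = bytes.fromhex(
    "0841"              # frame control: type=data, ToDS=1, Protected=1
    "2c00"              # duration
    "02aabbccdd01"      # address 1: BSSID (the AP)
    "02aabbccdd99"      # address 2: transmitting station
    "02aabbccdd02"      # address 3: final destination
    "1000"              # sequence control
    "0100002000000000"  # CCMP header (packet number, key id)
    "d1e2f3a4b5c6d7e8"  # encrypted payload (placeholder bytes)
)

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_dot11_header(frame):
    """Decode the 24-byte MAC header, which is sent outside the encryption."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data header")
    fc0, fc1, _dur, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    # Address roles depend on the ToDS/FromDS bits.
    if to_ds:
        roles = {"bssid": a1, "source": a2, "destination": a3}
    elif from_ds:
        roles = {"destination": a1, "bssid": a2, "source": a3}
    else:
        roles = {"destination": a1, "source": a2, "bssid": a3}
    out = {name: fmt_mac(addr) for name, addr in roles.items()}
    out["protected"] = bool(fc1 & 0x40)   # frame body is encrypted
    out["body_len"] = len(frame) - 24     # CCMP header + ciphertext
    return out

if __name__ == "__main__":
    print(parse_dot11_header(SAMPLE_FRAME))
```

Even with `protected` set, the station, AP and destination addresses are readable without any key, which is why an allow-list keyed on them is not an access control.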
2

You appear to have answered your own question. An advanced user can spoof a MAC address, but non-advanced users cannot.

MAC address filtering provides limited access to those who do not have the skill to spoof a MAC address.

Yuriko
schroeder
  • I think it's important to note that you will prevent undetermined users from connecting. But with determination and knowledge, they will be able to connect easily. Proper wireless authentication should be required instead. – multithr3at3d Apr 20 '16 at 15:51
  • I mention this in my answer. The OP is asking about the merits of filtering, not asking about the best methods. – schroeder Apr 20 '16 at 16:45
  • This is a really poor quality answer. It is trivial to spoof a MAC address. Anyone who can type a google search and follow even a youtube video step by step can do this. That is not an "advanced user". – Shiv Aug 08 '16 at 06:00
  • @Shiv an advanced user is one who would look to do this - it does not mean 'technologically advanced' - I was mirroring the wording used by the OP. – schroeder Aug 08 '16 at 20:47
1

MAC addresses are only relevant to the nearest hop. So you can only spoof a MAC address within a LAN. That means that someone wanting to get around any restrictions needs to connect to your network, or to a network which is directly connected to your network. i.e. the attack surface is reduced.

Like port firewalling, MAC filtering is a great way to cut down on the noise, but should not be used as a substitute for secure authentication. OTOH, (assuming this is an IP network) it's little different from restricting access by IP address.

Whether the effort of maintaining the rules is worth the benefit, is up to you.

symcbean
  • I think the OP is concerned with a Wifi access point router (as per the tags). – schroeder Apr 20 '16 at 15:18
  • I don't see how MAC address filtering reduces the attack surface. OP is clearly asking about wifi (see the wifi tag + wlan0 in example) when the machines being filtered out are directly talking to the router with MAC address filtering. The biggest problem with MAC address filtering in this scenario, is it's easy to find the allowed MAC addresses (by just listening as they are in the unencrypted header of each packet) and it's also easy to change your MAC address. IP address filtering is different, as it's not easy for non-network admins to change their IP to allowed ones (at least with TCP). – dr jimbob Apr 20 '16 at 15:19
  • Even wifi routers sometimes connect to other networks. Like that big one....what's it called again....the internet. – symcbean Apr 20 '16 at 15:40
1

As you said, MAC filtering provides an extra layer of security, as the potential attacker would need to spoof his MAC address (something he would do anyways if he doesn't want to get caught).

To provide good security for your Wi-Fi you should have MAC filtering enabled (with a white list), DHCP disabled with fixed IP for your devices (if possible), WPS feature disabled and a strong WPA/WPA2 password. Also you can set the network to not visible.

The most important thing is to have WPA/WPA2 encryption with a strong password. All the other layers are easily bypassed by a skilled attacker.

Nevado
1

While the duplicate that people have linked to does cover most of the story, there's actually a way to make MAC filtering work: enable client isolation.

Client isolation prevents individual WiFi clients from communicating with each other, effectively segregating their traffic. Since in order to know the MAC of a legitimate client you'd need to see traffic from one, this makes it rather difficult to identify a valid MAC and spoof it.

The downside of this, of course, is that your WiFi devices can't communicate with each other. This also only works if you've got no whitelisted devices on the wired LAN side and your MAC filtering doesn't differentiate between interfaces (otherwise you can just sniff a whitelisted LAN device's MAC from the WiFi, then spoof it).

There are scenarios where this kind of control makes sense, e.g. a guest network AP where your users only need to be able to reach the internet and not any internal services.

Polynomial
  • I don't think that client isolation contributes to MAC whitelisting security in a way you described it. Non-encrypted wifi traffic can be read by anyone, client isolation only prevents forwarding of frames between devices. You do not need forwarding to see others' unencrypted data! – xmp125a Jan 11 '17 at 15:36
0

A MAC address filter provides no real security, but it does provide a false sense of security. It should therefore be considered harmful.

If you need to limit access to certain devices, use WPA2. If a single pre-shared key is not sufficient for your purposes, it's not that hard (ok, ok, famous last words) to run a RADIUS server and use enterprise auth. I use OpenWRT, and it can even be configured to use a separate PSK per MAC address. That does provide security.

(It's also worth noting that even if all your allowed MACs are online, an attacker can selectively silence its radio by forging RTS/CTS frames, allowing the attacker to use its MAC.)

Reid Rankin
  • Also important to note that RADIUS-as-a-service is a thing that exists, if you prefer throwing money at the problem to rolling your own. – Reid Rankin Apr 20 '16 at 15:09
  • Concluding that it is "harmful" is an overreach – schroeder Apr 20 '16 at 15:16
  • @schroeder I have seen many examples of even self-professed power users who either think that MAC filtering is sufficient security alone or that it enhances security enough to allow them to choose easy-to-remember passwords. In these cases, turning on the MAC filter actively reduces security. Even if it is practically good enough - or even better than an easily-sharable password - for access control purposes in these scenarios, the resulting poor choice of PSK guts your expected confidentiality protection. – Reid Rankin Apr 20 '16 at 15:36
  • 2
    And that logic is an overreach. The filtering is as good as it is. Combining it with other misconceptions does not make this technical control "harmful" – schroeder Apr 20 '16 at 16:28
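The answer above mentions a separate PSK per MAC address. As an added example (not from the original post), this sketch builds such a key list, assuming hostapd's `wpa_psk_file` line format (`MAC PSK`) as the mechanism; the answer does not say which mechanism it uses, and the SSID and MAC addresses here are constructed.

```python
import hashlib
import re
import secrets

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def wpa2_psk(passphrase, ssid):
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()

def build_psk_file(ssid, macs, passphrases=None):
    """Return (file_text, {mac: passphrase}) with one 'MAC PSK-hex' line per device.

    A random 32-character passphrase is issued for every MAC that has no
    entry in `passphrases`.
    """
    issued, lines = {}, []
    for mac in macs:
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        if mac in issued:
            raise ValueError(f"duplicate entry: {mac}")
        issued[mac] = (passphrases or {}).get(mac) or secrets.token_urlsafe(24)
        lines.append(f"{mac} {wpa2_psk(issued[mac], ssid)}")
    return "\n".join(lines) + "\n", issued

if __name__ == "__main__":
    # Constructed inventory of three devices (locally administered addresses).
    text, issued = build_psk_file(
        "example-ssid",
        ["02:aa:bb:cc:dd:01", "02-AA-BB-CC-DD-02", "02:aa:bb:cc:dd:03"],
    )
    print(text, end="")
    for mac, phrase in issued.items():
        print(f"# give to owner of {mac}: {phrase}")
```

With this layout the MAC only selects which key the access point expects; a station that copies an allowed address still has to prove knowledge of that device's passphrase in the handshake.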