8

My question refers to the following article on Wikipedia: MAC Filtering.

The article states:

MAC filtering is not effective control in wireless network as attackers can eavesdrop on wireless transmissions. However MAC filtering is more effective in wired networks, since it is more difficult for attackers to identify authorised MACs.

The question is: Why would MAC filtering provide additional security in wired networks (as opposed to wireless networks)?

I am aware of the general flaws of this technique, and know about alternatives. I am only interested in the claimed difference in achieved security.

Thanks!

Karl Hardr

4 Answers

6
  • In wireless networks, the signals travel through the air; anybody can listen to them and capture the source MAC address. Therefore, it's easy for an attacker to find out the white-listed MAC addresses and impersonate them.

    Think of it this way: A group of friends talking to each other, and they only talk to people they know. When one of them says something, he always says his name in the beginning. So, for example, Jack says "Hey, I'm Jack. Today I blah blah blah". If you happen to pass by them, you can hear one of their names and use it in the beginning of your sentence. They'd think that you're Jack. (Please ignore their ability to see you and recognize your voice.)

  • In wired networks (more specifically, switch-wired networks), the signals travel through the wires from the hosts to the switch; it's much more difficult for an attacker to listen to them and capture the source MAC address.

    Think of it this way: The same situation as in the previous example, but instead of talking, the friends are sending each other post-it notes directly, hand-to-hand. You, as an outsider, have no idea what they're talking about or what their names are, so, theoretically, you cannot pretend to be one of them.

In short, what makes MAC filtering ineffective is an attacker who knows a valid MAC address. By having a valid MAC address, the attacker is able to impersonate it and "convince" the server/router/AP that he is the white-listed device.

In wireless networks it's easier to capture and acquire a valid MAC address than it is in wired networks. That's why MAC filtering is less effective in wireless networks than wired networks.

Adi
  • Thanks for your answer, and I agree: it is more difficult to eavesdrop on wired networks. But is this a property which is related to MAC filtering? – Karl Hardr Nov 01 '13 at 10:06
  • @Fab I've updated the answer to make it clearer. Yes, this property is essential to MAC filtering. Easier access to white-listed MAC addresses -> Less effective MAC filtering policy. – Adi Nov 01 '13 at 10:15
  • In wireless networks, MAC addresses are *always* in the clear - even with encryption. Though adding encryption makes it harder for someone to impersonate an authorized device, it does nothing to protect the device's MAC address from being leaked. – Iszi Nov 01 '13 at 14:37
  • @Iszi Indeed. Thanks, Iszi. I forgot that the MAC address is essential for association, and thus cannot be encrypted. – Adi Nov 01 '13 at 15:05
  • Why can't we see MAC addresses by sniffing ARP on a wired network? I can certainly see them here. – Cybergibbons Nov 01 '13 at 16:10
  • ARP requests are indeed broadcasted, so you could sniff the MAC addresses if all hosts send at least one ARP request while you are sniffing. – Lucas Kauffman Nov 01 '13 at 16:20
  • @Cybergibbons and Lucas. How are you going to be able to capture those MAC addresses if you're not part of the wired network? If MAC filtering is enabled, the switch doesn't consider you a part of the network unless you have a white-listed MAC address. – Adi Nov 01 '13 at 16:55
  • @Adnan Then again what use would the MAC be if you weren't part of the wired network? I see connectivity as a precondition. This is why I don't see an advantage of MAC-filtering in wired over wireless networks. Besides, there exist encryption standards for lower layers such as DSSS on the PHY layer. – Karl Hardr Nov 04 '13 at 21:01
  • @Fab You're not part of the network because the switch is preventing you from being part of the network due to not having a whitelisted MAC address. Once you falsify your MAC address and pretend to be the whitelisted device, then the switch will allow you to be part of the network. – Adi Nov 04 '13 at 21:17
  • @Adnan Yes, but if I understand Cybergibbons' question correctly, he only wants to observe/learn MAC addresses. As soon as you are connected to the network on the physical layer (and this is where wireless & wired are the same) you will be able to observe traffic where MAC addresses are unencrypted for addressing reasons. => You can learn a MAC address without being whitelisted by the switch as long as there is traffic. You only need to spoof/obtain a valid MAC address in order to participate actively. – Karl Hardr Nov 04 '13 at 22:07
  • @Fab Again, the switch will **prevent** you from being part of the network. You won't have the chance to observe/sniff any MAC addresses as ARP packets will not reach you. The switch is only partially enabling that port for you so it can check your MAC address, that's it. If the switch sees that you're whitelisted, then it will fully enable the port and you'll be part of the network and your ARP packets will be broadcasted and other broadcasted ARP packets will reach you. – Adi Nov 04 '13 at 22:11
  • @Adnan Ok thanks now I think I understand. So you're splitting the network so that no two hosts are using the same port on the switch. Is this common practice? I have seen many networks with several hosts connected to one switch port. – Karl Hardr Nov 06 '13 at 09:26
  • Doesn't mac reservation/filtering block those just trying to hack the SSID/Wifi if they don't do mac address sniffing? They have to sniff for transmitted mac addresses and know how to spoof from their system. Might not be high level stuff, Google-able etc, but, might be some level of security to stop basic attacks? They need the passkey either way. – James Apr 12 '21 at 01:04
3

Switches, Hubs, and Broadcast

In old-style ethernet networks connected with a hub, all packets were broadcast to all stations on the network. This is also the way wireless networks typically act today.

But in order to improve network performance, switches have largely replaced hubs in connecting stations together. Once a switch sees a packet originating from one of its physical ports, it makes a note of the sender's MAC address. From that point forward, traffic directed at that MAC address will only be sent down that one single wire, and none of the others.

This connection arrangement dramatically reduces the amount of traffic visible to a surreptitious listener. Instead of seeing all traffic on the network, the listener will only see broadcast traffic and traffic that isn't directed toward a MAC that the switch knows about.

Workaround and Additional Problems

This doesn't make MAC-spoofing impossible; a user can watch for broadcast frames (such as ARP packets) to see which MACs are allowed on the network. But once the attacker begins to use a stolen MAC, the effect on the switch becomes somewhat unpredictable and typically very unstable.

Since the policy on the switch is to only send traffic down the wire from which the MAC address was recently seen, and since two stations are now claiming the same MAC, the behavior of the switch becomes undefined. While different switches handle this situation differently, typically what you'll see is some of the traffic goes to one computer, and some of it goes to the other, depending on which one spoke last. Combine this with the continuity and acknowledgement requirements of TCP, and this makes for a largely unusable connection for both parties.

Further Mitigation

To make matters even more difficult for an attacker, "Managed Switches", typically found in higher-end network installations, can use more than just the naive algorithm mentioned above for routing ethernet traffic. Instead of determining MAC address routing by listening, these can be pre-configured by an admin to know where to expect a given MAC address to reside. This means that not only will an attacker have to find a valid MAC address, but he'll also have to plug his device into the same physical plug socket where the valid device was found. Plug your device into any other socket and it just won't work.

tylerl
  • I like your mention of large networks and resulting segmentation. This does potentially drastically reduce the attack space for the attacker (if he were to guess - then again, all he has to do is wait for traffic). This is, however, also true for wireless networks to a certain extent (see hidden node). – Karl Hardr Nov 04 '13 at 21:06
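A toy model of the switch behaviour described in tylerl's answer above (MAC learning, flooding of broadcast and unknown destinations, two stations claiming one MAC, admin-pinned ports), added here as an example and not part of the original answers. The class name, addresses and port numbers are constructed for illustration; the flap counter shows the signal a defender can alert on.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Hypothetical model; static_bindings plays the role of the managed switch's pinned table."""
    def __init__(self, ports, static_bindings=None):
        self.ports = list(ports)
        self.static = dict(static_bindings or {})  # admin-pinned MAC -> port (empty = plain switch)
        self.table = dict(self.static)             # MAC -> port the switch currently believes
        self.moves = defaultdict(int)              # MAC -> number of times it changed port

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if self.static and self.static.get(src) != in_port:
            return []                              # unknown MAC, or known MAC in the wrong socket
        if src in self.table and self.table[src] != in_port:
            self.moves[src] += 1                   # same MAC now seen on another port
        self.table[src] = in_port                  # "makes a note of the sender's MAC address"
        if dst != BROADCAST and dst in self.table:
            return [self.table[dst]]               # known unicast: one wire only
        return [p for p in self.ports if p != in_port]  # broadcast or unknown: flood

    def flapping(self, threshold=2):
        """MACs that moved between ports at least `threshold` times."""
        return sorted(m for m, n in self.moves.items() if n >= threshold)

def demo():
    # Constructed addresses and port numbers, for illustration only.
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    sw = LearningSwitch(ports=[1, 2, 3])
    seen_on_3 = []                                 # frames delivered to a silent port 3
    for in_port, src, dst in [(1, a, BROADCAST), (2, b, a), (1, a, b), (2, b, a)]:
        if 3 in sw.receive(in_port, src, dst):
            seen_on_3.append((src, dst))
    # Address a is now claimed on port 3 as well, while its owner keeps talking on port 1.
    reply_ports = []
    for in_port in [3, 1, 3, 1]:
        sw.receive(in_port, a, b)
        reply_ports.append(sw.receive(2, b, a))    # where b's reply to a is delivered
    # Managed switch with each MAC pinned to its socket.
    pinned = LearningSwitch(ports=[1, 2, 3], static_bindings={a: 1, b: 2})
    return seen_on_3, reply_ports, sw.flapping(), pinned.receive(3, a, b), pinned.receive(1, a, b)
```

On the plain switch the silent port only ever receives the broadcast frame, and replies to the duplicated address alternate between ports 3 and 1, which is the unstable connection the answer describes.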
0

One of the biggest security flaws in a wired network is DHCP. Someone social engineers their way into your building, wanders into an empty conference room or office, and plugs their laptop into the wall. They get an IP automatically, and can exploit anything that may happen to be unsecured on your local network.

The best way to combat this is to only assign addresses based on known systems, and the most accepted way of doing that is via MAC address. Getting a valid MAC address off the network is challenging: if you're already on the network, you might be able to sniff one out with NMAP, but then you're stuck, since that address is already claimed. You'd have to find that machine or force it offline to spoof its MAC, and steal the IP address. If you're not on the network, then you're forced to try to exploit a local machine, and having done that, why wouldn't you just use that machine?

With wireless, you're either dealing with a completely unsecured connection, in which case you don't care what's going on with the computer or the switch, or you're dealing with an encrypted connection which is orders of magnitude more secure than the DHCP/MAC thing. In either case the MAC address is unimportant.

Satanicpuppy
-1

It is not true that you can't eavesdrop MACs on wired networks. ARP who-has messages are broadcast messages. MAC filtering provides no security at all.

Daniel