The pitfalls of MAC filtering

Why MAC filtering isnt a lone solution

If you’re familiar with 802.11b wireless networking, you’ve no doubt heard the horror stories about how weak Wired Equivalent Privacy (WEP) is. In the rush to move away from WEP and its supposed weakness, many organizations have implemented Media Access Control (MAC) filtering as their sole wireless access point (WAP) security measure. What they may not know is that MAC filtering is extremely ineffective as a sole security measure. In reality, relying on MAC filtering to protect your wireless network is pretty much the same as leaving the front door open and asking an intruder to come on in and stay a while. In this Daily Feature, I’ll show you how MAC filtering works and describe some of its pitfalls.

MAC filtering basics
Before I discuss why MAC filters aren’t the perfect security solution, let's examine what MAC filters are and how they work. MAC filtering is the process of configuring an access point with a list of MAC addresses that will either be allowed or not allowed to gain access to the rest of the network via that WAP. The most common configuration has a list of allowed MAC addresses—the trusted and known MAC addresses that are supposed to be on the wireless LAN.

Exactly where you enter the allowed MAC addresses varies, depending on the WAP you use. Normally you’ll enter this information into the WAP’s configuration utility, usually from a Web-based interface, although you can also do it from a console session or some other form of remote control. No matter how it's done, the end result is a list of MAC addresses that you use to allow or disallow access.

In Figure A, which was generated from a Cisco 1200 AP, you can see quite a few clients making connections to the WAP. Some are merely authenticated, while others are completely associated. In wireless-speak, “to authenticate to a WAP” simply means to announce your identity to the other station—in this case, the AP.

Figure A
Clients can be either authenticated or associated.

Authentication can take place using either open system or shared key (WEP) methods. To be associated with a WAP implies that the client is fully connected to the WAP and is now allowed to pass traffic through the AP. In short, the client now has complete access to the rest of the network, both wireless and wired. MAC filters act to keep unauthorized clients from becoming associated with the WAP.

An open door to intruders
The problem comes when an intruder wants to gain access to your network and has decided to sniff your wireless network traffic. Sitting in your parking lot or some other easily accessible location, an intruder armed with the right hardware and software can easily sniff your wireless network and capture all packets sent to and from your access points. The captured data packets contain all the information the intruder needs to make a connection to your wireless LAN. This information includes the following:
  • Authorized MAC addresses
  • IP addresses
  • IP subnets
  • Wireless LAN SSIDs

The intruder can easily configure a wireless device with a captured IP address and subnet in the device’s TCP/IP Properties window. Configuring captured SSIDs varies from one type of NIC to another, but it’s done from within the configuration software provided with the NIC—again, a very easy configuration to make.

The tricky part comes in spoofing the MAC address itself. However, even an unskilled attacker can spoof a MAC address by making one quick registry edit. Using the Registry Editor, all the attacker has to do is check the value of the NetworkAddress key, as shown in Figure B.

Figure B
A place to reconfigure the MAC address of the rogue NIC

If the NetworkAddress string value doesn’t already exist for the NIC, or if it’s blank, Windows reads the MAC address from the NIC’s firmware. Entering a captured MAC address into the NetworkAddress string value for the rogue NIC tells Windows to use this MAC address for all communications emanating from the NIC. This registry setting only works if the NIC in the attacker’s wireless device uses a PCI bus. This rules out most Flash Card-based NICs, but all PCMCIA cards, which appear on most laptops, use this bus.

After reconfiguring the rogue NIC with the stolen MAC address of an authorized client, the intruder will be able to seamlessly associate with the WAP, which knows no different and is doing its job as it was configured to. If an attacker steals the MAC address during the day and doesn’t use it until later—after the authorized user has left for the day—then the odds that the intruder will ever be caught are small.

Defense in depth
Just about all 802.11b access points support MAC filtering in addition to WEP. When used together, they form a pretty good security solution that will stop all but the most experienced and determined intruders. But MAC filtering alone won’t cut it—even a relatively inexperienced attacker can get by it in 10 minutes or so.

So what do you do if you’re responsible for a SOHO wireless network? You basically have two choices: 1) upgrade to wireless hardware that supports the Temporal Key Integrity Protocol (TKIP), which provides strengthening corrections for WEP, or 2) implement security by using both WEP and MAC filtering. For large, enterprise-level solutions, you should talk to your hardware vendor for a supported solution that increases your security. No matter what you do, don't go another day relying on only MAC filtering to keep intruders out of your network.

Editor's Picks

Free Newsletters, In your Inbox