Security Through Obscurity: MAC Address Filtering ( Layer 2 Filtering )

by on February 17, 2009 · 14 comments· LAST UPDATED February 18, 2009


MAC filtering (layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a particular MAC address on a network, just as they can block an IP address. One can deny or allow traffic from a MAC address such as 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure a LAN or wireless network and its devices. Is this technique effective?

Short answer - NO.

Long answer

Personally, I do not use or recommend MAC address based filtering. A MAC address can be easily spoofed under each and every operating system out there, so I wonder why anybody would want to use MAC-based filtering. You can just as easily filter by IPv4 or IPv6 address. My formula for filtering and controlling bad stuff is as follows:

For Servers:

  1. Throttle network connections using the firewall, operating system control mechanisms, and application control mechanisms.
  2. Set a connection rate per IP; do not allow unlimited access to any public service.
  3. Drop abusing netblocks at the router / edge level.
  4. Drop bad IPs using an Iptables / pf firewall. Use a DMZ if required. Use a proxy layer if required.
  5. Disable unwanted services.
  6. Monitor public services using open source tools, an IPS and/or custom scripts.
  7. Default policy: deny all and open only the required ports; apply a least privilege policy to all applications, users and anything else that can communicate over the network.
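As an added example (not code from the original post), the following script turns the server checklist above into a reviewable iptables ruleset: default-deny, only the required ports opened, a per-source-IP cap on new connections, and abusing netblocks dropped first. The ports, netblocks and rate are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: emits an iptables ruleset that
# implements the checklist above (default-deny, open only required ports,
# per-source-IP cap on new connections, drop abusing netblocks).
# Ports, netblocks and the rate are constructed sample values, not from the post.

ALLOWED_TCP_PORTS="22 80 443"                     # required public services (assumed)
BAD_NETBLOCKS="198.51.100.0/24 203.0.113.0/24"    # constructed sample, RFC 5737 ranges
NEW_CONN_PER_MIN=30                               # new connections per source IP per minute (assumed)

# emit_rules prints one iptables command per line and changes nothing,
# so the ruleset can be reviewed before it is applied.
emit_rules() {
    # Step 7: default policy deny all; only explicitly opened ports get through.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"

    # Steps 3 and 4: drop abusing netblocks / bad IPs before any service rule.
    for net in $BAD_NETBLOCKS; do
        echo "iptables -A INPUT -s $net -j DROP"
    done

    # Steps 1, 2 and 7: open required ports, but cap NEW connections per
    # source IP with hashlimit so no single address gets unlimited access.
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW" \
             "-m hashlimit --hashlimit-name p$port --hashlimit-mode srcip" \
             "--hashlimit-above $NEW_CONN_PER_MIN/minute -j DROP"
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# apply_rules runs the emitted commands; requires root and the iptables binary.
apply_rules() {
    emit_rules | sh -e
}

# rule_count returns how many iptables commands the ruleset contains.
rule_count() {
    emit_rules | grep -c '^iptables '
}

if [ "${1:-}" = "apply" ]; then apply_rules; else emit_rules; fi
```

Run it without arguments to review the generated rules; run it as root with `apply` to load them.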

For Wireless Networks and Desktops:

  1. Always use WPA / WPA2 with TKIP or AES encryption and a strong passphrase.
  2. Change your passphrase every month.
  3. Disable stupid UPnP.
  4. Disable your wireless router's remote management and ssh / telnet port features.
  5. Turn on the firewall, port scan and DoS protection.
  6. Windows / Mac OS X users should always use an anti virus and a firewall / internet security suite. Always keep your operating system and virus databases up to date.
  7. Use a VPN or SSH while communicating with Linux / Windows servers.
  8. Use the secure SMTP, IMAP or POP3 versions for email communication. Most ISPs and free services such as Gmail support secure versions of the email protocols.

Personally, if I found anyone breaking the security policies, I would warn them. In some cases I recommend firing them. I don't care whether it is a small breach or anything else: if you are willing to break the IT security policies, why should you be trusted? Hire a third party or consultant to evaluate your current security policy.

What do you think? Do you use MAC based filtering?


1 VonSkippy February 17, 2009 at 10:36 pm

“Change your paraphrase every month”

Shouldn’t that be “Change your PASSphrase every month”?

And no, Mac Filtering is pretty much a waste of time since it’s so easy to bypass.


2 nixCraft February 18, 2009 at 7:45 am

@VonSkippy,

Thanks for the heads up.


3 mhernandez February 18, 2009 at 8:08 am

I use MAC filtering just as an additional security measure. As you could’ve mentioned,

ifconfig wlan0 hw ether 12:34:56:78:9a:bc

will do the trick, but my home network is easy enough to configure, so I don’t see why not make my AP a little bit more secure.


4 ble February 18, 2009 at 8:22 am

In most networks it’s also easy to just change your IP, usually easier than changing your MAC address; not everyone can use “ip verify” from Cisco :p

If you know a good way to not allow changing IPs, please tell me.


5 nixCraft February 18, 2009 at 8:30 am

@ ble,

Use an authenticated, password-protected gateway to provide access to the office and to people working from home. BSD authpf or an expensive Cisco device can do the job. This is what we do at work. You will get access to the Intranet, LAN and server racks only after you authenticate yourself. We do not use IP / MAC (layer 2 / 3) based filtering at all. To make authentication harder we use RSA keys. So the password is like password+RSAKey. The RSA key changes every 10 / 30 seconds. So you have to specify a unique password for each login.

@mhernandez
Try authpf or an Authentication Gateway using iptables. No need to spend your time with stupid MAC filtering.


6 Tudorminator February 18, 2009 at 11:23 am

I use MAC filtering in addition to the other measures. The way I see it, it’s just like another password, on top of all the others. Anyone trying to get access to the network would have to know the allowed MAC addresses in order to spoof them. Are you saying that it is possible to somehow obtain the list of allowed MACs from the firewall/router?


7 Tapas Mallick February 18, 2009 at 12:12 pm

Will you please publish on “Throttle network connections” and “Set connection rate per IP” in any upcoming article on IPTABLES based firewalls?
Regards,
Tapas


8 loophole February 18, 2009 at 1:15 pm

I see little point in doing MAC filtering firewall-wise because MACs are too easy to spoof. But for small networks there is a quite simple solution. Just set a static MAC address using the “ip” command on Linux. But you also need fixed IPs for that.

On a switch, MAC filtering per port is a nice feature I got on my ProCurve 2626. Once you have a MAC set for a port, no other MAC is allowed on that port.

Greetings


9 ZebraSnarl February 18, 2009 at 4:33 pm

Tudorminator:
If someone wanted to get the MAC addresses from your network, all they would have to do is ping the clients with an app like arping.

In the dorm days, I installed Win98 on a PC for a buddy. The authentication software was not supported on Win98, so we spoofed MAC addresses to get him on the network.


10 Superhuman February 19, 2009 at 5:46 am

For one, don’t let your wireless AP do DHCP; don’t do DHCP on your LAN at all. Statically assign all IPs.
Use a non-standard private network, e.g. 10.5.0.1. It makes it harder for outside people to guess your configuration.
Only allow certain IPs access to the outside, by putting a firewall box between the wireless AP and the LAN, or between the LAN and the router. Have ACLs, always have ACLs.

Wireless is insecure, no matter how good your security is.


11 ezeze5000 February 22, 2009 at 2:29 am

This could be something else that might help.
If you only need wireless at certain times, you might try just turning off the wireless when it’s not needed. That will narrow the window of opportunity for unauthorized access.
Multiple layers of protection can’t hurt.
Just my 2 cents worth.


12 Tudorminator February 27, 2009 at 11:22 am

@ZebraSnarl:
arping works only in the context of the local network, as detailed here. There are no concerns there; I have complete control over the machines inside my network. I was asking if there’s any way that someone outside my network would be able to probe my wireless router and somehow get the list of MAC addresses it allows to connect.


13 miguimon March 14, 2009 at 5:48 am

Hey:

Yeah, I am sure there is a way to get at least some MAC addresses on your wireless network from outside. For example, you could use the aircrack-ng suite: using airodump-ng you start monitoring the target by channel or AP, and if you are lucky enough you will get active clients with their corresponding MACs.

I use MAC address filtering as well as an extra protection measure to protect my wireless network, but I know it is totally useless if you have little knowledge.


14 Stupid Sr. Software Engineer March 31, 2009 at 4:53 pm

Ooo RSA Keys! Love ‘em. What I’d really like is if it could change the password every 2 or 3 nanoseconds. Plus our I.T. group has implemented a REAL firewall. They dug a trench around our server and poured gasoline in there and set it ablaze. Then put a razorwire fence around that. Our system is the pinnacle of security now. NOBODY gets in… EVER. I love our I.T.
I used to have an 11 character password with mixed case / numbers / special characters. To brute force my password would require tens of trillions of attempts. And it was locked in my head, and I could type it in a flash. Now my password has to change every month and the only way I can remember it is if I WRITE IT DOWN.

I used to keep a post-it note under my keyboard or on my screen with Username and Password… Oh, it wasn’t really my username and password. I just like to piss off I.T. snoops. What could be better than feeding a potential threat disinformation.
