There are two kinds of network adapters. A wired adapter lets a computer set up a connection to a modem or router via Ethernet, whereas a wireless adapter identifies and connects to remote hot spots. Each adapter has a distinct label known as a MAC address, which recognizes and authenticates the computer. A MAC address is shown in the format 00:00:00:00:00:00 or 00-00-00-00-00-00.
About and working:
MAC filtering is a security method based on access control. In this, each adapter is assigned a 48-bit address, which is used to determine whether we can access a network or not. It helps in listing a set of allowed devices that you need on your Wi-Fi and a list of denied devices that you don’t want on your Wi-Fi. It helps in preventing unwanted access to the network. In other words, we can deny-list or allow-list certain computers based on their MAC address. We can configure the filter to allow connection only to those devices included in the white list. White lists provide greater security than denied lists because the router grants access only to selected devices.
It is used on enterprise wireless networks having multiple access points to prevent clients from communicating with each other. The access point can be configured to only allow clients to talk to the default gateway, but not other wireless clients. It increases the efficiency of access to a network.
The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to choose which devices can connect to your network. The router has a number of functions designed to improve the security of the network, but not all are useful. MAC address filtering may seem advantageous, but it has certain flaws.
On a wireless network, a device with the proper credentials, such as the SSID and password, can authenticate with the router and join the network, where it gets an IP address and access to the internet and any shared resources.
MAC address filtering adds an extra layer of security that checks the device’s MAC address against a list of agreed addresses. If the client’s address matches one on the router’s list, access is granted; otherwise, it doesn’t join the network.
Steps for MAC filtering –
- Set a list of allowed devices. Only those MAC addresses which are on the list will be provided services by the DHCP.
- Set a list of denied devices. The MAC addresses which are on the denied list will not be granted service by DHCP.
- If the MAC address is on both the allowed and denied list then it will be denied the service.
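The three rules above can be written as a small decision function. This is an added example, not code from any router or DHCP server; the `MacFilter` class, its method names and the sample addresses are assumptions made for illustration. It accepts both written formats of a MAC address and applies deny-over-allow precedence.

```python
import re

# Six hex octets joined by one consistent separator (":" or "-").
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return re.sub(r"[:-]", "", text).lower()

class MacFilter:
    """Hypothetical allow/deny filter; each list can be enabled separately."""

    def __init__(self, allow=(), deny=(), allow_enabled=True, deny_enabled=True):
        self.allow = {normalize_mac(m) for m in allow}
        self.deny = {normalize_mac(m) for m in deny}
        self.allow_enabled = allow_enabled
        self.deny_enabled = deny_enabled

    def decide(self, claimed_mac):
        """Return (granted, reason) for the address a client presents."""
        try:
            mac = normalize_mac(claimed_mac)
        except ValueError:
            return False, "malformed address"
        # Deny is checked first, so an address on both lists is refused.
        if self.deny_enabled and mac in self.deny:
            return False, "on deny list"
        if self.allow_enabled and mac not in self.allow:
            return False, "not on allow list"
        return True, "permitted"

# Constructed sample addresses; the second one is on both lists.
FILTER = MacFilter(
    allow=["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"],
    deny=["00:1a:2b:3c:4d:5f", "DE:AD:BE:EF:00:01"],
)

if __name__ == "__main__":
    for mac in ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f",
                "00:1a:2b:3c:4d:60", "001a.2b3c.4d5e"]:
        print(mac, FILTER.decide(mac))
```

The decision depends only on the address the client presents, so any device presenting an allowed address gets the same answer.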
To enable a list of allowed devices, denied devices, or both, follow the steps given below.
- Go to the DHCP console, right-click the IPv4 node, and click Properties.
- On the filter tab, review the current filter configuration details, then use an allow list by selecting “Enable Allow List” and use a deny list by selecting “Enable Deny List”.
- Click OK and save changes.
Updating MAC filtering:
Note that if MAC Filtering is enabled on a wireless router and a wireless device’s MAC address has not been entered, that device will not be able to connect to the router.
We do not need to enable MAC Filtering if it is already disabled for troubleshooting purposes. Router manufacturers are more knowledgeable in this field.
What to Do –
- Go to your router settings.
- In the router’s settings, locate the tab or setting “MAC Filtering.” This is found within a router’s “Wireless” or “Wireless Security” options. In some routers, MAC Filtering may also be referred to as “MAC Address Control,” “Address Reservation,” or “Wireless MAC Authentication.”
- If MAC Filtering is on or enabled, add the Nintendo system’s MAC address to the list of allowed devices and save or apply this change. If you do not want MAC Filtering on for your network, turn it off or disable it.
Note – You can enable the MAC filter on a Linksys Wireless-N router through the Wireless > Wireless MAC Filter page. We can do this on NETGEAR routers through ADVANCED > Security > Access Control and on D-Link routers through ADVANCED > NETWORK FILTER.
Applications of MAC filtering in computer networks:
- Access control: MAC filtering can be used to restrict access to a network by only allowing devices with authorized MAC addresses to connect. This can help prevent unauthorized access to the network and improve network security.
- Parental controls: MAC filtering can be used by parents to restrict access to the internet for their children by allowing only specific devices to connect to the network.
- BYOD policies: MAC filtering can be used to implement Bring Your Own Device (BYOD) policies in organizations. By allowing only authorized devices to connect to the network, organizations can ensure that only approved devices are used to access corporate resources.
- Guest access: MAC filtering can be used to provide guest access to a network by allowing only specific devices to connect. This can help improve security and prevent unauthorized access to the network.
- Wireless networks: MAC filtering can be used to secure wireless networks by allowing only authorized devices to connect to the network. This can help prevent unauthorized access to the network and protect sensitive data.
- Network monitoring: MAC filtering can be used to monitor network traffic by allowing only specific devices to connect and tracking their activity on the network.
- Compliance: MAC filtering can be used to enforce compliance with security policies and regulations by ensuring that only authorized devices are allowed to connect to the network.
- Traffic management: MAC filtering can be used to manage network traffic by limiting the number of devices that are allowed to connect to the network at any given time.
- Troubleshooting: MAC filtering can be used to troubleshoot network connectivity issues by identifying unauthorized devices that may be causing problems on the network.
- Remote management: MAC filtering can be used to provide remote management capabilities for network devices by allowing only specific devices to connect to the network and access network resources.
- IoT device security: MAC filtering can be used to secure Internet of Things (IoT) devices by allowing only authorized devices to connect to the network and access IoT resources.
Disadvantages of MAC filtering:
- It is time-consuming and tedious, especially if you have a lot of Wi-Fi-enabled devices, as you will need to get the MAC address of every device. The list of allowed devices must be modified whenever we purchase a new computer or mobile device or whenever we want to grant permission to a new device.
- Two MAC addresses should be added for each PC, one for the wired adapter and one for the wireless adapter.
- It won’t protect against hackers who know what they are doing. But you can use it for kids to disallow access as they don’t have adequate knowledge.
- It can make the network less secure because now the hacker doesn’t have to crack your WPA2-encrypted password at all.
- Limited effectiveness: MAC filtering is not foolproof and can be easily bypassed by experienced hackers who can spoof or change their MAC addresses. Additionally, some devices may allow users to change their MAC addresses, making it difficult to control network access.
- Compatibility issues: Some devices may not be compatible with MAC filtering or may have issues connecting to the network if their MAC address is not properly configured. This can cause connectivity issues and may require additional troubleshooting.
- Increased network management complexity: Maintaining a list of authorized MAC addresses can be time-consuming and difficult to manage, especially for larger networks with many devices. Additionally, it can be challenging to identify and remove unauthorized devices from the network.
- False sense of security: Relying solely on MAC filtering can give a false sense of security as it is just one layer of network security. It is important to also use other security measures such as encryption, strong passwords, and firewalls to protect the network from threats.
By examining packets with Wireshark, hackers with a toolset like Kali Linux can access the network: they can get the MAC addresses of allowed devices, change their own device’s MAC address to an allowed MAC address, and connect posing as that device. They can use a “deauth” or “deassoc” attack that forcefully disconnects a device from a Wi-Fi network, or use aireplay-ng to send disassociation packets to the clients, and then connect in the device’s place. However, MAC addresses of wireless clients can’t truly be changed because they’re encoded in the hardware. But some critics spotted that MAC addresses can be faked. All an attacker needs to do is to know one of the valid addresses. They don’t have to break the encryption to access your network or crack your WPA2-encrypted password. They just have to pretend to be a trusted computer.
MAC filtering will prevent average hackers from gaining network access. Most computer users don’t know how to spoof their MAC address, let alone find a router’s list of approved addresses. Unlike domain filters, MAC filters do not stop traffic from flowing through the network.
A general doubt that arises is how hackers can get our MAC address if they can’t connect to the network. It is a weakness of Wi-Fi that even on a WPA2-encrypted network, the MAC addresses on those packets are not encrypted. This means that anyone with network sniffing software installed and a wireless card in range of your network can easily grab all the MAC addresses that are communicating with your router.
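Because an allowed address can be observed and reused as described above, a defender can watch for one MAC address behaving like two devices. The following is an added example, not part of the original article: the log format, field names and addresses are constructed for illustration, and both checks are heuristics (a MAC associated on two access points at once, and a MAC whose DHCP hostname changes).

```python
from collections import defaultdict

# Constructed sample log (not from a real device): time, access point,
# client MAC, event, and the hostname the client sent in its DHCP request.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ap=ap-1 mac=00:1A:2B:3C:4D:5E event=assoc host=anna-laptop
2024-05-01T09:05:00 ap=ap-1 mac=00:1a:2b:3c:4d:5f event=assoc host=tv
2024-05-01T09:30:00 ap=ap-2 mac=00:1a:2b:3c:4d:5e event=assoc host=desktop-7f3
2024-05-01T09:40:00 ap=ap-1 mac=00:1a:2b:3c:4d:5f event=disassoc host=tv
2024-05-01T09:41:00 ap=ap-2 mac=00:1a:2b:3c:4d:5f event=assoc host=tv
"""

def parse_line(line):
    """Split one log line into a dict with keys time, ap, mac, event, host."""
    stamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["time"] = stamp
    record["mac"] = record["mac"].lower()
    return record

def find_suspect_macs(log_text):
    """Return {mac: [reasons]} for MACs that appear to be used by two devices."""
    active = defaultdict(set)     # mac -> APs where it is currently associated
    hostnames = defaultdict(set)  # mac -> DHCP hostnames seen so far
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        mac, ap = rec["mac"], rec["ap"]
        if rec["event"] == "disassoc":
            active[mac].discard(ap)
            continue
        elsewhere = sorted(active[mac] - {ap})
        if elsewhere:  # a clean roam would have disassociated first
            findings[mac].append(f"{rec['time']} on {ap} while still on {elsewhere}")
        active[mac].add(ap)
        if hostnames[mac] and rec["host"] not in hostnames[mac]:
            findings[mac].append(f"{rec['time']} hostname changed to {rec['host']}")
        hostnames[mac].add(rec["host"])
    return dict(findings)

if __name__ == "__main__":
    for mac, reasons in find_suspect_macs(SAMPLE_LOG).items():
        print(mac, reasons)
```

In the sample, the address ending in 5e is flagged twice, while the address ending in 5f roams between access points cleanly and is not flagged.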
Other solutions to the problem –
- A better solution to control outsiders who want to connect to your network is to use a guest Wi-Fi network. It will allow you to let others connect to your network, but not let them see anything on your home network. You can purchase a cheap router and attach it to your network with a separate password and separate IP address range to do this.
- WPA2 encryption is sufficient as it is very difficult to crack. But the key is to have a strong and long password. If someone cracks your WPA2 encryption, they don’t have to make the effort to trick MAC filtering. If an attacker is confused by MAC address filtering, they won’t be able to break your encryption.
Does MAC Address Filtering Improve Network Security?
Theoretically, the likelihood of stopping malicious network activity increases when a router checks this connection before admitting devices. But by examining packets with Wireshark, hackers using a toolset such as Kali Linux can access the network because they can get the MAC addresses of approved devices; the attacker can then change their device’s MAC address to an allowed MAC address and connect by posing as that device. They can use the “deauth” or “deassoc” attacks, which forcefully disconnect a device from a Wi-Fi network, or they can use aireplay-ng, which sends disassociation packets to clients and then connects in the device’s place.
On the other hand, the MAC addresses of wireless clients can’t be changed because they are encoded in the hardware. However, some critics have pointed out that MAC addresses can be faked. An attacker only needs to know one of the valid addresses. They don’t have to break the encryption or crack your WPA2-encrypted password to gain access to your network. The attackers need to pose as a trusted computer.
A common question is how these hackers got our MAC address if they couldn’t connect to the network. Even on a WPA2-encrypted network, the MAC addresses on those packets are not encrypted. This means that anyone with network sniffing software and a wireless card in range of your network can easily capture all of the MAC addresses talking to your router.