The modern-proof alternative to MAC address filtering


If you’re an IT manager, you’ve probably heard of MAC address filtering. Many organisations still use it to manage network access: devices whose MAC addresses are on a whitelist are let in, everything else is kept out. Pretty clever, right? Well, no. MAC address filtering is far from safe, because a MAC address is very easy to spoof, so an attacker can join the network unnoticed. Worse, because MAC address filtering gives companies a false sense of security, it makes them extra vulnerable to breaches. So what is the modern-proof alternative? We’ll tell you in this article.


Recap: what exactly is a MAC address?

MAC address stands for Media Access Control address. It’s assigned to each network interface card when it’s manufactured and serves as a permanent, physical identifier for that network interface on a local network. Without a MAC address, no communication on the local network can take place. This applies to computers, phones, tablets and printers, but also to a router or an Apple TV. Devices can have two or more network interface cards. For example, a device with an Ethernet port and a Wi-Fi adapter has two MAC addresses: one for the Ethernet connection and one for the wireless connection. At a higher layer, MAC addresses are mapped to IP addresses, which let your device communicate on the Internet.

A MAC address is 48 bits long and is usually written as six pairs of hexadecimal digits separated by colons or hyphens, or as three groups of four digits separated by dots (Cisco notation). The first half (M) identifies the manufacturer, the second half (S) is assigned by that manufacturer to the individual interface:

  • MM:MM:MM:SS:SS:SS
  • MM-MM-MM-SS-SS-SS
  • MMMM.MMSS.SSSS


MAC address filtering

In local networks, companies can use MAC addresses to make access whitelists or blacklists. This is called MAC address filtering. Basically, one or more network access servers, like switches or Wi-Fi access points, are configured with a whitelist that’s then used to allow or deny a device access to the network. This is why MAC address filtering is sometimes called MAC address authentication, as if it were an authentication method. Many people therefore think of MAC address filtering as a quite decent solution to IT security problems. “Sure,” they’ll tell you, “it might not be perfect, but it’s still something.”

“Often, users have a false sense of security by setting up MAC address filtering, which tells attackers that the network security is not strictly managed”


Worse than nothing

Strangely enough, it’s well known that MAC address filtering has almost no effect against today’s cyber-attacks targeting companies. In fact, it doesn’t even slow an attacker down. What’s worse, administrators often get a false sense of security from setting up MAC address filtering, while it actually signals to attackers that network security is not strictly managed. Another reason why MAC address filtering is dangerous is the ease of impersonation. MAC addresses are never encrypted on the network (not even on an encrypted Wi-Fi network, where only the payload is protected), so outsiders can read them simply by capturing frames from the wireless LAN. Tools to change a MAC address are freely distributed on the Internet. In other words, a malicious attacker can effortlessly get past the filter just by using such a tool to “spoof” (falsify) the MAC address. You might say MAC address filtering is worse than taking no measures at all!

But there’s more. To protect users’ privacy, more and more manufacturers are abandoning the single, fixed MAC address per device in favour of randomised MAC addresses that change regularly. This prevents tracking based on MAC addresses, but it also makes MAC address filtering impossible. After all, you can’t keep a whitelist of MAC addresses when they change every three hours.
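The following is an added example, not code from the original article: it normalises the three MAC notations listed above, flags whitelist entries that are randomised (locally administered) and will therefore rotate, and shows the only spoofing signal a MAC-only filter can give a defender, namely the same address learned on two switch ports at once. The whitelist and switch observations are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed whitelist and switch observations for the demo (not from the article).
WHITELIST = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60",
             "d6:12:34:56:78:9a", "not-a-mac"]
# (switch port, MAC learned on that port), as a switch's MAC address table records them
OBSERVED = [("Gi1/0/1", "00:1a:2b:3c:4d:5e"), ("Gi1/0/7", "00:1A:2B:3C:4D:5E"),
            ("Gi1/0/2", "001a.2b3c.4d5f")]

def normalise_mac(text):
    """Collapse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits

def is_locally_administered(mac):
    """Bit 1 of the first byte is the U/L bit. Randomised (privacy) MACs set it, so they
    carry no manufacturer identity and will change, which quietly breaks a whitelist."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)

def audit_whitelist(entries):
    """Classify each whitelist entry; none of the classes amounts to an authenticated identity."""
    report = {}
    for entry in entries:
        try:
            mac = normalise_mac(entry)
        except ValueError:
            report[entry] = "invalid"
            continue
        if int(mac[:2], 16) & 0x01:          # I/G bit: multicast/broadcast, never a host
            report[entry] = "multicast, never a host"
        elif is_locally_administered(mac):
            report[entry] = "randomised/locally administered, will rotate"
        else:
            report[entry] = "vendor-assigned, static but unauthenticated"
    return report

def find_duplicate_macs(observations):
    """A MAC learned on two ports at once means two devices claim the same address. This is
    the only signal a MAC-only filter can offer, and it arrives after access was granted."""
    ports = defaultdict(set)
    for port, mac in observations:
        ports[normalise_mac(mac)].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}

if __name__ == "__main__":
    for entry, verdict in audit_whitelist(WHITELIST).items():
        print(f"{entry:20} {verdict}")
    print("duplicates:", find_duplicate_macs(OBSERVED))
```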


So, then what should you do?

First of all, we advise you to stop relying on MAC address filtering. It’s becoming more and more useless, and in the near future the method will disappear anyway. Instead of focusing purely on a device attribute, make your identification and authentication method watertight by working with a stronger identification factor: devices must show something they have. Digital certificates are very suitable for this, as they’re very difficult to steal. Certificates have expiration dates, but they can also be revoked before they expire when needed. Moreover, because the RADIUS server that validates the certificate also holds information such as user rights, access rights can be changed on the fly, giving IT managers more control. Of course, we also recommend strong mutual authentication: the device must prove its identity, but the network access device it’s connecting to should do the same. This way there’s no doubt about the identity of either party, and the risk of identity theft is reduced to a minimum.

Originally published 19 March 2020, updated on 9 June 2023 for freshness and relevancy.

Hans-Peter Ponten