5

I've always thought that you should enable MAC filtering to increase Wi-Fi security (in addition to using WPA2).

Now I've found this article (Wireless LAN security hall of shame) that says

MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

So can I safely turn it off and save myself the hassle?

laktak
  • The point of that section of the article is that MAC addresses can be spoofed. – Dennis Williamson Dec 23 '09 at 09:09
  • MAC addresses can be spoofed, but if you have a whitelist of a few MAC addresses that are allowed on the network and this list is private, it would take a very long time for anyone to find the right MAC address to get into the network. – raphink Dec 23 '09 at 09:54
  • 5
    MAC addresses can be sniffed from the wireless packets. It takes no time at all. – xenny Dec 23 '09 at 10:38
  • 1
    @xenny: Exactly right. Wireless works exactly the same way that ethernet works, every packet has a source and destination MAC address. Anyone with the right tools can sniff the traffic, capture and decode a packet, get the source MAC address, and spoof it. – joeqwerty Dec 23 '09 at 14:42

4 Answers

8

In my opinion the article is correct in advising that MAC filtering is pointless and just wastes time. Feel free to turn it off and save yourself the hassle.

Zoredache
  • 3
    +1. Spoofing MAC addresses is a pretty basic task when pentesting a network. – Maxwell Dec 23 '09 at 10:04
  • I disagree that MAC filtering is a *total* waste of time. It will keep the average joe off your WiFi. It will not stop a determined high schooler though. – oz10 Dec 25 '09 at 01:15
2

Certainly MAC filtering won't slow down anyone with a little cracking knowledge. But it all depends on the number of potential allowed clients: if it's very low (5-10), then why not enable it? It doesn't take long to implement and could stop casual abuse by low-skilled people. If it's a lot of clients, then it's probably more of a pain than a help, though.

Chopper3
1

You may do so if you have a few clients, but if there are more, it's really a waste of time.

Anyway, you need WPA2 in addition to this.

disserman
-1

If someone's managed to crack your WPA2 encryption key (assuming it's not trivial), they're unlikely to be stopped by having to wait and monitor the traffic on the server to see which clients are allowed, and then spoof their MAC address (which is easy to do).

It was a much more reasonable proposition when WEP was the only wireless security system that was widely available, as WEP was essentially worthless from very early on in its life.

Ewan Leith
  • -1 for inaccuracy. WPA2 does not encrypt the MAC addresses in the wireless frames. Otherwise, any listening wireless network card would have to decrypt every packet to see if it was addressed to it, before dropping the packet or decrypting and sending the packet up the stack. – Josh Brower Dec 25 '09 at 01:37
  • Sorry I didn't make myself clear, I didn't say that the MAC addresses were encrypted in WPA2, just that it's much harder to crack WPA2 (assuming a decent key) than it is to spoof a MAC address. – Ewan Leith Jan 04 '10 at 14:12
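An added example, not part of the original thread: the comments from joeqwerty and Josh Brower note that every frame carries source and destination MAC addresses and that WPA2 does not encrypt them. The sketch below parses the header of a constructed 802.11 QoS data frame with the Protected bit set, to show that the value a MAC filter keys on sits outside the encrypted body. The frame bytes, the addresses and the `passes_mac_filter` helper are assumptions made up for illustration.

```python
def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_data_header(frame: bytes) -> dict:
    """Parse the MAC header of an 802.11 data frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                 # 4-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        dst, src, bssid, hdr_len = a3, frame[24:30], None, 30
    elif to_ds:                           # station -> access point
        bssid, src, dst = a1, a2, a3
    elif from_ds:                         # access point -> station
        dst, bssid, src = a1, a2, a3
    else:                                 # ad hoc
        dst, src, bssid = a1, a2, a3
    if subtype & 0x8:                     # QoS data subtypes add a 2-byte QoS Control field
        hdr_len += 2
    return {
        "protected": bool(flags & 0x40),  # body is encrypted (e.g. CCMP under WPA2)
        "src": _mac(src), "dst": _mac(dst),
        "bssid": _mac(bssid) if bssid else None,
        "header_len": hdr_len,            # everything before this offset is cleartext
    }

def passes_mac_filter(frame: bytes, allowlist: set) -> bool:
    """Hypothetical allow-list check: its only input is the cleartext source field."""
    return parse_80211_data_header(frame)["src"] in allowlist

# Constructed sample: QoS data, ToDS + Protected, locally administered addresses,
# followed by an 8-byte CCMP header and 8 bytes of placeholder ciphertext.
SAMPLE = bytes.fromhex(
    "8841 2c00 020000aabb01 020000112233 020000aabbfe 1000 0000"
    "0100002000000000" "9f3c17a2d455e08b"
)

if __name__ == "__main__":
    h = parse_80211_data_header(SAMPLE)
    print(h)
    print("allowed:", passes_mac_filter(SAMPLE, {"02:00:00:11:22:33"}))
```

The `protected` flag is true and the addresses are still readable, which is why a MAC allow-list adds no secrecy on top of WPA2.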