
Securing Your Network by Filtering MAC Addresses

If you live in the middle of nowhere you probably wonder why you should secure the access to your network. If you’re setting up a company network however, this probably seems obvious to you: you don’t want unwanted access to the network. Even at home, with wireless networks becoming more and more popular, you could very well be concerned by this problem. For instance, if you have a Wifi router at home which connects you to the Internet, chances are that people around you (your neighbours?) are connecting through it to access the Internet via your Internet account.

There are many ways to secure a network, and even more ways to secure a wireless network. In this article we will see how to secure the access to a router by filtering the MAC addresses.

Introduction to MAC addresses

MAC addresses are to network devices what car plates are to cars. Every device in the world that is capable of connecting to an Ethernet network has a unique address called a MAC address. This address is burnt into the device itself and cannot be changed (well, nothing’s impossible, right?). It uniquely identifies the device and its manufacturer.

A MAC address is a sequence of numbers which looks like this:

00-14-38-13-02-35

The first three numbers uniquely identify the company that manufactures the device, and the last three numbers uniquely identify the device made by this company. Each device in the world has a unique MAC address. For instance, you probably have a Bluetooth-enabled phone, a PDA, a Wifi card, and an Ethernet card at home, and they all have unique addresses which identify them. No other cards or devices in the world have the same MAC address.

Basically, manufacturers apply for manufacturer addresses (the first three numbers in the MAC address) and burn them into their devices and cards together with a unique address (the last three numbers in the MAC address) which uniquely identifies the piece of hardware. When a manufacturer runs out of unique addresses, it applies for a new manufacturer address. These addresses are uniquely assigned to manufacturers by a central organization.

In Linux, you can see the MAC address of your network devices by typing “ifconfig -a”. The MAC address corresponds to the entry called “HWaddr”.

ifconfig -a

You can also see the MAC addresses of nearby computers. When you ping a computer, IP (Internet Protocol) sends something called an ARP Request, which basically asks the computer you’re pinging to return its MAC address. Linux keeps a record of recently received MAC addresses, which you can access by typing:

arp -a

You can also find out the manufacturer of a device by using this website: http://www.coffer.com/mac_find/
For instance, in the MAC address 00-14-38-13-02-35, the manufacturer’s address is 00-14-38 which corresponds to “Hewlett Packard”.

Filtering MAC Addresses

Most routers and Wifi Access Points allow you to filter MAC addresses. If you’re ready to buy a router or an access point, make sure it provides this functionality. The way it works is extremely simple: the router keeps a table of allowed MAC addresses, which you can configure (generally through the router’s web interface). When a device or a computer tries to connect to the router to access the Internet or the network, the router checks its MAC address and sees if it is present in its table. If it is, the router allows the connection; otherwise it refuses it.

Some routers even allow advanced configuration based on MAC address. For instance, if you know the MAC address of your child’s computer, you may configure the router to forbid it from accessing porn sites. Similarly, you may assign priorities depending on MAC addresses, to make sure your PDA can connect to the Internet effectively even when the computers are busy wasting the bandwidth downloading things via Peer to Peer. The limit to what you can do depends on what level of configuration your router offers.

Warning

It is possible to change the MAC address of a network interface. In fact, it has become quite easy. By listening on the network, somebody can intercept ARP calls and change their MAC address to one that is allowed by your router. Most people are not aware of MAC addresses, and if people are connecting through your Wifi access point it’s probably simply because its ESSID appeared on their Windows box. Keep in mind, though, that it is possible and easy for somebody to change their MAC address, and that you can’t rely on filtering MAC addresses to effectively secure your network.
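The allow-table check described under "Filtering MAC Addresses" and the limitation described in this warning can be seen together in the following added example, which is not part of the original article. It parses `arp -a` output in the Linux net-tools format, applies an allow-table the way a router would, and flags any MAC address that shows up at more than one IP address; the sample output, the allow-table and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output (not captured from a real network).
SAMPLE_ARP = """\
? (192.168.1.10) at 00:14:38:13:02:35 [ether] on eth0
? (192.168.1.11) at 00:14:38:aa:bb:01 [ether] on eth0
? (192.168.1.12) at <incomplete> on eth0
? (192.168.1.13) at 00:14:38:13:02:35 [ether] on eth0
? (192.168.1.14) at 02:11:22:33:44:55 [ether] on eth0
"""
# Constructed allow-table, written in the two notations people commonly type.
ALLOWED = ["00-14-38-13-02-35", "00:14:38:AA:BB:01"]

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:.-]{12,17})")

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff; accepts '-', ':' or '.'."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def manufacturer_prefix(mac):
    """First three bytes of the address: the manufacturer part."""
    return normalize_mac(mac)[:8]

def parse_arp(output):
    """Map each IP in the output to its MAC; incomplete entries are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table

def audit(table, allowed):
    """Router-style allow-table check, plus MACs seen at several IPs."""
    allowed = {normalize_mac(a) for a in allowed}
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    permitted = sorted(ip for ip, mac in table.items() if mac in allowed)
    rejected = sorted(ip for ip, mac in table.items() if mac not in allowed)
    # The filter only compares the address a device claims, so every holder
    # of an allowed address passes; a shared address is worth a closer look.
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return permitted, rejected, shared

if __name__ == "__main__":
    print(audit(parse_arp(SAMPLE_ARP), ALLOWED))
```

A MAC address seen at two IP addresses is not proof of a copied address, since one machine can legitimately hold several IP addresses, but it is a cheap signal to check on a network that relies on MAC filtering.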

If you’re using a wireless network, consider using WPA encryption and make sure your access point doesn’t broadcast its ESSID. If you’re using a traditional cabled network, simply make sure you close your door when you leave home!

Mirela
