Wireless network users don’t need to connect their computers to a physical network; they can just configure the wireless network’s name (or SSID [Service Set Identifier]), select the correct channel, and bring their wireless laptops and/or desktops into the range of a wireless access device (such as an access point or router). The wireless access device, in turn, will share its bandwidth with any other devices within range.

Of course, the convenience of wireless networking also presents its share of risks. As wireless networks spread throughout homes and offices, the potential for hacking, data theft, and bandwidth hijacking continues to increase. Consequently, keeping unwanted users out of your wireless network is sometimes more important (and more difficult) than letting authorized users in. Although security features such as WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) can keep many intruders at bay, more recent tools such as MAC (Media Access Control) address filtering can restrict access to only selected users.

The Big MAC

The first step is to enable MAC (Media Access Control) address filtering and decide whether to allow or prohibit select MAC addresses.

Every network device is assigned a unique MAC address, which is hard-coded into the device’s firmware by the manufacturer. The MAC address consists of 12 hexadecimal digits (which means it includes numbers and the first six letters of the alphabet), and you can typically find the MAC address on a sticker somewhere on the individual network device itself.

For instance, a wireless router may have a MAC address of 00-0F-66-0C-49-A4, whereas a print server may have a MAC address of 00-0F-3D-11-84-AC. The important thing to remember is that every MAC address is completely unique. So even though many networks may use similar IP (Internet Protocol) addresses, unique MAC addresses ensure that data ultimately reaches the correct devices.

Designers realized that unique MAC designations could play a key role in network security. Instead of worrying about logon credentials and WPA encryption settings, network operators decided they could easily use MAC address filtering to block all but the MAC addresses on their list of authorized users, thereby limiting network access to specific devices. Thus, the idea of MAC address filtering has emerged as a popular security feature for wireless networks.

Let’s consider an example: Suppose you have a wireless router as part of your home network, and there are three wireless PCs in the house that should be able to access that wireless router. If your wireless router supports MAC address filtering, you can simply add the MAC addresses of all three PCs’ wireless NICs (network interface cards) to the router’s list, and from then on, only those three PCs will be able to access the wireless router. So, even if your nosy next-door neighbor tries to access your wireless router (maybe to use your broadband cable connection), he’ll be denied access because his PC’s wireless NIC isn’t on the list of allowed MAC addresses.

Feeling Enabled

Before you enable MAC address filtering, be sure to write down the MAC address for each PC’s wireless NIC that you want to give access to your wireless network. In virtually all cases, you can locate the MAC address on a label directly on the wireless NIC itself. (Of course, you may need to power down your PC, unplug it, properly ground yourself, and physically remove the NIC from your computer case to see the label.)

Now access your wireless router (or other wireless access device) using a Web browser (we’ll look at a Linksys Wireless-G Router for this example). With the browser running, just enter the address of your router, such as 192.168.1.1. A small dialog box appears for you to provide the username and password for the router; use the default logon credentials as outlined in the router’s documentation. Once the router’s main menu appears in your browser window, choose Wireless, click Wireless MAC Filter, and select Enable. You’ll see that there are two options: Prevent and Permit. The Prevent option is handy if you want to block specific MAC addresses from your network. For this exercise, however, we’ll select the Permit option, which lets only selected MAC addresses access the wireless network.

Click the Edit MAC Filter List button and a new window opens, letting you enter several MAC addresses (each MAC address that you enter will be able to access the wireless network). When you enter a MAC address, type all 12 hexadecimal digits in a field without including dashes or spaces. Make sure you enter all the MAC addresses you wrote down and remember to click the Save Changes button when you finish. You may need to reboot the wireless router or access point so that your changes can take effect.

That’s really all there is to it, but before you consider the process a success, make sure you try to access the Internet again from each of your wireless PCs. If you notice that any of the PCs can no longer access the Internet through your wireless network, recheck the MAC filter list because you may have forgotten to enter that particular PC’s MAC address (or perhaps you entered the address incorrectly). Once all of your PCs are working as they should, you’re finished.

(NOTE: The steps we covered here represent one example of MAC address filtering. Be sure to refer to the documentation for your specific wireless router or access point for precise MAC address filtering instructions.)

Exceptions To The Rule

Because hardware can be stolen and MAC addresses can be mimicked, you shouldn’t rely on MAC address filtering as your only security precaution. You still need to employ other security measures to protect your wireless access. For example, select a unique SSID and configure that same SSID for all of your wireless devices (don’t rely on the manufacturer’s default SSID). It’s also a good policy to enable WEP or WPA and configure the same encryption key on each of your wireless devices.

Finally, MAC address filtering requires a certain amount of administrative overhead, meaning you’ll need to update the MAC list periodically as hardware changes or as you add and/or remove users.

For instance, if you purchase a new PC with wireless access, you’ll need to update the MAC filter list to accommodate your new PC’s wireless NIC. Or, if your daughter takes the family PC to college with her, you’ll probably remove that PC’s wireless MAC address from your list.

Despite all of this, MAC address filtering can still be a very valuable tool to help protect your wireless network.

by Stephen J. Bigelow