Performance Advantage

MAC filtering has one advantage over all other security methods. Because it does not involve any data encryption, MAC filtering has no packet overhead and thus does not have any performance impact on network traffic or bandwidth.

We did a simple test using a 3Com 802.11b wireless router and two computers - a notebook with an Intel 802.11b wireless adaptor and a PC with a wired connection to the router. We transferred a large file, several GB in size, from the notebook to the PC and determined the average transfer rate with MAC filtering and with 64-bit WEP encryption. Here are the test results :

Of course, 128-bit WEP encryption will show even lower transfer rates than 64-bit WEP, due to the larger packet overhead. But MAC filtering's performance advantage is obvious, even when compared against the weaker but faster 64-bit WEP encryption. So, MAC filtering is definitely good for people who are interested in maximizing network throughput.

However, this increase in performance may not be worth the poorer security. Let's find out why.

MAC Spoofing

Although MAC filtering sounds foolproof, it really is not. In fact, it is now considered to be one of the easiest security methods to be bypass!

MAC spoofing is a technique by which a hacker assumes your role as a legitimate user over a wireless network. It actually doesn't require any hacking skills. Anyone can do it with tools that can alter the MAC address on your wireless adaptor.

Free software that can intercept MAC addresses and spoof them, like NetStumbler, are readily available. Alternatively, simply run a Google search for 'MAC Address Spoofing' and you will find tons of software that can locate MAC addresses from a wireless network and change an existing MAC address to any MAC address you wish.

Therefore, using MAC filtering on its own can be a security risk. It may be sufficient to deter casual computer users who can't tell router from modem, but it's really not safe against more technically-astute users. Anyone who does a little research can spoof a network secured only by MAC filtering.

I used to think that MAC filtering is sufficient for my wireless security needs but not anymore. It is more dangerous to rely solely on MAC filtering, than to rely on WEP, weak as it is. The best way to protect your wireless network is to put on as many layers of protection as possible.

Doing so may reduce the network's throughput but it's worth that price for better network security, especially if you have valuable data to protect. The more layers of protection you stack on, the more time, skill and effort the hacker need to penetrate your network, making it less and less attractive.

There are actually software that can prevent MAC spoofing. One of them is Sygate Firewall, which has an “Anti-MAC Spoofing” feature. All you need to do was to activate the feature and you are protected against MAC spoofing. Unfortunately, Sygate was acquired by Symantec in November 2005 and the software discontinued. I'm sure Symantec will eventually incorporate this feature in their firewall but as of this moment, it has not been added to the feature list yet.

MAC Filtering And WEP/WPA

For a more secure network, MAC filtering can go hand in hand with WEP/WPA. Even when someone sniffs out your MAC address, he/she will still need to provide a pass phrase, as required by WEP. This will definitely cut down on the potential of someone breaking into your network.

Of course, you can further improve security by NOT broadcasting your wireless network's SSID (Service Set Identifier). By default, all access points or wireless routers broadcast the SSID which is your network's name. They will automatically notify wireless adaptors that your wireless network is in range.

By removing the SSID broadcast, only people who know about the exact network name or SSID will be able to gain access to the network. Unauthorized users would not even know about the existence of your network. This, of course, makes connecting to a wireless network more complicated. Guests to your network will wonder why Windows XP’s Zero Configuration feature still requires so much configuration!