3. MAC
• MAC stands for Media Access Control
• In the 7 layer OSI model for computer networking,
  Layer group    Layer              Data unit
  Host layers    7. Application     Data
                 6. Presentation    Data
                 5. Session         Data
                 4. Transport       Segments
  Media layers   3. Network         Packet/Datagram
                 2. Data link       Bit/Frame
                 1. Physical        Bit
• Media Access Control (MAC) sub-layer: responsible for controlling how devices in a network gain access to data and permission to transmit it.
• Logical Link Control (LLC) sub-layer: controls error checking and packet synchronization.
4. MAC Address
• A unique identifier assigned to network interfaces (for communications on the physical network segment)
• Network address for most IEEE 802 network technologies (including Ethernet and WiFi)
• Most often assigned by the manufacturer
• Stored in hardware (on card's read-only memory or some other firmware mechanism)
Image source: https://en.wikipedia.org/wiki/MAC_address#/media/File:MAC-48_Address.svg
5. What is MAC Filtering?
• Definition, as per Wikipedia, “In computer networking, MAC Filtering refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.”
• Definition, as per TechNet, “MAC address filtering is a feature for IPv4 addresses that allows you to include or exclude computers and devices based on their MAC address”
MAC Filtering = GUI Filtering = Layer 2 Filtering = Link-layer Filtering
6. How to implement MAC Filtering?
• When configuring MAC address filtering, you can specify the hardware types that are exempted from filtering (By default, all hardware types defined in RFC 1700 are exempted from filtering)
• Before configuring MAC address filtering,
  • Enable and define an explicit allow and deny list (for DHCP to function smoothly)
  • Enable and define an allow list and a block list (the block list has precedence over the allow list)
7. How to implement MAC Filtering?
• Four step process to enable MAC address filtering on Windows Computer:
1. In the DHCP console, double-click the IPv4 node, and then double-click the Filters node
2. Right-click Allow or Deny as appropriate for the type of filter you are creating, and then click New Filter
3. Enter the MAC address to filter, and then enter a comment in the Description field if you want to. Click Add. Repeat this step to add other filters
4. Click Close when you have finished
8. Summary
• Unique address for each card, can’t be changed*
• Blacklists and Whitelists
• Devices not Users
• Effective in wired networks
• Not effective on wireless networks
• Used on Enterprise Networking
Before you can configure MAC address filtering, you must do the following:
Enable and define an explicit allow list. The DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list. Any client that previously received IP addresses is denied address renewal if its MAC address isn’t on the allow list.
Enable and define an explicit deny list. The DHCP server denies DHCP services only to clients whose MAC addresses are in the deny list. Any client that previously received IP addresses is denied address renewal if its MAC address is on the deny list.
Enable and define an allow list and a block list. The block list has precedence over the allow list. This means that the DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list, provided that no corresponding matches are in the deny list. If a MAC address has been denied, the address is always blocked even if the address is on the allow list.
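The filter-list rules in these notes, together with the New Filter steps from the slide, can be modelled in a few lines. The Python sketch below is an added example, not Microsoft's implementation or code from the original slides. The class and function names and the sample MAC addresses are constructed for illustration, and hardware-type exemptions are not modelled.

```python
import re
from dataclasses import dataclass, field

# Illustrative model only: every name here is hypothetical, not a Windows API.
def normalize_mac(mac: str) -> str:
    """Canonical AA-BB-CC-DD-EE-FF form; accepts ':', '-', '.' or no separator."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class MacFilter:
    allow_enabled: bool = False
    deny_enabled: bool = False
    allow: dict = field(default_factory=dict)  # MAC -> description
    deny: dict = field(default_factory=dict)   # MAC -> description

    def add(self, which: str, mac: str, description: str = "") -> None:
        """Counterpart of 'New Filter' under the Allow or Deny node."""
        if which not in ("allow", "deny"):
            raise ValueError("which must be 'allow' or 'deny'")
        getattr(self, which)[normalize_mac(mac)] = description

    def serves(self, mac: str) -> bool:
        """True if the server would answer this client's DHCP request."""
        mac = normalize_mac(mac)
        if self.deny_enabled and mac in self.deny:
            return False                  # deny list takes precedence
        if self.allow_enabled:
            return mac in self.allow      # allow list on: listed clients only
        return True                       # no allow list: anyone not denied

    def renewals_at_risk(self, leased_macs):
        """Clients holding a lease now that would be refused renewal."""
        return sorted(normalize_mac(m) for m in leased_macs if not self.serves(m))

# Constructed sample data (not from the page).
FILTER = MacFilter(allow_enabled=True, deny_enabled=True)
FILTER.add("allow", "00:1a:2b:3c:4d:5e", "finance laptop")
FILTER.add("allow", "001A.2B3C.4D5F", "lobby printer")
FILTER.add("deny", "00-1A-2B-3C-4D-5F", "printer reported stolen")
LEASES = ["00-1A-2B-3C-4D-5E", "00-1a-2b-3c-4d-5f", "00:1A:2B:AA:BB:CC"]

if __name__ == "__main__":
    for mac in LEASES:
        print(normalize_mac(mac), "served" if FILTER.serves(mac) else "refused")
    print("would lose renewal:", FILTER.renewals_at_risk(LEASES))
```

An enabled allow list with no entries refuses every client, so populate the lists and review the output of `renewals_at_risk` before switching them on.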
MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While restricting network access through lists is straightforward, a MAC address identifies only a device, not an individual person, so an authorized person will need a whitelist entry for each device that he or she would use to access the network.
MAC filtering is not an effective control in wireless networking, as attackers can eavesdrop on wireless transmissions. However, MAC filtering is more effective in wired networks, since it is more difficult for attackers to identify authorized MACs.
MAC filtering is also used on enterprise wireless networks with multiple access points to prevent clients from communicating with each other. The access point can be configured to only allow clients to talk to the default gateway, but not other wireless clients. It increases the efficiency of access to the network.