Hardening Wireless LAN Connections Part 1 - Using MAC Address Filtering
One of the most valuable hardening steps you can undertake with your WAP is to implement MAC address filtering. MAC address filtering enables you to specify the MAC addresses that are allowed to connect to the WAP. At that point, even if someone manages to obtain all the information necessary to connect to the WAP (the SSID and the WEP or WPA key), they still cannot connect if their MAC address is not permitted. The drawback to this method is that it can require significant overhead to manage all the MAC addresses that need to be permitted. In addition, MAC addresses can be spoofed: the source and destination MAC addresses of wireless frames are transmitted in the clear, so an attacker who sniffs the traffic can see which addresses are permitted and set a client to use one of them. MAC filtering is therefore not a panacea, but rather another component of the hardening process.
The Cisco Aironet 1200 uses the well-documented Cisco access-list function to restrict/permit clients from establishing an association with the WAP. The first step is to build the access list. You can do this at the Services | Filters screen by selecting the MAC Address Filters tab, shown next.


Enter the appropriate filter index (ACL number) for the MAC address filter. Next, enter the MAC address you want to specify and a wildcard mask. Keep in mind that for Cisco, a 0 bit in the mask means that the corresponding bit in the MAC address must precisely match the filter entry, while a 1 bit in the mask (an F digit in the hexadecimal form of the mask) means that the corresponding bit in the MAC address is ignored for the purposes of filtering. A mask of 0000.0000.0000 therefore matches exactly one address, and a mask of 0000.00ff.ffff matches every address that starts with the same three octets, which you can use, for example, to permit an entire vendor prefix (OUI). Once you have entered this information, the next step is to decide whether the MAC address will be forwarded or blocked. My recommendation is to make the default action Block All and then configure a Forward action for the MAC addresses you explicitly want to forward. When you are finished, click Apply.
The next step is to apply that ACL to the WAP. You can do this at the Security | Advanced Security screen by clicking the Association Access List tab, shown next. Select the filter from the drop-down list and then click Apply.
Heads Up! -- Once you have implemented this procedure on your Cisco Aironet 1200, you may find that wireless clients that are not permitted by the ACL still appear to associate with the WAP. Appearances are deceiving, however, because these wireless clients are unable to send and receive any data through the WAP.
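The following is an added example, not code from the book or from Cisco. It models the Aironet MAC address filter described above as a small Python program, so that an ACL can be checked offline before it is applied to the WAP: each entry carries a MAC address, a wildcard mask (0 bits must match, 1 bits are ignored) and a forward or block action, the first matching entry wins, and anything that matches nothing falls through to the Block All default. The client addresses and the vendor prefix 00:11:22 are constructed sample data. The to_ios() method renders the equivalent IOS command lines (access-list 700-799 for MAC lists and dot11 association mac-list); that command syntax is an assumption on my part, because the page configures the filter only through the web interface.

```python
"""Offline model of a Cisco Aironet MAC address filter (added example, not the book's code).

Mask semantics follow the text above: a 0 bit in the wildcard mask means the client's
bit must match the filter entry; a 1 bit (an F nibble in hexadecimal) is ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

_NON_HEX = re.compile(r"[^0-9a-fA-F]")
_MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space


def mac_to_int(mac: str) -> int:
    """Parse 00:40:96:12:34:56, 00-40-96-12-34-56 or 0040.9612.3456 into an integer."""
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def to_cisco_notation(value: int) -> str:
    """Render a 48-bit value in the dotted-hex form the Aironet uses (0040.9612.3456)."""
    h = f"{value & _MAC_BITS:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass(frozen=True)
class FilterEntry:
    mac: str      # address or prefix, as entered in the MAC Address Filters tab
    mask: str     # wildcard mask: 0 bits must match, 1 bits are ignored
    action: str   # "forward" or "block", as on the Aironet screen

    def matches(self, client_mac: str) -> bool:
        care = ~mac_to_int(self.mask) & _MAC_BITS  # bits the client must match
        return (mac_to_int(client_mac) & care) == (mac_to_int(self.mac) & care)


@dataclass(frozen=True)
class MacFilter:
    index: int                        # filter index / ACL number (700-799 for MAC lists)
    entries: Tuple[FilterEntry, ...]
    default_action: str = "block"     # the text's recommendation: Block All by default

    def decide(self, client_mac: str) -> str:
        """First matching entry wins; otherwise the default action applies."""
        for entry in self.entries:
            if entry.matches(client_mac):
                return entry.action
        return self.default_action

    def to_ios(self) -> List[str]:
        """Equivalent IOS lines. Assumption: the 700-series MAC access-list syntax and
        'dot11 association mac-list' are inferred; the page only shows the web interface."""
        verb = {"forward": "permit", "block": "deny"}
        lines = [
            f"access-list {self.index} {verb[e.action]} "
            f"{to_cisco_notation(mac_to_int(e.mac))} {to_cisco_notation(mac_to_int(e.mask))}"
            for e in self.entries
        ]
        # State the default action explicitly instead of relying on the implicit deny.
        lines.append(
            f"access-list {self.index} {verb[self.default_action]} 0000.0000.0000 ffff.ffff.ffff"
        )
        lines.append(f"dot11 association mac-list {self.index}")
        return lines


def example_filter() -> MacFilter:
    """Constructed sample: one exact client plus one whole vendor prefix (OUI 00:11:22)."""
    return MacFilter(
        index=700,
        entries=(
            FilterEntry("0040.9612.3456", "0000.0000.0000", "forward"),  # constructed client MAC
            FilterEntry("0011.2200.0000", "0000.00ff.ffff", "forward"),  # constructed vendor OUI
        ),
    )


if __name__ == "__main__":
    acl = example_filter()
    for client in ("00:40:96:12:34:56", "00:11:22:aa:bb:cc",
                   "00:11:23:aa:bb:cc", "00:40:96:12:34:57"):
        print(f"{client} -> {acl.decide(client)}")
    print("\n".join(acl.to_ios()))
```

Running the script shows the two addresses covered by the entries forwarded and the two near misses (wrong OUI, off-by-one last octet) blocked by the default. Note that the model decides only whether an address is permitted, not whether the station presenting it is genuine: a spoofed address that matches an entry is forwarded just as a legitimate one is, which is the limitation the introduction to this section describes.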
You can enable MAC address filtering on the Linksys WAP54G at the Advanced | Filters screen, shown next. Simply select Enable from the drop-down box and specify how you want to perform the filtering. You can either prevent the listed MAC addresses from connecting or permit only the listed MAC addresses to connect. I recommend the latter in most circumstances, because it is generally easier to figure out whom you want to allow to connect than whom you want to prevent. You can filter up to 40 MAC addresses: the screen shows entries 1 through 20, and you use the drop-down box to select MAC 21-40 for the rest. When you have finished entering the MAC addresses to filter, click Save Settings.

The Dell TrueMobile 2300 uses a simplified MAC filtering process. You simply enter the MAC addresses you want to permit to connect. This is done at the Advanced Settings | Access Control Settings screen, shown next. Check the box Enable MAC Access Control and then add the MAC addresses you want to permit. When you are finished, click Submit.

This is from Hardening Network Infrastructure, by Wesley Noonan (McGraw-Hill/Osborne, ISBN 0072255021).