Advantage and Disadvantage of MAC Address Filtering

By Ruri Ranbe

Your router includes a number of functions designed to improve the security of your network, but not all of them are useful. Media access control (MAC) filtering, for example, might seem beneficial, but doesn't necessarily provide the level of protection you would expect.

What Is a MAC Address?

Modern computers ship with two kinds of network adapters: a wired adapter and a wireless adapter. The former allows a computer to establish a connection to a modem or router via Ethernet; the latter lets it detect and connect to remote hot spots. Each adapter features a unique label called a MAC address; routers use this address to identify, and sometimes authenticate, computers connecting to the network. A MAC address is 12 hexadecimal digits long and appears in the format of "00:00:00:00:00:00" or "00-00-00-00-00-00."

What Does a MAC Filter Do?

Most routers include the option to blacklist or whitelist certain computers based on their MAC address. You can configure the filter to allow connections from all computers except those included in the blacklist, or to deny access to any computer that isn't included in the whitelist. Whitelists provide greater security than blacklists because the router grants access only to select devices.

What Are the Drawbacks?

If you set up your router to use a whitelist, you must modify the whitelist any time you purchase a new computer or mobile device, or any time you want to grant network permissions to visitors in your home. You must also add two MAC addresses for each PC: one for the wired adapter and one for the wireless adapter. In other words, the filter forces you to sacrifice convenience for increased protection.

How Secure Is the Filter?

Filtering is useless against a hacker, as any intruder can "spoof," or mimic, the MAC address of an authorized computer. Spoofing is even easier if a blacklist is in place: a hacker can choose another address almost at random to bypass the filter. To get around whitelists, hackers use a program called a sniffer, which intercepts data passing through a network; the sniffer can report to the user the MAC address of any device communicating on the LAN. Neither spoofing nor sniffing is difficult to execute -- you can even spoof your address in Windows without using any third-party tools.
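
The sketch below is an added example, not code from the article or from any router firmware. It models the blacklist and whitelist decision described above and shows that the filter's only input is the address a client claims. The MacFilter class, the helper names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Six hex pairs joined by one consistent separator, ':' or '-'.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(text):
    """Accept 00:00:00:00:00:00 or 00-00-00-00-00-00; return lowercase colon form."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.replace("-", ":").lower()

def is_locally_administered(mac):
    """True when the locally administered bit (0x02 of the first octet) is set,
    which marks a software-assigned or randomized address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

class MacFilter:
    """Hypothetical model of a router's MAC filter in whitelist or blacklist mode."""

    def __init__(self, mode, entries):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.entries = {normalize_mac(e) for e in entries}

    def allows(self, claimed_mac):
        # The decision rests only on the claimed address; nothing here
        # proves which physical device sent it.
        listed = normalize_mac(claimed_mac) in self.entries
        return listed if self.mode == "whitelist" else not listed

def audit(mac_filter, observed):
    """Return (mac, allowed, locally_administered) for each observed address."""
    return [(normalize_mac(m), mac_filter.allows(m), is_locally_administered(m))
            for m in observed]

# Constructed sample data: one PC needs two entries (wired and wireless adapter).
WHITELIST = ["00:00:5E:00:53:01", "00-00-5E-00-53-02"]
OBSERVED = ["00-00-5e-00-53-02", "da:a1:19:00:00:01"]

if __name__ == "__main__":
    for row in audit(MacFilter("whitelist", WHITELIST), OBSERVED):
        print(row)
```

Because allows() sees nothing but a string, two different devices presenting the same listed address get the same answer, which is why the filter cannot stand in for authentication such as WPA2 or WPA3.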