MAC filtering is a way to enforce security on a Wi-Fi network at a deeper level than WEP encryption.
Each device on a Wi-Fi network has a MAC (Media Access Control) address, or unique identification number baked into the hardware. (See Appendix A, "Wireless Standards," for more information about the MAC layer.)
The idea behind MAC filtering is to tell the Wi-Fi access point that it can only communicate with the devices on your network that are explicitly identified to it by their MAC address. You go into the access point/router's administrative application, and say, "Use these MAC addresses and no others!"
MAC filtering is a great security tool. But as an administrative matter it would probably get out of hand if you have more than a handful of devices using the Wi-Fi network, or if you added and deleted devices regularly.
The only trick to this is that you've got to round up the MAC addresses for all the devices you want to be able to connect to your Wi-Fi network.
The good news is that the client software for most Wi-Fi cards will easily tell you the MAC address for the card.
Figure 19.9 shows the MAC address for an older Orinocco Wi-Fi card, which you can find on the Diagnose screen of the Client Manager software for the card.
Figure 19.9. You can find the MAC address for this card on the Diagnose screen of the Client Manager software that ships with the card.
Figure 19.10 shows the MAC address for the D-Link DWL-520 card, which you can find on the About window of the D-Link Air Utility.
Figure 19.10. The MAC address for the D-Link wireless card can be found on the About window of the D-Link Air Utility.
Windows XP Professional (but not Home) also provides a utility, getmac, that shows the MAC addresses of all the network devices on your system (it is a bit dicey knowing which is which if you have more than one).
To run getmac, choose Command Prompt from the Accessories group in the Start menu to open a command window. With the command window open, type getmac at the prompt and press Enter.
As you can see in Figure 19.11, the program will display the MAC addresses of the devices on your system.
Figure 19.11. The getmac program displays the MAC addresses for the devices on your Windows XP system.
You can also use getmac to find the MAC addresses of devices running remotely on your network by supplying the program with the IP or network name of the remote device.
Under Windows XP, to use the D-Link utility rather than the Windows XP wireless network configuration utilities, you need to uncheck the Use Windows to Configure My Wireless Network Settings box in the Wireless Network Connection Properties window.
If this box is checked, the D-Link Air utility will not run, and you won't see the MAC address for the device.
After you've gathered the MAC addresses for the wireless devices that will use your Wi-Fi network, the next step is to enter them into the Wi-Fi access point/router.
Obviously, this will vary depending on the specific piece of equipment.
Using the Linksys Wireless Broadband Router described in Chapter 12, "Working with National Wi-Fi Networks," you would open the administrative application by entering the address http://192.168.1.1/ in a connected Web browser, followed by the password when prompted. Next click the Advanced tab.
You can use Ipconfig, explained in Chapter 15, to find the MAC address of devices on your current computer. In contrast, getmac gives you a way to find the MACs for all active devices on your network.
In the Filters pane of the Advanced setup, go down to the Private MAC filter item, and click the Edit button. The MAC Access Control Table, shown in Figure 19.12, will open.
Figure 19.12. The MAC Access Control Table is used to enter the MAC addresses of the devices that are allowed access.
Enter the MAC addresses of the devices that are to be allowed access in the table, and click Apply when you are done.
The MAC Access Control Table shown in Figure 19.12 uses a drop-down list to enter more addresses if you need to add more than ten MAC addresses.
The Absolute Minimum
Here are the key points to remember from this chapter:
Because Wi-Fi networks are not physically secure, some level of security protection is a good idea.
The level of security protection that you require depends on the confidentiality of the information you are protecting.
If you do nothing else, you should change the default SSID for your wireless access point, set it not to broadcast the SSID, set the access point to use WEP encryption, and change the default administrative password for the access point.
Complete security for a wireless network is probably impossible, but there are many steps you can take to make your Wi-Fi network more secure.