Since the disadvantages outweighed the benefits during operation, I stopped the MAC address filtering function.
During office relocation, the network construction company proposed MAC address filtering functionality, so we implemented it.
At the time, I thought “Setting up MAC address filtering functionality would improve security and seems good,” but it shouldn’t have been implemented carelessly.
Looking back now, I realize that setting up MAC address filtering functionality was overkill since the only devices connected to the internal network besides employee PCs were printers and scanners.
I thought the advantage was security functionality, but according to the following quote, that doesn’t seem to be the case:
However, it's known that MAC address filtering has almost no security meaning against cyber attacks targeting modern enterprises. It's not just “limited effectiveness” or “better than nothing” level - in some cases, “being secure by setting MAC address filtering” can provide attackers with an opportunity to be notified that this is a network with lax security management. One reason MAC address filtering is “dangerous” is that spoofing is easy. Since MAC addresses are not encrypted on the network, they’re completely visible from the outside if you capture wireless LAN packets. Tools that can change MAC addresses are distributed on the internet and easily obtainable. In other words, malicious attackers can easily bypass filtering simply by using those tools to spoof MAC addresses.
In the process of writing this article, when I researched “MAC address filtering,” I was painfully aware of my lack of knowledge. The functionality I had set up to improve security seemed to be almost meaningless.
That’s all from the Gemba where stopping MAC address filtering reduced the operational burden of the internal network and made us happy.