Every device with a network card is assigned a Media Access Control (MAC) address. Often referred to simply as a physical or hardware address, the MAC is a 6-byte-long unique identifier issued to every network interface. They are assigned to both Ethernet and wireless cards. Even if a system has multiple network ports, each port still has a unique MAC address. The goal of a MAC is to uniquely identify every single network port so that network traffic can be sent to and received from the correct device. Without unique MAC addresses, network infrastructure like routers and switches would not be able to make any sense of a network’s structure. 

MAC addresses operate at Layer 2 (the Data Link layer) of the OSI model and are written in hexadecimal. They come pre-configured on every network interface and generally cannot be altered by admins. A MAC address is made up of two parts. Each hardware manufacturer is assigned a 3-byte organizationally unique identifier (OUI), and every network card that manufacturer produces carries that OUI at the start of its MAC address. The remaining three bytes are filled in with a series of hexadecimal digits that is unique to the individual card.
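The following is an added example, not code from the original article: a small parser that accepts the usual textual forms of a MAC address, rejects anything that is not exactly six hexadecimal bytes, and splits the result into the 3-byte OUI and the 3-byte card-specific half described above. It goes slightly beyond the text by also reporting the two flag bits that IEEE 802 defines in the first byte (group address, locally administered), since those are what distinguish a burned-in unicast address from a broadcast, multicast or software-assigned one. All sample addresses in the test are constructed.

```python
"""Parse a MAC address into its OUI and device-specific halves (added example)."""
import re

# Matches 12 hex digits in the three common layouts:
# aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and the dotted aabb.ccdd.eeff form.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",
    re.IGNORECASE,
)


def normalize_mac(text: str) -> str:
    """Return the address as 12 lowercase hex digits, or raise ValueError."""
    candidate = text.strip()
    if not _MAC_RE.match(candidate):
        raise ValueError(f"not a MAC address: {text!r}")
    return re.sub(r"[^0-9a-f]", "", candidate.lower())


def split_mac(text: str) -> dict:
    """Split a MAC into its 3-byte OUI and 3-byte manufacturer-assigned tail."""
    digits = normalize_mac(text)
    first_byte = bytes.fromhex(digits)[0]
    return {
        "canonical": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": digits[:6],    # organizationally unique identifier (manufacturer)
        "nic": digits[6:],    # unique per card within that OUI
        # Flag bits in the first byte, as defined by IEEE 802:
        # bit 0 set -> group (multicast/broadcast) address
        # bit 1 set -> locally administered, i.e. not the burned-in value
        "multicast": bool(first_byte & 0x01),
        "locally_administered": bool(first_byte & 0x02),
    }


if __name__ == "__main__":
    # Constructed sample address, not a real device.
    print(split_mac("00-1A-2B-3C-4D-5E"))
```

Feeding the same address in colon, hyphen or dotted form yields the same canonical string, which is what makes inventory lookups and log correlation reliable when Windows, Linux and switch CLIs each print the address differently.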

When you begin configuring your business network, you can usually check the dashboard of your router to see each device currently connected, along with its MAC address. Switches also maintain what is known as a MAC address table, which records which MAC addresses have been seen on each switch port so that frames can be forwarded to the right port. A protocol known as Address Resolution Protocol (ARP) resolves an IP address to the MAC address of the interface that currently holds it; each host keeps the answers in an ARP cache. You can view the ARP cache on your own system, and the MAC addresses of its interfaces, from the terminal.

Windows Command Prompt (ARP cache, i.e. IP-to-MAC mappings learned from the network):

arp -a

Linux terminal (local interfaces and their own MAC addresses):

ifconfig -a

ip link list

ip address show

MAC addresses can be targets for a number of different network attacks by threat actors. Man-in-the-Middle (MitM) attacks are the most common, such as ARP spoofing, where a threat actor associates their own MAC address with an IP address currently assigned to a legitimate device. Other hosts then update their ARP caches with the false mapping, so traffic destined for the legitimate device is instead sent to the threat actor, who is treated as the proper host.
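The following is an added example, not code from the original article, showing the defensive side of the ARP cache commands above: it parses `arp -a` style output and applies two checks. The first flags any single hardware address that is claimed by two or more unicast IP addresses, which is what a cache looks like after ARP spoofing (broadcast and multicast entries are skipped because they legitimately repeat). The second compares the cache against a baseline of expected IP-to-MAC pairs, such as the gateway's address from an asset inventory. The sample output and every address in it are constructed for the example.

```python
"""Detect ARP spoofing indicators in `arp -a` output (added example)."""
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not a real capture).
# The gateway 192.168.1.1 and the host 192.168.1.20 resolve to the SAME
# hardware address, the signature the article describes.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.30          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache entry: IPv4 address, MAC (hyphen or colon separated), entry type.
_ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; MACs are normalized to lowercase colon form."""
    entries = []
    for line in text.splitlines():
        match = _ENTRY_RE.match(line)
        if match:
            ip, mac, kind = match.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind.lower()))
    return entries


def is_group_address(mac):
    """Broadcast/multicast MACs (low bit of first byte set) map to many IPs by design."""
    return int(mac[:2], 16) & 0x01 == 1


def find_duplicate_macs(entries):
    """Map each MAC claimed by two or more unicast IPs to the list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac, _kind in entries:
        if not is_group_address(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_known_hosts(entries, expected):
    """Compare the cache with a baseline {ip: mac} from the asset inventory.

    Returns (ip, expected_mac, observed_mac) for every entry that disagrees.
    """
    observed = {ip: mac for ip, mac, _kind in entries}
    return [
        (ip, mac, observed[ip])
        for ip, mac in expected.items()
        if ip in observed and observed[ip] != mac
    ]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ips in find_duplicate_macs(table).items():
        print(f"possible ARP spoofing: {mac} claims {', '.join(ips)}")
    # Hypothetical gateway MAC from the asset inventory (constructed value).
    baseline = {"192.168.1.1": "00:11:22:33:44:5a"}
    for ip, want, got in check_known_hosts(table, baseline):
        print(f"{ip}: inventory says {want}, cache says {got}")
```

A duplicated MAC is an indicator rather than proof: a router that holds several IP addresses on one interface will show the same pattern. The baseline comparison is the stronger check, which is one more reason to record gateway and server MAC addresses in the hardware asset inventory.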

Businesses can implement a security control known as MAC address filtering to weed out unknown devices trying to connect to their networks. There are two forms of MAC address filtering. Blacklisting allows every network interface on the network by default and denies only the specific ones added to a blacklist. If an employee was consistently misusing network resources, you could add the MAC address of their device to the blacklist to halt the noncompliance. The more common implementation is whitelisting. Under this strategy, all network interfaces are denied by default. Then, as devices are vetted and approved for use with company resources, their MAC addresses are added to the whitelist to enable network access.

Whitelisting is a more secure and manageable strategy, especially in high-security business networks where there is an expectation that only company assets will be used. In Stage 1, you created a Hardware Asset Inventory of all company systems that have been approved and implemented into your environment. The inventory includes the MAC address associated with each system. You can simply configure whitelisting on your network infrastructure and input each documented MAC address to allow access. Any outside device will be denied access by default until it has been approved and added to the whitelist. A good overall configuration is to implement whitelisting on your internal business network and blacklisting on your Guest network. Combined with Continuous Monitoring of the Guest network, you can weed out end devices demonstrating malicious or inappropriate activity and add them to a blacklist, cutting off their access without punishing other users.
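The following is an added example, not code from the original article, that models the configuration just described: a deny-by-default whitelist for the internal network built from the hardware asset inventory, and an allow-by-default blacklist for the Guest network that devices are added to as monitoring flags them. Addresses are normalized before comparison so that an inventory entry written in hyphen or dotted form still matches the colon form a switch or router reports. The inventory rows, host names and addresses are constructed for the example.

```python
"""Whitelist/blacklist MAC filtering policies (added example)."""
from dataclasses import dataclass, field


def canonical(mac):
    """Lowercase colon form, so inventory and device spellings compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacFilter:
    # "whitelist": deny by default, allow listed addresses.
    # "blacklist": allow by default, deny listed addresses.
    mode: str
    entries: set = field(default_factory=set)

    def add(self, mac):
        self.entries.add(canonical(mac))

    def remove(self, mac):
        self.entries.discard(canonical(mac))

    def allows(self, mac):
        listed = canonical(mac) in self.entries
        return listed if self.mode == "whitelist" else not listed


# Constructed hardware asset inventory (hypothetical hosts and addresses).
ASSET_INVENTORY = [
    {"host": "FIN-LAPTOP-01", "mac": "00-1A-2B-3C-4D-5E"},
    {"host": "HR-DESKTOP-02", "mac": "00:1a:2b:3c:4d:5f"},
    {"host": "PRINTER-FL2", "mac": "001a.2b3c.4d60"},
]


def build_policies(inventory):
    """Internal network: whitelist seeded from the inventory. Guest: empty blacklist."""
    internal = MacFilter("whitelist")
    for asset in inventory:
        internal.add(asset["mac"])
    guest = MacFilter("blacklist")
    return {"internal": internal, "guest": guest}


def decide(policies, network, mac):
    """Return 'allow' or 'deny' for a device presenting `mac` on `network`."""
    return "allow" if policies[network].allows(mac) else "deny"


if __name__ == "__main__":
    policies = build_policies(ASSET_INVENTORY)
    print(decide(policies, "internal", "00:1a:2b:3c:4d:5e"))   # inventoried asset
    print(decide(policies, "internal", "de:ad:be:ef:00:01"))   # unknown device
    policies["guest"].add("de:ad:be:ef:00:01")                 # flagged by monitoring
    print(decide(policies, "guest", "de:ad:be:ef:00:01"))
```

Because the address is self-reported by the connecting client, MAC filtering works as an access-control layer rather than as authentication, which is why the text pairs it with continuous monitoring rather than relying on it alone.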