Is MAC filtering and DHCP reservations providing any real benefit?

neil0311

Senior Member
Happy New Year!

I’ve been using wireless MAC filtering with an allow list, along with setting up manual IP assignment with DHCP reservations and no free DHCP addresses.

Back when I started doing this 20 years ago, it seemed like a good idea that provided security benefit. Now, with newer hacking tools, it may just be a huge pain in the butt, since every time I upgrade the firmware, all of the info has to be reentered.

What do others do? Is WPA2 enough with dynamic IP assignment and no MAC filtering on the wireless networks?

Any thoughts either way? Thanks.
 
There are negligible security benefits to what you're doing, although you still may want to use MAC filtering to direct certain clients to specific access points.

Creating zero free DHCP addresses would only deter someone with no technical knowledge from connecting, like kids (maybe).
 
There are negligible security benefits to what you're doing, although you still may want to use MAC filtering to direct certain clients to specific access points.

Creating zero free DHCP addresses would only deter someone with no technical knowledge from connecting, like kids (maybe).

Thanks. I’ve disabled MAC filtering on the wireless networks and switched to dynamic DHCP with a pool of addresses.

Only security measure now is WPA2 with a very strong password. Updating firmware will be much simpler.
 
The security advantage I see in assigning static IPs is when I see a DHCP assigned device on my network I can investigate it to determine what it is and what it is doing on my network.
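
The check described in the post above (known devices hold reserved IPs, so anything handed a dynamic address stands out) could be scripted as follows. This is an added example, not part of the original thread; it assumes a dnsmasq-style lease file (`expiry mac ip hostname client-id`), and the inventory, pool range and sample leases are constructed.

```python
import ipaddress

# Constructed inventory (assumption): MAC -> reserved IP for known devices.
RESERVED = {
    "3c:aa:bb:00:00:01": "192.168.1.10",
    "3c:aa:bb:00:00:02": "192.168.1.11",
}
# Constructed dynamic pool (assumption), kept apart from the reserved range.
POOL = (ipaddress.ip_address("192.168.1.100"),
        ipaddress.ip_address("192.168.1.199"))
# Constructed sample lease file in dnsmasq's lease format.
SAMPLE_LEASES = """\
1735700000 3c:aa:bb:00:00:01 192.168.1.10 nas 01:3c:aa:bb:00:00:01
1735700100 3c:aa:bb:00:00:02 192.168.1.150 laptop *
1735700200 5e:11:22:33:44:55 192.168.1.101 * *
1735700300 00:11:22:33:44:55 192.168.1.102 printer *
"""

def parse_leases(text):
    """Yield (mac, ip) per lease line; skip malformed and non-lease lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield parts[1].lower(), ipaddress.ip_address(parts[2])
        except ValueError:
            continue

def is_locally_administered(mac):
    """True if the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def review(text, reserved=RESERVED, pool=POOL):
    """Return (mac, ip, reason) for every lease that deserves a look."""
    findings = []
    for mac, ip in parse_leases(text):
        if mac in reserved:
            # A cloned known MAC would pass here; this is inventory, not auth.
            if str(ip) != reserved[mac]:
                findings.append((mac, str(ip), "known MAC on unexpected IP"))
            continue
        in_pool = pool[0] <= ip <= pool[1]
        reason = "unknown MAC in dynamic pool" if in_pool else "unknown MAC outside pool"
        if is_locally_administered(mac):
            reason += " (locally administered)"
        findings.append((mac, str(ip), reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LEASES):
        print(*finding, sep="  ")
```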
 
A true hacker would not care if they used DHCP or a static IP to access your network (and in my experience a static is preferred). There is zero security either way. If they are smart enough to exploit whatever method is required to access your network, then an IP is the least of their worries. :)

Similarly, MAC filtering is essentially useless. Once they compromised your network to the extent that MAC addresses come into play, it would be simple to sniff out a MAC that they could clone from the network traffic.

Keeping up to date with firmware, security patches, O/S patches, etc. is typically your best approach. WPA2 offers reasonable security, at least today. But, physical access (or in this case proximity for wireless) is typically low risk to begin with.

Most intrusions will come remotely, from far far away. By following the basics, you make yourself less of a target from the 100000+ "next guys" that don't, thus not making it worth the effort to bother breaching your network. There are more than enough open or poorly secured networks out there to keep botnet scroungers busy.

Non-default user IDs and passwords are critical to security.

Not having anything worth hacking into or stealing is also a good plan, along with offline backups :)
 
Not having anything worth hacking into or stealing is also a good plan, along with offline backups :)

Agreed, the best security is not putting anything out there, or having anything worth hacking. Save important stuff to offline-only storage. When in doubt, the best security is the power button or pulling the power cord.
 
I agree with a lot of what others have said. There are no real security benefits to this stuff in a home environment. Anyone committed enough can break wifi encryption/password, spoof their MAC addresses to bypass the MAC blocking and join the Wifi network. Reducing the DHCP pool range doesn’t stop someone from manually configuring their interface to use an IP address outside that range. DHCP reservations apply to each MAC address, so them spoofing a new MAC means they get a different IP anyway. There are ways to harden enterprise networks with per-interface MAC addressing port security and VLANs, but it’s just not worth pursuing with a basic home wifi router network. It’s common practice in enterprise to use subnetting to limit available hosts range of IP addresses so any new host on the network couldn’t communicate. You could look into that. I wouldn’t bother though. Guests would have trouble joining.
 
