Back

Enable MAC address filtering for Wireless Access Points.


CONTROL ID
04592
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Configure Wireless Access Points in accordance with organizational standards., CC ID: 12477

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Wireless networks should not use Media Access Control address filtering. (Control: 1320, Australian Government Information Security Manual: Controls)
  • Does the organization use Mandatory Access Control address filtering on a per-port basis? (App Table Active Content Filtering Row 3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • MAC address filtering should be enabled if automatic device network registration is operational. If automatic device network registration is not operational, manual registration may not be justified for wireless devices. Fast Secure Roaming may be adversely affected by MAC address filtering. (§ 2.3.1 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, 1)
  • MAC address filtering should be enabled. (§ 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • MAC address filtering should be enabled. (§ 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • MAC address filtering should be enabled. (§ 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
  • MAC address filtering should be enabled. (§ 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, 1)
  • The organization must use MAC address authentication for wireless devices. (CSR 10.10.5(5), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • MAC address filters allow or disallow the forwarding of unicast and multicast packets sent from or addressed to specific MAC addresses. MAC address filtering should be enabled at each access point. Examine the wireless LAN access points or security gateway device configuration by viewing the MAC ad… (§ 3.1 (WIR0160), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • The agency shall deploy Media Access Control Access Control Lists for wireless implementations and when Wired Equivalent Privacy and Wi-Fi Protected Access security features are used for wireless security in conjunction with the criminal justice information services required minimum encryption speci… (§ 5.5.7.2 ¶ 2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Has MAC address filtering for the Wireless Local Area Network access points, wireless routers, and wireless bridges been enabled? (IT - WLANS Q 9d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum. (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 1 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)