All MAC addresses should resolve to a vendor in a list of known vendors, or at the very least indicate the type of MAC address. In this case, SONAR can discover new devices that connect to your network with MAC addresses that are neither locally administered addresses (LAA) nor resolvable to a known vendor in the published list. This post will help you understand more about the published OUI vendor list.
Understanding MAC addresses
A MAC address, or media access control address in full, is a unique ID assigned to network interface cards (NICs). A MAC address is sometimes also referred to as a hardware or physical address. MAC addresses are used for network communication between devices in a network segment. Network admins also use the unique ID to identify devices’ manufacturers.
Normally, network adapters or network interface cards come with a MAC address stored in the hardware, mainly in BIOS systems or read-only memory (ROM). The addresses are 48-bit (6 bytes or 12 hex characters) values, commonly split by colons, dashes, or dots.
What is an OUI?
PCMag defines the organizationally unique identifier (OUI) as the part of the MAC address that identifies the vendor of a network adapter. The OUI is the first three bytes (24-bit number) of the six-byte field, and it is assigned to a network device or station manufacturer or vendor.
MAC addresses are commonly split, with the leading bits representing the OUI. In our MAC address example, the corresponding 24-bit OUI would be aabbcc, while the host bits would be ddeeff.
The Institute of Electrical and Electronics Engineers (IEEE) Registration Authority assigns these globally unique identifiers. A statement on the IEEE website reads, “OUI is an IEEE Registration Authority (RA) specific term referred to in various standards and may be used to identify companies on the IEEE Public Listing.”
OUI Vendor List and Wireless Security
All the details about MAC addresses and OUIs are interesting. But what do they have to do with security? OUI and MAC addresses are useful in diagnosing network and security issues, especially because they never change, as opposed to dynamic IP addresses that can change from time to time. With MAC addresses, a network admin or security analyst can identify senders and receivers of data on a network.
Often, when looking at MAC address tables, we see something ‘odd.’ It is essential to have a quick lookup tool that maintains an OUI table in an understandable format. That way, security analysts working on an incident where MAC/OUI information is crucial in determining a mitigation solution can look up the address to determine the vendor and possible vulnerabilities in a network device.
Examining MAC address information reveals details about the vendor behind a device connected to a network. Also, you can look through logs to identify devices attempting to connect to wireless access points (APs).
With an appropriate MAC address lookup tool, you can search for your MAC address or OUI in the MAC address vendor database. A MAC address vendor database consists of a list of MAC addresses of all devices manufactured to date.
That way, users can deploy a lookup tool to find the MAC address in this database, revealing which manufacturer originally made a device and the prefix and postfix of a given MAC address. What’s more, the MAC address vendor database shows details of the country where a device was manufactured. Overall, such information helps verify a given MAC address against the vendor in the OUI vendor database.
Once you discover a new device connected to the network with a MAC address that does not resolve to a vendor in the published list, you can deploy a MAC filtering process. This security measure configures your router or AP to reject traffic and requests from this specific MAC address.
This way, devices whose MAC addresses fail to resolve will not communicate through the network, even if they receive new IP addresses from DHCP. The process effectively blocks such new devices, which might belong to malicious cyber actors. The wireless network will block a hacker who has hijacked a network IP address but whose MAC address fails to resolve to a vendor in the published list.
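The triage described in this post can be sketched in a few lines. This is an added example, not code from the original post or from SONAR. It accepts colon, dash or dot notation, skips vendor lookup for group and locally administered addresses (the bit with value 0x02 in the first octet, which is set in aa:bb:cc:dd:ee:ff), and flags addresses whose OUI is missing from the table. The function names, the OUI table and the sightings are all constructed for illustration.

```python
import re

# Constructed sample of an OUI table (prefix -> vendor). Not real IEEE data.
OUI_TABLE = {
    "001A2B": "Example Vendor A (constructed)",
    "F4C3D0": "Example Vendor B (constructed)",
}

def normalize(mac):
    """Accept colon, dash or dot notation; return 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def classify(mac, table=OUI_TABLE):
    """Return (category, detail) for one MAC address."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        return ("group", "multicast/broadcast bit set, no vendor lookup")
    if first_octet & 0x02:
        # Locally administered: the first 24 bits are not an IEEE-assigned OUI.
        return ("laa", "locally administered, no vendor lookup")
    vendor = table.get(digits[:6])
    if vendor:
        return ("known", vendor)
    return ("unknown", f"OUI {digits[:6]} not in table")

def flag_unresolved(macs, table=OUI_TABLE):
    """MACs that are neither LAA nor resolvable to a vendor, plus malformed ones."""
    flagged = []
    for mac in macs:
        try:
            category, _ = classify(mac, table)
        except ValueError:
            category = "malformed"
        if category in ("unknown", "malformed"):
            flagged.append((mac, category))
    return flagged

# Constructed sightings, e.g. taken from a DHCP lease or AP association log.
SEEN = ["00:1a:2b:10:20:30", "F4-C3-D0-AA-BB-01", "aa:bb:cc:dd:ee:ff",
        "001a.2b33.4455", "00:9f:7e:01:02:03", "00:1a:2b:10:20"]

if __name__ == "__main__":
    for mac, why in flag_unresolved(SEEN):
        print(f"{mac}\t{why}")
```

The flagged entries are candidates for review or MAC filtering. Locally administered addresses are reported separately because no vendor can be derived from them.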