Controlling Authorized MAC / IP Spoofing Endpoints

An unauthorized endpoint may attempt network access by spoofing the MAC and IP of an authorized endpoint. If the same MAC and IP are used as an authorized endpoint, it is difficult to distinguish between authorized/unauthorized at the network level (IP, MAC address). Therefore, in addition to basic MAC/IP information, IP/MAC spoofing is controlled through detection of network packets with the same MAC/IP and MAC change detection from agents.

Solution

To control MAC/IP Clone endpoints, Genian NAC provides control methods through both Network Sensors and Agents.

  • Use the MAC/IP Clone detection function provided by the Network Sensor.
  • Use the MAC Clone detection function via the Agent.
  • Use the MAC/IP Clone risk detection policy.

Step.1 Configure Network Sensor MAC/IP Clone Detection

  1. Go to the top System menu.
  2. In the left panel, go to Sensor Management.
  3. Check the checkbox to the left of the Network Sensor item.
  4. In Select Action, click Bulk Sensor Settings.
  5. Check the MAC+IP Clone Detection item in the Node Status Check section.
  6. Click the Save button at the bottom.

Step.2 Confirm Network Sensor Node Status Check Settings

  1. Go to the top System menu.
  2. Click the IP of the Device for the Network Sensor configured in Step 1.
  3. Go to the Preferences tab.
  4. Confirm that the Node Status Check item in Other Settings is configured as follows:
    • Node Status Check: On
    • Node Status Check Method: Minimum Period

Step.3 Configure MAC/IP Clone Risk Detection and Assign Node Policy

  1. Go to the top Policy menu.
  2. In the left panel, go to the Risk Detection menu.
  3. Select MAC/IP Clone Risk Detection.
  4. In the Options section below, change the MAC Spoofing Detection option to On and click the Modify button at the bottom.
  5. Go to Node Policy in the left panel.
  6. Click the Node Policy Name of the target to which you want to apply MAC/IP Clone detection.
  7. Click the Assign button in the Risk Detection section at the very bottom.
  8. In the pop-up window, move the MAC/IP Clone item to the right and click the Modify button.
  9. Click the Modify button at the bottom to save the changes.
  10. Click the Apply Change Policy button in the top right to apply the policy.

Step.4 Network Blocking of Risky Nodes

Nodes detected as risky can be controlled via the network using the following method: Blocking Risky Nodes