Shulou(Shulou.com)06/01 Report--

In the local area network where Internet behavior management is deployed, there will always be people who will think of various ways to break through the Internet control. Common methods are:

IP address theft.

MAC address clone.

First of all, you can consider not opening administrator privileges, or using domain control to prohibit clients from modifying network settings. Secondly, these behaviors can be prevented through the management and control strategy of online behavior management. In this article, I will introduce how to use the WSG Internet behavior Management Gateway to deal with IP address embezzlement and MAC address cloning.

How to prevent IP address misappropriation?

There are two possibilities for IP address embezzlement: the first is to modify the IP address outside the scope of control, and the second is to modify the IP address of other terminals in the local area network.

For the first case, you only need to disable everything outside the scope of IP through firewall policy or behavior management policy. As shown in the figure:

Embezzling existing IP addresses can lead to IP address conflicts, and few people dare to do so openly. Of course, to prevent the embezzlement of existing IP addresses, you can also turn on IP-MAC binding. When binding is enabled, you can surf the Internet only if the IP address and MAC address match. As shown in the figure:

As long as the IP-MAC binding is done, even if the IP address is changed to the IP address of other permissions in the local area network, it will not be able to access the Internet. In this way, you can put an end to the behavior of modifying IP by yourself.

How to prevent MAC address cloning?

Basically, there are two ways to clone MAC addresses:

1)。 Modify your MAC address to bypass surveillance. But most of the control policies are based on IP addresses, so it is useless to modify MAC. If you want to prevent MAC from being modified, it is sufficient to turn on the IP-mac binding.

2)。 Connect the router privately and modify the MAC and IP of the router to the MAC and IP of the computer. Then use routers to bring devices such as PCs and mobile phones.

The second situation is much more complicated than the first. From the perspective of upper-level Internet behavior management and firewall devices, both IP and MAC addresses are legal, but in fact there are more private devices. At this point, you need to use another module, "shared detection". As shown in the figure:

The sharing detection module can detect the above network sharing behavior, and can see the secondary terminal devices under this device. As shown in the figure:

In this way, the behavior of the private router can be detected.

To sum up, with the combination of ip control, IP-MAC binding, and sharing detection, we can effectively control violations such as "mac address cloning" and "IP embezzlement" in the LAN.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.