How To Restrict traffic from only selected MAC addresses using MAC-IP Anti-Spoof Protection
10/14/2021 193 People found this article helpful 492,392 Views
Description
This article explains how to restrict traffic initiated from internal network, based on MAC addresses, using MAC-IP Anti-spoof protection. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet's source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:
- DHCP Server-based leases (SonicWall's - DHCP Server)
- DHCP relay-based leases (SonicWall's - IP Helper)
- Static ARP entries
- User created static entries
This article explains the use of Static ARP (Address Resolution Protocol) by Binding an IP to a MAC address and ensuring only IP's with static ARP entries are allowed on the network and rest will be blocked. This would serve two purposes, blocking unauthorized access, and allow only listed Mac addresses in the network.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under System | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown below:
Step 3: Check if the settings have been applied as shown below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below: MAC-IP Anti-Spoof check enforced for hosts.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under Manage| Network | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown below:
Step 3: Check if the settings have been applied as shown below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below:
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under Network | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown with pointing arrows below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below:
Related Articles
Categories