SonicOS 5.8.1 Administrator Guide
Chapter 25: Configuring MAC-IP Anti-Spoof
Network > MAC-IP Anti-Spoof
This chapter describes how to plan, design, and implement MAC-IP Anti-Spoof protection in
SonicWALL SonicOS Enhanced. This chapter contains the following sections:
• “MAC-IP Anti-Spoof Protection Overview”
• “Configuring MAC-IP Anti-Spoof Protection”
MAC-IP Anti-Spoof Protection Overview
MAC and IP address-based attacks are increasingly common in today’s network security
environment. These types of attacks often target a Local Area Network (LAN) and can originate
from either outside or inside a network. In fact, any place where internal LANs are somewhat
exposed, such as office conference rooms, schools, or libraries, can provide an opening for
these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP
poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing
administrators with different ways to control access to a network, and by eliminating spoofing
attacks at OSI Layer 2/3.
The MAC-IP Anti-Spoof feature is effective in two areas. The first is admission control,
which lets administrators select which devices gain access to the network. The second is
the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To
achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache
and the ARP Cache.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to
be allowed inside the network. An incoming packet’s source MAC and IP addresses are looked
up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache
is built through one or more of the following sub-systems:
• DHCP Server-based leases (SonicWALL’s DHCP Server)
• DHCP relay-based leases (SonicWALL’s IP Helper)
• Static ARP entries
• User created static entries
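The lookup described above can be modeled in a few lines. The following is an added example, not SonicOS code: it builds a cache from the four sources listed and checks each packet's source IP and MAC pair against it. The class, the source labels, and the drop-reason labels are hypothetical names chosen for this example, and all addresses are constructed.

```python
import ipaddress

# Cache sources named on the page; the string labels are this example's own.
SOURCES = {"dhcp_server", "dhcp_relay", "static_arp", "user_static"}

def norm_mac(mac):
    """Accept 02-00-..., 02:00:..., 0200.5e00... and return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class AntiSpoofCache:
    def __init__(self):
        self.entries = {}  # (ip, mac) -> source that created the binding

    def learn(self, ip, mac, source):
        if source not in SOURCES:
            raise ValueError(f"unknown source: {source}")
        self.entries[(str(ipaddress.ip_address(ip)), norm_mac(mac))] = source

    def check(self, src_ip, src_mac):
        """Return (allowed, reason). Only an exact IP+MAC match is allowed."""
        key = (str(ipaddress.ip_address(src_ip)), norm_mac(src_mac))
        if key in self.entries:
            return True, "match:" + self.entries[key]
        # The drop reasons below are triage labels added by this example.
        if any(ip == key[0] for ip, _ in self.entries):
            return False, "ip_bound_to_other_mac"
        if any(mac == key[1] for _, mac in self.entries):
            return False, "mac_bound_to_other_ip"
        return False, "unknown_host"

def build_sample_cache():
    """Constructed bindings, one per source (192.0.2.0/24 is a documentation range)."""
    cache = AntiSpoofCache()
    cache.learn("192.0.2.10", "02:00:5e:00:00:10", "dhcp_server")
    cache.learn("192.0.2.20", "02-00-5E-00-00-20", "dhcp_relay")
    cache.learn("192.0.2.1", "0200.5e00.0001", "static_arp")
    cache.learn("192.0.2.30", "02:00:5e:00:00:30", "user_static")
    return cache

if __name__ == "__main__":
    cache = build_sample_cache()
    for ip, mac in [("192.0.2.10", "02:00:5E:00:00:10"),   # leased host
                    ("192.0.2.1", "02:00:5e:00:00:99"),    # gateway IP, wrong MAC
                    ("192.0.2.77", "02:00:5e:00:00:20"),   # known MAC, new IP
                    ("192.0.2.88", "02:00:5e:00:00:88")]:  # never seen
        print(ip, mac, cache.check(ip, mac))
```

Normalizing the MAC before comparison matters in practice: the same address written with dashes, dots, or mixed case would otherwise miss its own cache entry.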
The ARP Cache is built through the following subsystems: