How Intranet security technology prevents illegal access

Source: Internet
Author: User

ARP (Address Resolution Protocol) is the protocol that converts an IP address into a physical (MAC) address. There are two ways to map IP addresses to physical addresses: table-driven (a static lookup table) and non-table (dynamic resolution on the wire). ARP resolves addresses of the network layer (the IP layer, OSI layer 3) to addresses of the data link layer (the MAC layer, OSI layer 2). Simply put, there must be a mapping between each IP address and a MAC address, and ARP is the protocol used to determine that mapping.

ARP spoofing blocking: Within one IP subnet, packets are delivered based on the MAC address of the target machine, and that MAC address is obtained from the target's IP address through ARP. Every host, including the gateway, keeps an ARP cache table. Under normal circumstances this cache maintains a one-to-one relationship between IP addresses and MAC addresses. However, the ARP cache and the ARP request/response mechanism have weaknesses: a typical host accepts an ARP reply it never asked for and overwrites the cached entry with whatever mapping the reply carries, which makes ARP spoofing easy.
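The mapping and the cache weakness described above, as an added example that is not code from the original article or from any product it names. It builds and parses ARP frames for IPv4 over Ethernet and runs a naive cache, one that records the sender mapping of every ARP packet it sees, through a legitimate resolution followed by a spoofed reply. All MAC and IP addresses are constructed sample values.

```python
"""Added example, not code from the original article: build and parse
ARP frames (IPv4 over Ethernet) and show how a naive ARP cache, which
accepts any reply it sees, is rewritten by a spoofed reply.
All MAC and IP addresses are constructed sample values."""
import struct
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """14-byte Ethernet II header followed by the 28-byte ARP payload.
    Requests are broadcast; replies are unicast to the target MAC."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_to_bytes(target_mac)
    eth = dst + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; reject anything that is not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class NaiveArpCache:
    """Models the weakness the article refers to: the sender mapping of
    every ARP packet, solicited or not, overwrites the cached entry."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def process(self, frame: bytes) -> None:
        p = parse_arp(frame)
        self.table[p["sender_ip"]] = p["sender_mac"]

    def lookup(self, ip: str) -> Optional[str]:
        return self.table.get(ip)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Legitimate resolution of the gateway, then a spoofed reply for the
    same IP. Returns the cached gateway MAC before and after the spoof."""
    gateway_ip, gateway_mac = "192.0.2.1", "02:00:00:00:00:01"
    host_ip, host_mac = "192.0.2.10", "02:00:00:00:00:10"
    attacker_mac = "02:00:00:00:00:99"   # constructed value

    cache = NaiveArpCache()
    cache.process(build_arp(ARP_REQUEST, host_mac, host_ip,
                            "00:00:00:00:00:00", gateway_ip))
    cache.process(build_arp(ARP_REPLY, gateway_mac, gateway_ip, host_mac, host_ip))
    before = cache.lookup(gateway_ip)

    # Nobody asked, but the cache takes the spoofed mapping anyway.
    cache.process(build_arp(ARP_REPLY, attacker_mac, gateway_ip, host_mac, host_ip))
    after = cache.lookup(gateway_ip)
    return before, after


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the gateway MAC before and after the spoofed reply; the second value is the attacker's MAC, which is exactly the state an ARP spoofing blocking product relies on when it "blocks" a terminal, and also the state a real attacker relies on.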

Among intranet security products, ARP spoofing blocking must be applied scientifically and rationally to be effective. Because it is simple to implement, most vendors in China use ARP spoofing blocking, particularly for blocking unregistered terminals and illegal access.

First, ARP spoofing blocking has a great impact on network load.

When ARP operates normally, the requesting host sends an Ethernet broadcast containing the IP address it wants resolved, and the owner of that IP address answers the requester with a packet containing its IP and MAC addresses: one request, one reply. In an ARP spoofing blocking implementation, a single ARP request may draw dozens or even hundreds of ARP replies, and some blocking programs additionally send ARP requests of their own to carry out the spoofing. The resulting flood of ARP packets consumes a great deal of network resources, can degrade the performance of network equipment, and disrupts users' normal business.

Second, the blocking effect of ARP spoofing is unreliable.

ARP spoofing cannot be guaranteed to be 100% effective. For example, when both the target machine's genuine ARP reply and the spoofed reply reach the ARP requester correctly, the requester is only deceived with some probability (on a naive cache, whichever reply is processed last wins the entry), and a client with anti-ARP-spoofing software installed ignores the spoofed packets altogether. If ARP spoofing packets are used to control the access of terminal devices, the result is easy to imagine: these inherent defects greatly reduce the reliability of access control.

Finally, ARP spoofing blocking is hard to distinguish from real ARP spoofing.

Once ARP spoofing blocking is enabled in a network, the consequences of a real ARP spoofing attack are disastrous: users cannot tell deliberate ARP spoofing blocking apart from a genuine attack, which makes troubleshooting very difficult and seriously affects the business. On the other hand, in most ARP spoofing blocking implementations every computer in the subnet spoofs the target computer at the same time. When the target no longer needs to be blocked, every one of those computers must be told to stop spoofing; if even one of them misses the stop command, the target computer still cannot access the network normally, which turns into an operations and maintenance incident for the user.

To sum up, ARP spoofing blocking has many problems, so intranet security products should use it judiciously, as one tool among several rather than as the primary control.

1. Do not rely on a single method; combine multiple blocking methods

The intranet security risk management and audit system admits terminals to the access switches through network access control measures, blocking illegal terminals from joining the intranet at all. At the same time it applies access control on important backend servers, blocking illegal terminals from reaching important servers and service resources. In other words, seamless access control is implemented at the intranet access boundary, at the backend server resources, and on the client itself. In environments that support neither network-level nor application-level access control, the Tianji product still uses ARP spoofing blocking, but in a strictly standardized and restricted form: as soon as the personal firewall on a client intercepts an ARP spoofing attack, that client immediately stops sending spoofing packets to other clients, which removes the adverse side effects of ARP spoofing described above. In addition, the intranet security system and the Tianqing Hanma USG integrated security gateway (UTM) together form a unified security perimeter that provides Internet border access control and can block illegal terminals from accessing the Internet.

2. Actively defend against ARP spoofing

The intranet security system checks IP packet headers to prevent packet spoofing. By monitoring the processes that initiate network activity, it prevents Trojan horses from accessing the network through hidden processes. It monitors ARP request and reply packets, automatically binds the gateway MAC address, and rejects delayed ARP reply packets (replies that do not answer a request the host recently sent), which defeats intranet ARP spoofing attacks. Its built-in enterprise-grade host firewall uses access control, traffic control, ARP spoofing control, network behavior pattern control, illegal outbound access control, and other means to actively defend computer terminals against threats and to control their network behavior, ensuring two-way access security and behavior control for each terminal and limiting the damage that suspected attacks and unknown viruses can cause on the enterprise intranet.
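The three ARP protections named in this section (bind the gateway MAC, accept only replies to requests this host actually sent, drop replies that arrive after the request has timed out), as an added example that is not the vendor's code. The packets are constructed tuples rather than live traffic, the 1-second timeout is an assumed value, and the second scenario shows the caveat a practitioner should know: auto-binding trusts whoever answers first, so an attacker that beats the gateway gets bound, whereas a preconfigured gateway MAC does not have that window.

```python
"""Added example, not the vendor's code: a host-side ARP guard applying
three rules: the gateway MAC is bound once and later replies for the
gateway IP must match it; a reply is accepted only if it answers a
request this host sent; a reply arriving after the request timed out is
dropped. Packets are constructed tuples; the timeout is an assumption."""
from typing import Dict, List, Optional, Tuple


class ArpGuard:
    def __init__(self, gateway_ip: str, gateway_mac: Optional[str] = None,
                 timeout: float = 1.0) -> None:
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac       # None: auto-bind from first verified reply
        self.timeout = timeout
        self.table: Dict[str, str] = {}      # accepted IP -> MAC
        self.pending: Dict[str, float] = {}  # IP -> time our request went out
        self.rejected: List[Tuple[str, str, str]] = []

    def send_request(self, ip: str, now: float) -> None:
        """Record that this host asked for ip. Only replies to such requests
        are trusted; requests seen from other hosts never teach a mapping."""
        self.pending[ip] = now

    def on_reply(self, sender_ip: str, sender_mac: str, now: float) -> bool:
        sent = self.pending.get(sender_ip)
        if sent is None:
            return self._reject(sender_ip, sender_mac, "unsolicited reply")
        if now - sent > self.timeout:
            del self.pending[sender_ip]
            return self._reject(sender_ip, sender_mac, "reply after timeout")
        if sender_ip == self.gateway_ip:
            if self.gateway_mac is None:
                self.gateway_mac = sender_mac            # bind once
            elif sender_mac != self.gateway_mac:
                # keep the request pending so the genuine reply can still land
                return self._reject(sender_ip, sender_mac, "gateway MAC mismatch")
        del self.pending[sender_ip]   # first valid answer consumes the request
        self.table[sender_ip] = sender_mac
        return True

    def _reject(self, ip: str, mac: str, reason: str) -> bool:
        self.rejected.append((ip, mac, reason))
        return False


# Constructed sample addresses.
GW_IP, GW_MAC, EVIL_MAC = "192.0.2.1", "02:00:00:00:00:01", "02:00:00:00:00:99"


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Constructed timeline against a guard whose gateway MAC is preconfigured.
    Returns the accepted table and the rejection reasons in order."""
    g = ArpGuard(GW_IP, gateway_mac=GW_MAC)
    g.send_request(GW_IP, now=0.0)
    g.on_reply(GW_IP, EVIL_MAC, now=0.1)    # attacker answers first: MAC mismatch
    g.on_reply(GW_IP, GW_MAC, now=0.2)      # genuine reply: accepted
    g.on_reply(GW_IP, EVIL_MAC, now=0.3)    # no request outstanding: unsolicited
    g.send_request("192.0.2.20", now=5.0)
    g.on_reply("192.0.2.20", "02:00:00:00:00:20", now=7.5)  # 2.5 s later: timeout
    return g.table, [reason for _, _, reason in g.rejected]


def demo_autobind_race() -> Tuple[Optional[str], Optional[str]]:
    """Same race, once with auto-binding and once with a preconfigured MAC.
    Returns the MAC each guard ends up holding for the gateway."""
    auto = ArpGuard(GW_IP)
    auto.send_request(GW_IP, now=0.0)
    auto.on_reply(GW_IP, EVIL_MAC, now=0.05)   # attacker wins the race and gets bound
    auto.on_reply(GW_IP, GW_MAC, now=0.1)      # real gateway is now "unsolicited"
    fixed = ArpGuard(GW_IP, gateway_mac=GW_MAC)
    fixed.send_request(GW_IP, now=0.0)
    fixed.on_reply(GW_IP, EVIL_MAC, now=0.05)  # mismatch, request stays pending
    fixed.on_reply(GW_IP, GW_MAC, now=0.1)     # accepted
    return auto.table.get(GW_IP), fixed.table.get(GW_IP)


if __name__ == "__main__":
    print(demo())
    print(demo_autobind_race())
```

Note that a mismatching gateway reply does not consume the pending request, so the genuine reply can still be accepted even when the spoofed one arrives first; the price of "automatic" binding is visible in `demo_autobind_race()`, which is why a deployment that can distribute the real gateway MAC should do so instead of learning it.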

3. Active threat defense based on terminal network behavior patterns

The intranet security system provides an active threat defense mechanism based on each terminal's network behavior pattern. It centrally controls the network behavior of every computer terminal, restricts the subjects, objects, and services of that behavior, and grants network access according to the security status of the terminal. This cuts off the propagation channels of self-propagating worms and the attack paths of Trojans and hackers, compensating for the weaknesses of antivirus software. By monitoring the number of concurrent TCP connections a process opens, it slows the damage a worm can do to the network; by monitoring UDP sending behavior, it restricts network access for abnormal processes.
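The connection-count and UDP-behavior controls described above, as an added example that is not the vendor's code. A per-process sliding-window monitor counts distinct TCP or UDP destinations; a process that exceeds the limit is treated as scanning or flooding and loses all network access. The window, the limits, and the traffic it is run over are constructed assumptions.

```python
"""Added example, not the vendor's code: per-process network behavior
monitor. A process reaching more than tcp_limit distinct TCP destinations
(or udp_limit distinct UDP destinations) inside a sliding window is treated
as a worm or flooder and loses network access entirely. The thresholds and
the event log are constructed assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class BehaviorMonitor:
    def __init__(self, window: float = 2.0, tcp_limit: int = 20,
                 udp_limit: int = 50) -> None:
        self.window = window
        self.limits = {"tcp": tcp_limit, "udp": udp_limit}
        # pid -> proto -> deque of (time, (dst_ip, dst_port)), oldest first
        self.events: Dict[int, Dict[str, Deque[Tuple[float, Tuple[str, int]]]]] = \
            defaultdict(lambda: defaultdict(deque))
        self.blocked: Dict[int, str] = {}

    def allow(self, now: float, pid: int, proto: str,
              dst_ip: str, dst_port: int) -> bool:
        """Decide whether this outbound connection or datagram may proceed."""
        if pid in self.blocked:
            return False                    # once abnormal, all access is cut
        dq = self.events[pid][proto]
        while dq and now - dq[0][0] > self.window:
            dq.popleft()                    # forget events outside the window
        dq.append((now, (dst_ip, dst_port)))
        distinct = len({dst for _, dst in dq})
        if distinct > self.limits[proto]:
            self.blocked[pid] = (f"{distinct} distinct {proto} destinations "
                                 f"within {self.window}s")
            return False
        return True


def demo() -> Dict[int, Tuple[int, int]]:
    """Constructed traffic: a browser (pid 1001) talking to three hosts, a
    worm (pid 4242) sweeping port 445 across a /24, and a UDP flooder
    (pid 777) that is also refused TCP once blocked.
    Returns pid -> (allowed, denied)."""
    mon = BehaviorMonitor()
    events = []
    for i in range(10):                     # browser: 10 connections, 3 hosts, 5 s
        events.append((i * 0.5, 1001, "tcp", f"198.51.100.{i % 3}", 443))
    for i in range(40):                     # worm: 40 hosts in 1.6 s
        events.append((10 + i * 0.04, 4242, "tcp", f"192.0.2.{i + 1}", 445))
    for i in range(60):                     # flooder: 60 UDP ports in 0.6 s
        events.append((20 + i * 0.01, 777, "udp", "192.0.2.200", 10000 + i))
    events.append((21.0, 777, "tcp", "203.0.113.5", 80))   # TCP from blocked pid

    counts: Dict[int, Tuple[int, int]] = defaultdict(lambda: (0, 0))
    for now, pid, proto, ip, port in sorted(events):
        allowed, denied = counts[pid]
        if mon.allow(now, pid, proto, ip, port):
            counts[pid] = (allowed + 1, denied)
        else:
            counts[pid] = (allowed, denied + 1)
    return dict(counts)


if __name__ == "__main__":
    for pid, (ok, no) in demo().items():
        print(pid, "allowed", ok, "denied", no)
```

Counting distinct destinations rather than raw packets is what separates a browser reconnecting to the same three hosts from a worm touching forty: the browser never exceeds the limit no matter how chatty it is, while the worm is cut off after its twentieth new host and the flooder loses TCP as well as UDP once flagged.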

Intranet security systems that focus closely on compliance, including an enterprise-grade host firewall, provide five-dimensional management through terminal access control, terminal security control, desktop compliance management, terminal leak (data loss) control, and terminal auditing, improving both intranet security protection and compliance management.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
