UTT Technologies User Management Menu
http://www.uttglobal.com Page 91
behaviors of the LAN users. In this section, we will describe how to implement user
identification.
The Device provides the IP/MAC binding feature to implement user identification. Using
the IP/MAC address pair as a unique user identity, you can protect the Device and
your network against IP spoofing attacks. In an IP spoofing attack, a host
attempts to use another trusted host's IP address to connect to or pass through the
Device. The host's IP address can easily be changed to a trusted address, but the MAC
address cannot easily be changed as it is added to the Ethernet card at the factory.
The IP/MAC binding feature allows you to add the IP and MAC address pairs of
trusted LAN hosts to the IP/MAC Binding List. Note that in the IP/MAC Binding List,
you can allow or block Internet access for each IP/MAC binding user. After you have
added a LAN user's IP and MAC address pair to the IP/MAC Binding List, the user is
allowed to access the Device and the Internet if the binding's Allow check box is
selected (check mark √ appears); otherwise the user is blocked.
9.2.1 The Operation Principle of IP/MAC Binding
For convenience, we first introduce several related terms: legal user, illegal user
and undefined user.
Legal User: A legal user's IP and MAC address pair matches an IP/MAC binding
whose Allow Internet Access check box is selected.
Illegal User: An illegal user's IP and MAC address pair matches an IP/MAC binding
whose Allow Internet Access check box is unselected, or either its IP address or its
MAC address is the same as an IP/MAC binding's, but not both.
Undefined User: An undefined user's IP address and MAC address are both different
from those of every IP/MAC binding. The undefined users are all the users except
legal and illegal users.
The Device allows the legal users to access the Device and access the Internet through
the Device, and denies the illegal users. The Allow Undefined LAN PCs parameter
determines whether the Device allows the undefined users to access the Device and
access the Internet through it: it allows them if the Allow Undefined LAN PCs check
box is selected; otherwise it blocks them.
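The classification rules above, written out as an added example (this is not code from the UTT manual or the Device firmware). The names Binding, classify and permitted are hypothetical, the sample addresses are constructed, and the MAC normalization is an assumption about how addresses are compared.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    allow: bool  # state of the binding's Allow check box

def _mac(mac: str) -> str:
    # Assumption: MACs compare case-insensitively, ignoring ':' / '-' separators.
    return mac.replace(":", "").replace("-", "").lower()

def classify(ip: str, mac: str, bindings) -> str:
    """Return 'legal', 'illegal' or 'undefined' for a sender's IP/MAC pair."""
    src_ip, src_mac = ipaddress.ip_address(ip), _mac(mac)
    partial = False
    for b in bindings:
        ip_hit = ipaddress.ip_address(b.ip) == src_ip
        mac_hit = _mac(b.mac) == src_mac
        if ip_hit and mac_hit:
            # Exact pair match: the Allow check box decides.
            return "legal" if b.allow else "illegal"
        partial = partial or ip_hit or mac_hit
    # Only the IP or only the MAC matched some binding: treated as spoofing.
    return "illegal" if partial else "undefined"

def permitted(ip: str, mac: str, bindings, allow_undefined: bool) -> bool:
    """Apply the pass/drop decision, including Allow Undefined LAN PCs."""
    identity = classify(ip, mac, bindings)
    if identity == "undefined":
        return allow_undefined
    return identity == "legal"

# Constructed sample binding list (addresses are illustrative only).
BINDINGS = [
    Binding("192.168.1.10", "00:11:22:33:44:55", allow=True),
    Binding("192.168.1.20", "00:11:22:33:44:66", allow=False),
]

if __name__ == "__main__":
    for ip, mac in [("192.168.1.10", "00-11-22-33-44-55"),
                    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),
                    ("192.168.1.99", "aa:bb:cc:dd:ee:ff")]:
        print(ip, mac, classify(ip, mac, BINDINGS), permitted(ip, mac, BINDINGS, False))
```

A host that presents a bound IP address with a different MAC address, or a bound MAC address with a different IP address, falls into the illegal class even when Allow Undefined LAN PCs is selected.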
The IP/MAC binding feature can act on the packets initiated from the LAN hosts to the
Device or outside hosts. When receiving a packet initiated from the LAN, the Device
first determines the sender's identity by comparing the packet with the bindings in
the IP/MAC Binding List, and then processes the packet according to the sender's
identity. The details are as follows:
1) If the sender is a legal user, the packet will be allowed to pass, and then be further
processed by the firewall access control function module.
2) If the sender is an illegal user, the packet will be dropped immediately to prevent
IP spoofing.
3) If the sender is an undefined user, there are two cases: