What Is Unauthorized Terminal Access Prevention?
Unauthorized access refers to terminals connecting to the network without authorization. Unauthorized Access Prevention (UAP) is an important security access and authentication feature. It analyzes traffic information to determine whether terminals are authorized to access the network; if unauthorized access occurs, it generates alarms and blocks the unauthorized terminals. This feature prevents the security risks caused by unauthorized network access and the economic losses caused by fee evasion.
Why Is Unauthorized Terminal Access Prevention Required?
- IP Source Guard (IPSG) can prevent unauthorized access from hubs by binding a unique IP address and MAC address to a port. However, this requires complex configuration.
- DHCP snooping can discard DHCP reply packets from untrusted interfaces to ensure that DHCP clients obtain IP addresses only from authorized DHCP servers. However, this method cannot identify the type of unauthorized access.
- Terminal identification can identify the types of access terminals using Layer 2 and Layer 3 identification technologies, such as DHCP, Link Layer Discovery Protocol (LLDP), and Multicast Domain Name Service (mDNS), as well as application-layer identification technologies, such as user-agent (UA) identification and Simple Service Discovery Protocol (SSDP). However, this method has low accuracy in identifying unauthorized routers, and cannot identify unauthorized Wi-Fi access.
This is where the intelligent UAP technology comes into play.
What Are the Application Scenarios of Unauthorized Terminal Access Prevention?
In dormitories and labs, students may connect unauthorized hubs and routers to the campus network for Internet access, which threatens network security and bypasses carrier accounting. Meanwhile, as enterprises have growing requirements for mobile office and terminal access types become more and more complex, employees' unauthorized hotspots and routers put pressure on enterprise network O&M and increase the risk of enterprise information leakage.
UAP applies to the following scenarios:
- Unauthorized hub access: Students and enterprise employees connect unauthorized hubs to the network and connect unauthorized terminals to the hubs for Internet access. This complicates network O&M.
- Unauthorized router access: For convenient Internet access, students and enterprise employees connect unauthorized routers to access switches or APs and share accounts for Internet access.
- Unauthorized Wi-Fi sharing: For information security, organizations such as governments and financial institutions forbid wireless networks from being established on their intranets. However, some employees may use shared Wi-Fi on their devices such as mobile phones. This will expose the intranet to attackers, who can easily intrude into the intranet environment and cause losses to the organizations.
Unauthorized terminal access
In these scenarios, devices can detect unauthorized access behaviors and their locations in real time, and report alarms to iMaster NCE-Campus, which then delivers the configuration to block the behaviors.
Understanding Unauthorized Terminal Access Prevention
A network administrator enables the UAP function on an access device with one click. The access device then obtains uplink packets transmitted in the forwarding process, constructs a flow feature profile, determines whether the flow is abnormal and whether unauthorized access occurs using a terminal flow detection algorithm, identifies the unauthorized access type (if any), and reports an alarm to iMaster NCE-Campus accordingly. Unauthorized access includes unauthorized hub access, unauthorized router access, and unauthorized Wi-Fi access.
Detection of Unauthorized Hub Access
Unauthorized users may extend ports using hubs, enabling multiple users to access a single port. However, this brings security risks to the network.
Detection of unauthorized hub access
Under normal conditions, a port receives packets from only one IP address and MAC address within a given period. When a port receives packets carrying different IP and MAC addresses within that period, the device determines that unauthorized hub access has occurred.
Detection of Unauthorized Router Access
A user may connect multiple terminals to the network through an unauthorized router to evade being charged, which brings economic losses and security risks to the network.
Detection of unauthorized router access
Characteristics of protocols such as TCP/IP, HTTP, and DNS can be used to detect unauthorized access. To be specific, the device obtains packets such as TCP SYN, HTTP, and DNS packets in a given IP flow to analyze characteristics such as the IP time to live (TTL), UA information, and domain name. Based on these characteristics, the device determines whether unauthorized router access occurs. The following describes the detection of unauthorized access with different characteristics:
- TTL: The initial TTL value varies between operating systems and can be 128, 64, 255, or 32. Each time an unauthorized router performs NAT on a packet and forwards it, the TTL is decremented by 1. When the device detects that the TTL value in a packet sent from a terminal is invalid (not one of the preceding initial values), or that a single IP flow carries multiple TTL values, the device determines that unauthorized access occurs.
- UA: the User-Agent field in the HTTP header. This field contains information about the vendor, terminal type, operating system, and browser. The device can parse and extract operating system characteristics from the User-Agent field and detect unauthorized access based on these characteristics.
- DNS: When connecting to the network, the operating system performs operations such as connectivity tests and update checks. The DNS packets sent during these operations contain special domain names (including operating system information), which can be used to identify operating system characteristics.
Based on these characteristics, the device checks whether the operating system that accesses the network keeps changing within a certain period to determine whether unauthorized access occurs.
Detection of Unauthorized Wi-Fi Access
Unauthorized users access the network through a shared Wi-Fi network provided by authorized users to evade being charged, which brings economic losses and network security risks.
Detection of unauthorized Wi-Fi access
When a shared hotspot or proxy is enabled, the techniques and characteristics (IP TTL, UA, and domain name) used to detect unauthorized Wi-Fi access are similar to those used to detect unauthorized router access. The difference is that a shared hotspot or proxy masks the TCP/IP protocol stack characteristics of the unauthorized terminals, so unauthorized Wi-Fi access cannot be detected based on the IP TTL; detection relies on the remaining characteristics (UA and domain name).
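The detection logic described in the hub, router, and Wi-Fi sections above, as an added Python example (not the device's or iMaster NCE-Campus's own code): several IP/MAC pairs on one port indicate a hub; non-initial or multiple TTLs in a flow indicate a NAT router; a changing OS fingerprint catches both routers and shared hotspots, whose TTL signal is masked. The packet-record format, the User-Agent OS markers, and the sample detection window are assumptions constructed for the illustration; DNS-derived OS hints are left out.

```python
from collections import defaultdict
# Initial TTL values the text lists for common operating systems.
INITIAL_TTLS = {32, 64, 128, 255}
# Assumed OS markers in the User-Agent header; "Android" precedes "Linux" because Android UAs carry both.
UA_OS_MARKERS = [("Android", "Android"), ("Windows NT", "Windows"), ("Linux", "Linux")]

def os_from_ua(ua):
    """Extract the operating-system characteristic from a User-Agent string (None if absent)."""
    for marker, label in UA_OS_MARKERS:
        if ua and marker in ua:
            return label
    return None

def detect(packets):
    """Per access port, return findings for one detection window. packets is an
    iterable of constructed (port, src_ip, src_mac, ttl, user_agent_or_None) records."""
    ports = defaultdict(lambda: {"pairs": set(), "ttls": set(), "oses": set()})
    for port, ip, mac, ttl, ua in packets:
        p = ports[port]
        p["pairs"].add((ip, mac))
        p["ttls"].add(ttl)
        if (os_name := os_from_ua(ua)):
            p["oses"].add(os_name)
    findings = {}
    for port, p in ports.items():
        found = []
        if len(p["pairs"]) > 1:                            # hub: several IP/MAC pairs on one port
            found.append("hub")
        if any(t not in INITIAL_TTLS for t in p["ttls"]):  # TTL decremented by a NAT hop
            found.append("router:ttl-not-initial")
        if len(p["ttls"]) > 1:                             # several TTLs inside one IP flow
            found.append("router:multiple-ttl")
        if len(p["oses"]) > 1:                             # OS fingerprint keeps changing; this
            found.append("os-changes")                     # still fires when TTL is masked (Wi-Fi)
        if found:
            findings[port] = found
    return findings

# Constructed sample window: port 1 clean, port 2 hub, port 3 NAT router, port 4 hotspot/proxy.
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 13)"
SAMPLE = [
    (1, "10.0.0.11", "00:00:00:00:00:11", 128, WIN_UA),
    (2, "10.0.0.21", "00:00:00:00:00:21", 128, None),
    (2, "10.0.0.22", "00:00:00:00:00:22", 128, None),
    (3, "10.0.0.31", "00:00:00:00:00:31", 127, WIN_UA),
    (3, "10.0.0.31", "00:00:00:00:00:31", 63, ANDROID_UA),
    (4, "10.0.0.41", "00:00:00:00:00:41", 64, ANDROID_UA),
    (4, "10.0.0.41", "00:00:00:00:00:41", 64, WIN_UA),
]
```

Running `detect(SAMPLE)` yields no finding for port 1, "hub" for port 2, all three router indicators for port 3, and only "os-changes" for port 4, where the hotspot has masked the TTL.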
- Author: Tang Jinhua
- Updated on: 2026-01-13