A design of egress NAC using an authentication visa checking mechanism to protect against MAC address spoofing attacks

An egress Network Access Controller (NAC) is important to authenticate internal users before accessing external networks (such as browsing the Internet). It is generally deployed at most Wi-Fi hotspots. It can be also used to control wired access on any open Ethernet jacks (such as business centers or hotel rooms). However, a MAC address spoofing attack is a very simple but powerful technique to bypass the egress NAC. By spoofing their MAC Address to a legitimate user´s, attackers can easily access network resources under that user´s permission. There have been several previous proposals to solve this problem. However, all of them have been proven to be ineffective. In this paper, we therefore propose a new solution using an authentication visa checking mechanism. From experimental results on a test-bed, our new egress NAC has shown its effectiveness and efficiency in protecting against the MAC address spoofing attack on both wireless and wired network environments.