What is IP Source Guard?
IP Source Guard (IPSG) is a switch-level network security feature that only forwards traffic from valid IP-MAC combinations. It blocks spoofing attempts in which a device tries to impersonate another system by using a false IP address.
In OT environments, IP Source Guard helps protect critical communication — such as between PLC and SCADA — from malicious or erroneous IP traffic.
🧠 Why is IP Source Guard needed?
- Prevents IP spoofing – A device cannot impersonate another IP
- Improves the integrity of network traffic – Only legitimate sources are accepted
- Protects against man-in-the-middle attacks and rogue devices
- Supports Zero Trust Architecture at Layer 2/3
- Per-port scoping – Each port has allowed IP/MAC combinations
🔧 How does IP Source Guard work?
| Step | Description |
|---|---|
| 1. DHCP Snooping gathers IP-MAC-port data | A binding table is built up by observing DHCP traffic |
| 2. The switch compares IP traffic that devices send into a port against the bindings | Only matching IP/MAC/port combinations are forwarded |
| 3. Invalid packets are handled | Non-matching packets are blocked or logged |
IPSG is typically only active on untrusted switch ports and requires an active DHCP binding.
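The three steps above as a simplified Python model, added here as an illustration and not taken from any switch vendor's implementation. The class and function names, port names, VLAN, MAC and IP values are all constructed assumptions; the static entry stands in for a manually configured binding on a device that does not use DHCP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    expires: float  # lease end (seconds); float("inf") for static entries

class SourceGuard:
    """Simplified model of a DHCP snooping binding table and the IPSG check."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports toward real DHCP servers / uplinks
        self.table = {}                    # (port, vlan, ip) -> Binding
        self.dropped = []                  # what a switch would send to syslog/SIEM

    def snoop_dhcp_ack(self, server_port, client_port, vlan, mac, ip, lease_s, now):
        # Step 1: learn a binding only from a DHCPACK that arrived on a trusted port.
        if server_port not in self.trusted:
            self.dropped.append(("rogue-dhcp", server_port, mac.lower(), ip))
            return False
        self.table[(client_port, vlan, ip)] = Binding(mac.lower(), now + lease_s)
        return True

    def add_static(self, port, vlan, mac, ip):
        # Manual binding for a fixed-IP device that never sends DHCP.
        self.table[(port, vlan, ip)] = Binding(mac.lower(), float("inf"))

    def permit(self, port, vlan, src_mac, src_ip, now):
        # Step 2: on untrusted ports, source IP + MAC + port must match a live binding.
        if port in self.trusted:
            return True
        b = self.table.get((port, vlan, src_ip))
        if b is not None and b.mac == src_mac.lower() and now < b.expires:
            return True
        # Step 3: no match, so drop the packet and record it for logging.
        self.dropped.append(("ipsg-drop", port, src_mac.lower(), src_ip))
        return False

def demo():
    # Constructed sample values: ports, VLAN, MACs and IPs are illustrative only.
    sg = SourceGuard(trusted_ports={"Gi1/0/24"})
    sg.add_static("Gi1/0/5", 10, "02:00:00:00:00:0A", "192.0.2.10")  # PLC, fixed IP
    sg.snoop_dhcp_ack("Gi1/0/24", "Gi1/0/7", 10, "02:00:00:00:00:0b", "192.0.2.20", 3600, now=0)
    return {
        "plc": sg.permit("Gi1/0/5", 10, "02:00:00:00:00:0a", "192.0.2.10", now=100),
        "hmi": sg.permit("Gi1/0/7", 10, "02:00:00:00:00:0b", "192.0.2.20", now=100),
        "spoofed_plc_ip": sg.permit("Gi1/0/9", 10, "02:00:00:00:00:0c", "192.0.2.10", now=100),
        "hmi_lease_expired": sg.permit("Gi1/0/7", 10, "02:00:00:00:00:0b", "192.0.2.20", now=4000),
        "dropped": sg.dropped,
    }
```

The model shows two operational consequences: a fixed-IP device is blocked until someone adds its binding by hand, and a DHCP client loses connectivity once its lease expires without renewal.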
📌 Example in OT networks
| Scenario | Effect of IP Source Guard |
|---|---|
| Rogue laptop with spoofed PLC IP | Traffic is blocked at the port |
| Wrongly connected device in the field | No IP communication possible without a valid lease |
| Supply chain attack via a compromised edge device | Cannot inject traffic without the correct IP binding |
| Per-VLAN host monitoring | Only known devices are allowed onto the correct segment |
✅ Best practices
| Recommended setting | Why? |
|---|---|
| Combine with DHCP Snooping | Without DHCP bindings, IPSG does not work |
| Monitor static IP devices | For OT devices without DHCP, IPSG only works with manual configuration |
| Restrict trusted ports | Only ports with real DHCP servers behind them should be trusted to send DHCP server traffic |
| Log blocked traffic | Use SIEM or syslog for forensic analysis |
| Combine with DAI and Port Security | For a complete spoofing-protection package |
🔄 Difference from related techniques
| Technique | Protects against | Operates on the basis of |
|---|---|---|
| IP Source Guard | IP spoofing | IP ↔ MAC ↔ port via DHCP Snooping |
| MAC Binding | MAC spoofing | MAC ↔ port linkage |
| Dynamic ARP Inspection | ARP spoofing | DHCP binding + ARP verification |
| Port Security | Unknown devices | Number/type of MAC addresses per port |
📌 In summary
IP Source Guard is a powerful defence against IP spoofing in OT networks. It ensures that devices may only send traffic if their IP and MAC address match known, trusted data, which is essential in zones with PLCs, HMIs or data recorders.
