ARP spoofing explained



ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host (Cisco).

Figure 1 (illustrating the problem)

Solution (Cisco)

To reduce the chances of ARP spoofing, the following procedures are recommended:
a)       Implement protection against DHCP spoofing.
b)       Enable dynamic ARP inspection (DAI).


DAI is a security feature that verifies the integrity of ARP packets in a network. It does this by checking the IP-to-MAC address binding carried in each ARP packet before the switch updates its local ARP cache or forwards the packet to its destination; if the IP-to-MAC binding is not valid, the switch drops the packet.

DAI validates a packet's IP-to-MAC binding against a trusted database. If the network has DHCP snooping enabled, the trusted database is the switch's DHCP snooping binding database. DAI can also validate packets from statically configured IP addresses; this is done by configuring user-defined ARP access control lists (ARP ACLs).
DAI operates with two interface states, trusted and untrusted. If an ARP packet is received on a trusted interface, the switch forwards the packet without any DAI verification; if it is received on an untrusted interface, it goes through the inspection (valid IP-to-MAC binding) process.

In a typical network, ports connecting hosts to switches are configured as untrusted and switch-to-switch connections are configured as trusted.

Consider the scenario in Figure 2. If the connection between DLS 1 and DLS 2 is configured as untrusted and Host 1 and Host 2 both acquire their IP addresses from a DHCP server connected to switch A, then only switch A will have an IP-to-MAC binding for Host 1 and switch B will have no binding for Host 1. Switch B will therefore drop all packets from Host 1, as there is no valid IP-to-MAC binding in switch B's trusted database.

Figure 2 (explaining trusted / untrusted interfaces)

  • DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running DAI. (Website)
  • It is important to understand the priority mechanism between ARP ACLs and DHCP snooping: ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch first compares an ARP packet to the ARP ACLs; if an ARP ACL denies the packet, the switch denies it even if a valid binding exists for the same packet in the DHCP snooping database.
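The decision order described above (trusted ports bypass inspection, ARP ACLs are checked first, then the DHCP snooping bindings) as an added Python model written for this post; it is not Cisco code. The Figure 2 topology, host addresses and port names are constructed assumptions, and the acl_static flag models the optional "static" keyword of "ip arp inspection filter".

```python
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    in_port: str     # interface the ARP packet arrived on
    sender_ip: str   # sender protocol address claimed in the ARP body
    sender_mac: str  # sender hardware address claimed in the ARP body

@dataclass
class DaiSwitch:
    name: str
    trusted_ports: set = field(default_factory=set)
    dhcp_bindings: dict = field(default_factory=dict)  # ip -> mac, learned by DHCP snooping
    arp_acl: list = field(default_factory=list)        # [(ip, mac or "any", "permit"|"deny")]
    acl_static: bool = False  # 'static' keyword: implicit deny, DHCP bindings never consulted

    def inspect(self, pkt: ArpPacket) -> tuple:
        """Return (action, reason); action is 'forward' or 'drop'."""
        # 1. Trusted interfaces (switch-to-switch links) bypass inspection entirely.
        if pkt.in_port in self.trusted_ports:
            return ("forward", "trusted interface, not inspected")
        # 2. ARP ACLs are checked first and take precedence over the DHCP snooping database.
        for ip, mac, action in self.arp_acl:
            if ip == pkt.sender_ip and mac in ("any", pkt.sender_mac):
                return ("forward" if action == "permit" else "drop", f"arp acl {action}")
        if self.acl_static:
            return ("drop", "implicit deny at end of static arp acl")
        # 3. Otherwise the binding must match what DHCP snooping learned on this switch.
        if self.dhcp_bindings.get(pkt.sender_ip) == pkt.sender_mac:
            return ("forward", "valid dhcp snooping binding")
        return ("drop", "no valid ip-to-mac binding")

HOST1 = ("10.10.10.11", "0010.0010.0011")  # constructed addresses for the example
HOST2 = ("10.10.10.12", "0010.0010.0012")

def figure2_scenario(uplink_trusted: bool) -> dict:
    """Figure 2 topology (assumed): Host 1 on DLS1 Fa6/4, Host 2 on DLS2, DHCP server on DLS1."""
    dls1 = DaiSwitch("DLS1", dhcp_bindings=dict([HOST1, HOST2]))
    dls2 = DaiSwitch("DLS2", dhcp_bindings=dict([HOST2]),
                     trusted_ports={"Fa3/3"} if uplink_trusted else set())
    # Host 1's ARP reply is inspected at DLS1, then crosses the uplink into DLS2 Fa3/3.
    return {"DLS1": dls1.inspect(ArpPacket("Fa6/4", *HOST1)),
            "DLS2": dls2.inspect(ArpPacket("Fa3/3", *HOST1))}

def acl_precedence_example() -> tuple:
    """A valid DHCP binding does not rescue a packet that an ARP ACL denies."""
    sw = DaiSwitch("DLS1", dhcp_bindings=dict([HOST1]),
                   arp_acl=[(HOST1[0], "any", "deny")])
    return sw.inspect(ArpPacket("Fa6/4", *HOST1))
```

With the uplink untrusted, DLS2 drops Host 1's ARP because its own binding table never saw Host 1's lease; with the uplink trusted, the packet is forwarded without inspection.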


Figure 3 (Examples of switch configuration for DHCP snooping)


Configuration example of DHCP snooping


Switch DLS1

DLS1#config t
DLS1(config)#ip dhcp snooping
! trust only ports that legitimately carry DHCP server replies
DLS1(config)#interface fastethernet 6/6
DLS1(config-if)#ip dhcp snooping trust
DLS1(config-if)#exit
! Fa6/3 is the uplink to DLS2 Fa3/3
DLS1(config)#interface fastethernet 6/3
DLS1(config-if)#ip dhcp snooping trust
DLS1(config-if)#exit

DLS1(config)#ip dhcp snooping vlan 1
DLS1(config)#end

Switch DLS2

DLS2#config t
DLS2(config)#ip dhcp snooping
! Fa3/3 is the uplink to DLS1 Fa6/3, where the DHCP server sits
DLS2(config)#interface fastethernet 3/3
DLS2(config-if)#ip dhcp snooping trust
DLS2(config-if)#exit
DLS2(config)#ip dhcp snooping vlan 1
DLS2(config)#end



Configuration example for Dynamic ARP inspection

This configuration shows how to configure DAI when two switches support the feature. Host 1 is connected to DLS1 and Host 2 is connected to DLS2. Both switches run DAI on VLAN 1, where the hosts are located. A DHCP server is connected to DLS1, and both hosts acquire their IP addresses from that server. DLS1 has the bindings for Host 1 and Host 2, and DLS2 has the binding for Host 2. DLS1 Fast Ethernet port 6/3 is connected to DLS2 Fast Ethernet port 3/3.




Switch DLS1
DLS1(config)#ip arp inspection vlan 1
! Fa6/3: uplink to DLS2 (trusted); Fa6/4: host-facing port (untrusted, rate-limited)
DLS1(config)#interface fastethernet 6/3
DLS1(config-if)#ip arp inspection trust
DLS1(config-if)#exit
DLS1(config)#interface fastethernet 6/4
DLS1(config-if)#ip arp inspection limit rate 20 burst interval 2
DLS1(config-if)#exit
DLS1(config)#ip arp inspection log-buffer entries 64
DLS1(config)#ip arp inspection log-buffer logs 12 interval 2


Switch DLS2
DLS2(config)#ip arp inspection vlan 1
! Fa3/3: uplink to DLS1 (trusted); Fa3/4: host-facing port (untrusted, rate-limited)
DLS2(config)#interface fastethernet 3/3
DLS2(config-if)#ip arp inspection trust
DLS2(config-if)#exit
DLS2(config)#interface fastethernet 3/4
DLS2(config-if)#ip arp inspection limit rate 20 burst interval 2
DLS2(config-if)#exit
DLS2(config)#ip arp inspection log-buffer entries 64
DLS2(config)#ip arp inspection log-buffer logs 12 interval 2
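The per-port rate limit configured above ("limit rate 20 burst interval 2") as an added Python model written for this post, not Cisco code. It assumes a simplified rule in which the port is err-disabled once more than rate multiplied by interval ARP packets arrive within any window of "interval" consecutive seconds; the packet arrival times are constructed.

```python
from collections import deque

class ArpRateLimiter:
    """Sliding-window model of a DAI untrusted port with an ARP rate limit (assumed)."""

    def __init__(self, rate_pps: int = 20, burst_interval: int = 2):
        self.rate_pps = rate_pps
        self.burst_interval_ms = burst_interval * 1000
        self.max_in_window = rate_pps * burst_interval
        self.arrivals = deque()      # timestamps (ms) of ARP packets still inside the window
        self.errdisabled = False

    def arp_received(self, t_ms: int) -> bool:
        """Record one ARP packet at time t_ms; return True if the port is now err-disabled."""
        if self.errdisabled:
            return True               # an err-disabled port stays down until recovered
        self.arrivals.append(t_ms)
        # Drop packets that have fallen out of the burst window ending at t_ms.
        while self.arrivals and self.arrivals[0] <= t_ms - self.burst_interval_ms:
            self.arrivals.popleft()
        if len(self.arrivals) > self.max_in_window:
            self.errdisabled = True   # rate exceeded over the burst interval
        return self.errdisabled

def simulate(pps: int, seconds: int, rate_pps: int = 20, burst_interval: int = 2) -> bool:
    """Feed a constant stream of pps ARP packets per second for the given seconds (constructed)."""
    limiter = ArpRateLimiter(rate_pps, burst_interval)
    for i in range(pps * seconds):
        limiter.arp_received(i * 1000 // pps)   # integer ms timestamps, evenly spaced
    return limiter.errdisabled
```

A port running exactly at 20 packets per second stays up; a burst that pushes more than 40 packets into any 2-second window takes the port down.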




In scenarios where DLS2 does not have DAI and DHCP snooping configured, consider configuring the interfaces connecting to such switches as untrusted. Also, to verify packets from switches where DAI is not configured, configure ARP ACLs on the switch running DAI.




DLS1(config)#arp access-list StaticAcl1
DLS1(config-arp-nacl)#permit ip host 10.10.10.10 mac host 0010.0010.0010
DLS1(config-arp-nacl)#exit
! without the optional "static" keyword, packets not matched by the ACL are still checked against the DHCP snooping bindings
DLS1(config)#ip arp inspection filter StaticAcl1 vlan 1



Thanks
Huzeifa Bhai
