
AlliedWare OS How To Note: Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks

Introduction

When you use DHCP servers to allocate IP addresses to clients on a LAN, you can also configure DHCP snooping to bolster the security on the LAN. DHCP snooping only allows clients to access the network if they have specific IP and/or MAC addresses. With DHCP snooping, you can control access by:

- allowing only known IP addresses on the LAN
- allowing only a specific number of clients to access the LAN on any given port
- providing a record of where on the network any given IP address was in use at any given time

Through a sub-feature known as ARP security, DHCP snooping can also impose very strict control over what ARP packets are allowed into the network. This How To Note concentrates on this ARP security aspect of DHCP snooping, and shows how you can use it to guard against certain information-stealing attacks.

Related How To Notes

The following How To Notes give overviews and configuration guides for DHCP snooping:

- How To Use DHCP Snooping, Option 82 and Filtering on Rapier Series Switches
- How To Use DHCP Snooping, Option 82 and Filtering on the x900 Series Switches
- How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs
- How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches

How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx.

C613-16114-00 REV A www.alliedtelesis.com

Which products and software version does this apply to?

This configuration applies to the following Allied Telesis switches, running AlliedWare Software Version 2.7.6 or later:

- AT-9900 series
- AT-8948 and x900-48 series
- AT-8800 series
- AT-8600 series
- Rapier and Rapier i series
- AT-8700XL series

ARP cache poisoning

ARP cache poisoning is a tried-and-true method of stealing information on a LAN. In this process, the malicious host uses bogus ARP replies to trick other hosts into sending sensitive information to it (such as passwords). ARP cache poisoning is also called:

- IP spoofing
- ARP spoofing
- ARP poisoning
- ARP poison routing (APR)

When a host sends out an ARP request for a server, the malicious host replies to say that it possesses the server IP address that was being ARPed for. The tricked host then sends its packets to the MAC address of the malicious host, instead of sending them to the MAC address of the server. This lets the malicious host learn the usernames and passwords that are in the packets that the tricked hosts send it.

ARP security prevents this cache poisoning. It does this by determining whether ARP replies contain legitimate IP address information and dropping replies that do not. The following figure shows the process flow.

Figure: ARP security process flow (process.eps)
  1. Start: a host sends an ARP reply for the target IP address.
  2. The switch receives the ARP reply and examines the IP address in the Source Protocol Address field.
  3. Is the IP address in the switch's DHCP snooping database? If no, the switch drops the ARP reply and (optionally) logs the event.
  4. Is the IP address registered to the port via which the ARP reply arrived? If no, the switch drops the ARP reply and (optionally) logs the event.
  5. If the answer to both questions is yes, the switch forwards the ARP reply.

Therefore, ARP security makes it impossible for a host to poison the ARP caches of other hosts, because the switch only forwards ARP packets that have genuine information in the Source Protocol Address field.
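The decision in the process flow above, modelled as an added example (not code from the Allied Telesis note): a constructed DHCP snooping database and three constructed ARP replies are run through the two checks the switch performs, and a dropped reply yields the log message in the format the note documents later on.

```python
# Added example: model of the ARP security decision (IP in DHCP snooping DB,
# and registered to the ingress port). Names and sample data are constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping database entry: a lease seen on a given port/VLAN."""
    mac: str
    port: int
    vlan: int

@dataclass(frozen=True)
class ArpReply:
    sender_mac: str    # Ethernet source of the reply
    sender_ip: str     # Source Protocol Address field of the ARP packet
    ingress_port: int  # port the reply arrived on
    vlan: int

def arp_security_check(db: dict[str, Binding], pkt: ArpReply) -> tuple[bool, str | None]:
    """Return (forward, log_line). Forward only if the Source Protocol Address
    is in the snooping DB and bound to the ingress port; otherwise drop and
    build the 'ARP Discarded' message in the note's documented format."""
    binding = db.get(pkt.sender_ip)
    if binding is not None and binding.port == pkt.ingress_port:
        return True, None
    log = ("ARP Discarded, sender not found in DHCP Snoop DB "
           f"src MAC={pkt.sender_mac} src IP={pkt.sender_ip} "
           f"vlan={pkt.vlan} port={pkt.ingress_port}")
    return False, log

# Constructed DHCP snooping database: three clients leased via ports 1-3.
SNOOP_DB = {
    "192.0.2.11": Binding("00:00:5e:00:53:11", port=1, vlan=1),
    "192.0.2.12": Binding("00:00:5e:00:53:12", port=2, vlan=1),
    "192.0.2.13": Binding("00:00:5e:00:53:13", port=3, vlan=1),
}

# Constructed replies: a genuine one; one claiming the DHCP server's address
# (192.0.2.1, never leased, so absent from the DB); one claiming another
# client's lease from the wrong port. The last two are the poisoning pattern.
GENUINE = ArpReply("00:00:5e:00:53:11", "192.0.2.11", ingress_port=1, vlan=1)
SPOOF_UNKNOWN = ArpReply("00:00:5e:00:53:13", "192.0.2.1", ingress_port=3, vlan=1)
SPOOF_WRONG_PORT = ArpReply("00:00:5e:00:53:13", "192.0.2.12", ingress_port=3, vlan=1)

if __name__ == "__main__":
    for reply in (GENUINE, SPOOF_UNKNOWN, SPOOF_WRONG_PORT):
        forward, log = arp_security_check(SNOOP_DB, reply)
        print("forwarded" if forward else log)
```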

Example: Guarding against ARP poisoning by Cain & Abel

Cain & Abel is a password recovery tool for Microsoft Windows OSs. It uses a variety of methods, ranging from simple dictionary attacks to analysis of routing protocols. It also includes ARP poison routing, which it uses to direct network traffic to its host. This enables it to sniff on a switched network by hijacking the IP traffic of multiple hosts in the same broadcast domain. Note that ARP poisoning is only effective in a single broadcast domain, because ARP packets are not routed.

The following figure shows a simple scenario in which the operation of Cain & Abel can be observed and then blocked by ARP security.

Figure (cain-and-abel.eps): a DHCP server attached to port 23 of the switch, two LAN clients, and a malicious client running Cain & Abel.

In this scenario, the DHCP server is connected to port 23 on an AT-9924 switch, and three clients are also connected to the AT-9924 switch and receive a valid IP address from the DHCP server. Once the clients have received their DHCP leases, successful L3 connectivity can be verified by pinging from the DHCP server to each client on the LAN.

The malicious client then uses Cain & Abel to send out a bogus ARP packet. If the switch initially has no configuration, so that it just acts as an L2 switch, then the Cain & Abel tool is quite able to go about the business of maliciously directing traffic towards itself. Then, once the configuration in the following section is applied to the switch, this malicious behaviour is blocked (once the ARP caches on the other clients age out their bogus entries).

Configuration for AT-9900 series, x900-48 series, and AT-8948 switches

1. Configure DHCP snooping and ARP security

    enable dhcpsnooping
    enable dhcpsnooping arpsecurity

   Note that you must turn on DHCP snooping and ARP security in separate commands.

   Enable logging, to record DHCP violations (see "Logging ARP poisoning attempts" below). Use the command:

    enable dhcpsnooping log=arpsecurity

2. Make port 23 a trusted port because the DHCP server is attached to it

   Use the command:

    set dhcpsnooping port=23 trusted=yes

3. Create a flow group to allow traffic that has a valid DHCP snooping address

    create classifier=1 protocol=ip ipsaddr=dhcpsn
    create qos flow=1 action=forward

4. Create a flow group to discard all other IP traffic

    create classifier=2 protocol=ip
    create qos flow=1001 action=discard
    add qos flowgroup=1001 classifier=2

5. Create the rest of the QoS hierarchy

    create qos trafficclass=1
    create qos policy=1
    add qos flowgroup=1 classifier=1
    add qos trafficclass=1 flowgroup=1,1001
    add qos policy=1 trafficclass=1
    set qos port=1-22 policy=1

6. Create a hardware filter to trap unicast ARP replies from Cain & Abel

   When you turn on DHCP snooping, it automatically creates a hardware filter that traps broadcast ARP packets to the CPU for processing. Therefore, with the above DHCP snooping and QoS configuration in place, the switch will drop invalid ARP requests broadcast by the host running Cain & Abel. However, on AT-8948, AT-9900 and x900-48 series switches, this filter only traps broadcast ARP packets. Cain & Abel uses unicast ARP replies in its attacks. Therefore, you need to capture unicast ARP packets as well. To do this, create the following classifier-based hardware filter:

    create classifier=3 protocol=arp ethformat=ethii-untagged
    add switch hwfilter classifier=3 action=copy,discard

   This filter forces all ARP packets to the CPU (and the discard action ensures that they are not hardware switched). Then ARP security examines the packets, and drops any packet whose Source Protocol Address field does not hold an IP address that is currently DHCP-allocated to a client downstream of its ingress port.

Configuration for AT-8800, AT-8600, Rapier, Rapier i, and AT-8700XL series switches

Configuration on these switches is shorter, because the switch automatically creates the QoS hierarchy.

1. Configure DHCP snooping and ARP security

    enable dhcpsnooping
    enable dhcpsnooping arpsecurity
    enable dhcpsnooping log=arpsec

   Note that you must turn on DHCP snooping and ARP security in separate commands.

2. Make port 23 a trusted port because the DHCP server is attached to it

   Use the command:

    set dhcpsnooping port=23 trusted=yes

Logging ARP poisoning attempts

It is very important to block attempted attacks on the network. It is also very useful if network administrators can be informed about the attempted attacks that were blocked. This sort of information alerts administrators to the presence of malicious hosts on their network, and gives them the opportunity to deal with those hosts in an appropriate manner.

To enable this reporting of attempted attacks, ARP security can be configured to send a log message every time it drops an ARP packet. The output of the log message is:

    ARP Discarded, sender not found in DHCP Snoop DB src MAC=<MAC address> src IP=<Source Protocol Address found in the ARP packet> vlan=<vid> port=<port that the ARP arrived on>

This message tells the administrator the exact location and identity of the malicious host, and the IP address of the host that it was trying to masquerade as.

To enable this logging, use the command:

    enable dhcpsnooping log=arpsecurity

Probably the most convenient way to make use of the log output is to send it to a syslog server. To set this up, use the commands:

    create log output=2 destination=syslog server=<syslog server IP address> secure=yes
    add log output=2 module=dhcpsn

USA Headquarters: 19800 North Creek Parkway, Suite 200, Bothell, WA 98011, USA. T: +1 800 424 4284 F: +1 425 481 3895
European Headquarters: Via Motta 24, 6830 Chiasso, Switzerland. T: +41 91 69769.00 F: +41 91 69769.11
Asia-Pacific Headquarters: 11 Tai Seng Link, Singapore 534182. T: +65 6383 3832 F: +65 6383 3830
www.alliedtelesis.com

2007 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.

C613-16114-00 REV A
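Once the "ARP Discarded" messages reach the syslog server, an administrator wants them reduced to the offending port and MAC plus the addresses that host tried to masquerade as. The following is an added example (not from the Allied Telesis note) that does that over constructed syslog lines; the syslog header format in the sample is an assumption, while the message body is the one documented above.

```python
# Added example: parse ARP security discard messages from a syslog feed and
# summarise them per (ingress port, source MAC). Sample lines are constructed;
# the "<pri>date host dhcpsn:" prefix is assumed, the message body is the note's.
import re
from collections import defaultdict

ARP_DISCARD_RE = re.compile(
    r"ARP Discarded, sender not found in DHCP Snoop DB "
    r"src MAC=(?P<mac>[0-9a-fA-F:]{17}) src IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"vlan=(?P<vlan>\d+) port=(?P<port>\d+)"
)

# Constructed sample: one host on port 3 claims the DHCP server's address and a
# neighbouring client's lease; the last line is unrelated and must be ignored.
SAMPLE_SYSLOG = """\
<134>Jan  9 10:15:01 sw-9924 dhcpsn: ARP Discarded, sender not found in DHCP Snoop DB src MAC=00:00:5e:00:53:13 src IP=192.0.2.1 vlan=1 port=3
<134>Jan  9 10:15:01 sw-9924 dhcpsn: ARP Discarded, sender not found in DHCP Snoop DB src MAC=00:00:5E:00:53:13 src IP=192.0.2.12 vlan=1 port=3
<134>Jan  9 10:15:02 sw-9924 dhcpsn: ARP Discarded, sender not found in DHCP Snoop DB src MAC=00:00:5e:00:53:13 src IP=192.0.2.1 vlan=1 port=3
<134>Jan  9 10:16:40 sw-9924 dhcpsn: DHCP snooping: port 2 trusted=no
"""

def parse_arp_discards(text: str) -> dict:
    """Map (ingress port, lower-cased source MAC) -> set of IPs that host
    claimed in dropped ARP replies. Non-matching lines are skipped."""
    offenders = defaultdict(set)
    for line in text.splitlines():
        m = ARP_DISCARD_RE.search(line)
        if m:
            offenders[(int(m["port"]), m["mac"].lower())].add(m["ip"])
    return dict(offenders)

def report(offenders: dict) -> list:
    """One human-readable line per offending host, ports in ascending order."""
    return [f"port {port} MAC {mac} claimed {', '.join(sorted(ips))}"
            for (port, mac), ips in sorted(offenders.items())]

if __name__ == "__main__":
    for line in report(parse_arp_discards(SAMPLE_SYSLOG)):
        print(line)
```

The port in the summary is the switch port to inspect; the claimed addresses tell you which hosts' traffic the attacker was attempting to divert.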