Abstract: This article introduces the definition and working principle of the ARP (Address Resolution Protocol) and analyzes the methods and principles of ARP intrusion attacks. It focuses on the ARP intrusion prevention policy and the corresponding switch configuration under two conditions, dynamic allocation and static assignment of client IP addresses, and verifies the effectiveness of the security policy experimentally.
Key words: ARP protocol; ARP detection; configuration; network security
CLC number: TP311    Document code: A    Article ID: 1009-3044 (2009) 36-10465-02
Strategies and Implementation of ARP Inspection on Low-End Switches
TAN Wei
(Shandong Electric Power School, Taian 271000, China)
Abstract: This paper introduces the definition and working principle of the ARP Address Resolution Protocol and analyzes the methods and principles of ARP intrusion. It highlights the ARP intrusion prevention strategy and the switch-side configuration in both the dynamic allocation and the static assignment case, and verifies the effectiveness of the security policy experimentally.
Key words: ARP protocol; ARP detection; configuration; network security
1. The ARP Protocol
ARP (Address Resolution Protocol) converts IP addresses at the network layer into data link layer addresses. The TCP/IP protocol suite specifies that an IP address is a 32-bit value made up of a network number and a host number within that network, and every host connected to a LAN or to the Internet must be configured with one. When a source host communicates with a target host over Ethernet, it needs not only the IP address of the target host but also its data link layer address, that is, the 48-bit MAC address of the target's NIC. The ARP protocol is used to query the MAC address corresponding to the IP address of the target host so that the two parties can communicate.
2. ARP Intrusion Detection Policy
2.1 ARP intrusion
According to the ARP protocol design, a host adds the correspondence between an IP address and a MAC address to its ARP mapping table even when the ARP response it receives was not solicited by its own request. This reduces the amount of ARP traffic on the network, but it also creates the conditions for ARP spoofing.
For example, Host A, Host B, and Host C are connected to each other through a switch. If an attacker on Host B wants to listen to the communication between Host A and Host C, it can send forged ARP response packets to the two hosts, causing Host A and Host C to update the entries for each other's IP addresses in their ARP mapping tables with MAC_B. From then on, the seemingly "direct" communication between Host A and Host C actually passes through the attacker's host: Host B acts as an intermediary and can steal and tamper with the information.
2.2 ARP Intrusion Detection Policy
To prevent hackers or attackers from conducting spoofing attacks through ARP packets, the Ethernet switch supports ARP intrusion detection: all ARP packets (requests and responses) passing through the switch are redirected to the CPU, and the DHCP Snooping table or the manually configured static IP binding table is used to check the validity of each ARP packet.
After ARP intrusion detection is enabled, if the source MAC address and source IP address carried in the received ARP packet, the port number on which it was received, and the VLAN of that port are all consistent with an entry in the DHCP Snooping table or the configured static IP binding table, the packet is regarded as a valid ARP packet and is forwarded; otherwise, it is regarded as an invalid ARP packet and is discarded directly.
You can configure trusted ports to control ARP packet detection flexibly. ARP packets arriving on trusted ports are not inspected; ARP packets arriving on all other ports are checked against the DHCP Snooping table or the manually configured static IP binding table.
The switch filters IP packets in two ways:
1) Filtering based on the source IP address of the packet. If the source IP address of the packet and the switch port on which it was received are consistent with an entry in the DHCP Snooping table or the manually configured static IP binding table, the packet is regarded as valid and forwarded directly; otherwise, it is regarded as invalid and discarded directly.
2) Filtering based on the source IP address and source MAC address of the packet. If the source IP address, source MAC address, and receiving switch port are consistent with an entry in the DHCP Snooping table or the manually configured static IP binding table, the packet is regarded as valid and forwarded directly; otherwise, it is regarded as invalid and discarded directly.
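The following is an added example, not part of the original paper, that models the switch-side check described in section 2.2 and applies it to the Host A / Host B / Host C scenario of section 2.1: ARP packets from untrusted ports are parsed and the sender MAC, sender IP, ingress port and VLAN must all match one binding, while trusted ports bypass inspection; the two IP-packet filter modes are also shown. The binding table, port names, MAC and IP addresses are constructed values chosen for illustration.

```python
"""Model of switch-side ARP intrusion detection (added example, constructed data)."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int


# Constructed binding table: what DHCP Snooping (or "ip source static binding")
# would record for Host A on port 1 and Host C on port 3, both in VLAN 1.
BINDINGS = {
    Binding("192.168.16.10", "00:00:00:00:00:0a", "Eth1/0/1", 1),
    Binding("192.168.16.30", "00:00:00:00:00:0c", "Eth1/0/3", 1),
}
TRUSTED_PORTS = {"Eth1/0/24"}  # constructed uplink port; ARP from here is not inspected


def parse_arp(payload: bytes):
    """Parse the 28-byte Ethernet/IPv4 ARP body; return (opcode, sender MAC, sender IP)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    smac = ":".join(f"{b:02x}" for b in payload[8:14])
    sip = ".".join(str(b) for b in payload[14:18])
    return op, smac, sip


def arp_detection(payload, in_port, vlan, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Section 2.2 rule: trusted ports bypass; otherwise sender MAC, sender IP,
    ingress port and VLAN must all match one binding. True = forward, False = discard."""
    if in_port in trusted:
        return True
    _op, smac, sip = parse_arp(payload)
    return Binding(sip, smac, in_port, vlan) in bindings


def ip_filter(src_ip, src_mac, in_port, check_mac, bindings=BINDINGS):
    """The two IP-packet filter modes: IP + port, or IP + MAC + port."""
    return any(b.ip == src_ip and b.port == in_port and (not check_mac or b.mac == src_mac)
               for b in bindings)


def build_arp(op, smac, sip, tmac, tip):
    """Build a constructed ARP body (used only to create sample packets)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(smac) + ip(sip) + mac(tmac) + ip(tip)
```

A forged reply from Host B on port 2 claiming Host C's IP with MAC_B fails the check because no binding pairs that IP with that MAC on that port, while Host C's genuine reply on port 3 passes.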
3. Configuring ARP Intrusion Detection
Before configuring ARP intrusion detection, you must enable DHCP Snooping on the switch and set the DHCP Snooping trusted port. When ARP intrusion detection is used together with VLAN Mapping, ARP intrusion detection must be enabled in both the original VLAN and the mapped VLAN for the function to work correctly. Generally, the uplink port of the switch is configured as the ARP trusted port.
When the network does not use a DHCP Server to allocate client IP addresses dynamically, you must use the "IP filtering" feature of DHCP Snooping to bind IP addresses to MAC addresses statically.
Because the DHCP Snooping table records only clients that obtained their IP addresses dynamically through DHCP, the IP address, MAC address, and other information of a host with a manually configured fixed IP address are not recorded in the DHCP Snooping table. Such a host therefore fails the IP filtering check based on the DHCP Snooping table and cannot reach the external network.
To allow users with valid fixed IP addresses to access the network, the switch supports manual configuration of static IP binding entries, namely the binding between the user's IP address, the user's MAC address, and the port to which the user is connected, so that the user's packets are forwarded normally.
3.1 Implementation Scheme for Dynamic Allocation of Client IP Addresses by a DHCP Server
1) Required configuration on the switch:
#
vlan 1
 arp detection enable
#
interface Vlan-interface1
 ip address 192.168.16.2 255.0.0.0
#
interface Ethernet1/0/3    (interface connecting to the DHCP Server)
 dhcp-snooping trust
 ip source static binding ip-address 1.1.1.10 mac-address 0000-0000-0002    (bind the IP address and MAC address of the DHCP Server so that it can be pinged)
#
dhcp-snooping
#
3.2 Implementation Scheme for Statically Assigned Client IP Addresses
1) Required configuration on the switch:
#
vlan 1
 arp detection enable
#
interface Vlan-interface1
 ip address 192.168.16.3 255.0.0.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/41    (interface connecting to the PC)
 ip source static binding ip-address 1.1.1.1 mac-address 0016-e50d-1645
#
dhcp-snooping
#
In a network environment without a DHCP Server, the static IP binding table must be configured to prevent ARP attacks. The protection works only when the static binding specifies both the IP address and the MAC address; if only the IP address is configured under the interface, ARP detection does not take effect. The following configuration, which binds the IP address without a MAC address, is such a non-working case:
#
vlan 1
 arp detection enable
#
interface Vlan-interface1
 ip address 1.1.1.2 255.0.0.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/41    (interface connecting to the PC)
 ip source static binding ip-address 192.168.16.2
#
dhcp-snooping
#