ARP Virus Network Prevention and Control: A Practical Manual

Source: Internet
Author: User

Based on the user's actual network environment, we divide the ARP virus prevention and control scheme into two cases, described separately: networks built on layer-2 switches and networks built on layer-3 switches.
Network management software installed on a PC in bypass (out-of-band) mode that manages the network by means of ARP spoofing is indistinguishable from a real ARP virus attack. Such software includes the public security "one machine, dual use" monitoring system, the XX intranet trust management system, Network Hillock, Aggregated Network Manager, Hundred Network Police, P2P Terminator and Network Law Enforcement Officer. If such software is in legitimate use, register the MAC address of each PC before allowing it onto the network. The prevention and control measures below target ARP viruses, IP conflicts caused by hosts hopping between addresses (so-called kangaroo IP) and similar anomalies.

Part one: network environments based on layer-2 switches

Policy summary

    • Endpoint control: disable USB ports, install an ARP firewall and antivirus software, turn on the PC firewall

    • Intranet prevention and control: partition security domains, bind IP and MAC addresses, monitor the ARP log, locate poisoned PCs

    • Extranet prevention and control: filter URLs with dangerous file extensions, enable the malicious URL library, enable gateway antivirus

1 Implementation steps
1.1 Dividing security domains

      Divide security domains by the importance and type of the networked devices. For example: computers of the leadership, accounting and other important departments form one domain; ordinary employees' computers form one or more domains by department; network management computers form one domain; servers form one or more domains. Each security domain gets its own access switch connecting the computers in that domain, ready to be uplinked later to the gateway or core switch. The security domain division is shown in the figure below.
[Figure: ARP virus network prevention and control, security domain division]

1.2 Client settings
1.2.1 Assigning IP addresses
Assign IP addresses statically wherever possible, with a different network segment for each security domain. For example: security domain 1 uses 192.168.1.0/24 with default gateway 192.168.1.254, security domain 2 uses 192.168.2.0/24 with default gateway 192.168.2.254, and security domain 3 uses 192.168.3.0/24 with default gateway 192.168.3.254. Each client's default gateway is the IP address of the corresponding NIC on the gateway.
If only one network segment is available, the domains can instead be connected through multiple mutually isolated transparent bridges (requires gateway support).
1.2.2 Installing the ARP firewall
To implement two-way IP/MAC binding between the gateway and the clients, clients should install an ARP firewall, or bind the gateway's IP and MAC address manually with the command arp -s <gateway IP> <gateway MAC> (on Windows the MAC is written with dashes, e.g. 00-11-22-33-44-55, and the command needs an elevated prompt). On Windows 9x the command can be placed in C:\autoexec.bat so that it is re-applied at every boot; on Windows Vista and later an entry added with arp -s does not survive a reboot, so re-run it from a logon script or scheduled task, or add a persistent neighbor entry with netsh interface ipv4 add neighbors. At the same time, keep the antivirus signature database updated and enable the PC firewall. If necessary, disable the computer's USB ports to stop the ARP virus spreading via USB sticks.

1.3 Registering NIC MAC addresses and manufacturer information
For every security domain, register the IP address, NIC MAC address and NIC manufacturer of each PC, notebook and server, so that poisoned computers can later be identified from the ARP monitoring log.

1.4 Setting the gateway policy
1.4.1 Setting the ARP policy

Let the gateway scan each security domain automatically to build the IP-to-MAC mapping of the online computers, bind them according to the pre-registered information (computers can also be bound manually), and bind every remaining unused IP address to a special sinkhole MAC address, for example AA:BB:CC:DD:EE:FF, so that users who change their own IP address, or outside guests with notebooks, cannot join the intranet freely. In transparent mode the IP and MAC address of the upstream gateway can also be bound.
The gateway ARP policy settings are shown in the figure below.
[Figure: gateway ARP policy settings]
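The binding table this step produces, built as an added example that is not part of the original manual or of the gateway vendor's software: the gateway's import format is not given, so the table is returned as a plain Python dict, and the registration list, subnet and gateway addresses are constructed values (the sinkhole MAC is the manual's own placeholder). The same block also emits the client-side gateway binding commands from 1.2.2.

```python
"""Static IP/MAC bindings for one security domain.

Added example; this is not code from the manual or from the gateway product.
It assumes the section 1.3 registration list is a dict of IP -> MAC and
emits the table as a plain dict, since the gateway's own import format is
not given. AA:BB:CC:DD:EE:FF is the manual's placeholder sinkhole MAC.
"""
import ipaddress
import re

SINKHOLE_MAC = "AA:BB:CC:DD:EE:FF"

# Constructed registration list for security domain 1 (not real hosts).
REGISTRY = {
    "192.168.1.10": "aa-bb-cc-00-00-10",   # Windows-style separator
    "192.168.1.20": "aa:bb:cc:00:00:20",   # Unix-style separator
}
GATEWAY_IP = "192.168.1.254"
GATEWAY_MAC = "00:11:22:33:44:55"


def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff and
    return the canonical AA:BB:CC:DD:EE:FF form used for comparisons."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_binding_table(subnet, gateway_ip, registry, sinkhole=SINKHOLE_MAC):
    """Return {ip: mac} for every usable host address in the subnet except the
    gateway's own. Registered hosts get their registered MAC; every other
    address is pinned to the sinkhole MAC, so a privately chosen or guest IP
    never gets a working ARP mapping on the gateway."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway_ip)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    bound, seen = {}, {}
    for ip_text, mac_text in registry.items():
        ip, mac = ipaddress.ip_address(ip_text), normalize_mac(mac_text)
        if ip not in net:
            raise ValueError(f"{ip} is registered in the wrong domain ({net})")
        if ip == gw:
            raise ValueError(f"{ip} is the gateway address, not a host")
        if mac == sinkhole:
            raise ValueError(f"{ip} is registered with the sinkhole MAC")
        if mac in seen:
            raise ValueError(f"{mac} registered for both {seen[mac]} and {ip}")
        seen[mac] = ip
        bound[ip] = mac
    return {str(h): bound.get(h, sinkhole) for h in net.hosts() if h != gw}


def sinkholed(table, sinkhole=SINKHOLE_MAC):
    """Addresses the gateway will answer with the sinkhole MAC (unused IPs)."""
    return sorted(ip for ip, mac in table.items() if mac == sinkhole)


def client_gateway_binding(interface, gateway_ip, gateway_mac):
    """Commands a Windows client runs to pin the gateway's MAC (section 1.2.2).
    'arp -s' needs an elevated prompt and, on Windows Vista and later, does
    not survive a reboot; the netsh neighbors entry is stored persistently.
    Windows requires the dash-separated MAC form."""
    dashed = normalize_mac(gateway_mac).lower().replace(":", "-")
    return [
        f"arp -s {gateway_ip} {dashed}",
        f'netsh interface ipv4 add neighbors "{interface}" {gateway_ip} {dashed}',
    ]


if __name__ == "__main__":
    table = build_binding_table("192.168.1.0/24", GATEWAY_IP, REGISTRY)
    print(f"{len(table)} bindings, {len(sinkholed(table))} sinkholed")
    for cmd in client_gateway_binding("Ethernet", GATEWAY_IP, GATEWAY_MAC):
        print(cmd)
```

The registry checks (wrong domain, duplicate MAC, sinkhole MAC reused for a real host) matter because a mistake in the registration list silently becomes a gateway binding; a host registered with another host's MAC would be "bound" yet unable to reach the gateway.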
1.4.2 Setting access control policies
1) Default policy: deny everything that is not explicitly allowed.
2) Intranet policy: set access control between security domains according to the actual situation. For example, the leadership segment may access the other segments, but the other segments may not access the leadership segment (a one-way ACL); traffic to the public OA, mail or file servers passes through IPS filtering; and so on.
3) Extranet policy: only registered IP addresses may access the Internet; unassigned IP addresses are forbidden. Servers may only accept inbound connections and must not initiate connections to other computers, with an exception for antivirus signature updates.
1.4.3 Setting the Internet behaviour management policy
Because ARP viruses can be picked up while users browse the web, manage Internet behaviour: filter downloads by file extension, normally only .js, .exe, .swf and the like; enable the malicious URL library (malware, virus and trojan sites); and, if necessary, turn on gateway antivirus, which uses an engine such as Kaspersky to inspect network traffic in real time and intercept the ARP virus at the network entrance. Blocking .js wholesale breaks most ordinary websites, so place reputable sites on a whitelist to avoid affecting normal work.
1.4.4 Setting alarm information
Set up a syslog server, alarm email, SMS to a mobile phone or another real-time notification channel so that alarms are received promptly. Configure a blocking action so that when an ARP anomaly occurs the offending IP address is blocked from the network.

1.5 Daily maintenance
When a user cannot access the Internet, or access is slow, a computer already infected with the ARP virus may be online and interfering with other computers. Look for the poisoned computer on the gateway, the switches and the PC terminals.

1.5.1 Gateway + switch
Enable the gateway's "real-time monitoring" or "ARP log" function, log in to the web management interface and view the current "system log" and/or "ARP log", or sort the ARP log by source IP to find addresses with an abnormally high number of entries. If there are IP conflict or ARP anomaly log entries, note any MAC address that is not a registered NIC, locate the poisoned computer and unplug its network cable.
Note: the ARP log grows rapidly while an ARP virus is flooding; check and purge it in time. Once the situation is understood, the "ARP log" function can be disabled and re-enabled after the virus has been cleaned up.
If the access switch is a managed switch, log in to it and query its MAC address (forwarding) table to locate the switch port behind those MAC addresses, then unplug the cable from that port. If no further IP conflict or ARP anomaly entries are generated, the unplugged PC is the poisoned one; disinfect it, reinstall the system, and only then reconnect it.
Note: if the gateway device or switch cannot be logged into over the network, unplug the cable from the device's network port, connect the administrator's notebook directly to that port, and then log in and query.

1.5.2 PC terminal

On a computer that cannot access the Internet, or whose access is slow, ARP spoofing can be verified with arp and ping, and the computer carrying the ARP virus located.
Step one: arp -a
Open a Windows command prompt and enter arp -a to display the current ARP cache. Either of the following indicates that this computer is being ARP-spoofed:

(a) the MAC address listed for the gateway IP is not the real gateway's MAC address but that of another computer on the LAN;
(b) several IP addresses map to the same MAC address.
The computer that owns that MAC address is either infected with the ARP virus or is performing ARP spoofing deliberately.
Now enter ping <gateway IP>. If replies come back but the round-trip time is several times the normal LAN value (<1 ms), for example around 10 ms, traffic is being relayed through the poisoned computer, which confirms that this computer is being spoofed.

Step two: arp -d & ping <gateway IP> & arp -a
In the command prompt enter arp -d to clear the whole ARP cache (an elevated prompt is needed on Windows Vista and later), then ping <gateway IP>, then arp -a to obtain the MAC address the gateway IP now resolves to. If the ping gets replies with a normal time (<1 ms), the MAC shown is the real gateway's MAC address. A spoofer that is still flooding can answer first, so compare this MAC against the gateway MAC recorded in section 1.3 rather than trusting the cache alone.

Step three: verify which computer carries the ARP virus
To confirm, unplug the network cable of the suspected computer, then repeat arp -d, ping <gateway IP> and arp -a on the computers that could not access the Internet (or simply try browsing). If everything returns to normal, the computer just disconnected is the infected one; disinfect it, reinstall the system, and only then reconnect it.
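The three steps above, automated against the registration list from section 1.3, as an added example that is not part of the original manual (the registry, the host names and the arp -a text are constructed sample data, not a real capture). Because audit() only needs (ip, mac) rows, the same check applies to rows polled from a layer-3 switch's ARP table over SNMP, as described in part two, section 1.2.1.

```python
"""Audit ARP cache contents against the registration list.

Added example; not code from the manual or from the gateway product. It
automates the checks in section 1.5.2 and names the suspect using the
section 1.3 registration list. The registry and the 'arp -a' text below
are constructed sample data, not a real capture. audit() only needs
(ip, mac) rows, so rows polled from a layer-3 switch's ARP table over
SNMP (part two, section 1.2.1) can be checked the same way.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed registration list: IP -> (MAC, owner). Gateway included.
REGISTRY = {
    "192.168.1.254": ("00:11:22:33:44:55", "gateway"),
    "192.168.1.10": ("AA:BB:CC:00:00:10", "accounting-pc1"),
    "192.168.1.20": ("AA:BB:CC:00:00:20", "hr-pc2"),
}
GATEWAY_IP = "192.168.1.254"

# Constructed Windows 'arp -a' output from a PC whose gateway entry has been
# poisoned: the gateway IP now carries hr-pc2's MAC.
SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.254         aa-bb-cc-00-00-20     dynamic
  192.168.1.20          aa-bb-cc-00-00-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)"
)


def normalize_mac(mac):
    """Canonical AA:BB:CC:DD:EE:FF form for Windows (dash) or Unix (colon) MACs."""
    return mac.replace("-", ":").upper()


def parse_arp_a(text):
    """Return [(ip, mac)] unicast entries from 'arp -a' output. Broadcast and
    multicast rows are dropped: they legitimately repeat MACs and would
    trigger false 'shared MAC' findings."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if ipaddress.ip_address(ip).is_multicast:
            continue
        if int(mac[:2], 16) & 1:      # group bit set: broadcast/multicast MAC
            continue
        rows.append((ip, mac))
    return rows


def owner_of(mac, registry):
    """Name the registered host that owns a MAC, or flag it as unregistered."""
    for ip, (reg_mac, owner) in registry.items():
        if reg_mac == mac:
            return f"{owner} ({ip})"
    return "unregistered MAC (guest notebook or unregistered NIC)"


def audit(rows, gateway_ip=GATEWAY_IP, registry=REGISTRY):
    """Return findings for the signs of ARP spoofing; [] means clean.
    (a) gateway IP answered by a MAC other than the registered gateway MAC,
    (b) a registered IP seen with a MAC other than its registered one,
    (c) several IPs sharing one MAC (the spoofer answering for all of them)."""
    findings = []
    real_gw_mac = registry[gateway_ip][0]
    gw_mac = dict(rows).get(gateway_ip)
    if gw_mac is not None and gw_mac != real_gw_mac:
        findings.append({"kind": "gateway_spoofed", "mac": gw_mac,
                         "suspect": owner_of(gw_mac, registry)})
    for ip, mac in rows:
        if ip != gateway_ip and ip in registry and registry[ip][0] != mac:
            findings.append({"kind": "ip_mac_mismatch", "ip": ip,
                             "expected": registry[ip][0], "observed": mac,
                             "suspect": owner_of(mac, registry)})
    by_mac = defaultdict(list)
    for ip, mac in rows:
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "shared_mac", "mac": mac, "ips": sorted(ips),
                             "suspect": owner_of(mac, registry)})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_arp_a(SAMPLE_ARP_A)):
        print(finding)
```

Run it on the output of arp -a copied from the affected PC; the suspect field is what you take to the access switch to find the port to unplug in step three. A suspect reported as unregistered points at a guest notebook or a NIC that was never registered under 1.3, which is itself a finding.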

2 Scheme features
1) Comprehensive and meticulous

Proactive prevention across every route by which the ARP virus spreads: planning beforehand, response during the incident and cleanup afterwards; endpoint and gateway cooperate; intranet and extranet are controlled at the same time.
2) Layered protection
Partitioning the internal network into security domains reduces the risk that a single poisoned computer interrupts the whole network, that a single poisoned server in the DMZ infects all servers, and that malicious insiders steal the organization's confidential information.

Part two: network environments based on layer-3 switches

Policy summary

    • Endpoint prevention and control: disable USB ports, install an ARP firewall and antivirus software, turn on the PC firewall

    • Layer-2 ARP prevention and control: layer-2 ARP control for networks connected directly to the gateway

    • Layer-3 ARP prevention and control: layer-3 ARP control via SNMP for networks not directly connected to the gateway

1 Implementation steps
1.1 Layer-2 ARP control for networks connected directly to the gateway
See part one; not repeated here.
1.2 Layer-3 ARP control for networks not directly connected to the gateway
1.2.1 SNMP monitoring
Enable SNMP on the layer-3 switch and configure SNMP monitoring on the gateway using the pre-registered IP/MAC information; the gateway polls the switch's ARP table, compares it with the registrations, and blocks any abnormal IP from reaching the Internet.
1.2.2 Setting access control policies
See section 1.4.2 of part one; not repeated here.
1.2.3 Setting the Internet behaviour management policy
See section 1.4.3 of part one; not repeated here.
1.2.4 Daily maintenance
See section 1.5 of part one; not repeated here.
2 Scheme features
1) Simple and practical
While inheriting the merits of the layer-2 ARP control scheme, it also monitors the subnets behind the router (layer-3 switch) and reduces the administrators' workload.
2) Low overhead and low coupling
SNMP polling adds only light management traffic and injects no ARP packets of its own, which helps keep the network stable. The layer-3 switch's privileged (super user) password is not required, only a read-only SNMP community string, which protects the core switch. Restrict that community to the gateway's management address (or use SNMPv3), since even read-only access exposes the switch's full ARP and interface tables.

Full text download: http://www.trustcomputing.com.cn/utmwall-rom/anti-arpvirus.doc

