At present, most Intranet security products rely mainly on ARP spoofing blocking to prevent illegal access, but ARP spoofing blocking has many shortcomings. Starling has put forward a new idea: its Intranet security system uses multiple blocking methods to implement active defense and compliance management.
As Intranet security management products have become popular, products built on all kinds of ideas have appeared one after another. However, the products are becoming noticeably homogeneous, especially in how they block terminals that illegally access the Intranet, where ARP spoofing blocking is the main method used. Every technology has two sides, and ARP spoofing blocking must be used scientifically and rationally if an Intranet security product is to get the most out of it. Qiming Xingxing, a leading information security enterprise in China, has actively explored many of the underlying technologies of Intranet security management products and has proposed new methods and ideas for preventing illegal access.
I. What is ARP spoofing blocking?
ARP (Address Resolution Protocol) is the protocol that converts an IP address into a physical address. There are two ways to map IP addresses to physical addresses: table-based and non-table-based. ARP resolves addresses from the network layer (the IP layer, that is, layer 3 of the OSI model) to the data link layer (the MAC layer, that is, layer 2 of the OSI model). Simply put, there must be a mapping between IP addresses and MAC addresses, and ARP is the protocol used to determine that mapping.
ARP spoofing blocking: Within an IP subnet, packets are delivered according to the MAC address of the target machine, and that MAC address is obtained from the target machine's IP address through ARP. Each host (including the gateway) has an ARP cache table, which under normal circumstances maintains a one-to-one relationship between IP addresses and MAC addresses. However, the way the ARP cache table is implemented and the way ARP requests are answered have weaknesses that make ARP spoofing easy to carry out, and ARP spoofing blocking deliberately uses this same mechanism to keep a target terminal off the network.
Because ARP spoofing blocking is simple to implement, most vendors in China use it, especially for blocking unregistered terminals and illegal access.
II. Limitations of ARP spoofing Blocking
First, ARP spoofing blocking places a heavy load on the network.
When ARP operates, the requesting host sends an Ethernet broadcast packet containing the IP address it wants to resolve, and the owner of that IP address replies to the requesting host with a packet containing its IP address and MAC address. With ARP spoofing blocking, a single ARP request may receive dozens or even hundreds of ARP replies, and some ARP spoofing blocking programs also send ARP requests to carry out the spoofing. The resulting flood of ARP packets consumes a large share of network resources, can degrade the performance of network equipment, and disrupts users' normal business.
Second, the blocking effect of ARP spoofing is unreliable.
ARP spoofing cannot be guaranteed to be 100% effective. For example, both the target machine's genuine ARP reply and the spoofed packet may reach the ARP requester, and whether the requester is fooled is a matter of probability; or the client may have anti-ARP-spoofing software installed. If ARP spoofing packets are used to control the access of terminal devices, the result is easy to imagine: these inherent defects greatly reduce the reliability of access control.
Finally, ARP spoofing blocking is hard to tell apart from real ARP spoofing.
If ARP spoofing blocking is enabled in a network, a real ARP spoofing attack has disastrous consequences: users cannot distinguish the product's active ARP spoofing blocking from real ARP spoofing, which makes troubleshooting very difficult and seriously affects the user's business. Moreover, in most ARP spoofing blocking implementations, all computers in the subnet spoof the target computer at the same time. When the target computer should no longer be blocked, every computer must be told to stop spoofing; if even one computer does not receive the stop command, the target computer still cannot access the network normally, resulting in an operations and maintenance accident.
III. New blocking methods for Intranet Security Products
In summary, ARP spoofing blocking has many problems, so Intranet security products should use it judiciously. Qiming Xingxing has put forward different ideas in its Intranet security risk management and audit system.
1. Avoid relying on a single method and adopt multiple blocking methods
The Intranet security risk management and audit system links terminals to the switches and uses network access control to block illegal terminals from accessing the Intranet. At the same time, application access control on important backend servers blocks illegal terminals from accessing important servers and service resources. In other words, seamless access control is implemented at the Intranet access boundary, at the backend server resources, and on the client itself. In environments that support neither network access control nor application access control, the Tianji product also uses ARP spoofing blocking, but the method is strictly standardized and restricted; in particular, as soon as the personal firewall intercepts an ARP spoofing attack, the client immediately stops sending spoofing packets to other clients, which completely changes the adverse situation created by ARP spoofing. In addition, the Starling skyline Intranet Security System and the tianqing hanma USG Integrated Security Gateway (UTM) form a unified UTM matrix that provides access control at the Internet border and can block illegal terminals from accessing the Internet.
2. Actively defend against ARP spoofing
By checking IP packet headers, the Intranet security system ensures that packet spoofing is not allowed. By monitoring the processes that initiate network activity, it prevents Trojans from accessing the network from a hidden process. It monitors ARP request and reply packets, automatically binds the gateway MAC address, and rejects delayed ARP reply packets, thereby preventing ARP spoofing attacks on the Intranet. The built-in enterprise-level host firewall uses access control, traffic control, ARP spoofing control, network behavior mode control, control of illegal external connections, and other means to implement active defense against threats to computer terminals and to control their network behavior, ensuring two-way access security and behavior control for computer terminals and effectively protecting the enterprise Intranet from the dangers of suspected attacks and unknown viruses.
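The following is an added example, not code from Venustech or from the product described on this page. It ties together the ARP description in section I and the "bind the gateway MAC, reject delayed ARP replies" idea in item 2 above: it parses raw Ethernet/ARP frames into their IP-to-MAC fields, then runs a small monitor that keeps a static binding for the gateway and raises an alert when a reply contradicts that binding, arrives without a matching request, or arrives too long after the request. The addresses, the 2-second reply window and the frames in the timeline are all constructed for the example; the exact rules the product applies are not described on the page, so this is one plausible implementation, not the vendor's.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    opcode: int


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if not ARP or malformed."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpFrame(mac_str(frame[22:28]), ip_str(frame[28:32]),
                    mac_str(frame[32:38]), ip_str(frame[38:42]), oper)


def make_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an in-memory Ethernet/ARP frame as a constructed test vector (nothing is sent)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac("ff:ff:ff:ff:ff:ff") if opcode == ARP_REQUEST else mac(target_mac)
    eth = dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


class GatewayBindingMonitor:
    """Static IP->MAC bindings (the gateway) plus request/reply pairing on the local host."""

    def __init__(self, bindings: Dict[str, str], reply_window: float = 2.0):
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}
        self.pending: Dict[str, float] = {}   # target IP -> time the request was seen
        self.window = reply_window            # assumed: replies later than this are rejected

    def observe(self, arp: ArpFrame, now: float) -> List[str]:
        alerts: List[str] = []
        if arp.opcode == ARP_REQUEST:
            self.pending[arp.target_ip] = now
            return alerts
        if arp.opcode != ARP_REPLY:
            return alerts
        expected = self.bindings.get(arp.sender_ip)
        if expected and arp.sender_mac.lower() != expected:
            alerts.append(f"binding violation: {arp.sender_ip} claimed by "
                          f"{arp.sender_mac}, bound to {expected}")
        asked = self.pending.get(arp.sender_ip)
        if asked is None:
            alerts.append(f"unsolicited reply for {arp.sender_ip} from {arp.sender_mac}")
        elif now - asked > self.window:
            alerts.append(f"delayed reply for {arp.sender_ip} ({now - asked:.1f}s after request)")
        else:
            del self.pending[arp.sender_ip]   # legitimate reply consumed the request
        return alerts


def run_demo() -> List[str]:
    """Replay a constructed timeline of frames through the monitor and return the alerts."""
    gw_ip, gw_mac = "10.0.0.1", "00:11:22:33:44:01"       # constructed gateway
    host_ip, host_mac = "10.0.0.5", "00:11:22:33:44:05"   # constructed local host
    mon = GatewayBindingMonitor({gw_ip: gw_mac})
    timeline = [
        (0.0, make_arp_frame(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip)),
        (0.1, make_arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip)),            # genuine
        (5.0, make_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", gw_ip, host_mac, host_ip)),  # wrong MAC, unasked
        (6.0, make_arp_frame(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", "10.0.0.9")),
        (9.5, make_arp_frame(ARP_REPLY, "00:11:22:33:44:09", "10.0.0.9", host_mac, host_ip)),  # too late
    ]
    alerts: List[str] = []
    for now, raw in timeline:
        arp = parse_arp(raw)
        if arp is not None:
            alerts.extend(mon.observe(arp, now))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Binding the gateway MAC only protects the one address that matters most; the request/reply pairing is what catches the flood of unsolicited replies that an ARP-based blocking program or a real spoofer produces, and the delay check is a simple way to reject stale replies without keeping per-host state forever.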
3. Active threat defense based on terminal network behavior pattern
The Intranet security system provides an active threat defense mechanism based on the network behavior pattern of each terminal. It centrally controls the network behavior of every computer terminal and restricts the subjects, objects, and services of that behavior; in addition, network access is controlled according to each terminal's security status. This effectively cuts off the propagation channels of "independent process" worms and the attack routes of Trojans and hackers, and makes up for the weakness of anti-virus software, whose prevention and control always lag behind. By monitoring the number of concurrent TCP connections, it slows the damage a worm can do to the network, and by monitoring UDP packet sending behavior, it restricts network access for abnormal processes.
The Intranet security system is built around "compliance" and includes an enterprise-level host firewall; through five-dimensional management covering terminal access control, terminal security control, desktop compliance management, terminal leak control, and terminal auditing, it comprehensively raises the Intranet's security protection capability and compliance management level. The Tianyao Intranet security system has led a new change in the Intranet security management model. While performing terminal security management, it also integrates with the tianqing hanma USG Security Gateway (UTM) into a unified UTM matrix whose main protection targets are the "network border and terminal border", jointly building a multi-level defense-in-depth system. It has changed the traditional "passive, event-driven" Intranet security management model and opened a new era of Intranet security management aimed at "active defense and compliance management".
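As an added example (not the product's code and not taken from the page), here is a per-process behavior monitor of the kind item 3 describes: it counts concurrent TCP connections per process and UDP datagrams per process in a sliding one-second window, and once either threshold is exceeded it marks the process as blocked and drops its later traffic. The event format, the process names, the thresholds (20 concurrent TCP connections, 50 UDP datagrams per second) and the event timeline are all constructed for the example; the page gives no figures, so the values are assumptions a deployment would tune.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class NetEvent:
    ts: float       # seconds since start (constructed timestamps)
    pid: int
    process: str
    proto: str      # "tcp" or "udp"
    action: str     # tcp: "connect" / "close"; udp: "send"
    dst: str        # "ip:port"


class BehaviorMonitor:
    """Per-process limits on concurrent TCP connections and UDP send rate (assumed thresholds)."""

    def __init__(self, max_tcp_conns: int = 20, max_udp_per_sec: int = 50):
        self.max_tcp = max_tcp_conns
        self.max_udp = max_udp_per_sec
        self.open_tcp: Dict[int, Set[str]] = defaultdict(set)       # pid -> open destinations
        self.udp_times: Dict[int, Deque[float]] = defaultdict(deque)  # pid -> send timestamps
        self.blocked: Set[int] = set()

    def handle(self, ev: NetEvent) -> Tuple[str, str]:
        """Return (verdict, message); verdict is "allow", "block" (threshold hit) or "drop"."""
        if ev.pid in self.blocked:
            return "drop", f"dropped {ev.proto} {ev.action} from blocked pid {ev.pid} ({ev.process})"
        if ev.proto == "tcp":
            conns = self.open_tcp[ev.pid]
            if ev.action == "connect":
                conns.add(ev.dst)
                if len(conns) > self.max_tcp:
                    self.blocked.add(ev.pid)
                    return "block", (f"pid {ev.pid} ({ev.process}) exceeded "
                                     f"{self.max_tcp} concurrent TCP connections")
            elif ev.action == "close":
                conns.discard(ev.dst)
        elif ev.proto == "udp" and ev.action == "send":
            q = self.udp_times[ev.pid]
            q.append(ev.ts)
            while q and ev.ts - q[0] >= 1.0:   # keep only the last second
                q.popleft()
            if len(q) > self.max_udp:
                self.blocked.add(ev.pid)
                return "block", f"pid {ev.pid} ({ev.process}) sent {len(q)} UDP datagrams in 1s"
        return "allow", ""


def sample_events() -> List[NetEvent]:
    """Constructed event log: a benign browser, a scanning-style process, and a UDP burst."""
    ev: List[NetEvent] = []
    for i in range(5):   # browser opens 5 connections and closes them again
        ev.append(NetEvent(0.0 + i * 0.1, 1001, "browser.exe", "tcp", "connect", f"203.0.113.{i}:443"))
    for i in range(5):
        ev.append(NetEvent(1.0 + i * 0.1, 1001, "browser.exe", "tcp", "close", f"203.0.113.{i}:443"))
    for i in range(25):  # 25 connections to distinct hosts in half a second, none closed
        ev.append(NetEvent(2.0 + i * 0.02, 4242, "unknown.exe", "tcp", "connect", f"10.0.1.{i + 1}:445"))
    for i in range(60):  # 60 UDP datagrams in under half a second
        ev.append(NetEvent(3.0 + i * 0.008, 777, "svc.exe", "udp", "send", "10.0.0.53:53"))
    return ev


def run_demo() -> List[Tuple[int, str, str]]:
    """Feed the constructed log through the monitor; return every non-allow decision."""
    mon = BehaviorMonitor()
    results = []
    for ev in sample_events():
        verdict, msg = mon.handle(ev)
        if verdict != "allow":
            results.append((ev.pid, verdict, msg))
    return results


if __name__ == "__main__":
    for pid, verdict, msg in run_demo():
        print(f"{verdict:5s} {msg}")
```

Counting distinct destinations rather than raw connect calls is what separates a browser's bursty but short-lived connections from the fan-out of a worm that never closes anything; the UDP window is a sliding one, so a process that sends steadily just under the limit is not punished for a single spike at the window boundary.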