How to effectively prevent ARP attacks

ARP spoofing and attacks are a major concern for enterprise networks. The discussion on this issue has been very in-depth, with a thorough understanding of the mechanism of ARP attacks, and various preventive measures have emerged.

But the problem is, are you sure you want to get rid of the ARP problem? I learned from users that although I have tried various methods, this problem has not been fundamentally solved. The reason is that there are currently many ARP preventive measures. First, the prevention capability of the solution is limited, which is not the most fundamental solution. Second, network management is highly restrictive, inconvenient, and not practical. Third, some measures may cause loss to the network transmission efficiency, slow network speeds, and wasted bandwidth.

This article analyzes the four common ARP prevention measures to find out why ARP problems cannot be solved.

Article 1: Analysis of Four Common Anti-ARP measures

I. Double binding measures

Double binding is a IP-MAC binding measure on both the router and the terminal, it can be on both sides of ARP spoofing, counterfeit gateway and interception data, both have the role of constraint. This is a defense measure Based on ARP spoofing principles and is also the most common method. It is effective in dealing with the most common ARP spoofing.

But the defect of double binding lies in three points:

1,
Static binding on the terminal is easily destroyed by the upgraded ARP attack.
-D command to make the static binding completely invalid.

2,
The binding of IP-MAC table on the router is time-consuming and laborious, and it is a tedious maintenance work. To change the network adapter or IP address, you must reconfigure the route. For mobile computers, binding at any time is a huge burden of network maintenance, and almost impossible for network administrators.

3,
The dual-binding mechanism does not allow computers and routers at both ends of the network to receive ARP information. However, a large amount of ARP attack data can still be sent and transmitted over the Intranet, greatly reducing the Intranet transmission efficiency, problems still occur.

Therefore, although double binding was once a basic measure of ARP defense, it is too difficult to manage because of limited defense capabilities. Now, its effect is getting increasingly limited.

Ii. ARP Personal Firewall

In some anti-virus software, the ARP Personal Firewall function is added. It binds the gateway on the terminal computer to ensure that the gateway is not affected by the fake gateway in the network, this protects your data against theft. The arpfirewall is widely used. Many people think that with the firewall, ARP attacks do not constitute a threat. In fact, this is not the case.

ARP Personal Firewall also has major defects:

1. It cannot ensure that the bound gateway is correct. If ARP spoofing has already occurred in a network and someone is forging a gateway, the ARP personal firewall will bind the wrong gateway, which is highly risky. Even if a prompt is not sent by default in the configuration, users who lack network knowledge may be at a loss.

2. ARP is a problem in the network. ARP can both forge a gateway and intercept data. It is a "dual-headed monster ". ARP defense on a personal terminal is not a complete solution, no matter what the gateway is. ARP Personal Firewall is used to prevent data from being stolen. However, ARP Personal Firewall is powerless to address network problems, such as disconnection and lag.

Therefore, the ARP Personal Firewall does not provide reliable assurance. Most importantly, it is a measure unrelated to network stability. It is personal, not a network.

3. VLAN and switch port binding

It is also a common prevention method to prevent ARP by dividing VLANs and binding vswitch ports. The practice is to carefully divide VLANs to reduce the scope of the broadcast domain, so that ARP works in a small range, without large-scale impact. At the same time, some network management switches have the MAC address learning function. After learning, disable this function to bind the corresponding MAC address and port, prevents viruses from using ARP attacks to tamper with their own addresses. That is to say, the risk of data interception in ARP attacks is eliminated. This method does play a certain role.

However, the problem between VLAN binding and switch port binding is:

1. There is no protection for the gateway. No matter how VLAN is subdivided, once the gateway is attacked, it will still cause disconnection and paralysis of the entire network.

2. Place every computer firmly on a switch port, which is too rigid. This is not suitable for mobile terminals. from the Office to the conference room, I am afraid this computer will not be able to access the Internet. What should I do with wireless applications? Other methods are needed.

3. To bind switch ports, advanced network management switches and layer-3 switches must be used. The cost of the entire switch network is greatly increased.

Because the exchange network itself supports ARP operations unconditionally, its own vulnerabilities may cause ARP attacks, and its management methods are not for ARP. Therefore, implementing ARP prevention measures on the existing exchange network is a shield against attacks. In addition, complicated operation and maintenance is basically a thankless task.

Iv. PPPoE

Each user is assigned an account and password under the network, and must pass PPPoE authentication when accessing the Internet. This method is also used to prevent ARP attacks. The PPPoE dialing method encapsulates packets twice so that they are not affected by ARP spoofing. Many people think that they have found the ultimate solution to ARP problems.

The problems are mainly focused on efficiency and practicality:

1. PPPoE needs to encapsulate packets twice and then unencapsulate the packets on the access device. This will inevitably reduce the network transmission efficiency and cause a waste of Bandwidth Resources, you must know that the processing efficiency of adding PPPoE servers to routers and other devices is not an order of magnitude with the PPPoE Server of the telecom access provider.

2. Communication between local networks in PPPoE mode is not allowed. In many networks, domain control servers, DNS servers, email servers, OA systems, data sharing, and printing and sharing are available, communication between local networks is required, and PPPoE cannot be used and is unacceptable.

3. If PPPoE is not used for Intranet access, the ARP problem still exists and nothing is resolved, so the network stability is still not good.

Therefore, PPPoE technically avoids the underlying protocol connection, so it is difficult to get rid of it and exchange network stability at the cost of network efficiency. The most unacceptable is that the network can only be used for Internet access, and other internal sharing cannot be performed under PPPoE.

Through the analysis of the above four universal ARP prevention methods, we can see that the existing ARP prevention measures have problems. That is why ARP cannot be completely solved in practice even if it has been thoroughly studied for a long time.

 

Part II: immune network is the most fundamental solution to ARP

 

The network problem must be solved. At present, the immune network promoted by Xin Quan is the most practical method to completely solve the ARP problem.

In terms of technical principles, there are three key technical points for completely solving ARP spoofing and attacks.

1. the binding of the terminal to the gateway should be solid and reliable. This binding can resist the destruction of viruses.

2, access router or gateway to the following terminal IP-MAC identification always ensure unique and accurate.

3, the network should have a most reliable mechanism, to provide the most powerful protection of the gateway IP-MAC. It not only distributes the correct gateway information, but also immediately blocks false gateway information.

Immune networks have dedicated technical solutions to these three problems, and these technologies are the technical patents of the manufacturers. The following is a detailed description. Now, we will give a brief introduction to the structure and implementation of the immune network.

Immune Network is a security and management solution based on a common exchange network consisting of existing routers, switches, network cards, and network cables. In this way, in general network communication, security and management mechanisms are integrated to ensure security control in the network communication process, blocks the inherent security vulnerabilities of normal networks.

 

Structure of immune network

Implementing an immune network is not complicated and costly. All it has to do is replace the existing broadband access device with an immune wall router or an immune gateway. Under the immune wall router, you need to bring your own server to run the immune Operation Center 24 hours a day. The immune gateway is not required and has its own server. This is the hardware adjustment measures required by the solution.

Flexible network adjustment is the configuration and installation of IP address planning, grouping policies, and automatic installation of Internet access drivers on terminals to ensure the effective operation of the entire security management function. In fact, this part of work is not much different from the daily management of the network.

 

Immune Network Monitoring Center

Immune network has powerful basic network security and management functions, and its defense against ARP is only less than a tenth. However, this article is about ARP, so we need to look back and explain in detail the mechanisms of immune networks to prevent ARP spoofing and attacks. As for the more powerful immune networks, you can continue to study.

The above three technical points for ARP management, terminal binding, gateway, and organization, respectively, immune networks adopt special technical means.

1,
Terminal binding adopts the guard binding technology. The immune network requires that the driver be automatically installed on each terminal. the Internet cannot be accessed without installation or uninstallation. The guard binding in the driver is to store the correct gateway information in a non-public location for protection. Any changes to the gateway information cannot be successful due to the strict monitoring of the guard program, this completes the requirement for strong and reliable terminal binding.

2,
The ARP innate immune technology of the immune wall router or the immune gateway. In the process of NAT forwarding, due to the addition of a special mechanism, the immune wall router simply ignores any ARP statements on the terminal IP-MAC, that is to say, no one can cheat the gateway. Unlike other routers, the immune wall Router does not use the list of IP-MAC to work, of course, do not need to cumbersome router IP-MAC table binding and maintenance operations. Innate immunity, that is, this capability is also available without any need.

3,
Ensure that the gateway IP-MAC is always the correct mechanism, in the immune network is a set of security mechanisms. First, it can distribute the real gateway information obtained from the vro to each internal network terminal, while the terminal with a driver can only accept such information. Other information is unacceptable, the unique correctness of the gateway is ensured. Secondly, on each terminal, the immune driver will intercept the gateway from virus errors so that it does not flow into the network and cut ARP spoofing and attacks from the root.

From the above three measures, the immune network does solve the long-standing ARP problem, technically rigorous, practical, and low cost. Therefore, compared with the four common ARP defense methods, immune network is the most fundamental solution to ARP.