Immune network is the most fundamental solution to ARP (1)

ARP spoofing and attacks are a major concern for enterprise networks. The discussion on this issue has been very in-depth, with a thorough understanding of the mechanism of ARP attacks, and various preventive measures have emerged.

But the problem is, are you sure you want to get rid of the ARP problem? I learned from users that although I have tried various methods, this problem has not been fundamentally solved. The reason is that there are currently many ARP preventive measures. First, the prevention capability of the solution is limited, which is not the most fundamental solution. Second, network management is highly restrictive, inconvenient, and not practical. Third, some measures may cause loss to the network transmission efficiency, slow network speeds, and wasted bandwidth.

This article analyzes the four common ARP prevention measures to find out why ARP problems cannot be solved. It further analyzes how ARP is completely eliminated in the immune network mode, and why only the immune network can do it.

Article 1: Analysis of Four Common Anti-ARP measures

I. Double binding measures

Double binding is a IP-MAC binding measure on both the router and the terminal, it can be on both sides of ARP spoofing, counterfeit gateway and interception data, both have the role of constraint. This is a defense measure Based on ARP spoofing principles and is also the most common method. It is effective in dealing with the most common ARP spoofing.

But the defect of double binding lies in three points:

1. Static binding on the terminal is easily destroyed by the upgraded ARP attack. A virus ARP-d command can completely invalidate the static binding.

2, in the router to do IP-MAC table binding work, time-consuming and labor-consuming, is a tedious maintenance work. To change the network adapter or IP address, you must reconfigure the route. For mobile computers, binding at any time is a huge burden of network maintenance, and almost impossible for network administrators.

3. Dual binding only prevents computers and routers at both ends of the network from receiving ARP information. However, a large amount of ARP attack data can still be sent and transmitted over the Intranet, greatly reducing the Intranet transmission efficiency, problems still occur.

Therefore, although double binding was once a basic measure of ARP defense, it is too difficult to manage because of limited defense capabilities. Now, its effect is getting increasingly limited.

Ii. ARP Personal Firewall

In some anti-virus software, the ARP Personal Firewall function is added. It binds the gateway on the terminal computer to ensure that the gateway is not affected by the fake gateway in the network, this protects your data against theft. The arpfirewall is widely used. Many people think that with the firewall, ARP attacks do not constitute a threat. In fact, this is not the case.

ARP Personal Firewall also has major defects:

1. It cannot ensure that the bound gateway is correct. If ARP spoofing has already occurred in a network and someone is forging a gateway, the ARP personal firewall will bind the wrong gateway, which is highly risky. Even if a prompt is not sent by default in the configuration, users who lack network knowledge may be at a loss.

2. ARP is a problem in the network. ARP can both forge a gateway and intercept data. It is a "dual-headed monster ". ARP defense on a personal terminal is not a complete solution, no matter what the gateway is. ARP Personal Firewall is used to prevent data from being stolen. However, ARP Personal Firewall is powerless to address network problems, such as disconnection and lag.

Therefore, the ARP Personal Firewall does not provide reliable assurance. Most importantly, it is a measure unrelated to network stability. It is personal, not a network.

3. VLAN and switch port binding

It is also a common prevention method to prevent ARP by dividing VLANs and binding vswitch ports. The practice is to carefully divide VLANs to reduce the scope of the broadcast domain, so that ARP works in a small range, without large-scale impact. At the same time, some network management switches have the MAC address learning function. After learning, disable this function to bind the corresponding MAC address and port, prevents viruses from using ARP attacks to tamper with their own addresses. That is to say, the risk of data interception in ARP attacks is eliminated. This method does play a certain role.

However, the problem between VLAN binding and switch port binding is:

1. There is no protection for the gateway. No matter how VLAN is subdivided, once the gateway is attacked, it will still cause disconnection and paralysis of the entire network.

2. Place every computer firmly on a switch port, which is too rigid. This is not suitable for mobile terminals. from the Office to the conference room, I am afraid this computer will not be able to access the Internet. What should I do with wireless applications? Other methods are needed.

3. To bind switch ports, advanced network management switches and layer-3 switches must be used. The cost of the entire switch network is greatly increased.

Because the exchange network itself supports ARP operations unconditionally, its own vulnerabilities may cause ARP attacks, and its management methods are not for ARP. Therefore, implementing ARP prevention measures on the existing exchange network is a shield against attacks. In addition, complicated operation and maintenance is basically a thankless task.

Iv. PPPoE

Each user is assigned an account and password under the network, and must pass PPPoE authentication when accessing the Internet. This method is also used to prevent ARP attacks. The PPPoE dialing method encapsulates packets twice so that they are not affected by ARP spoofing. Many people think that they have found the ultimate solution to ARP problems.

The problems are mainly focused on efficiency and practicality:

1. PPPoE needs to encapsulate packets twice and then unencapsulate the packets on the access device. This will inevitably reduce the network transmission efficiency and cause a waste of Bandwidth Resources, you must know that the processing efficiency of adding PPPoE servers to routers and other devices is not an order of magnitude with the PPPoE Server of the telecom access provider.

2. Communication between local networks in PPPoE mode is not allowed. In many networks, domain control servers, DNS servers, email servers, OA systems, data sharing, and printing and sharing are available, communication between local networks is required, and PPPoE cannot be used and is unacceptable.

3. If PPPoE is not used for Intranet access, the ARP problem still exists and nothing is resolved, so the network stability is still not good.

Therefore, PPPoE technically avoids the underlying protocol connection, so it is difficult to get rid of it and exchange network stability at the cost of network efficiency. The most unacceptable is that the network can only be used for Internet access, and other internal sharing cannot be performed under PPPoE.

Through the analysis of the above four universal ARP prevention methods, we can see that the existing ARP prevention measures have problems. That is why ARP cannot be completely solved in practice even if it has been thoroughly studied for a long time.