Friday, November 19, 2010

Dynamic ARP Inspection (DAI)

ARP is used to find out the MAC address of a receiver based on its IP address, which is necessary in order to send frames to the correct receiver. However, this process can be manipulated by an attacker; the manipulation is called ARP spoofing or ARP cache poisoning.

This attack uses the moment when an ARP request is sent and the receiver that owns the IP address is asked to reply with its MAC address. An attacker replies as if it owned that address and sends its own MAC address to the sender. The sender does not notice the manipulation, accepts the attacker's MAC address as valid, and sends frames to the attacker that actually belong to the receiver. The attacker can forward the received packets to the real destination (so that the exchange looks like a normal one between sender and receiver) to deceive both of them. This is dangerous because the attacker is able to monitor, listen to, and inspect the frames first (including passwords!). It is also called a "man in the middle attack" because of the attacker's position, relaying frames from the sender to the receiver.

This attack can be prevented with Dynamic ARP Inspection (DAI). The switch builds a database of paired IP-MAC addresses, which can be configured statically or populated automatically from the DHCP Snooping process. DAI uses the same concept of trusted and untrusted ports as DHCP Snooping. However, ARP frames arriving on untrusted ports are not dropped automatically (as happens in DHCP Snooping); they are checked against the IP-MAC address pairs. If the pair is valid the frame is forwarded; if it is not valid the frame is dropped. Frames arriving on a trusted port are forwarded directly without their IP-MAC pair being checked.

Cisco's recommendations for securing the network are that all ports connected to hosts should be set as untrusted and ports connected to other switches should be set as trusted. Other notes: DAI runs only on the switch's ingress ports, and DAI can be run on trunk ports or EtherChannel ports.

To activate DAI on one or more VLANs (the VLAN range is a placeholder to fill in):
(config)#ip arp inspection vlan <vlan-range>

To trust a port (select the specific interface first; slot/port is a placeholder):
(config)#interface FastEthernet<slot/port>
(config-if)#ip arp inspection trust

To enable additional validation checks (one or more of the three keywords):
(config)#ip arp inspection validate {src-mac | dst-mac | ip}
src-mac checks whether the source MAC address of the Ethernet header is the same as the sender MAC address in the ARP message. dst-mac checks whether the destination MAC address of the Ethernet header is the same as the target MAC address in the ARP message. ip compares the sender IP address of the ARP request against the destination address of the ARP reply.

To show the DAI status:
SWx#show ip arp inspection
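The following is an added example, not Cisco code, that simulates the decision a DAI-enabled switch makes for each ARP packet: trusted ports are forwarded without inspection, untrusted ports are checked against the IP-MAC binding table, and the optional src-mac, dst-mac and ip validations are applied. The port names, MAC and IP addresses, and the binding table are constructed for the example. The semantics of the three validate options follow Cisco's documentation as I understand it (src-mac on requests and replies, dst-mac on replies only, ip rejecting 0.0.0.0, 255.255.255.255 and multicast addresses), and each binding is tied to the port it was learned on, as a DHCP snooping binding is; treat both as assumptions to verify against your platform's documentation.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ArpFrame:
    """One ARP packet as seen by the switch (constructed for this example)."""
    in_port: str
    eth_src: str       # source MAC in the Ethernet header
    eth_dst: str       # destination MAC in the Ethernet header
    op: str            # "request" or "reply"
    sender_mac: str    # sender hardware address in the ARP body
    sender_ip: str     # sender protocol address in the ARP body
    target_mac: str    # target hardware address in the ARP body
    target_ip: str     # target protocol address in the ARP body


class DaiSwitch:
    """Models the DAI forward/drop decision for ARP packets (simulation, not IOS)."""

    def __init__(self, trusted_ports: Iterable[str], validate: Iterable[str] = ()):
        self.trusted = set(trusted_ports)
        self.validate = set(validate)   # any subset of {"src-mac", "dst-mac", "ip"}
        self.bindings: Dict[str, Tuple[str, str]] = {}   # ip -> (mac, port)
        self.log: List[str] = []        # what the switch would log for each drop

    def add_binding(self, ip: str, mac: str, port: str) -> None:
        """A static entry, or one learned through DHCP snooping."""
        self.bindings[ip] = (mac.lower(), port)

    @staticmethod
    def _bad_ip(ip: str) -> bool:
        """Addresses the 'ip' validation treats as invalid in an ARP body (assumed)."""
        return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

    def _drop(self, f: ArpFrame, reason: str) -> Tuple[bool, str]:
        self.log.append(f"DAI drop on {f.in_port}: {reason} "
                        f"(sender {f.sender_ip} / {f.sender_mac})")
        return False, reason

    def inspect(self, f: ArpFrame) -> Tuple[bool, str]:
        """Return (forwarded?, reason) for one ARP packet."""
        # Trusted ports (uplinks to other switches) bypass inspection entirely.
        if f.in_port in self.trusted:
            return True, "trusted port, not inspected"
        # Optional header-vs-body consistency checks.
        if "src-mac" in self.validate and f.eth_src.lower() != f.sender_mac.lower():
            return self._drop(f, "src-mac mismatch")
        if ("dst-mac" in self.validate and f.op == "reply"
                and f.eth_dst.lower() != f.target_mac.lower()):
            return self._drop(f, "dst-mac mismatch")
        if "ip" in self.validate and (
                self._bad_ip(f.sender_ip) or (f.op == "reply" and self._bad_ip(f.target_ip))):
            return self._drop(f, "invalid ip in ARP body")
        # The core DAI check: the sender's IP-MAC pair must match the binding table.
        binding = self.bindings.get(f.sender_ip)
        if binding is None:
            return self._drop(f, "no binding for sender ip")
        mac, port = binding
        if mac != f.sender_mac.lower() or port != f.in_port:
            return self._drop(f, "binding mismatch")
        return True, "binding ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed frames through a switch with hosts on Gi0/1-3 and an uplink on Gi0/24."""
    sw = DaiSwitch(trusted_ports={"Gi0/24"}, validate={"src-mac", "dst-mac", "ip"})
    sw.add_binding("10.0.0.10", "aa:aa:aa:aa:aa:10", "Gi0/1")   # host A
    sw.add_binding("10.0.0.20", "aa:aa:aa:aa:aa:20", "Gi0/2")   # host B
    sw.add_binding("10.0.0.30", "aa:aa:aa:aa:aa:30", "Gi0/3")   # host C

    frames = {
        # Host B legitimately answers host A's request.
        "legit_reply": ArpFrame("Gi0/2", "aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:10", "reply",
                                "aa:aa:aa:aa:aa:20", "10.0.0.20", "aa:aa:aa:aa:aa:10", "10.0.0.10"),
        # Host C claims host B's IP with its own MAC: the poisoning attempt the article describes.
        "spoofed_reply": ArpFrame("Gi0/3", "aa:aa:aa:aa:aa:30", "aa:aa:aa:aa:aa:10", "reply",
                                  "aa:aa:aa:aa:aa:30", "10.0.0.20", "aa:aa:aa:aa:aa:10", "10.0.0.10"),
        # Gateway reply arriving on the trusted uplink: no binding needed.
        "uplink_reply": ArpFrame("Gi0/24", "00:00:5e:00:01:01", "aa:aa:aa:aa:aa:10", "reply",
                                 "00:00:5e:00:01:01", "10.0.0.1", "aa:aa:aa:aa:aa:10", "10.0.0.10"),
        # Ethernet source and ARP sender MAC disagree: caught by the src-mac validation.
        "forged_body": ArpFrame("Gi0/3", "aa:aa:aa:aa:aa:30", "aa:aa:aa:aa:aa:10", "reply",
                                "aa:aa:aa:aa:aa:20", "10.0.0.20", "aa:aa:aa:aa:aa:10", "10.0.0.10"),
        # Request with an invalid sender address: caught by the ip validation.
        "bogus_ip": ArpFrame("Gi0/1", "aa:aa:aa:aa:aa:10", "ff:ff:ff:ff:ff:ff", "request",
                             "aa:aa:aa:aa:aa:10", "0.0.0.0", "00:00:00:00:00:00", "10.0.0.20"),
    }
    results = {name: sw.inspect(f) for name, f in frames.items()}
    for line in sw.log:
        print(line)
    return results


if __name__ == "__main__":
    for name, (forwarded, reason) in demo().items():
        print(f"{name:14} {'FORWARD' if forwarded else 'DROP':7} {reason}")
```

Running the script prints one line per drop, mirroring what `show ip arp inspection` statistics would count; the spoofed reply is dropped by the binding check alone, while the src-mac, dst-mac and ip validations catch inconsistencies the binding table cannot see.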
