Defending ARP Spoofing

Original post: "Defending ARP Spoofing" by Chris, 11-06-2005
Posted by Moe Trin on November 7, 2005, 2:00 pm
In the Usenet newsgroup comp.security.misc, in article

> I want to build up a resource containing all possibilities to defend ARP
> spoofing. As I think ARP spoofing is one of the most powerful, easiest
> and underestimated attacks I want to know all your tricks, patches,
> anything that you know/apply to defend ARP spoofing.

ARP is a protocol that only works on "this" network. The only way someone
from outside "this" network can do ARP spoofing is to gain control of a
computer on "this" network. One presumes that your firewall is set such
as to make this extremely difficult for "outsiders". This does mean that
your ordinary users are not running servers OF ANY KIND, and that your
servers do not allow users. (Server hardening is outside the scope of this
article. If your users need to run servers, they need to take full
responsibility for the security of these servers. If these servers are
personal - they belong in outside server facilities, not on the school
or company network.)

An application not normally accessible to ordinary users is needed to allow
ARP spoofing. Some operating systems have this application as part of the
normal tools (example, UNIX /sbin/ifconfig). Normal sanity is such that
this tool is not usable by ordinary users in that manner. Also, some network
cards do not accept MAC address alteration.

The days of the original 10Base5 and 10Base2 Ethernet are pretty much over
due in part to the growing number of systems that may be attached to a
network, and the increasing amount of "normal" network traffic. Our
original setup was 10Base5 with a 255.255.252.0 mask, allowing 1022 hosts
on a single collision domain. By the mid 1990s, we altered the physical
setup by adding network switches to break each network into more usable
chunks (no more than 50 systems on a single port). Later, we added new
100BaseT networks to slowly but surely replace the coax, and that in
turn is being superseded with Gigabit networks - copper and fiber. These
networks are ALL connected by switches, such that no more than 7 computers
can be on any port (normally only one), and that being a short term
exception while additional media is pulled in. The switches are
intelligent - they know what MAC addresses are on a given port. Think
about that one for a second. The switches are administered by a separate
network which gives no access to normal users or outsiders.

All users are allowed access to the network ON CONDITION. That is, there
are written policies that each user has seen and signed that indicate what
is acceptable, and what is not acceptable. Violation of these policies is
a disciplinary problem, and may be dealt with harshly. For students at a
university, this means loss of their computer privileges. This may cause
them to fail a course - tough bananas. In a work environment, the solution
may reach the level of termination for cause.

A wise policy is to not give privileged computer access ("root" or
"administrator") to normal users. We also expect that local privilege
escalation problems are corrected on a timely basis - making the task of
installing and/or running an ARP spoofing application that much more
difficult.

None of these solutions are within the user's realm of responsibility,
and are not normally even in that of the system/network administration.
This is a policy-level solution, and must be dealt with at the highest
levels. Convincing "The Powers That Be" that abuse is not to be tolerated
is usually easy - getting the policies in place is harder, but a viable
solution. Making the abuse more difficult (by network design, and smart
operating permissions) is secondary to this concept, though vital.

Old guy


Posted by Karl Levinson, mvp on November 7, 2005, 7:45 pm

> Hi all,
>
> I want to build up a resource containing all possibilities to defend ARP
> spoofing. As I think ARP spoofing is one of the most powerful, easiest
> and underestimated attacks I want to know all your tricks, patches,
> anything that you know/apply to defend ARP spoofing.
>
> I know the standard things to do (like static ARP entries and so on),
> what I want to know from you is something like:

Here are some:

Use IPSec / VPN to verify client identities;
Use any solution that includes client certificates, such as SSL;
Use "port security" on switches to control which MAC addresses can access
that switch port;
Use physical security and personnel security to ensure that people on your
internal network are relatively trusted;
Train users to recognize and report the possible symptoms of ARP spoofing
[this is rarely done in real life]; and/or,
Harden all your hosts as best you can against compromise using the usual
methods;
Accept ARP spoofing as a theoretical risk.

I do not believe ARP spoofing happens all that frequently in real life.
Generally, someone doing ARP spoofing has physical or remote access to a
host on your internal network. Someone that is in the position to do ARP
spoofing is usually in the position to do whatever they want to you given
enough time.

Before wasting a lot of time and money trying to defend against ARP
spoofing, be sure you've done enough to get rid of the more commonly
exploited vulnerabilities on your systems first. I don't know too many
people that can say they are in that position.

> -OS x has a patch y which helps prevent ARP spoofing (like antidote)
> or
> -OS x in version y has a small built-in ARP prevention (like SunOS)
> or
> -Firewall/IDS x is able to prevent/detect ARP spoofing

None of these really exist as far as I know.
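As an added example, not code from any post in this thread: a small Python monitor for the two classic symptoms of ARP spoofing on a segment, an IP address whose advertised MAC changes, and one MAC address claiming several IPs at once. The ARP observations are constructed sample data, and the per-MAC threshold is an assumption.

```python
# Added example (not from the thread): flag ARP-spoofing symptoms in a stream
# of observed ARP replies / gratuitous ARPs. Input is a list of (ip, mac)
# tuples in arrival order; a real deployment would feed these from a capture.
from collections import defaultdict

def monitor_arp(replies, max_ips_per_mac=2):
    """Return a list of alert tuples for suspicious ARP observations.

    Alert kinds:
      ("ip-mac-change", ip, previous_mac, new_mac)  an IP changed its MAC
      ("mac-many-ips", mac, ip_count)               one MAC claims many IPs
    max_ips_per_mac is an assumed threshold: a host legitimately answering
    for more than this many addresses is rare on an ordinary client segment.
    """
    ip_to_mac = {}                   # last MAC seen for each IP
    mac_to_ips = defaultdict(set)    # all IPs each MAC has answered for
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # The gateway or a peer suddenly "moved" to another NIC: the
            # primary symptom of a poisoning attempt (or a legitimate NIC swap).
            alerts.append(("ip-mac-change", ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            # One NIC speaking for the gateway plus several hosts is the
            # footprint of a man-in-the-middle relaying traffic.
            alerts.append(("mac-many-ips", mac, len(mac_to_ips[mac])))
    return alerts

# Constructed sample: three normal bindings, then 00:11:22:33:44:11 starts
# answering for the gateway 192.168.1.1 and for host 192.168.1.10.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.11", "00:11:22:33:44:11"),
    ("192.168.1.1",  "00:11:22:33:44:11"),   # gateway's MAC changes
    ("192.168.1.10", "00:11:22:33:44:11"),   # .10 changes too; 44:11 now claims 3 IPs
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_REPLIES):
        print(alert)
```

On a switched network a monitoring host sees only broadcast requests and its own unicast replies, so the monitor needs a mirror/SPAN port (or to run on each protected host) to observe the replies it checks; a NIC replacement will also trip the first alert, so treat alerts as something to verify against the switch's MAC-per-port table rather than as proof of attack.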

Posted by on November 10, 2005, 6:51 am
Can't help much with the resource guide, but had a bit to add to the
other part of the discussion. I do think that you need to be careful
not to fall into the trap of trying to protect from the wrong threats
for the specific environment. As stated by others the network design
will help mitigate some risk. What are you protecting, the client or
the network? Your role will greatly change the types of technology
available to you.

My basic tenets for security design are to eliminate the unnecessary,
harden the rest, monitor everything, know where your weaknesses are and
modify behavior to pick up the slack.

You did state that your concern was as a client in an environment that
cannot be controlled. In that case, you will always be at some level
of risk because you have to trust something to tell you the truth
initially. To mitigate risks at this level use secure sessions with
cryptography and keys that you trust.

IMHO Denial of service protection is an unwinnable battle on the client
side. Only a tightly controlled network design is likely to be able
to work here. In a large network with thousands of hosts, you
prioritize. Put the extra efforts into protecting critical business
functions, and network services. Let the rest of the clients operate
at a higher level of risk.

Good luck
/D
Dion
