ARP ATTACKS, ARP DOS AND INSPECTION
ARP ATTACKS AND INSPECTION
Ø
Inside host of Firewall will exchanges ARP
packets with unprotected hosts on the outside.
Ø
A malicious host, however, can abuse ARP to
leverage a man-in-the-middle attack.
Ø
Example : Host 192.168.100.222 on the inside of
the ASA is configured to use 192.168.100.1 as its default gateway.
Ø
When the inside host needs to communicate with a
destination that is outside of subnet 192.168.100.0/24
Ø
It must send those packets to the gateway, which
will relay the packets on toward their destination.
Ø
The inside host does this by sending the packets
to the gateway router’s MAC address.
Ø
Now suppose that a malicious host exists on the
unprotected outside part, and would like to insert itself in the middle of the
inside host’s conversation so it intercept and examine the traffic.
Ø
When the ARP request packet is forwarded outside
then attacker catch it and reply his own MAC address with IP address.
Ø
Now by this host came under Man-In-The-Middle
attack.
ARP-Inspection
Ø
To detect and prevent ARP spoofing, you can
configure the ASA to support ARP inspection.
Ø
ARP inspection uses static ARP entries as the
basis for its inspection process.
Ø
The ASA will examines each ARP reply packet it
overhears and compare the source IP and MAC address, as well as the source
interface, to known static entries in its own ARP table.
Ø
If the ARP reply matches an existing entry, the
ASA forwards it out the other interface else drop it.
Define
the ARP configuration
Ø For
ARP inspection, we define static ARP entries for all of the known hosts:
Ciscoasa(config)# arp <interface> <ip-address> <mac-address>
Ø Static
ARP entries never age out. To clear a static ARP entry, repeat the command by
beginning with the “no” keyword.
Ø Enable
ARP-inspection by command:
Ciscoasa(config)# arp-inspection <interface> enable [ flood | no-flood ]
Ø As
ARP reply packets are received, the ASA will take one of the following actions:
·
If the MAC address and the IP address are both
found in a single ARP table entry, the ARP reply must be valid and therefore is
allowed to pass through the ASA.
·
If either the MAC address or the IP address is
found in ARP table, bit not both in a
single entry, the ARP reply contains invalid or spoofed information. Therefore,
it is dropped and not forwarded through the ASA.
·
If neither MAC address nor IP address is found
in the ARP table, we can select the action as either flood (forward ot
flood the ARP packet out the other firewall interface so it can reach its
destination) or no-flood (drop the ARP packet without forwarding) . By
default flood action is assumed.
Disabling
MAC-Address Learning:
Ø
In transparent Firewall mode, an ASA will learn
MAC addresses as they are received on either of its interfaces.
Ø
Suppose a malicious host is located on the
outside of the ASA, as below figure.
Ø
Before the malicious host begins it work, the
inside host has sent a packet and the ASA has learned that its source MAC
address (0000.2222.2222) is located on the inside interface.
Ø
Now malicious host begin sending its own
packets, but with spoofed MAC addresses in the source MAC address field.
Ø
By sending a packet with source address
0000.2222.2222, the host can force the ASA to learn what is actually the inside
host’s address on the outside interface.
Ø
At this point, any packets arriving from the
outside and destined for the inside host will simply be drooped because the
host’s MAC address has been learned on the outside.
Ø
So far so good, but the malicious host might not
stop with just one spoofed MAC address. It might also send so many packets with
spoofed addresses that ASA’s MAC table is overrun.
Ø
That meant it’s a DOS attack on the ASA,
rendering it unable to forward any packets correctly.
Ø
To prevent by it , disable MAC address learning
dynamically. And firewall must use statically configured MAC address entries.
Ø
The command to disable learning:
Ciscoasa(config)# mac-learn <interface>
disable
Ø
Now configure a static MAC address entry by also
specify the interface and MAC:
Ciscoasa(config)# mac-address-table
static <interface mac-address>
0 responses to “ARP ATTACKS, ARP DOS AND INSPECTION”