LnS firewall settings for ARP defense
To illustrate the LnS (Look 'n' Stop) firewall ARP-defense setup, we assume the following subnet:
Gateway: IP = IP-1, MAC = 11:11:11:11:11:11
This machine: IP = IP-2, MAC = 22:22:22:22:22:22
Host A: IP = IP-A, MAC = AA:AA:AA:AA:AA:AA
Host B: IP = IP-B, MAC = BB:BB:BB:BB:BB:BB
Host C: IP = IP-C, MAC = CC:CC:CC:CC:CC:CC
......
For any two hosts on the subnet (the gateway counts as a host too) to communicate, each must know the other's network card (MAC) address. If one side does not know the other's MAC, it performs an ARP query.
ARP query process
Normally, within one subnet, a complete ARP query consists of one broadcast request and one unicast reply. The request is broadcast and carries the IP address being looked up, so every host on the subnet receives it; each one checks whether the queried IP equals its own. If not, the frame is discarded; if so, the network card hands the frame to the kernel (via an interrupt), the kernel has the driver parse it, builds a reply packet and sends it back to the querying host, and the querying host updates its ARP cache table when the reply arrives.
In terms of LnS rules, this exchange needs the following rules for the case where this machine queries Host B's MAC (and Host B, in turn, queries ours):
1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)
2) BB:BB:BB:BB:BB:BB => 22:22:22:22:22:22 (allow Host B's reply inbound)
3) BB:BB:BB:BB:BB:BB => FF:FF:FF:FF:FF:FF (allow Host B's broadcast inbound)
4) 22:22:22:22:22:22 => BB:BB:BB:BB:BB:BB (allow this machine's reply to Host B outbound)
Obviously rules 2) and 4) can be combined into one bidirectional rule in LnS, so full two-way communication between the two machines needs only three rules:
1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)
2) BB:BB:BB:BB:BB:BB => FF:FF:FF:FF:FF:FF (allow Host B's broadcast inbound)
3) 22:22:22:22:22:22 <=> BB:BB:BB:BB:BB:BB (allow unicast between this machine and Host B in both directions)
Simple ARP spoofing
As said above, a query consists of one broadcast request and one reply, but the protocol does not require requests and replies to be paired: any host can send a reply without ever having been asked. If the target host does not use a static MAC entry, it updates its ARP cache as soon as the reply arrives. We can therefore construct a deliberately wrong reply and make the target host update its ARP cache with it.
For example, to stop Host A and Host B from talking to each other, from this machine:
This machine sends Host A a reply saying that the MAC of IP-B is XX:XX:XX:XX:XX:XX
This machine sends Host B a reply saying that the MAC of IP-A is YY:YY:YY:YY:YY:YY
Now the entry each of Host A and Host B holds for the other is wrong. Whatever they send to each other goes to the wrong network card, or to one that does not exist (depending on the forged MAC), and communication between A and B naturally fails. (In fact it is enough for one side's ARP cache to be wrong; communication between A and B is already abnormal.)
Now think: what happens if the forged reply tells Host B that the MAC of IP-1 is ZZ:ZZ:ZZ:ZZ:ZZ:ZZ? Host B can no longer talk to the gateway, which looks like being dropped from the network. If the gateway is deceived as well, being told a wrong MAC for Host B, and the deception is kept up continuously, Host B cannot get online at all.
The "kick off the network" feature of LAN-control tools that is so often talked about works exactly this way. Such a tool first sends a large number of ARP broadcast requests to collect every host's MAC address, then sends forged replies to whichever host it wants to deceive.
ARP spoofing certainly does not stop there. The attacker can, for example, put its own MAC into the forged reply so that the deceived host sends it the traffic meant for the spoofed host; or deceive both the gateway and the target host, using its own MAC rather than a random one in the forged replies and enabling packet forwarding on its machine, so that it sits between gateway and target as a proxy and intercepts the target's traffic (a man-in-the-middle). But the purpose of this article is to explain how to set LnS ARP rules; ARP spoofing itself is not the point.
ARP prevention
By now you have probably noticed: to send forged replies, the deceiver must be able to communicate with the victim at all; otherwise the deception cannot be completed. Based on this, ARP spoofing can be prevented at several points:
First, do not let untrusted hosts learn this machine's MAC. If the deceiver cannot communicate with this machine, it naturally cannot deceive it:
intercept its ARP query broadcasts (it cannot even ask)
intercept this machine's replies to it (even if it asks, we do not answer)
Second, use static MAC bindings, so the ARP cache refuses updates.
Even if a forged reply reaches this machine, the machine does not use it to update its ARP cache, and the spoofing fails.
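To make the query-and-reply exchange, the unsolicited-reply attack and the static-binding defense concrete, here is an added example in Python. It is not code from the original post or from LnS: a minimal ARP-over-Ethernet encoder/decoder plus a model host with an ARP cache. The 192.168.1.x addresses are constructed stand-ins for the page's IP-1/IP-2/IP-B/IP-C, and the cache follows the post's assumption that a dynamic entry is overwritten by any reply addressed to the host, which not every real stack does.

```python
"""ARP-over-Ethernet encoder/decoder and a model host with an ARP cache.

Added example, not code from the original post or from LnS. Addresses are
constructed stand-ins for the page's IP-1/IP-2/IP-B/IP-C placeholders.
The cache model follows the post's assumption that a dynamic entry accepts
any reply addressed to the host, solicited or not; real stacks vary.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed subnet (stand-ins for the page's hypothetical addresses).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "11:11:11:11:11:11"
LOCAL_IP, LOCAL_MAC = "192.168.1.2", "22:22:22:22:22:22"
HOST_B_IP, HOST_B_MAC = "192.168.1.12", "bb:bb:bb:bb:bb:bb"
HOST_C_IP, HOST_C_MAC = "192.168.1.13", "cc:cc:cc:cc:cc:cc"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """Return a 42-byte Ethernet frame carrying one ARP packet.

    eth_dst defaults to the ARP target MAC (a unicast reply) or to the
    broadcast address when the target MAC is unknown (a request).
    """
    if eth_dst is None:
        eth_dst = BROADCAST_MAC if tha == ZERO_MAC else tha
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), socket.inet_aton(spa),
                      mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict of its fields."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP or len(frame) < 42:
        raise ValueError("not an ARP frame")
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = fields
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def arp_request(sender_mac, sender_ip, target_ip):
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    return build_arp(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)


class ArpHost:
    """One host's ARP behaviour: answer requests for its IP, learn from replies."""

    def __init__(self, ip, mac, static=None):
        self.ip, self.mac = ip, mac
        self.cache = dict(static or {})   # ip -> mac
        self.static = set(static or {})   # ips whose entry must never change

    def receive(self, frame):
        """Process one frame; return a reply frame to send, or None."""
        p = parse_arp(frame)
        if p["tpa"] != self.ip:
            return None                   # not addressed to us: discard
        # Merge the sender's mapping (RFC 826 does this for requests too).
        if p["spa"] not in self.static:
            self.cache[p["spa"]] = p["sha"]
        if p["op"] == ARP_REQUEST:
            return arp_reply(self.mac, self.ip, p["sha"], p["spa"])
        return None


def demo():
    """Normal query, then a forged reply, then the same forgery against a static entry."""
    local, host_b = ArpHost(LOCAL_IP, LOCAL_MAC), ArpHost(HOST_B_IP, HOST_B_MAC)
    # 1. This machine broadcasts "who has IP-B?"; only Host B answers.
    reply = host_b.receive(arp_request(LOCAL_MAC, LOCAL_IP, HOST_B_IP))
    local.receive(reply)
    learned = local.cache[HOST_B_IP]
    # 2. Host C sends an unsolicited forged reply: "IP-B is at CC:CC:...".
    forged = arp_reply(HOST_C_MAC, HOST_B_IP, LOCAL_MAC, LOCAL_IP)
    local.receive(forged)
    poisoned = local.cache[HOST_B_IP]
    # 3. Static binding for IP-B: the same forged reply changes nothing.
    pinned = ArpHost(LOCAL_IP, LOCAL_MAC, static={HOST_B_IP: HOST_B_MAC})
    pinned.receive(forged)
    return learned, poisoned, pinned.cache[HOST_B_IP]


if __name__ == "__main__":
    print(demo())
```

The "kick off the network" case is the same forgery with IP-1 as the spoofed sender IP and Host B as the target; the parser also shows why LnS rules can filter on Ethernet addresses alone, since a forged reply's Ethernet source is the attacker's own card even when the ARP sender fields lie.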
LnS settings
LnS can intercept all ARP packets (set the second-to-last rule of the default rule set to block, or disable it). That is secure as far as security goes, but our machine becomes an orphan that cannot talk to anyone. We must therefore add rules that let trusted hosts through; at minimum the gateway must be allowed, or there is no way onto the external network.
For our hypothetical subnet, the rules are as follows:
1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)
2) 11:11:11:11:11:11 => FF:FF:FF:FF:FF:FF (allow the gateway's broadcast inbound)
3) 22:22:22:22:22:22 <=> 11:11:11:11:11:11 (allow unicast between this machine and the gateway in both directions)
(The attached screenshot shows these three rules.)
If LAN sharing is needed, add two more rules like 2) and 3) for each host to be shared with, replacing the gateway's MAC with the trusted host's MAC.
This is a bit of a nuisance: two rules per host, and the fewer firewall rules the better, while LnS's rule limit is easily reached. So we make a small compromise: allow all inbound broadcasts, and do not add a broadcast rule per trusted host. Some may feel this is unsafe, since any untrusted host can now send its query broadcasts to this machine. In fact there is nothing to worry about, because there is no corresponding rule letting this machine's reply out to it. (You may ask, but I will not answer, so what can you do?) One caveat, though: the rule admits any inbound frame addressed to FF:FF:FF:FF:FF:FF, including a forged reply that an attacker sends to the broadcast address rather than to our MAC; what this machine's ARP stack does with such a reply is outside LnS's control, so pair this compromise with static bindings where it matters.
The optimized rules are as follows:
1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)
2) (any source) => FF:FF:FF:FF:FF:FF (allow all broadcasts inbound)
3) 22:22:22:22:22:22 <=> 11:11:11:11:11:11 (allow unicast between this machine and the gateway in both directions)
4) 22:22:22:22:22:22 <=> BB:BB:BB:BB:BB:BB (one such bidirectional rule per trusted host, here Host B)
Finally, set the second-to-last rule of the default set to block (the red bar in the second column) or disable it (uncheck the box in front of it).
Disabling it is safe: the final rule blocks every packet that matches nothing above (provided that final rule has not been modified).
LnS Filter
Several ARP rule sets have been posted on the forum. In principle they all aim at the same thing: block what should be blocked and allow what should be allowed. But one of the approaches is wrong, and some that look different are in fact the same as moderator Z's method.
A filtering firewall can use a blacklist (block the untrusted, allow everything else), a whitelist (allow the trusted, block everything else), or a mixture of the two. The target of a rule can be selected either directly or through rule options (negation, combination).
The rules I gave above use the whitelist approach: the listed rules allow, and one rule at the end blocks everything else (that is the second-to-last rule, set to block, or disabled so that the final rule catches everything).
Is blacklist or whitelist mode better? The general principle: prefer the mode that has to name fewer targets. Suppose there are 10 kinds of packets to filter (numbered 1 to 10); packets 1 and 3 should be allowed and the others blocked.
Whitelist mode:
Allow 1 (whitelist)
Allow 3 (whitelist)
Block all
Blacklist mode:
Block 2 (blacklist)
Block 4 (blacklist)
Block 5 (blacklist)
...... (blacklist)
Block 10 (blacklist)
Allow all
By comparison, whitelist mode is obviously the one to choose.
Variant one:
Allow 1 or 3 (whitelist, combined selection)
Block all
Variant two:
Block everything that is not 1 and not 3 (blacklist, negated selection)
Allow all
Note that both variants combine several targets in one rule. If the firewall can express such a rule, the effect is the same, but an LnS ARP rule can hold only one MAC address. Variant two in particular cannot be split into several single-target block rules that achieve the same result: "block everything that is not 1" followed by "block everything that is not 3" would block 1 and 3 as well.
Variant two is the method, posted on the forum, that blocks every ARP frame not exchanged between this machine and the gateway and then allows the rest. It amounts to keeping only the last of the three rules in the "LnS settings" section above, the bidirectional gateway rule, and blocking everything else. This has to be called a wrong method: it lets only unicast between this machine and the gateway through, so the only ARP that can pass is replies between this machine and the gateway. Even if replies alone were enough, broadcasts still have to be allowed in, otherwise normal ARP queries never reach this machine.
So why do actual users find the variant-two method "feasible"? Feasible, because the filter is so strict that it blocks the vast majority of ARP spoofing; in quotes, because it works only for a while: run it long enough and it may break the network.
This depends on the specific network environment, and there may be several reasons. One possibility is an LnS bug; another is that the filter only takes effect after this machine has already established contact with the gateway; or a static MAC entry is in use; or a fixed IP is configured, which avoids DHCP lease renewals. I have not worked out the specifics either. But in principle the approach is wrong.
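Added example in Python (not LnS code, and not from the original post) that models the rule logic of the "LnS settings" section and of the filtering discussion above: each rule holds an Ethernet source MAC, a destination MAC and a direction, the first matching rule decides, and anything unmatched is blocked by the final rule. It builds the strict per-host rule set and the optimized one, runs the page's hypothetical hosts through both, and models the forum "variant two" policy as a function, since it needs a combined condition that a single-MAC LnS rule cannot express. ANY standing for an empty MAC field is an assumption about how LnS expresses "any address"; the traffic is constructed.

```python
"""LnS-style ARP rule model: source MAC, destination MAC, direction; first
match wins; the final rule blocks whatever is left over.

Added example, not LnS code or the post's own. MACs are the page's
hypothetical subnet; all traffic below is constructed. ANY stands for an
empty MAC field (assumption about how LnS expresses "any address").
"""
from dataclasses import dataclass

ANY = "*"
BCAST = "ff:ff:ff:ff:ff:ff"
GW = "11:11:11:11:11:11"
LOCAL = "22:22:22:22:22:22"
HOST_B = "bb:bb:bb:bb:bb:bb"
HOST_C = "cc:cc:cc:cc:cc:cc"


@dataclass(frozen=True)
class Rule:
    src: str         # Ethernet source MAC, or ANY
    dst: str         # Ethernet destination MAC, or ANY
    direction: str   # "out" (this machine -> wire), "in" (wire -> this machine), "both"
    action: str      # "allow" or "block"

    def matches(self, src, dst, direction):
        def hit(s, d):
            return self.src in (ANY, s) and self.dst in (ANY, d)
        if self.direction == "both":
            # "22 <=> 11": outbound 22 -> 11 and inbound 11 -> 22
            return ((direction == "out" and hit(src, dst)) or
                    (direction == "in" and hit(dst, src)))
        return direction == self.direction and hit(src, dst)


def evaluate(rules, src, dst, direction):
    """First match wins; the final LnS rule blocks whatever matched nothing."""
    for rule in rules:
        if rule.matches(src, dst, direction):
            return rule.action
    return "block"


def strict_rules(trusted):
    """'LnS settings' section: our broadcasts out, plus two rules per trusted
    host (its broadcasts in, unicast both ways)."""
    rules = [Rule(LOCAL, BCAST, "out", "allow")]
    for mac in trusted:
        rules += [Rule(mac, BCAST, "in", "allow"), Rule(LOCAL, mac, "both", "allow")]
    return rules


def relaxed_rules(trusted):
    """The optimized set: all inbound broadcasts allowed, one unicast rule per host."""
    rules = [Rule(LOCAL, BCAST, "out", "allow"), Rule(ANY, BCAST, "in", "allow")]
    return rules + [Rule(LOCAL, mac, "both", "allow") for mac in trusted]


def variant_two(src, dst, direction):
    """Forum 'variant two' as the post reads it: block everything that is not
    unicast between this machine and the gateway, allow the rest."""
    return "allow" if {src, dst} == {LOCAL, GW} else "block"


# Constructed traffic: (source MAC, destination MAC, direction).
TRAFFIC = {
    "local_request_out":     (LOCAL, BCAST, "out"),   # we ask "who has IP-B?"
    "b_reply_in":            (HOST_B, LOCAL, "in"),   # Host B's unicast answer
    "gw_request_in":         (GW, BCAST, "in"),       # gateway asks for our MAC
    "local_reply_to_gw_out": (LOCAL, GW, "out"),
    "c_request_in":          (HOST_C, BCAST, "in"),   # untrusted host asks for our MAC
    "local_reply_to_c_out":  (LOCAL, HOST_C, "out"),  # our answer to it
    "c_forged_unicast_in":   (HOST_C, LOCAL, "in"),   # forged reply sent to our MAC
    "c_forged_broadcast_in": (HOST_C, BCAST, "in"),   # forged reply sent to ff:ff:...
}


def decisions(policy):
    """Run every constructed frame through a policy callable(src, dst, direction)."""
    return {name: policy(*frame) for name, frame in TRAFFIC.items()}


def compare():
    """Decisions of the strict set, the optimized set and variant two."""
    strict = decisions(lambda *f: evaluate(strict_rules([GW, HOST_B]), *f))
    relaxed = decisions(lambda *f: evaluate(relaxed_rules([GW, HOST_B]), *f))
    return strict, relaxed, decisions(variant_two)


if __name__ == "__main__":
    for title, result in zip(("strict", "relaxed", "variant two"), compare()):
        print(title)
        for frame, action in result.items():
            print(f"  {action:5}  {frame}")
```

Running it shows the three points made in the text: the strict set refuses Host C's query and any reply from it; the optimized set lets Host C's query in but still blocks our reply to it, while a forged reply addressed to the broadcast MAC does pass rule 2; and variant two blocks even the gateway's own query broadcast and this machine's outbound query, which is why it eventually breaks the network.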
Security is relative
The best defense against ARP spoofing is static MAC binding on the gateway and on every host. A firewall can only raise the safety factor; it cannot give a complete guarantee. First, the firewall itself may have bugs, may be incomplete, or may be set up incorrectly; second, the compromises made in practice may leave weaknesses. For example, this machine trusts the gateway in order to get online and trusts Host B in order to share with it; but if Host B is not secure, an attacker can start from Host B: after taking it over, the attacker forges Host B's IP and MAC as its own, gains the ability to talk to this machine, and then attacks by other means. Worse, if the gateway itself is insecure, no amount of protection on this machine achieves much.