Mitigating Arp Poisoning attack

The test question states that you mitigate Arp poisoning through VLAN segregation.

Once an attacker gets on any desired segregated VLAN, what's to stop him from spoofing the legitimate MAC address. Ok you reduce the attack suffice with VLAN, but you don't mitigate it.

Find more posts tagged with

Comments

dead_p00l

Just off the top of my head port security should come into play.

cryptmod

dead_p00l wrote: »

Just off the top of my head port security should come into play.

I agree, disabling unused ports on a switch would be a more ideal solution, since this would stop an attacker from successfully plugging in his laptop into the spare port.

SteveO86

Disabling Ports, Port Security, DHCP Snooping, DOT1X authentication (In the real world)

but for the test do what the book says

ptilsen

cryptmod@net-secured.com wrote: »

Ok you reduce the attack suffice with VLAN, but you don't mitigate it.

mit·i·gate
to lessen in force or intensity, as wrath, grief, harshness, or pain; moderate.

Without VLANs (and in turn, network segmentation), ARP poisoning affects the entire network. With segmentation, the effects of ARP poisoning are lessened as they only apply to one segment.

Darril

ptilsen's answer is right on target.

You can't eliminate risks. IT security attempts to reduce threats and vulnerabilities which contribute to risks. This is the same as saying that IT security attempts to mitigate threats and vulnerabilities which contribute to risks. Risk reduction is the same as risk mitigation.

cryptmod

Here is a scenario, assume I am attacking you with Arp Poisoning, I would target a central device that every other devices connects to such as your DNS or central log server, firewall or the main router (all connected to the switch).

Once I am able to arp poison your log server through the switch for instance, I can then proceed to man-in-the-middle. VLAN or no VLAN I will be able to see all log traffic from every device and do what I want. Every device talks to the same DNS, Firewalls, & log server irrespective of their VLAN space.

ptilsen

You cannot ARP poison my firewall, router, or DNS server because they are not on the same segment as you, due to do being separated by VLANs and in turn a router or layer 3 switch. You can only ARP poison your segment and intercept traffic between devices on it. You can intercept traffic between your segment's gateway and other devices on your segment, but not between the devices on mine. So you could perform MitM between Bob's computer(also om your segment) and the DNS server, since you are spoofing the gateways MAC, but you cannot perform MitM between my SQL and Web servers because they are not on your segment. So in using VLANs and subnetting, I have mitigated the effects of ARP poisoning with regards to my sensitive SQL credentials. Bob's credentials are still subject to your attack,which is why the effects of ARP poisoning have been mitigated, rather than eliminated.

Edit: I am on a tablet and therewill be some tyops. My apologies.

I think you need to go back the OSI model and look at howtraffic reaches destinations across subnets. Within a subnet ARP says "who has x.x.x.x?". When you ask for an IP outside your subnet, your network stack instead goes to the gatewayfor that route. It sends an ARP packet saying " who has x.x.x.x?" such that x.x.x.x is the gateways IP. It then sends the traffic to the gateway. At no point can it communicate on layer two with a destination outside its subnet, and assuch is incapable of knowing or spoofing its MAC. Since it cannot see ARP packets on the destination's subnet, it cannot spoof them, either.

cryptmod

I could if I walked into your (shared) data center and unused ports aren't turned off on the switch.

The point of the debate was that turning off unused port was more important then VLAN.

But I take your point, thank you.

ptilsen

Physically securing the ports mitigates against all attacks that would require physical access, not ARP poisoning in particular. The point of the question was to test if you realize ARP poisoning is mitigated by segmentation, not to imply that subnetting alone is sufficient to mitigate against any particular attack.

Security+ (and Network+) have lots of OSI-centered questions, and this is a great example.

quinnyfly

Reconfiguirng and securing your swithes may help mitigate ARP poisoning. The use of encryption, encrypted packets transversing the network are more secure than those that are not. Attacks related to ARP cache poisoning are DOS and man-in-the-middle attacks, as we all know IPv4 has no native authentication so anyone can spoof an IP address and poison the ARP cache.

Setting NICs to non-promiscuous mode and using randomised TCP sequencing may also help. I recommend that you do some research on DNS poisoning also, as zone transferes are able to poison the DNS cache, it is similar to ARP cache poisoning <one uses a DNS server or the host file, while the other corrupts a switches cache table>.

Also disable unused ports and physically secure switches, the monitoring port can be used to sniff traffic (hence non-promiscuous mode). Logging and auditing using a network analyzer (even though this is a past-tenths exercise) helps mitigate attacks based on the fact that you may be able to determine the origin of the attack and block its IP so no future attacks are waged from its origin.

That is the best off the top of my head straight out of bed......hope it helps and sorry if I am a little vague on details.

Jake.

Since you guys are talking about subnets... Has anyone seen any questions on IP addresses in the same subnet or calculating subnets on the actual CompTIA Security+ SY0-301 exam? I haven't heard of anyone who took the test being provided with a calculator to date.

I take the test in June + or -. I'm using both audio files (EXCELLENT!!!), Darril's paperback book and recently put that same book on my Kindle. I listen to the "Remember This" while I'm on the track and when I do the audio test questions, I read with the Kindle and listen to the questions, pause the audio, answer the question then move on because the audio gives the answer after the pause. It's helping a lot to "brain wash" myself with CompTIA Security+ SY0-301 info!!!

ptilsen

Everyone says you can't go wrong with Darril's book. No calculating subnets, at least not with a calculator.

powerfool

DHCP Snooping is a way to eliminate this threat, assuming that the attacker doesn't find a way to circumvent it (it would be rather difficult without access to the switch). DHCP snooping is a feature in Cisco switches that watches DHCP requests and builds a table of IP address-to-MAC address (similar to an ARP table, but relies on the DHCP server to be the trusted authority) and can be used, in conjunction with Port Security, to bring an interface down to block the attacker. At that point, you need to protect from rogue DHCP servers; this is performed as a feature of DHCP snooping, as well, by setting the interface that contains the DHCP server to be "trusted." If there is no DHCP server on that VLAN and you use an ip address helper, don't trust any interfaces and no DHCP servers will be allowed.
Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide - DHCP Snooping [Cisco Catalyst 6500 Series Switches] - Cisco Systems

Forsaken_GA

cryptmod wrote: »

I could if I walked into your (shared) data center and unused ports aren't turned off on the switch.

You're making a huge assumption that the unused ports are going to be on the same segment as the services you want to co-opt. Personally speaking, I'm not willing to risk trespass at best, B&E at worst in order to find out whether or not that's true. Shutting down unused ports and dropping them into a blackhole vlan (and turning off autonegotiation of a trunk on switches that default to using it) are good security measures, certainly, but it's easier and less risky to co-opt an existing host and abuse it for your MitM attacks.

Forsaken_GA

powerfool wrote: »

DHCP Snooping is a way to eliminate this threat, assuming that the attacker doesn't find a way to circumvent it (it would be rather difficult without access to the switch).

Unfortunately, DHCP snooping doesn't always work right, particularly if you're moving stuff around.

Private VLAN's are a much, much better way to go IMHO. When you can't talk to anything on your local segment but the default gateway, good luck getting MitM to go through.

powerfool

Forsaken_GA wrote: »

Unfortunately, DHCP snooping doesn't always work right, particularly if you're moving stuff around.

Private VLAN's are a much, much better way to go IMHO. When you can't talk to anything on your local segment but the default gateway, good luck getting MitM to go through.

That is an excellent solution, as well. I have tried to get buy-in to implement PVLANs at several places and nobody has bitten. There are very few situations where client computers need to talk with each other... and if they do, like Help Desk folks, you put them in a separate VLAN, entirely, and then use ACLs on the router (or L3 switch) that only permit those workstations to communicate with the other client systems.

Someone mentioned 802.1X, which is also a great solution, as it will keep unauthorized systems off of the protected network interfaces, entirely.

The best method would be a "Security In-Depth" solution that uses multiple layers of controls, that even overlap. This way folks may breach one control, but there is a backup control that offers similar mitigation.

Jake.

ptilsen wrote: »

Everyone says you can't go wrong with Darril's book. No calculating subnets, at least not with a calculator.

Great! Thank you for the info because I take the test next week. I'm quite nervous since I haven't taken an exam since college, a long time ago... My DOD job now requires the Comptia Security+ exam.

Also I'm curious if the questions on the actual test are structured the same as the 100 practice questions on the Comptia Security+ website? They seemed rather involved and lengthy for 1 minute per question if they are the same way on the actual test.