Allied Telesis Managing ARP GARP and Gratuitous ARP for Enhanced Network Security

Page 15

Identifying the user

Rejecting Gratuitous ARP (GARP)

Products
All switches listed on page 2

Software Versions
2.5.1 and later

Hosts can use GARP to announce their presence on a subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use GARP to penetrate the network by adding themselves to the switch’s ARP table.

You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely prevent IP spoofing, but it does shut down one easy avenue for an attacker.

Example: To ignore GARPs on VLAN 1:

set ip interface=vlan1 gratuitousarp=off

Note: We do not recommend disabling GARP reception if a server with teamed network cards is attached to the switch. In a teamed-NIC redundancy set-up, another card takes over if a card fails. In many implementations, the NIC that takes over sends a GARP to inform the switch of the port and MAC address change.
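The GARP described above is easy to recognise on the wire: an ARP request or reply whose sender IP and target IP are the same. The following Python is an added example, not code from the Allied Telesis guide or from AlliedWare: it decodes raw Ethernet/ARP frames, classifies gratuitous ARPs, and reports any GARP that would overwrite an IP-to-MAC entry already learned from ordinary ARP traffic, which is the ARP-table tampering the text warns about. All MAC and IP values in it are constructed for the demonstration.

```python
import struct
from typing import Optional

# Added example: parse Ethernet/ARP frames, spot gratuitous ARPs and flag the
# ones that conflict with an IP->MAC binding already seen. Sample addresses
# below are constructed; they are not from any real capture.

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a broadcast Ethernet/ARP frame; used here only to make sample input."""
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/IPv4 ARP frame; return None for non-ARP or malformed frames."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def is_gratuitous(arp: dict) -> bool:
    """A GARP announces the sender's own binding: sender IP equals target IP.
    Hosts send it either as an ARP request or as an ARP reply."""
    return arp["op"] in (ARP_REQUEST, ARP_REPLY) and arp["spa"] == arp["tpa"]


class ArpWatch:
    """Learn IP -> MAC from ordinary ARP and report GARPs that conflict with it."""

    def __init__(self) -> None:
        self.table = {}     # IP -> MAC learned so far
        self.alerts = []    # conflict records, one string each

    def observe(self, frame: bytes) -> str:
        arp = parse_arp(frame)
        if arp is None:
            return "ignored"
        if not is_gratuitous(arp):
            self.table.setdefault(arp["spa"], arp["sha"])
            return "arp"
        prev = self.table.get(arp["spa"])
        if prev is None:
            self.table[arp["spa"]] = arp["sha"]
            return "garp-new"
        if prev == arp["sha"]:
            return "garp-same"
        # A GARP rewriting an existing entry is exactly what an attacker uses to
        # insert themselves into an ARP table; record it rather than accept it.
        self.alerts.append(f"{arp['spa']}: {prev} -> {arp['sha']} (frame from {arp['eth_src']})")
        return "garp-conflict"


if __name__ == "__main__":
    watch = ArpWatch()
    # Constructed traffic: a normal reply, a matching GARP, then a conflicting GARP.
    samples = [
        build_arp(ARP_REPLY, "02:00:00:00:00:0a", "192.0.2.10", "02:00:00:00:00:01", "192.0.2.1"),
        build_arp(ARP_REQUEST, "02:00:00:00:00:0a", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.10"),
        build_arp(ARP_REPLY, "02:00:00:00:00:66", "192.0.2.10", "02:00:00:00:00:66", "192.0.2.10"),
    ]
    for frame in samples:
        print(watch.observe(frame))
    print(watch.alerts)
```

Run it as-is to see the three classifications and the single conflict record. Note that a legitimate teamed-NIC failover, as in the Note above, also produces a "garp-conflict" here, so on a real network this kind of alert needs to be correlated with the known server ports before it is treated as hostile.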

DHCP snooping

Products
AT-8600 Series
AT-8700XL Series
Rapier i Series
Rapier Series
AT-8800 Series
AT-8948
x900-48 Series
AT-9900 Series

Software Versions
2.7.6 and later

The AlliedWare DHCP snooping feature is a series of layer 2 techniques. It works with information from a DHCP server to:

• track the physical location of hosts
• ensure that hosts only use the IP addresses assigned to them
• ensure that only authorised DHCP servers are accessible.

In short, DHCP snooping ensures IP integrity on an L2-switched domain.

With DHCP snooping, only a whitelist of IP addresses may access the network. You configure this whitelist at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.

DHCP snooping also stops attackers from adding their own DHCP servers to the network. An attacker could set up a server to wreak havoc in the network or even control it.

There are a number of options for DHCP snooping. You can:

• let the switch snoop DHCP packets and decide who is authorised to access the IP network. See “Setting up DHCP snooping” on page 16.
• statically bind IP address and MAC combinations to switch ports. See “Using static binding for rigid control” on page 16.
• use option 82 to track users. See “Using DHCP snooping to track clients” on page 17.
• use ARP security to reject ARP messages unless they come from an IP address in the DHCP snooping database. See “Using ARP security” on page 17.

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
