SecBlade Firewall Cards ARP Attack Protection Configuration Examples

Transcription

1 SecBlade Firewall Cards ARP Attack Protection Configuration Examples Keywords: ARP Abstract: ARP provides no security mechanism and can be easily utilized by attackers to launch attacks. The device provides multiple features to detect and prevent ARP attacks. This document presents examples for configuring these features. Acronyms: ARP Acronyms Address Resolution Protocol Full spelling Hangzhou H3C Technologies Co., Ltd. 1/11

2 Table of Contents ARP Overview 3 Application Scenarios 3 Configuration Guidelines 3 ARP Attack Protection Configuration Examples 3 Network Requirements 3 Configuration Considerations 4 Software Version Used 4 Configuration on S7500E 4 Configuration on SecBlade 5 Specifying IP addresses for interfaces 5 Configuring Gratuitous ARP 7 Configuring ARP Automatic Scanning 8 Configuring Fixed ARP 8 Verification 9 Verifying Gratuitous ARP 9 Verifying ARP Automatic Scanning 10 Verifying Fixed ARP 10 References 11 Protocols and Standards 11 Related Documentation 11 Hangzhou H3C Technologies Co., Ltd. 2/11

3 ARP Overview ARP is simple and easy to use, but it provides no security mechanism and thus is prone to attacks. Currently, ARP attacks and viruses are threatening LAN security. The device provides multiple features to detect and prevent such attacks. Application Scenarios ARP attack protection is applicable to campus and enterprise networks Configuration Guidelines The gratuitous ARP feature configured on an interface takes effect only when the interface is up and has an IP address configured. If you change the interval for sending gratuitous ARP attacks, the configuration takes effect at the next sending interval. Do not enable gratuitous ARP on an interface configured with a VRRP group. Do not perform other operations during an ARP automatic scan. Fixed ARP can change dynamic ARP entries learnt on Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and VLAN interfaces into static ARP entries. ARP Attack Protection Configuration Examples Network Requirements This configuration example is applicable to the SecBlade firewall cards for the S7500E, S9500E, S12500, and S5800 switches. A SecBlade firewall card inserted in an S7500E switch is used in this example for illustration. Hangzhou H3C Technologies Co., Ltd. 3/11

4 Figure 1 Network diagram for configuring ARP attack protection As shown in Figure 1, Switch 7500E connects to the LAN through GigabitEthernet 1/0/1, connects to Ten-GigabitEthernet 0/0.10 and Ten-GigabitEthernet 0/0.11 of SecBlade through a 10 GE interface, and connects to the Internet through GigabitEthernet 1/0/2. Configuration Considerations Specify IP addresses for interfaces. Add interfaces to security zones. Configure gratuitous ARP. Configure ARP automatic scanning. Configure fixed ARP. Software Version Used SecBlade firewall card: Any of 3166 and F3166 series versions. Configuration on S7500E Configure the S7500E as follows: # Add GigabitEthernet 1/0/1 to VLAN 10. [H3C] interface GigabitEthernet1/0/1 [H3C-GigabitEthernet1/0/1] port access vlan 10 # Add GigabitEthernet 1/0/2 to VLAN 11. [H3C] interface GigabitEthernet1/0/2 [H3C-GigabitEthernet1/0/2] port access vlan 11 # Configure Ten-GigabitEthernet 2/0/1 that connects to the SecBlade card as a trunk port and configure the port to permit VLAN 1 through VLAN 11. [H3C] interface Ten-GigabitEthernet2/0/1 [H3C-Ten-GigabitEthernet2/0/1] port link-type trunk [H3C-Ten-GigabitEthernet2/0/1] port trunk permit vlan 1 to 11 Hangzhou H3C Technologies Co., Ltd. 4/11

5 Configuration on SecBlade Specifying IP addresses for interfaces Create sub interfaces Ten-GigabitEthernet 0/0.10 and Ten-GigabitEthernet 0/0.11 and specify their IP addresses Select Device Management > Interface from the navigation tree, create interface Ten-GigabitEthernet 0/0.10, specify its IP address , and add it to VLAN 10, as shown in Figure 2. Figure 2 Create sub interface Ten-GigabitEthernet 0/0.10 Click Apply. Select Device Management > Interface from the navigation tree, create interface Ten-GigabitEthernet 0/0.11, specify its IP address as , and add it to VLAN 11, as shown in Figure 3. Hangzhou H3C Technologies Co., Ltd. 5/11

6 Figure 3 Create sub interface Ten-GigabitEthernet 0/0.11 Add Ten-GigabitEthernet 0/0.10 to the Trust zone Select Device Management > Zone from the navigation tree. Figure 4 Security zones Click the icon of the Trust zone to enter the Modify Zone page. Add Ten-GigabitEthernet 0/0.10 to the Trust zone as shown in Figure 5 and then click Apply to return to the Zone page. Hangzhou H3C Technologies Co., Ltd. 6/11

7 Figure 5 Add Ten-GigabitEthernet 0/0.10 to the Trust zone Follow the same steps to add Ten-GigabitEthernet 0/0.11 to the Untrust zone. Configuring Gratuitous ARP Introduction to gratuitous ARP In a gratuitous ARP packet, the sender IP address and target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. A device sends gratuitous ARP packets to: Determine whether its IP address is already used by another device. Inform other devices of its MAC address change. A device that receives a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if no corresponding ARP entry exists. Configure an interface to send gratuitous ARP packets Select Firewall > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree. Select Ten-GigabitEthernet 0/0.10, use the default sending interval or type a specific value, click, and then click Apply. After that, all devices on the LAN can learn an ARP entry that contains the IP and MAC addresses of Ten-GigabitEthernet 0/0.10. Hangzhou H3C Technologies Co., Ltd. 7/11

8 Figure 6 Configure sending of gratuitous ARP packets Configuring ARP Automatic Scanning Introduction to ARP automatic scanning With ARP automatic scanning enabled, an interface scans neighbors, requests their MAC addresses by sending ARP requests, and creates dynamic ARP entries. Configure ARP automatic scanning Select Firewall > ARP Anti-Attack > Scan from the navigation tree. Select Ten-GigabitEthernet 0/0.10 and type the start IP address and the end IP address, as shown in Figure 7. If neither start IP address nor end IP address is specified, the system scans the IP addresses in the subnet where the interface attaches. Figure 7 Configure ARP scanning Configuring Fixed ARP Introduction to Fixed ARP Fixed ARP allows the device to change dynamic ARP entries (including those generated through automatic scan) into static ARP entries, and can effectively prevent attackers from modifying ARP entries. Hangzhou H3C Technologies Co., Ltd. 8/11

9 Configure fixed ARP Select Firewall > ARP Anti-Attack > Fix from the navigation tree. All dynamic and static ARP entries are displayed, including those obtained by ARP automatic scanning. Figure 8 ARP entries Select dynamic ARP entries, and click Fix to modify them into static ARP entries. Or select static ARP entries, and click Del Fixed to remove them. To change all dynamic ARP entries into static ARP entries, click Fix All. To delete all static ARP entries, click Del All Fixed. Figure 9 Configure fixed ARP Verification Verifying Gratuitous ARP Capture packets on the internal network /24. A gratuitous ARP packet sent from Ten-GigabitEthernet 0/0.10 is captured every two seconds. Figure 10 Capture gratuitous ARP packets Hangzhou H3C Technologies Co., Ltd. 9/11

10 Verifying ARP Automatic Scanning After an ARP automatic scan is complete, all ARP entries of the internal network are displayed in the ARP table. Select Firewall > ARP Anti-Attack > Fix from the navigation tree to view all ARP entries. For example, you can view the ARP entries for network segment /24 as shown in Figure 11. Figure 11 ARP entries Verifying Fixed ARP Verify fixed ARP On the Firewall > ARP Anti-Attack > Fix page, select the dynamic ARP entry containing and then click Fix. The dynamic ARP entry is changed into a static ARP entry that is displayed on the top of the ARP table. Figure 12 Verify fixed ARP Verify deletion of fixed ARP entries On the Firewall > ARP Anti-Attack > Fix page, select the static ARP entry containing and then click Del Fixed. A message box is displayed as shown in Figure 13. Click OK and then the static ARP entry is removed. The entry is not displayed until it is learnt again or an ARP automatic scan is carried out on the corresponding interface. Hangzhou H3C Technologies Co., Ltd. 10/11

11 Figure 13 Verify deletion of a fixed ARP entry References Protocols and Standards Table 1 Protocols and standards Standard No. RFC 826 Title An Ethernet Address Resolution Protocol Related Documentation ARP Attack Protection Configuration in the Web configuration documentation set Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd The information in this document is subject to change without notice Hangzhou H3C Technologies Co., Ltd. 11/11