Internet Security Professional Reference:IP Spoofing and Sniffing


Introduce Hardware Barriers

Bridges and switches remove the threat of passive sniffing between network segments; likewise, routers remove the threat of ARP spoofing between IP subnets, because ARP requests and replies are never forwarded across a router. You can therefore separate the trusted hosts (those whose IP addresses an attacker could exploit by ARP spoofing) from the subnets on which an attacker might obtain access. Subnetting for security helps only if physical security also prevents attachment to the subnet of the trusted machine; with that physical security in place, a spoofer cannot simply power down one of the trusted machines and attach to the subnet on which the trusting machine broadcasts its ARP requests.

A temptation when using subnetting to protect against ARP spoofing is to place the machine extending trust on a subnet separate from the machines to which it extends trust. This setup, however, simply moves the router into the position of being deceived by an ARP spoof. If trust is extended on the basis of IP addresses, the machine extending the trust is in turn trusting the routers to deliver the IP datagrams to the correct machine. If the trusted machines are on a separate subnet that is susceptible to ARP spoofing, the router for that subnet must bear the burden of ensuring that IP datagrams reach their legitimate destination. With this setup, you might need to place permanent (static) ARP cache entries for the trusted machines in the router itself.

Finally, the trusted machines must also be protected from an ARP spoofer attempting to masquerade as the router. Routers are typically physically secure and are rarely down, and then only briefly, which makes them difficult to displace by the power-down attack described above. Note, however, that a host whose ARP implementation accepts unsolicited replies can have its cache entry for the router overwritten while the router is running normally, so the same remedy applies on the host side: a permanent ARP cache entry for the router on each trusted machine.

Sniffing Case Study Revisited

To illustrate ARP spoofing in a familiar context, recall the solution to the sniffing problem adopted by Computer Science in the case study earlier in the chapter (refer to fig. 5.7). The solution to the sniffing problem was to divide the portion of the network servicing Computer Science into five segments. These segments connect to a switch in the Computer Science machine room. The only router being used is the router that joins Computer Science with the two-segment subnet for Mathematics and the one-segment subnet for English. All five segments in Computer Science are part of a single subnet.

Within a single subnet an ARP request is broadcast to every machine on the subnet, and a reply may come back from any of them. Thus an ARP spoof attack may be launched from any of the segments. To prevent this, the segments may be divided into a group of subnets rather than forming a single larger subnet.

The analysis of the situation for the ARP spoofing problem is analogous to that for the sniffing problem. The trust that a machine will not sniff is replaced by the trust that a machine will not ARP spoof. The hardware barrier used to control ARP spoofing is a router to induce subnetting rather than a bridge or a switch to induce segmenting.

The straightforward solution to the ARP spoofing problem for Computer Science is to place each segment on its own single-segment subnet by replacing the switch with a router. The two staff segments, which were kept separate for reasons other than satisfying the trust constraints, may share a subnet.

One major benefit of this solution is the ease with which routers can perform media conversion. The subnet for the machine room can use high-speed network media such as 100 Mbps Ethernet, FDDI, or HyperChannel, while the client and staff subnets can use lower-speed media such as 10 Mbps Ethernet or 4 Mbps token ring.

Problems arise, however, with respect to routing protocols. If the Central Computing router controls the router in the communication closet and does not trust the Computer Science router, they cannot exchange routing information. The Central Computing router will refuse to accept the routes advertised by the Computer Science router, cutting off the only way for remote machines to send datagrams to machines on subnets not directly attached to the Central Computing router. Machines on the Computer Science subnets not directly connected to the Central Computing router will be forced to interact with the central computing facility by using hosts in Computer Science as intermediaries. Such a use of intermediaries is known as a "proxy" arrangement.

A proxy arrangement is actually attractive from a security standpoint, but it can be quite awkward for end users. A simple proxy web server in the Computer Science machine room reduces this awkwardness. Another, more sophisticated proxy arrangement is to give the Computer Science machines IP addresses that make them appear, from the perspective of the Central Computing router, to be on the subnet it is directly attached to. The Central Computing router will then make ARP requests to determine where to send the datagrams it is forwarding to a Computer Science segment it is not connected to. The Computer Science router can perform a "proxy ARP" and reply with its own hardware address. The datagrams are delivered to the Computer Science router for forwarding, while the Central Computing router is led to believe it delivered each datagram to its destination. In essence, the Computer Science router is performing a beneficial ARP spoof: it benefits the machines on the Computer Science subnets, and it spoofs the Central Computing router. Bear in mind that any ARP monitor that watches for one hardware address answering for many IP addresses will flag exactly this behavior, so a proxy-ARP router must be made known to such a monitor.

Detecting an ARP Spoof

Unless you can introduce the kind of hardware barriers described previously, preventing an ARP spoof is probably not practical. The best you can usually hope for is rapid detection followed by some form of intervention. An anomaly detected in the ARP protocol may be legitimate, accidental, or a security breach, and policies and procedures should be in place to handle each type of incident. This chapter limits its discussion to mechanisms; it is up to the reader to decide what policies and procedures to follow once a potentially serious problem has been detected.

Several mechanisms exist for detecting an ARP spoof. At the host level, an ordinary host may attempt to detect another machine using its own IP address, either by passively examining broadcasts on the network or by actively probing for such a machine. At the server level, a machine providing a supposedly secure service to the network, perhaps a file server or a router, may attempt to detect an ARP spoof by one of its clients. Finally, at the network level, a machine under the control of the network administrator may examine all ARP requests and replies and check for anomalies indicating that an ARP spoof is under way.
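The following is an added example, not code from the book, that puts the detection mechanisms just listed into working form and also exercises the two earlier points: permanent ARP cache entries for the router and trusted hosts (pinned bindings that no reply may contradict) and the proxy-ARP router, whose replies look like a spoof to a network-level monitor unless it is explicitly allowed. It builds and parses raw Ethernet/IPv4 ARP frames (RFC 826 layout) and runs a monitor over constructed traffic; all hardware and IP addresses, the host names, and the alert thresholds are assumptions chosen for the illustration. The monitor flags unsolicited replies, a second station claiming the monitor's own address (found passively or via a gratuitous-ARP probe), replies contradicting a pinned entry, a changed IP-to-hardware binding, and one hardware address answering for several IP addresses.

```python
"""Passive ARP-spoof detector over raw Ethernet/ARP frames (constructed example)."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an Ethernet/IPv4 ARP packet (RFC 826 layout)."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa) as strings, or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


@dataclass
class ArpMonitor:
    my_ip: str                                   # host-level check: someone else claiming our address
    my_mac: str
    pinned: dict = field(default_factory=dict)   # ip -> mac: the "permanent ARP entries"
    proxy_arp_macs: frozenset = frozenset()      # routers allowed to answer for other hosts
    max_ips_per_mac: int = 1                     # assumed threshold; raise for multi-homed hosts
    seen: dict = field(default_factory=dict)     # learned ip -> mac
    ips_by_mac: defaultdict = field(default_factory=lambda: defaultdict(set))
    pending: set = field(default_factory=set)    # target IPs of requests not yet answered

    def probe_frame(self):
        """Active host-level probe: a gratuitous request for our own address."""
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, self.my_ip)

    def observe(self, frame):
        """Feed one frame; return the list of alerts it raised (empty if nothing suspicious)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, tha, tpa = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add(tpa)
        elif op == ARP_REPLY:
            if spa in self.pending:
                self.pending.discard(spa)
            else:
                alerts.append(f"unsolicited reply: {spa} is-at {sha}")
        else:
            return [f"unknown ARP opcode {op} from {sha}"]
        if spa == self.my_ip and sha != self.my_mac:
            alerts.append(f"another station ({sha}) is using our address {spa}")
        if sha not in self.proxy_arp_macs:            # a known proxy-ARP router is exempt below
            if spa in self.pinned and self.pinned[spa] != sha:
                alerts.append(f"{sha} contradicts permanent entry {spa} -> {self.pinned[spa]}")
            if spa in self.seen and self.seen[spa] != sha:
                alerts.append(f"binding changed: {spa} was {self.seen[spa]}, now {sha}")
            self.ips_by_mac[sha].add(spa)
            if len(self.ips_by_mac[sha]) > self.max_ips_per_mac:
                alerts.append(f"{sha} answers for {len(self.ips_by_mac[sha])} addresses (proxy ARP or spoof)")
        self.seen[spa] = sha
        return alerts


def demo():
    """Constructed traffic on one Computer Science subnet; returns {step: alerts}."""
    ROUTER, HOST_B, ATTACKER = "00:00:0c:00:00:01", "08:00:20:00:00:20", "00:a0:c9:de:ad:01"
    mon = ArpMonitor(my_ip="10.0.0.5", my_mac="08:00:20:00:00:05", pinned={"10.0.0.1": ROUTER})
    out = {}
    out["router asks for host B"] = mon.observe(build_arp(ARP_REQUEST, ROUTER, "10.0.0.1", ZERO_MAC, "10.0.0.20"))
    out["host B answers"] = mon.observe(build_arp(ARP_REPLY, HOST_B, "10.0.0.20", ROUTER, "10.0.0.1"))
    out["attacker claims host B"] = mon.observe(build_arp(ARP_REPLY, ATTACKER, "10.0.0.20", ROUTER, "10.0.0.1"))
    out["attacker claims router"] = mon.observe(build_arp(ARP_REPLY, ATTACKER, "10.0.0.1", HOST_B, "10.0.0.20"))
    mon.observe(mon.probe_frame())                  # our own gratuitous request raises nothing
    out["attacker claims our IP"] = mon.observe(build_arp(ARP_REPLY, ATTACKER, "10.0.0.5", mon.my_mac, "10.0.0.5"))
    return out


def proxy_arp_demo(allow_proxy):
    """Central Computing router asks for two Computer Science hosts; the CS router answers for both."""
    CENTRAL, CS_ROUTER = "00:00:0c:00:00:aa", "00:00:0c:00:00:bb"
    mon = ArpMonitor(my_ip="10.0.0.5", my_mac="08:00:20:00:00:05",
                     proxy_arp_macs=frozenset({CS_ROUTER}) if allow_proxy else frozenset())
    alerts = []
    for host in ("10.0.1.7", "10.0.1.8"):
        alerts += mon.observe(build_arp(ARP_REQUEST, CENTRAL, "10.0.0.1", ZERO_MAC, host))
        alerts += mon.observe(build_arp(ARP_REPLY, CS_ROUTER, host, CENTRAL, "10.0.0.1"))
    return alerts


if __name__ == "__main__":
    for step, alerts in demo().items():
        print(f"{step}: {alerts or 'ok'}")
    print("proxy ARP, router allowed:", proxy_arp_demo(True) or "ok")
    print("proxy ARP, router unknown:", proxy_arp_demo(False))
```

In the constructed run, the attacker's reply for host B raises two alerts (unsolicited, binding changed), the reply impersonating the router raises four (it also contradicts the pinned entry and is the second address claimed by that hardware address), and the reply claiming the monitor's own address is caught by the host-level check after the gratuitous probe. The proxy-ARP run is silent only when the Computer Science router's hardware address is on the allow list; without it, the router's second answer trips the one-address-per-station threshold, which is the "beneficial spoof" from the previous section seen from the monitor's side. To use this against live traffic, replace the constructed frames with frames read from a raw socket or a capture file; the parsing and the checks do not change.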
