PluginEditRawRule.dll Plug-In


Phant0m
February 14th, 2004, 02:52 PM
Hello Look ‘n’ Stop fans

I’m writing this tutorial for all of you Look ‘n’ Stop fans out there to give you a taste of an exciting exploration of the all-new Look ‘n’ Stop v2.05 Plug-In support, using the PluginEditRawRule.dll Plug-In (which allows you to create raw rules), which is available for download at http://www.looknstop.com/En/Plugins/plugin_ruleedition_use.htm; instructions for applying the Plug-In and using it are also on that page. Unlike any other Software Firewall that I’m aware of, Look ‘n’ Stop v2.05 Plug-In support can be used to create unique RAW rules, wow, talk about getting downright dirty with your rules!

As a demonstration I worked on ARP security. For a long time most if not all Software Firewalls allowed ARP packets by Ethernet Type ARP only and didn’t provide any comparison of source/destination MAC addresses; today there are a few that actually do provide comparison of source/destination MAC addresses, given that the individual actually does use it. However, under most circumstances this just isn’t enough. NOW, with the NEW Look ‘n’ Stop v2.05 Plug-In support and the usage of the PluginEditRawRule.dll Plug-In, my four rules, which are available in Importable rule format, can be used to uniquely do more than just allowing by Ethernet Type ARP and more than just comparison of source/destination MAC addresses found in the packet header.

Phant0m’s ARP $v1.0 Importable rule file download is available HERE (http://www.wilderssecurity.info/downloads/download.php?get=ARP-rules.zip), and the instructions follow.



MAC & IP Address index
-------------------------------
01.01.01.01.01.01 = Your-PC Physical Address
11.11.11.11.11.11 = Gateway Physical Address
192.168.0.1 = Your-Private IP
192.168.0.0 = Gateway IP
192.168.0.2 = Client-A Machine


Basically what needs to be done is: you import all four rules from the importable rule file into your rule-set and make modifications to all four rules

http://www.wilderssecurity.info/images/ARP-rules.png

and “THEN” disable the rule named “ARP : Authorize all ARP packets”, which should be located second from the bottom, easy as that! I’ll even go through the modifications of the first rule to help get you started…

Router: ARP Reply modifying

http://www.wilderssecurity.info/images/rre-1.png

* under "Field (0 to 9)" access drop-list and select 1
* under "Value Display Mode" access the drop-list and select "Hexa - Byte split"
* under "Field Value(s)" make modification to the "Value1:" field by replacing with your PC Physical Address

http://www.wilderssecurity.info/images/rre-2.png


* under "Field (0 to 9)" access drop-list and select 2
* under "Field Value(s)" make modification to the "Value1:" field by replacing with your Gateway Physical Address

http://www.wilderssecurity.info/images/rre-3.png


* under "Field (0 to 9)" access drop-list and select 3
* under "Field Value(s)" make modification to the "Value1:" field by replacing with your PC Physical Address

http://www.wilderssecurity.info/images/rre-4.png


* under "Field (0 to 9)" access drop-list and select 4
* under "Field Value(s)" make modification to the "Value1:" field by replacing with your Gateway Physical Address

http://www.wilderssecurity.info/images/rre-5.png


* under "Field (0 to 9)" access drop-list and select 5
* under "Value Display Mode" access the drop-list and select "Decimal - Byte split"
* under "Field Value(s)" make modification to the "Value1:" field by replacing with your Private IP Address

http://www.wilderssecurity.info/images/rre-6.png


* under "Field (0 to 9)" access drop-list and select 6
* under "Value Display Mode" access the drop-list and select "Decimal - Byte split"
* under "Field Value(s)" make modification to the "Value1:" field by replacing with your Gateway IP Address
* Now Click on OK button


Congratulations!!! Now you’re ready to move onward to the next ARP rule!

Phant0m
February 14th, 2004, 07:06 PM
Here is a little something to help many understand a few things about ARP.

---

At the heart of every Man-In-The-Middle and password interception attack resides a
person with the skills to see everything that traverses the network. There are tools available
on the Internet that allow one to see every single packet that passes by your
computer, and with the proper knowledge, even data that is destined for another computer.

This technique is referred to as network sniffing, and ironically is already built into your
network card. Network cards that allow the users to see all the packets are in
what's called promiscuous mode. This mode tells the NIC to pass all data up to a
higher application such as WinPCap, LibPCap, packet.dll, or any other package.

When a user can see the data that is sent across the network, it gives them the ability to
intercept a lot of juicy information such as e-mail, instant message conversations,
password hashes, administrative data, and almost everything else imaginable.

The quintessential flaw that spawns the ability to sniff network traffic resides in the actual
network devices themselves. The hub is the most basic of Ethernet
networking devices. It takes any packet that it receives and replicates that signal on all
ports, essentially broadcasting it across the network. Hence, any node connected
to that hub can view the network traffic between any other device. In technical networking terms this area where the data can be intercepted is called the
collision domain.

There are alternative technologies that allow more secure data transfer across networks,
using what's called microsegmentation. With microsegmentation, every node connected to the device gets mapped to a specific port. When data comes to the
device, the data is routed specifically to that node so that no one else can intercept the
data.

These devices are called switches, and they work by creating a table of MAC addresses.
The MAC address is the single identifier for any network device. When
the incoming data is received by the switch, the destination MAC address is
extracted and sent to the specific port for the destination.

The single greatest feature of a switch soon proves to be its greatest downfall. The table
of MAC addresses that is kept is created using a protocol called ARP (Address
Resolution Protocol). ARP tells the switch and other computers what its
MAC address is, and the switch/computers believe it (depending on certain
rules). This leaves switches vulnerable to an attack called ARP poisoning. The attacking
computer can send out fake ARP responses, tricking the remote nodes to
think that the victim computer is actually the attacker. This means that all of the
victim's data will first be sent to the attacker for tampering and whatnot, bypassing anything that the switch has set up. Once the attacker is done with the data, the
node can forward the data back to the victim without any trouble at all. There are programs that you can run that will monitor all ARP traffic and report any
irregularities, such as ARPWatch.

---
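As an added, constructed illustration (not part of the original post or of the Look ‘n’ Stop plug-in), this Python snippet parses a raw Ethernet/ARP frame and checks the same kinds of fields the four rules above compare: the Ethernet source/destination MACs, the ARP sender/target MACs and the sender/target IPs, using the MAC & IP address index values from the first post. The field layout follows RFC 826, not the plug-in's "Field (0 to 9)" numbering, which this thread does not document.

```python
import struct

# Expected bindings: the constructed values from the thread's MAC & IP address index.
PC_MAC = bytes.fromhex("010101010101")
GATEWAY_MAC = bytes.fromhex("111111111111")
PC_IP = bytes([192, 168, 0, 1])
GATEWAY_IP = bytes([192, 168, 0, 0])

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (28-byte body)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"dst": dst, "src": src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def check_gateway_reply(frame: bytes) -> list:
    """Return the reasons a reply claiming to be the gateway's should be dropped; [] means it passes."""
    a = parse_arp_frame(frame)
    problems = []
    if a["op"] != ARP_REPLY:
        problems.append("opcode is not ARP reply")
    if a["dst"] != PC_MAC or a["tha"] != PC_MAC:   # frame and ARP target must both be this PC
        problems.append("reply not addressed to this PC's MAC")
    if a["tpa"] != PC_IP:
        problems.append("reply not addressed to this PC's IP")
    if a["src"] != a["sha"]:                       # Ethernet sender and ARP sender must agree
        problems.append("Ethernet source MAC differs from ARP sender MAC")
    if a["sha"] != GATEWAY_MAC:                    # the gateway IP must come from the gateway MAC
        problems.append("sender MAC is not the gateway's")
    if a["spa"] != GATEWAY_IP:
        problems.append("sender IP is not the gateway's")
    return problems


def build_reply(src_mac: bytes, sender_ip: bytes) -> bytes:
    """Construct a sample ARP reply addressed to this PC (test input, not captured traffic)."""
    eth = struct.pack("!6s6sH", PC_MAC, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      src_mac, sender_ip, PC_MAC, PC_IP)
    return eth + arp
```

A reply whose sender IP is the gateway's but whose MAC is not is exactly the "irregularity" the ARP-monitoring tools mentioned above report; a rule that only matches Ethernet Type ARP would let it through.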

rerun2
February 15th, 2004, 12:06 AM
Wow, Phant0m another great job putting this all together!

A few questions if you do not mind...

Are the other 3 rules configured in the same manner?

Would these rules affect file sharing in one's LAN?

Lastly, are these rules placed at the very top of the rule-set?

May the karma be with you ;)

Phant0m
February 15th, 2004, 02:53 AM
Hey rerun2

-{ Quote: " Wow, Phant0m another great job putting this all together! " }-
Thanks!

-{ Quote: " A few questions if you do not mind... " }-
No I don’t mind one bit! To tell the truth, I’m excited you have!

-{ Quote: " Are the other 3 rules configured in the same manner? " }-
Yes they are.

-{ Quote: " Would these rules effect file sharing in one's LAN? " }-

Let's say Computer-A is configured with Look ‘n’ Stop and uses these four ARP rules. If the “PC: ARP B-Request” rule is improperly configured to not authorize ARP Broadcasting Requests to Computer-B, Computer-A's presence won't be known to Computer-B, therefore its share access in “My Network Places” on Computer-B won't exist. And if there are Computer-C and Computer-D and Computer-E and so forth, you must create additional “PC: ARP B-Request” rules authorizing ARP Broadcasting Requests to those. Does this answer your question? See below * - *

-{ Quote: " Lastly, are these rules placed at the very top of the rule-set? " }-
You can have them at the very top; I prefer to jump them to the bottom, just above the bottom rule, to keep them out of sight and to avoid jumping newly created rules down below those to a destination in the rule-set.

* - *
As I mentioned, the rule named “PC: ARP B-Request” contains a Value in Field-6 that needs to be modified for Computer-B; if you have more than 1 other Client Computer on your Network you need to Export this rule per Client Computer, Import it and make modifications to the rule-name and Value2 in Field-6.

See image attached…

Jazzie1
February 15th, 2004, 10:02 AM
Great work Phantom, you really are a great asset to LnS and the rest of the internet community! Keep up the good work! :)

CU
Jazzie

Phant0m
February 15th, 2004, 01:30 PM
Thanks Jazzie1!

I'd like to thank you too for assisting me over MSN earlier; you found a problem where re-booting the Router generated a re-connecting anomaly. That is now fixed and the Importable rules file has been updated on the server.

Thank you again for your assistance Jazzie1! ;D

no-idea4
February 18th, 2004, 01:09 PM
PhantOm, sorry if I should be able to figure this out myself, but for a stand-alone computer which of the four rules do I have to import and modify per your instructions? Do I make exactly the same modifications to all rules?
greetings from former becky member,
no-idea :)

Phant0m
February 18th, 2004, 03:30 PM
Hey no-idea4

For a standalone Computer I don’t see these ARP rules as necessary, especially if you’re on Dial-up. If you have an xDSL or Cable+ Type Connection these rules can block unnecessary ARP traffic on your ISP.

It is always nice to see a former becky member, don’t be a stranger here! ;)

no-idea4
February 18th, 2004, 03:42 PM
PhantOm,
Thanks for the quick response! I have been here all along, just had no questions or input. You got it covered :) By the way, your writing style has evolved since back then, so clear, concise, and easy to follow :) Thanks again.

Phant0m
February 18th, 2004, 04:08 PM
;D

FluxGFX
February 18th, 2004, 07:48 PM
Can I kiss you all over ?! :)