ARP Spoofed packets [split posts]

Discussion in 'other firewalls' started by vijayind, May 3, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, the SSID is hidden. Yes, I use WPA2-AES.

    Thanks for the tip.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Stem,

    Thanks for the excellent post. This clarifies a lot. On my router I have FireWall, Network (on IP) and Access (on Mac) control. It seems that the router operates in a default SPI/NAT setting. The Network access is a simplified rule syntax to add limited DPI on IP address only.

    With your example I finally figured it out.

    I have two questions.

    First, my guess is that NAT features are related to MAC address control, FireWall control enables the SPI rules and Network control enables the limited DPI rules. Does this make sense?

    Second question: would it be normal on an 802.11n/g WL-fixed line network to lose 25% download bandwidth when using old-fashioned 54Kbs 802.11g client devices, while using DPI instead of SPI? Strange thing is that with the 802.11n WL client and the fixed lines the loss in download bandwidth is minimal (when switching from SPI to DPI). Illogical about this observation is that you would assume that the added processing power it takes to perform DPI instead of SPI would hit the router, whereas the drop in performance is noticed with different client devices. This is strange at the least.

    Regards Kees
     
    Last edited: May 7, 2009
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Good to hear.

    NAT is for the routing of traffic to/from the internal LAN to WAN (and vice versa).

    Yes, the firewall with SPI will control/filter packets at the perimeter; the DPI will filter packets allowed in and within the perimeter.

    Your second question:
    I really do not know enough about routers as I do not use/test them enough, so would not want the possibility of giving you bad/incorrect info.


    - Stem
     
  4. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Hello Stem,
    I am ditching Jetico which I have had for about 18 months and I am switching to Outpost which you seem to recommend and like.

    I've been following these posts on ARP spoofing and am wondering if there are other firewalls that you recommend?


    Thank you,
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    I like the current implementation of ARP protection provided by OP Pro, but as for recommending it, I do not follow such a path. What may be good on one setup can have problems on another. It can also be said that a good firewall/packet filter may be no good to a user if they do not understand how to config it, so the best packet filter in the world would be no good if manual rules need to be set and the user cannot correctly do that.
    Recommending or denouncing a firewall purely on its ability (or lack of) to filter out ARP spoof would not be correct.
    My intention has always been to help users config the firewall they choose rather than attempting to push them to a specific firewall based on my own belief.


    - Stem
     
  6. wildflower

    wildflower Registered Member

    Joined:
    Mar 28, 2009
    Posts:
    4
    How is the ARP protection in Jetico Firewall v2 and v2.1 beta? Is there something missing that could make it better?

    I was planning on testing the current version this weekend to see how it is.
     
  7. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Is the ARP protection provided by OP Pro good out of the package or do I need to make manual rules?

    If I need them, what manual rules should I have?

    My computer and 6 untrusted computers share a router.
     
  8. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Re: Outpost Firewall Pro 2009 Testing and Optimization Thread

    There is evidence that my computer is being spoofed and it could very well be the router that is being spoofed.

    Do you know of any brands of home routers that protect against ARP/DHCP/DNS spoofing?

    Thankyou,
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    To enable all ARP protection, open OP - Settings - Attack detection, and enable all rules (there is a screen grab of that window here).


    - Stem
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was unable to install the latest beta version; it would not "connect to service". The previous beta, and the current full release, does contain what Jetico calls "ARP SPI". Unfortunately this does not protect against ARP spoofing. I have easily ARP spoofed/DoSed Jetico 2. There are manual rules that can be added to filter ARP, but the rules only check the Ethernet header info rather than the payload, so they are no good to prevent ARP spoof.

    I did make a post to the Jetico support forums concerning this, but the forum appears dead from any support, and the report of this has remained unanswered for almost 2 months.
    With Jetico 2, it is going too much in the direction of "leak test" prevention rather than the vendor adding better packet filtering, which is what has been requested by myself and many of its users for the last 2 years.


    - Stem
     
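    Stem's point that a rule which looks only at the Ethernet header cannot stop ARP spoofing, as an added example in Python (not code from this thread or from any of the firewalls discussed): the MAC addresses, IPs, frames and the `KNOWN` binding table are all constructed for the demo. A header-only rule passes a spoofed reply whose Ethernet source is a real LAN MAC; only checking the ARP payload (sender IP/MAC) against a binding learned out of band flags it.

```python
import struct

ARP_ETHERTYPE, ARP_REPLY = 0x0806, 2

def mac(s):
    """'aa:bb:cc:dd:ee:01' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    """'192.168.1.1' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP reply frame in memory (constructed test input, never sent)."""
    eth = struct.pack("!6s6sH", mac(tha), mac(eth_src), ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp

def parse_arp(frame):
    """Split a frame into the Ethernet header fields and the ARP payload fields."""
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        raise ValueError("not an ARP frame")
    *_, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def header_only_rule(frame, allowed_macs):
    """All an Ethernet-header-only rule can decide: is the frame's source MAC on the allow list?"""
    return parse_arp(frame)["eth_src"] in {mac(m) for m in allowed_macs}

def payload_check(frame, known_bindings):
    """Inspect the ARP payload against IP->MAC bindings learned out of band; [] means consistent."""
    p, findings = parse_arp(frame), []
    if p["sha"] != p["eth_src"]:
        findings.append("ARP sender MAC differs from Ethernet source MAC")
    expected = known_bindings.get(p["spa"])
    if p["op"] == ARP_REPLY and expected is not None and p["sha"] != expected:
        findings.append("reply claims a known IP with an unexpected MAC")
    return findings

# Constructed LAN: the gateway, this host, and one other legitimate LAN member.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
MY_IP, MY_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:10"
OTHER_MAC = "00:11:22:33:44:55"
ALLOWED = [GATEWAY_MAC, OTHER_MAC]                 # both MACs really are on this LAN
KNOWN = {ip(GATEWAY_IP): mac(GATEWAY_MAC)}         # gateway binding recorded from the router itself
# A genuine gateway reply, and a reply from OTHER_MAC claiming the gateway's IP (the spoof case).
GENUINE = build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, MY_MAC, MY_IP)
CLAIMED = build_arp_reply(OTHER_MAC, OTHER_MAC, GATEWAY_IP, MY_MAC, MY_IP)
```

    The header-only rule returns True for both frames, since OTHER_MAC is a real LAN address; payload_check is the only one that reports the second frame.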
  11. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Hi Stem,
    I think the home router that is in front of my computer and 6 other untrusted computers is compromised.

    Apparently there aren't any home routers that protect against ARP spoofing. The routers above home routers with ARP spoofing protection are very expensive.

    Apparently anyone with a Server can Spoof any home computer with a router- and that's scary!

    I am going to look into building my own Nix Distro router to take the place of the home router.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What makes you so sure?

    There are some ways we can check this. But I would need some info and for you to run some checks for me.

    We can also go through some steps to avoid such a situation. But it would mean removing the router and connecting directly.


    - Stem
     
  13. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    1. I know that one of the untrusted computers is always using emule and limewire.

    2. Starting a couple of months ago, when I log onto my credit card website with firefox or opera- I get a message saying that it can not verify the certificate or words to that effect.

    A week ago, the same thing started happening with PayPal. This happens within Virtualbox.

    3. I run internet confidential transactions from an older Virtualbox version and recently whenever I am one keystroke from completing a transaction, something or someone crashes Virtualbox. This has happened more than once with ebay, paypal, and my credit card.


    What info do you need and checks run?

    Can this be done using my laptop instead of my master monster computer?

    Thank you,
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That just means someone is filesharing.
    So what is your setup? Host OS/guest OS?
    What security is on the Host OS (firewall/AV etc)?
    What are you running in the VM?

    - Stem
     
  15. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Yea but could the emule or limewire server try and hack into the 7 computers?


    1. Running Windows XP on both the Host and the Guest
    2. Running Jetico and SSM on both the Host and the Guest
    3. Running Sun VirtualBox

    Thank You,
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have never known it.

    Running Jetico and SSM on the guest (Virtualbox) will more than likely cause conflict and make the VM crash.
    How is the guest connecting through Jetico (Is that V2?), is it a local proxy on the host?


    - Stem
     
  17. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Let me clarify that the WinXP guest session crashes and not VirtualBox, a keystroke before a credit card, ebay, or PayPal transaction and only then. This is one of the reasons why I think my computer is being spoofed.

    1. I have been running this combo (Jetico V2 and SSM) on the host and VirtualBox guest for about a year without any problems until about 2 weeks ago.

    2. A "popup" from Jetico asked me if I wanted to give VirtualBox access to the network and I gave it blanket permission (about a year ago).
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Let me clarify: the VM (virtual machine) is crashing and is more likely due to conflict with SSM and Jetico.

    But are you running the same version of Jetico and SSM from a year ago? Even if you are, constant maintenance in such a setup is needed.
    At one time I made many reports both to SSM and Jetico concerning conflicts and only SSM made changes, changes made to Jetico over the last few builds may well now cause new problems and on a VM can cause crashes.

    From that point alone your security is flawed. Non-protection/filtering of the VM control is looking for problems.

    I can see this going the same direction as when I put forward a router will not protect against inbound IP protocol attacks and others jump in with comments such as a software firewall is not needed with a router in place.
    I really have better things to do than go around in circles discussing if your setup is corrupt or not, as you are already aware you have problems, but appear to not want to do anything about it apart from putting forward you are under attack and want help. But to protect a flawed, probably corrupt setup is not something I am willing to attempt.

    Maybe others can help with the great advice they have.



    - Stem

     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247

    I have to ask this:
    Isn't Virtual PC the solution for all the problems malware can cause while you're surfing (sure, with an excellent quality firewall on)?
    Malware simply can't hurt you, you can simply delete all changes.
     
  20. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Yes, that is the beauty of VMs and that is why I have this setup.

    I use that hard drive for confidential INTERNET Sessions only- And only from the WinXP VM and never from the Host.

    After an INTERNET Session, I reset the VM.

    I don't have conflicts between Jetico and SSM- Never have!

    Stem made an offer about helping me do tests in front of my Router- None of his questions have anything to do with his offer!
     
  21. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Hey Doc,

    I ran my own simulated live hardware test on the latest 21.29.04 RIS 2009; all network systems reported with alarms saying ARP Attack Blocked. The RIS green umbrella turns into an animated red/white spinning rotor. It kept on blocking until I had stopped the attack on my network here.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, I found out that it was not the DPI that caused the drop in performance. Strangely, the wireless intelligent stream processing and QoS engine struggle over each other when playing with all settings (with WL g, WL n and fixed line clients).

    Discovered that blocking our internal IP addresses (another option of the router) from outside the WAN (seems a duplication of the in-out control, but what the heck, it works), disabling wireless intelligent stream processing and setting QoS on our IPs (simply giving the gaming PC highest priority) decreased ping time by 30% and recovered the loss of bandwidth on the WL-g devices.

    Seems that using all capacities of your router needs some experimenting before added security comes with no loss of bandwidth. Also some default enhancements should be deselected (multicast, short GI, WISH disabled; WMM enabled).

    Stem, thanks again for the explanation; it pushed/motivated me to apply the extra rules and solve the issues.
     
    Last edited: May 12, 2009
  23. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Router:

    Make
    Model
    G or N or both
    100mbps or GIG
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Cheap D-link 635, both G/N 100Mbps
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When you understand a possible compromised base is not one to make checks from, then we can work.
     