Managing ARP packets

Discussion in 'other firewalls' started by Mrkvonic, May 30, 2008.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Hi,

    A few questions, mainly for Stem:

    In order to secure and monitor DHCP server / clients on a network mainly against hostname/MAC spoofing, I'm familiar with the following methods:

    DHCP snooping, on a switch level (Cisco etc); expensive but good.
    ebtables, a firewall a la iptables capable of inspecting layer 2 (ethernet frames); not easy to setup.
    arpwatch, for monitoring ip/mac pairs; requires human touch.

    I know that iptables or any layer 3 firewall won't work in managing ARP packets, as they run on a layer below.

    So, my question is:
    Do you know of any other method save the above?
    Static ARP assignments work, but only for known clients; what about rogues?
    What other way can ARP packets be logged / processed?

    Cheers,
    Mrk
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hello Mrk, there's also arptables.
    I don't know much about ARP, and what can arptables do and not do against all attacks, but it does filter ARP on the host, same rules logic as iptables.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Hello,

    I was talking about tools for the server. How to detect presence of a rogue server / client on the network. Of course, if you use iptables to allow only udp 67/68 for clients to their specific dhcp server, then the presence of rogue server is not a threat.

    But the rogue dhcp server can still go up and be used to steal all those clients without firewall rules or mobile clients (like laptops).

    Furthermore, it does not prevent packet sniffing.

    The same thing regarding rogue clients. It is possible to use host and pool declarations, combined with the allow, deny statements to limit access, but what if a rogue client manages to successfuly flasify both the host name and the mac address? The server would be none the wiser.

    Therefore, I'm asking for entry-level, server-side tool / strategy that would identify these rogues the moment they start broadcasting and isolate them.

    It is a difficult question I don't have a smart answer yet. Except the ones I already listed, but they don't feel right ... :)

    I know there's dhcp authentication, but it's still not fully implemented, but that sounds like a nice idea.

    Anything else?

    Mrk
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Hello,
    No takers :( ?
    Me alone piloting SSN Mrkvonizator??
    Mrk
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'll just bump it once. This is a thread mainly for a host, but perhaps it will serve you some good.
    There's one poster that brings some light into the matter, Ertugrul Soeylemez, but doesn't elaborate more on what you really want Mrk.
    I fear you already know what they're saying.
     
Loading...
Similar Threads
  1. IvoShoen
    Replies:
    12
    Views:
    1,359
Thread Status:
Not open for further replies.