What firewall is good at defending ARP Spoofing

Discussion in 'other firewalls' started by bonedriven, Jun 20, 2007.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I really need a wall which is good at defending this kind of attack. There is a net tool called "Netcut" which is an ARP attack tool, and it can defend against this kind of attack too. My question is: is there a firewall in this world that can beat this kind of attack?? I tried LnS and I think it worked a little, but it blocked all communication with other PCs in my LAN at the same time.
    And Stem told me in another thread that Jetico can't do it either. So is there any??
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I think CHX-I can, but I don't know where you can get it these days. The old web site seems to have expired (?). Not sure, sorry... maybe someone else knows where to download it.
     
  3. rx2pc

    rx2pc Registered Member

    Joined:
    Aug 14, 2004
    Posts:
    34
  4. wantsprotection

    wantsprotection Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    35
    ARP attacks aren't new, and only someone with access to your LAN can launch one--home networks are generally safe. If you administer a network, you can write up and threaten to fire the offender.

    If neither of these apply, look to your switch. A Catalyst with security features enabled is much harder to defeat than a bargain switch. On such an untrusted network, also consider your physical locks.
     
  5. wantsprotection

    wantsprotection Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    35
    Firewalls (hardware or software) can't effectively defeat ARP-based attacks. You're gonna need good users, a good policy, or a secure switch.

    Edit: One more idea--if you're a user, and you don't trust your local LAN, you should definitely consider using VPN, SSL, IPSEC, etc so you can send/receive data securely across your local network. Someone sniffing your passwords is much worse than NetCut!
     
    Last edited: Jun 20, 2007
  6. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
  7. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Thanks for opinions.
    So the answer is there is not any!
    I find it kind of ridiculous.
     
  8. wantsprotection

    wantsprotection Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    35
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    There is an automatic ARP protection in ZAPRO, but I am not sure if it does what is says....

    Cheers,
    Fax

    Capture.JPG
     
  10. wantsprotection

    wantsprotection Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    35
    This feature won't stop most ARP spoofing or DoS attacks. If you read their instruction manual, they don't claim to.

    I'll say it again:

    A personal firewall can't defeat most ARP spoofing or ARP DoS attacks. If they claim to, they're lying or misinformed.

    A key problem is that the attacker can choose from three targets: your computer, your switch, and your router. If he succeeds in tricking any one of these targets he'll be able to listen in on all your traffic or knock you off the Internet. So a personal firewall can never be enough--it doesn't matter who built it, or how much it costs. Several strategies that really work are listed in likuidkewl's link above.
     
    Last edited: Jun 21, 2007
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Product?

    Fax
     
  12. wantsprotection

    wantsprotection Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    35
    That's the description for "Enable ARP Protection" in the Zone Alarm PRO user guide.

    I should note the feature is not completely useless if your system's on a shared Ethernet LAN. It might prevent your computer from crashing during an ARP DoS attack. However, an attacker would still be able to eavesdrop on you and disconnect you at will.
     
    Last edited: Jun 21, 2007
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    OK, sorry... it was not mentioned in your post....

    Cheers,
    Fax
     
  14. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Thanks, wantsprotection!
    Very clear explanation!
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi bonedriven,

    Yes, ARP spoofing can be a problem. But you can only protect what you can control (as mentioned, on a shared LAN you probably may not have access to or control of the router).
    The last setup I made for a user on a shared untrusted LAN was with CHX3.
    To limit possible problems with ARP:-
    First I found the MAC address of the gateway (router). This I placed in a rule in CHX to allow out ARP only to the gateway MAC (CHX set to stop unsolicited inbound ARP). I then set the gateway IP/MAC as static in the ARP cache. The ARP cache is then monitored by XArp.
    From this setup, there are no ARP broadcasts made from the PC. The PC can only make direct ARP to the gateway MAC, and the gateway MAC is bound to its IP.
     
  16. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi, Stem!
    So you use the combo of CHX, XArp and binding of gateway MAC/IP. Now I'm using WinArpAttacker as a defending tool most of the time. :mad:

    By the way, I made two rules in LnS to defend: 1. Allow Gateway => Me (inbound)
    2. Allow my PC's broadcast: Me => FF:FF:FF:FF:FF:FF. Finally, set ban on the rule that authorizes all ARP packets.
    After I added the rules, it seems I rarely get disconnected any more (there were 1 or 2 times, but I'm not sure it was the ARP problem). But the problem is that you cannot communicate with PCs in your LAN any more. When I host a game, nobody can get in except the ones not in my LAN.
    So, eventually, I'm with WinArpAttacker! When there's a mess in my LAN, I may make it worse! (Well, just joking)
    Another question: why don't those brand firewalls add part of the defending feature of these ARP attack tools? Strange. o_O
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The setup I made was for another user. She wanted something simple, with minimal resource usage.
    "WinArpAttacker" is/can be used for more than just protection against spoofing, and (for me) the easiest way to prevent ARP spoofing is to set a static ARP table (then monitor the ARP table for any attempted change).

    To connect internally (to other PCs on the LAN), you would need to at least allow outbound ARP to these (for you to connect out to these). For them to connect in, they would need to receive ARP replies from you (so you would need to allow inbound ARP from them).
    ARP tools, such as you mention, constantly scan the LAN, looking for any changes to IP/MAC bindings, so be cautious when using such on very large LANs. Personally, on a shared (untrusted) LAN, I prefer to just make the PC as secure as possible from spoofing / any attack.

    Personally, I think the firewall vendors believe this is not wanted/needed (certainly judging by the replies I have had from vendors), and about the best offered (in firewalls/filters) is to block unsolicited replies.

    Simple control of the ARP cache can save a lot of problems on that PC (for this problem).

    info
    To enter a static ARP entry (XP):-

    start menu-> run, "CMD"
    type:- arp -s {IP} {mac}
    So a command would look like:
    arp -s 192.168.1.1 00-11-22-33-44-55

    To clear the ARP cache:-
    start menu-> run, "CMD"
    Type: netsh interface ip delete arpcache

    To view the ARP cache:-
    start menu-> run, "CMD"
    Type: arp -a
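    Stem's procedure in posts 15 and 17 (bind the gateway as a static entry, then watch the cache for changes) can be checked mechanically. The script below is an added example for this thread, not code from the thread, CHX or XArp. It parses Windows `arp -a` style output, verifies that the gateway IP still carries the expected MAC as a static entry, reports any IP whose MAC changed between two snapshots, and lists MACs that answer for more than one IP. The two dumps, the gateway address 192.168.1.1 and all MACs are constructed sample values, not captures from a real host.

```python
"""Check the gateway binding in `arp -a` output and diff two snapshots of the cache."""
import re

# Constructed sample of Windows `arp -a` output taken after `arp -s` was used
# for the gateway (sample data, not a real capture).
ARP_DUMP_BEFORE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     static
  192.168.1.25          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed second snapshot in which the gateway entry has been overwritten
# with a different MAC and is no longer static (sample data).
ARP_DUMP_AFTER = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-de-ad-be-ef-01     dynamic
  192.168.1.25          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One cache line: dotted IPv4, hyphen-separated MAC (Windows style), entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(\w+)\s*$"
)

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def parse_arp_table(text):
    """Return {ip: (mac, type)} from `arp -a` output; MAC and type are lowercased."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table


def check_gateway(table, gateway_ip, expected_mac):
    """Return a list of findings about the gateway entry (empty list means it is as expected)."""
    findings = []
    entry = table.get(gateway_ip)
    if entry is None:
        findings.append(f"gateway {gateway_ip} is missing from the ARP cache")
        return findings
    mac, kind = entry
    if mac != expected_mac.lower():
        findings.append(
            f"gateway {gateway_ip} MAC changed: expected {expected_mac.lower()}, cache has {mac}"
        )
    if kind != "static":
        findings.append(f"gateway {gateway_ip} entry is {kind}, not static")
    return findings


def diff_tables(before, after):
    """Return [(ip, old_mac, new_mac)] for every IP whose MAC differs between snapshots."""
    changes = []
    for ip, (old_mac, _) in before.items():
        new = after.get(ip)
        if new is not None and new[0] != old_mac:
            changes.append((ip, old_mac, new[0]))
    return changes


def duplicate_macs(table):
    """Return {mac: [ips]} for MACs bound to more than one IP, ignoring the broadcast address."""
    by_mac = {}
    for ip, (mac, _) in table.items():
        if mac != BROADCAST_MAC:
            by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    before = parse_arp_table(ARP_DUMP_BEFORE)
    after = parse_arp_table(ARP_DUMP_AFTER)
    for finding in check_gateway(after, "192.168.1.1", "00-11-22-33-44-55"):
        print("ALERT:", finding)
    for ip, old, new in diff_tables(before, after):
        print(f"CHANGED: {ip} {old} -> {new}")
    for mac, ips in duplicate_macs(after).items():
        print(f"DUPLICATE: {mac} answers for {', '.join(ips)}")
```

    Run on a live host, the two dumps would come from successive `arp -a` invocations; a changed or non-static gateway entry is the signal to re-apply `arp -s` and investigate, which is the same check XArp performs continuously in Stem's setup.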
     
  18. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Thanks a lot for the explanation, Stem!

    Have a nice day!:)
     
  19. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    I noticed the other day that Sygate said it had blocked an ARP spoofing event.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Woody777,
    Have you any more info on this? (such as what the actual event was?)

    Which version of "Sygate"? I would be interested to look at what it is checking.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi bonedriven,
    As this is a subject of concern, I have just been back (to the user I set up with CHX/static ARP) and placed a tap (basically, a laptop to intercept/monitor all comms, of course with full permission). Just from the first few minutes, I did see who is monitoring/checking the LAN for ARP bindings (ARP broadcasts made 40-50 times a second from the same IP to all IPs/hardware on the LAN).

    I will also have a play with ARP spoofing/man-in-the-middle again to refresh my memory, and to re-check the new releases of the "ARP tools".
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Outpost's Attack Detection plugin includes options to block ARP spoofing from version 3.0 onwards (see Outpost 3.0 - What to Expect: ARP Filtering FAQ for details).

    ARP attacks can only be mounted from the local network so for most home users (whose "local network" is just their PC and modem/router) it is very much a non-issue. Users sharing a network with untrusted users (e.g. college or workplace LANs) and those with some cable-based ISPs (which tend to arrange their network as a large LAN, allowing subscribers to see each others traffic) do have more cause for concern.

    In this case though, a bigger worry should be that their network packets can be seen by others (ARP attacks typically are only useful as a Denial of Service, blocking network access) so considering an anonymising proxy like Tor or JAP should be a higher priority (see the Wilders' Privacy Software forum for more information on these, and other methods).
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As I have already mentioned:-
    Outpost default:
    Capture31-08-2006-11.44.1823-06-2007-14.58.51.jpg
    Even with all options enabled on this page, I can still re-map a LAN with ARP (and spoof replies through Outpost and update the PC's ARP cache) with no warning/popup from OP.
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That shouldn't happen unless the reply was for an IP address previously requested by your PC. If this isn't the case and you've not already done so, please report it as a bug.
     
  25. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    The last version that they released is 5.5.2710. Try FileForum and look for Sygate PSPF 5.5.2710. It should protect your LAN.
     