What firewall is good at defending ARP Spoofing

Discussion in 'other firewalls' started by bonedriven, Jun 20, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello bonedriven,
    I have been taking a longer look at this.

    I have at this time only taken time with CHX,JPF2 and Outpost pro. Really just to see reactions from the firewalls with default and user settings. (@Woody777, thanks for the info, I think I already have that build of Sygate, and will find time to take a look)

    OK, I will not go through the bypass methods, but most are basic (certainly info is available freely on the internet for these) such as "ARP Announcements (Gratuitous)" through to "force ARP broadcast (with wait/reply)".
    Now, my findings on these 3 firewalls (basics)

    CHX: unpredictable, this does have an option to discard "unsolicited replies", but simple methods can be used to cause problems. (mainly due to the inability to bind IP to MAC)

    Outpost pro: I did manage to bypass, but very difficult, as Outpost not only blocks unsolicited replies, but will also block ALL other inbound ARP attempts (even requests/Announcement)

    JPF2: again, unpredictable with default settings. Creating rules can help, but there is no binding (within the rules) for IP-MAC.

    So, for "out of the box" protection for ARP (currently only between these 3 firewalls), it is Outpost Pro.

    Now, something interesting I found, was when adding a static ARP entry for the gateway (router). Doing this will normally just stop ARP broadcasts checking for the gateway MAC, I see this in both OP and CHX, but in JPF2 I see no ARP at all. I do need to check more on this, as this, for a setup where the LAN is fully untrusted (no want/need to connect to other PCs on the LAN) is, for me, very good, as the user can simply enter a static ARP (for gateway), then block ALL ARP. (JPF2 must be using the ARP cache in some way, certainly nothing mentioned of this, so I will have to check with Jetico)

    So, between the 3, for out of the box protection for ARP certainly Outpost Pro. With a little work/knowledge needed, JPF2

    __________________________________________

    Hello Paranoid2000
    Yes, this is true, the reason (I believe) apart from the fact that they can better track/log users, is the fact that they also "nest" other private LANs onto the LAN (such as 10.*.*.*), this is used for TV feed.
     
  2. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Hi Stem,
    I haven't tried Outpost. I don't know if I'm clear with your idea. Do you mean the firewall can defend the attack well at the cost of losing connection with other computers in the LAN? If this is the best Outpost can manage to do, LnS can as well (with additional rules allowing only Gate=>Me and my PC's broadcast ARP packets).
    So I think a really successful defence is like those ARP attack tools, dropping the poisoned packets only.
    Hope I have made my point clear, for I'm no firewall expert.
     
    Last edited: Jun 26, 2007
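    The filtering behaviour both posts above are circling (Stem's static IP-to-MAC binding for the gateway plus discarding unsolicited replies, and bonedriven's "drop the poisoned packets only, keep the LAN working") can be written down as a small per-host policy. This is an added example, not code from the thread or from any of the firewalls discussed; the addresses are constructed, and the filter is deliberately host-side (it knows which ARP requests this host itself sent), which is an assumption about where it runs.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Build a test frame (requests go to the broadcast MAC, replies to tha)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    return (dst + sha + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa)

class ArpFilter:
    """Per-host ARP policy: static IP->MAC bindings plus a solicited-reply check."""
    def __init__(self, static_bindings: dict):
        self.static = dict(static_bindings)  # IP bytes -> MAC bytes (e.g. gateway)
        self.pending = set()                 # IPs this host has sent a request for

    def note_request_sent(self, target_ip: bytes) -> None:
        self.pending.add(target_ip)

    def decide(self, frame: bytes) -> tuple:
        """Return ('allow' | 'drop', reason) for one inbound ARP frame."""
        pkt = parse_arp(frame)
        spa, sha = pkt["spa"], pkt["sha"]
        # A sender claiming a statically bound IP with a different MAC is poison,
        # whether it arrives as a request, a reply or a gratuitous announcement.
        if spa in self.static and self.static[spa] != sha:
            return ("drop", "static binding conflict")
        if pkt["op"] == ARP_REQUEST:
            return ("allow", "request")  # answering requests keeps LAN peers working
        if pkt["op"] == ARP_REPLY:
            if spa in self.pending:
                self.pending.discard(spa)
                return ("allow", "solicited reply")
            return ("drop", "unsolicited reply")
        return ("drop", "unknown opcode")

# Constructed sample addresses (not from the thread).
GW_IP, GW_MAC = bytes([192, 168, 1, 1]), bytes.fromhex("aabbccddeeff")
ME_IP, ME_MAC = bytes([192, 168, 1, 50]), bytes.fromhex("66778899aabb")
PEER_IP, PEER_MAC, ROGUE_MAC = bytes([192, 168, 1, 20]), bytes.fromhex("cccccccccccc"), bytes.fromhex("001122334455")
```

    With the gateway bound, a reply or request that pairs the gateway IP with any other MAC is dropped, a peer's broadcast request is still answered (so a LAN game server keeps working), and a peer's reply is accepted only once, right after this host asked for it.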
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi bonedriven,
    The highlighted part of the quote you made, that was with ref to my checks on using a static ARP cache entry. The "block all ARP" I mentioned was after I set a static ARP entry, then blocked all ARP on LAN (on Jetico2 firewall), to see if the firewall checked/used the static ARP.

    OutPost does not shut off the LAN, just the direct (ARP) attacks I made (for this check). OutPost does reply to ARP "Broadcasts" made on LAN, so any inbound connection from LAN would give an "inbound connection attempt" popup (if an application is (able) to listen on port for the inbound).
    So your game server should work OK on LAN with OutPost (setup correctly).
     
  4. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
  5. beads

    beads Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    49
    We're really getting past the ability of most firewalls and into the grayer areas of IDS and more likely into what is really IPS. By definition a firewall really only needs to check the source and destination of a packet not the truthfulness of the same packet.

    Most commercial firewalls have limited ability to check for the validity of ARP packets as well: Cisco, Firebox, 3Com (without TippingPoint) all have very limited abilities to check this validity without the aid of their built in IDSes.

    - beads
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello beads,

    Just due to the fact that most firewalls (software, or with ref to the appliances you mention) do not give direct protection/filtering of ARP does not mean this is an area not to be protected.
    Remapping with ARP is quite simple on LAN, and as we will see, we will all be on a LAN very soon (if not already)
     