
DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution
Protocol). ARP has no authentication at all, so any host can claim any IP address, which makes it
vulnerable to attacks like ARP poisoning.
DAI checks all ARP packets on untrusted interfaces: it compares the sender MAC and IP address
in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in
the ARP packet doesn't match, the packet is dropped. In this lesson I'll show you how to configure
DAI. Here's the topology we will use:

Above we have four devices, the router on the left side called host will be a DHCP client, the
router on the right side is our DHCP server and on top we have a router that will be used as an
attacker. The switch in the middle will be configured for dynamic ARP inspection.

Configuration

We'll start with the switch. First we need to make sure that all interfaces are in the same VLAN:
SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 123
SW1(config-if-range)#spanning-tree portfast

Now we can configure DHCP snooping:


SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 123
SW1(config)#no ip dhcp snooping information option

The commands above enable DHCP snooping globally and for VLAN 123, and disable the
insertion of option 82 in DHCP packets (a Cisco router acting as DHCP server drops packets that
carry option 82 with an empty giaddr, so with option 82 enabled the host would never get a lease).
Don't forget to make the interface that connects to the DHCP server trusted:
SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip dhcp snooping trust

The switch will now keep track of DHCP messages. Let's configure a DHCP server on the router
on the right side:
DHCP(config)#ip dhcp pool MY_POOL
DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0

That's all we need. Let's see if the host is able to get an IP address:
HOST(config)#interface FastEthernet 0/0
HOST(config-if)#ip address dhcp

A few seconds later we see this message:


%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname HOST

Let's check if our switch has stored something in the DHCP snooping database:
SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1D:A1:8B:36:D0   192.168.1.1      86330       dhcp-snooping  123   FastEthernet0/1
Total number of bindings: 1
There it is: an entry with the MAC address and IP address of our host. Now we can continue with
the configuration of DAI. There's only one command required to activate it:
SW1(config)#ip arp inspection vlan 123

The switch will now check all ARP packets on untrusted interfaces; all interfaces are untrusted
by default. Let's see if this works or not. I'll configure the IP address of our host on our
attacker:
ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#ip address 192.168.1.1 255.255.255.0

Now lets see what happens when we try to send a ping from the attacker to our DHCP router:
ATTACK#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping is failing. What does our switch think of this?


SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])

Above you can see that all ARP requests from our attacker are dropped. The fields between the
brackets are the sender MAC, sender IP, target MAC and target IP of the ARP packet. The switch
compares the sender MAC (0017.5aed.7af0) and sender IP (192.168.1.1) with the DHCP
snooping database; since the binding for 192.168.1.1 belongs to a different MAC address, these
packets are discarded. You can find the number of dropped ARP packets with the following
command:
SW1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
  123              0              5              5              0

 Vlan   DHCP Permits   ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------   -----------  -------------   -------------------
  123              0             0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
  123                   0                        0                       0

Above you see the number of drops increase; all of them are DHCP drops, meaning the packets had
no matching entry in the DHCP snooping database. So far so good, our attacker has been stopped. We
still have one problem though. Let me first shut the interface on our attacker before we continue:
ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#shutdown

Let me show you what happens when we try to send a ping from the host to our DHCP router:
HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This ping is failing, but why? We are not spoofing anything. Here's what the switch tells us:
SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:48 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:50 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:52 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:54 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:56 UTC Tue Mar 2 1993])

Our switch is dropping the ARP replies from the DHCP router to our host. The host never receives
a reply, so it cannot resolve the MAC address of 192.168.1.254 (its ARP entry stays Incomplete)
and the ping fails. The DHCP router itself did learn the host's MAC address, because the host's
ARP request matches the DHCP snooping binding and was forwarded:
HOST#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           0   Incomplete      ARPA

DHCP#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             0   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           -   0016.c7be.0ec8  ARPA   FastEthernet0/0

Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a static
IP address, so there is no DHCP snooping binding for it. DAI checks the DHCP snooping database
for all packets that arrive on untrusted interfaces, and when it doesn't find a match, the ARP
packet is dropped. To fix this, we need to create a static entry for our DHCP router:
SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8

First we create an ARP access-list with a permit statement for the IP address and MAC address of
the DHCP router. Now we need to apply this to DAI:

SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123 ?
  static  Apply the ACL statically

We use the ip arp inspection filter command for this, but you have to be careful: if you use the
static parameter, we tell the switch not to fall back to the DHCP snooping database. It will only
check our ARP access-list, and an ARP packet that matches no entry hits the implicit deny and is
dropped, including the packets of every DHCP client that is not listed in the access-list.
Make sure you add the filter without the static parameter:
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123

There we go. The switch will now check the ARP access-list first, and when it doesn't find a
match, it will check the DHCP snooping database. Let's try that ping again:
HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Excellent, our ping is now working because of the static entry for the DHCP router. Another way
to deal with this issue is to configure the interface as trusted. DAI does not inspect ARP packets
on trusted interfaces at all, so only do this for ports that connect to infrastructure you control:
SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip arp inspection trust

Anything else we can do with DAI? There are some additional security checks you can enable if
you want:
SW1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

Heres what these options mean:

dst-mac: checks the destination MAC address in the Ethernet header against
the target MAC address in the ARP packet. This check is performed for ARP
replies. ARP replies with different MAC addresses will be dropped.

ip: checks for invalid and unexpected IP addresses. For example 0.0.0.0,
255.255.255.255 and multicast addresses.

src-mac: checks the source MAC address in the Ethernet header against the
sender's MAC address in the ARP packet. This check is performed for both
ARP requests and replies. ARP packets with different MAC addresses will be
dropped. Without this check, DAI only looks at the ARP body, so a frame whose
Ethernet source MAC differs from the sender MAC it claims is not detected.

You can enable more than one of these checks, but you have to specify all of them in a single
command: each new ip arp inspection validate command replaces the previous setting instead of
adding to it. Here's an example how to enable the dst-mac check:
SW1(config)#ip arp inspection validate dst-mac
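To make the order of the checks above concrete, here is an added example in Python (not Cisco code and not part of the original lesson): a small model of the decision DAI makes for one ARP packet, run over packets built from the addresses in this lesson. It assumes the evaluation order trusted port, then validate checks, then ARP access-list, then DHCP snooping bindings (matched on MAC, IP and VLAN), and that the static keyword turns the access-list's implicit deny into a final drop; the packets, bindings and interface names are constructed from the output shown earlier.

```python
"""Model of the permit/drop decision DAI makes for one ARP packet.

Added example for this lesson, not Cisco code. The evaluation order
(trusted port, "validate" checks, ARP ACL, DHCP snooping bindings, with
"static" removing the binding fallback) follows Cisco's documented behaviour;
bindings are matched on MAC, IP and VLAN. All addresses are constructed
from the lesson's output.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


def norm_mac(mac):
    """Canonicalise 00:1D:A1:8B:36:D0, 001d.a18b.36d0 or 00-1d-... to 001d.a18b.36d0."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "Req" or "Res", as printed in the %SW_DAI log messages
    eth_src: str     # Ethernet header source and destination MAC
    eth_dst: str
    sender_mac: str  # ARP body: sender MAC/IP and target MAC/IP
    sender_ip: str
    target_mac: str
    target_ip: str
    interface: str
    vlan: int


@dataclass
class DaiConfig:
    vlan: int
    bindings: set                                 # {(mac, ip, vlan)} from "show ip dhcp snooping binding"
    trusted: set = field(default_factory=set)     # interfaces with "ip arp inspection trust"
    acl_permit: set = field(default_factory=set)  # {(ip, mac)} from "permit ip host .. mac host .."
    acl_deny: set = field(default_factory=set)    # {(ip, mac)} from explicit deny entries
    acl_static: bool = False                      # "ip arp inspection filter ... static"
    validate: set = field(default_factory=set)    # any of {"src-mac", "dst-mac", "ip"}

    def __post_init__(self):
        self.bindings = {(norm_mac(m), ip, v) for m, ip, v in self.bindings}
        self.acl_permit = {(ip, norm_mac(m)) for ip, m in self.acl_permit}
        self.acl_deny = {(ip, norm_mac(m)) for ip, m in self.acl_deny}


def _invalid_ip(addr):
    return addr in ("0.0.0.0", "255.255.255.255") or ip_address(addr).is_multicast


def inspect(pkt, cfg):
    """Return (verdict, reason) for one ARP packet arriving at the switch."""
    if pkt.vlan != cfg.vlan:
        return "permit", "VLAN not inspected"
    if pkt.interface in cfg.trusted:
        return "permit", "trusted interface"
    smac, tmac = norm_mac(pkt.sender_mac), norm_mac(pkt.target_mac)
    # optional checks enabled with "ip arp inspection validate ..."
    if "src-mac" in cfg.validate and norm_mac(pkt.eth_src) != smac:
        return "drop", "src-mac validation failure"
    if "dst-mac" in cfg.validate and pkt.op == "Res" and norm_mac(pkt.eth_dst) != tmac:
        return "drop", "dst-mac validation failure"
    if "ip" in cfg.validate and (_invalid_ip(pkt.sender_ip)
                                 or (pkt.op == "Res" and _invalid_ip(pkt.target_ip))):
        return "drop", "ip validation failure"
    # the ARP access-list is consulted before the DHCP snooping database
    if cfg.acl_permit or cfg.acl_deny:
        if (pkt.sender_ip, smac) in cfg.acl_permit:
            return "permit", "ACL permit"
        if (pkt.sender_ip, smac) in cfg.acl_deny or cfg.acl_static:
            return "drop", "ACL deny"  # with "static" the implicit deny is final
    if (smac, pkt.sender_ip, pkt.vlan) in cfg.bindings:
        return "permit", "DHCP snooping binding"
    return "drop", "no binding (DHCP_SNOOPING_DENY)"


# Constructed from the lesson: host on Fa0/1, attacker on Fa0/2, DHCP router on Fa0/3
HOST_MAC, HOST_IP = "00:1D:A1:8B:36:D0", "192.168.1.1"
DHCP_MAC, DHCP_IP = "0016.c7be.0ec8", "192.168.1.254"
ATTACK_MAC = "0017.5aed.7af0"
BCAST, ZERO = "ffff.ffff.ffff", "0000.0000.0000"
BINDINGS = {(HOST_MAC, HOST_IP, 123)}

ATTACK_REQ = ArpPacket("Req", ATTACK_MAC, BCAST, ATTACK_MAC, HOST_IP, ZERO, DHCP_IP, "Fa0/2", 123)
HOST_REQ = ArpPacket("Req", HOST_MAC, BCAST, HOST_MAC, HOST_IP, ZERO, DHCP_IP, "Fa0/1", 123)
DHCP_REPLY = ArpPacket("Res", DHCP_MAC, HOST_MAC, DHCP_MAC, DHCP_IP, HOST_MAC, HOST_IP, "Fa0/3", 123)


def lesson_stages():
    """Verdict per ingress interface for each configuration the lesson walks through."""
    stages = {
        "bindings_only": DaiConfig(123, BINDINGS),
        "acl": DaiConfig(123, BINDINGS, acl_permit={(DHCP_IP, DHCP_MAC)}),
        "acl_static": DaiConfig(123, BINDINGS, acl_permit={(DHCP_IP, DHCP_MAC)}, acl_static=True),
        "trusted": DaiConfig(123, BINDINGS, trusted={"Fa0/3"}),
    }
    return {name: {p.interface: inspect(p, cfg)[0] for p in (ATTACK_REQ, HOST_REQ, DHCP_REPLY)}
            for name, cfg in stages.items()}
```

Calling lesson_stages() reproduces the lesson: with bindings only, the host's request on Fa0/1 passes while the attacker's request on Fa0/2 and the DHCP router's reply on Fa0/3 are dropped; with the ARP access-list applied the reply passes; with the static keyword even the host's request is dropped, because the bindings are no longer consulted. Building a packet whose ARP body copies the host's binding but whose Ethernet source MAC is the attacker's also shows the gap that src-mac validation closes: it passes the binding check until that validation is enabled.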

Last but not least, we can also configure ARP rate-limiting. By default there is a limit of 15 pps
for ARP traffic on untrusted interfaces, while trusted interfaces are not rate-limited. Here's how
you can change it:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#ip arp inspection limit rate 10

This interface now only allows 10 ARP packets per second. Keep in mind that an interface that
exceeds its limit is put into the err-disabled state, so it stays down until you bounce it or
configure errdisable recovery for the arp-inspection cause. A limit that is too low for a busy
access port turns DAI into a denial of service against your own users.

Conclusion
That's all we have for DAI (Dynamic ARP Inspection). It's a nice security feature, but make sure
that you have ARP access-lists (or trusted interfaces) in place for all devices with static IP
addresses before you enable it. You don't want to block most of your traffic after enabling this.
