ARP poisoning is a layer-2 attack in which the attacker sends spoofed ARP packets onto the network to advertise its own MAC address as the layer-2 address for an IP address that does not belong to the attacker’s host. In this way the attacker gets the devices in the LAN to send Ethernet frames to the attacker instead of to the intended destination. Typically ARP poisoning is used to capture all traffic intended for the default gateway or for another important IP address, such as a server.
StoneGate IPS does not provide any direct protection against this. Technically, to detect it we would need to monitor for changes in the IP/MAC associations. These, however, may sometimes change for good reasons, such as with dynamic routing (an external IP address appears behind a different gateway than before).
The best defense against ARP poisoning is to define static ARP entries, at least for the critical (affected) devices. Stonesoft engines, both firewall and IPS, support the use of static ARP entries for all traffic where one of the end-points is the engine itself. However, to protect the traffic between a server and the default gateway (a gateway that is not StoneGate), there is not much we can do in the IPS.
The only IPS protection that comes to mind is to define the legal MAC addresses and to block all other MACs with the IPS TAC module. This requires the TAC license.
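The two ideas above, watching for IP/MAC association changes and allowing only known MACs, combined with the static-entry idea for critical hosts, as an added illustration. This is not StoneGate or Stonesoft code; the allowlist, the pinned entries and the sample ARP records are constructed for the example.

```python
# Added example (not StoneGate code): a minimal ARP-binding monitor.
# It reports three things per observed sender binding (ip, mac):
#   1. a MAC that is not on the operator-supplied allowlist (the "legal MACs" idea),
#   2. a critical IP answering from a MAC other than its pinned one (static-entry idea),
#   3. any IP whose MAC differs from the one last seen (the generic association change,
#      which can also fire for legitimate reasons such as routing or DHCP changes).
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    allowed_macs: set                 # MACs permitted on this segment (assumption: operator-supplied)
    pinned: dict                      # critical ip -> expected mac (assumption: operator-supplied)
    seen: dict = field(default_factory=dict)   # ip -> mac last observed on the wire

    def observe(self, ip: str, mac: str) -> list:
        """Return the alerts raised by one observed sender IP/MAC binding."""
        mac = mac.lower()
        alerts = []
        if mac not in self.allowed_macs:
            alerts.append(f"unknown MAC {mac} claims {ip}")
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"pinned {ip} expected {expected}, saw {mac}")
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"IP/MAC change for {ip}: {prev} -> {mac}")
        self.seen[ip] = mac
        return alerts


def run(records, allowed, pinned):
    """Feed a sequence of (ip, mac) bindings through the monitor; return all alerts."""
    mon = ArpMonitor({m.lower() for m in allowed}, {ip: m.lower() for ip, m in pinned.items()})
    alerts = []
    for ip, mac in records:
        alerts.extend(mon.observe(ip, mac))
    return alerts


# Constructed sample: the gateway 192.0.2.1 answers twice from its real MAC, then a
# third, unknown host starts claiming the gateway's IP.
SAMPLE = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.10", "00:11:22:33:44:0a"),
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.1", "DE:AD:BE:EF:00:01"),
]
ALLOWED = ["00:11:22:33:44:01", "00:11:22:33:44:0a"]
PINNED = {"192.0.2.1": "00:11:22:33:44:01"}

if __name__ == "__main__":
    for line in run(SAMPLE, ALLOWED, PINNED):
        print(line)
```

Only the last record raises alerts; a non-pinned host that legitimately changes MAC (for example a DHCP lease reused by another allowed host) triggers only the third, informational check, which is the false-positive source the text mentions.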
More information about ARP poisoning can be found on the wiki.