Network_MACIP
This chapter describes how to plan, design, and implement MAC-IP Anti-Spoof protection in SonicOS. This chapter contains the following sections:
• MAC-IP Anti-Spoof Protection Overview
• Configuring MAC-IP Anti-Spoof Protection
MAC-IP Anti-Spoof Protection Overview
MAC and IP address-based attacks are increasingly common in today’s network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. In fact, anywhere internal LANs are somewhat exposed, such as in office conference rooms, schools, or libraries, could provide an opening to these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators with different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.
The effectiveness of the MAC-IP Anti-Spoof feature focuses on two areas. The first is admission control which allows administrators the ability to select which devices gain access to the network. The second area is the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache, and the ARP Cache.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet’s source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:
• DHCP Server-based leases (SonicWALL’s - DHCP Server)
• DHCP relay-based leases (SonicWALL’s - IP Helper)
• Static ARP entries
• User created static entries
The ARP Cache is built through the following subsystems:
• ARP packets; both ARP requests and responses
• Static ARP entries from user-created entries
• MAC-IP Anti-Spoof Cache
The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client’s own MAC address inside its ARP cache.
Configuring MAC-IP Anti-Spoof Protection
This section contains the following subsections:
To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.
To configure settings for a particular interface, click Configure icon for the desired interface.
The Settings window is now displayed for the selected interface. In this window, the following settings can be enabled or disabled by clicking on the corresponding checkbox. Once your setting selections for this interface are complete, click OK. The following options are available:
• Enable: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface
• Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
• DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWALL DHCP server
• DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper. To learn about changes to IP Helper, see Extension to IP Helper.
• ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
• ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client’s machine for every MAC-IP cache entry on the interface. This process helps prevent man-in-the-middle attacks.
• Enforce Anti-Spoof: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.
• Spoof Detection List: Logs all devices that fail to pass Anti-spoof cache and lists them in the Spoof Detected List.
• Allow Management: Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof cache.
Once the settings have been adjusted, the interface’s listing will be updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled.
Note The following interfaces are excluded from the MAC-IP Anti-Spoof list: Non-ethernet interfaces, port-shield member interfaces, Layer 2 bridge pair interfaces, high availability interfaces, and high availability data interfaces.
The MAC-IP Anti-Spoof Cache lists all the devices presently listed as “authorized” to access the network, and all devices marked as “blacklisted” (denied access) from the network. To add a device to the list, click the Add button.
A window is now displayed that allows for manual entry of the IP and MAC addresses for the device. Enter the information in the provided fields. You may also select to approve or blacklist the routing device. Checking the router setting allows all traffic coming from behind this device. Blacklisting the device will cause packets to be blocked from this device, irrespective of its IP address. Once your entries have been made, click OK to return to the main panel.
If you need to edit a static Anti-Spoof cache entry, select the checkbox to the left of the IP address, then click the pencil icon, under the “Configure” column, on the same line.
Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select the “delete checkbox” next to each entry, then click the “Delete” button.
To clear cache statistics, select the desired devices, then click “Clear Stats.”
If you wish to see the most recent available cache information, click the “Refresh” button.
Note Some packet types are bypassed even though the MAC-IP Anti-Spoof feature is enabled: 1) Non-IP packets, 2) DHCP packets with source IP as 0, 3) Packets from a VPN tunnel, 4) Packets with invalid unicast IPs as their source IPs, and 5) Packets from interfaces where the Management status is not enabled under anti-spoof settings.
The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To do this, click the pencil icon, under the “Add” column, for the desired device. An alert message window will open, asking if you wish to add this static entry. Click “OK” to proceed, on “Cancel” to return to the Spoof Detected List.
Entries can be flushed from the list by clicking the “Flush” button. The name of each device can also be resolved using NetBios, by clicking the “Resolve” button.
Users can identify a specific device(s) by using the table “Filter” function.
To identify a device, users must fill in the available field, specifying either the device’s IP address, interface, MAC address, or name. The field must be filled using the appropriate syntax for operators:
|
In order to support leases from the DHCP relay subsystem of IP Helper, the following changes have been made in the IP Helper panel, located at Network > IP Helper:
• As part of the DHCP relay logic, IP Helper learns leases exchanged between clients and the DHCP server, then saves them into flash memory.
• These learned leases are synched to the idle firewall, as part of the IP Helper state sync messages.
MAC and IP address bindings from the leases are transferred into the MAC-IP Anti-Spoof cache.
