Configuring MAC-IP Anti-Spoof

MAC and IP address-based attacks are increasingly common in today’s network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. In fact, anywhere internal LANs are somewhat exposed, such as in office conference rooms, schools, or libraries, could provide an opening to these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators with different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.

The effectiveness of the MAC-IP Anti-Spoof feature focuses on two areas. The first is admission control which allows administrators the ability to select which devices gain access to the network. The second area is the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache, and the ARP Cache.

The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet’s source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:

•	DHCP Server-based leases (SonicWALL’s - DHCP Server)

•	DHCP relay-based leases (SonicWALL’s - IP Helper)

•	Static ARP entries

•	User created static entries

The ARP Cache is built through the following subsystems:

•	ARP packets; both ARP requests and responses

•	Static ARP entries from user-created entries

•	MAC-IP Anti-Spoof Cache

The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client’s own MAC address inside its ARP cache.

The following sections describe how to configure MAC-IP Anti-Spoof:

•	Interface Settings

•	Anti-Spoof Cache

•	Spoof Detect List

Interface Settings

To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.

To configure settings for a particular interface, click the pencil icon in the Configure column for the desired interface. The Settings window is displayed for the selected interface.

In this window, the following settings can be enabled or disabled by clicking on the corresponding check box. After your setting selections for this interface are complete, click OK. The following options are available:

•	Enable: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface

•	Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries

•	DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWALL DHCP server

•	DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper

•

ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.

•	ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client’s machine for every MAC-IP cache entry on the interface. This process helps prevent man-in-the-middle attacks.

•	Enforce: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.

•	Spoof Detection: Logs all devices that fail to pass Anti-spoof cache and lists them in the Spoof Detected List.

•	Allow Management: Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof cache.

After the settings have been adjusted, the interface’s listing is updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled.

NOTE: The following interfaces are excluded from the MAC-IP Anti-Spoof list: Non-ethernet interfaces, port-shield member interfaces, Layer 2 bridge pair interfaces, high availability interfaces, and high availability data interfaces.

Anti-Spoof Cache

The MAC-IP Anti-Spoof Cache lists all the devices presently listed as “authorized” to access the network, and all devices marked as “blacklisted” (denied access) from the network. To add a device to the list, complete the following tasks:

1	Click Add Anti-Spoof Cache.

 

2	Enter the IP address for the device.

3	Enter the MAC addresses for the device. Enter the information in the provided fields.

4	Check the a router setting to allow traffic coming from behind this device.

5	Check the a blacklisted device setting to block packets from this device, irrespective of its IP address.

6

Click OK.

If you need to edit a static Anti-Spoof cache entry, click the pencil icon, under the Configure column, on the same line.

Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select the “delete check box” next to each entry, then click Delete Anti-Spoof Cache(s).

To clear cache statistics, select the desired devices, then click Clear Stats.

Some packet types are bypassed even though the MAC-IP Anti-Spoof feature is enabled: 1) Non-IP packets, 2) DHCP packets with source IP as 0, 3) Packets from a VPN tunnel, 4) Packets with invalid unicast IPs as their source IPs, and 5) Packets from interfaces where the Management status is not enabled under anti-spoof settings.

The Anti-Spoof Cache Search section provides the ability to search the entries in the cache.

To search the MAC-IP Anti-Spoof Cache, complete the following steps:

7	In the search pull-down menu, select whether you want to search by IP address or Interface.

8	Select what type of search: Equals, Starts with, Ends with, or Contains.

9	Enter a search string in the text box.

10	Click Search. Matching entries in the MAC-IP Anti-Spoof cache are displayed.

Spoof Detect List

NOTE: Spoof Detected List display is available only at the Unit level.

The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To view the Spoof Detect List, click the Request Spoof Detected List from Firewall link.

To add an entry to the static anti-spoof list, click on the pencil icon under the “Add” column for the desired device. An alert message window opens, asking if you wish to add this static entry. Click OK to proceed.

Entries can be flushed from the list by clicking Flush. The name of each device can also be resolved using NetBios, by clicking Resolve.