topic Re: ARP spoofing solution in Panorama Discussions

ARP spoofing solution

ParkerFoster — Tue, 07 Mar 2023 01:03:43 GMT

Looking for a solution for ARP spoofing within a network to protect against MiM attacks. Our security team has asked us to implement such a solution after performing successful MiM ARP spoofing within a segment, simulating a compromised host.

All network segments in the data center use the PA as the gateway. The switch VLAN's are L2 only. If the switches were L3 VLANs I could look at Dynamic ARP inspection and DHCP snooping.

I've started looking at PA zone protection but uncertain if it would work and specifically what I need to configure.

Any ideas / links / experience?

Re: ARP spoofing solution

TomYoung — Mon, 10 Apr 2023 19:46:41 GMT

Hi @ParkerFoster ,

You don't need L3 switches to do DAI and DHCP Snooping. They can be configured on L2 switches. It works like this:

Configure DHCP Snooping and Dynamic ARP Inspection (DAI) on your VLANs.
Configure your trusted port to the DHCP server.
Configure static entries for your static IP addresses or change them to DHCP.

The switch will build the DHCP Snooping binding table. Any ARP response that does not match the IP-MAC pair in the table is dropped.

Thanks,

Tom

Re: ARP spoofing solution

ParkerFoster — Mon, 10 Apr 2023 18:02:53 GMT

Thanks Tom, sorry for the delayed response and thanks for your response. Two factors affecting this as a workable / scalable solution are 1) we don't use DHCP in our data centers and 2) using static MAC tables simply isn't scalable for the data center. I'm hoping Palo Zome Protection, and specifically strict IP check in Packet Protection will help.

Re: ARP spoofing solution

TomYoung — Mon, 10 Apr 2023 20:04:41 GMT

Hi @ParkerFoster ,

Strict IP Address Check under the Zone Protection Profile is a more strict version of Spoofed IP Address. Click on the ? in the upper right to see the details. Those options correspond to uRPF and Strict uRPF in the general sense.

The NGFW does not mitigate ARP spoofing. That should be done on a switch so that it can protect all devices connected to the switch.

With regard to scalability, someone manually configures the IP address of every device. You could add an extra step to configure the MAC table, or consider moving everything to DHCP.

Thanks,

Tom

Re: ARP spoofing solution

ParkerFoster — Mon, 10 Apr 2023 21:35:19 GMT

Hey Tom, thanks so much for your input. One concern I have is the switch doesn't have a L3 SVI, it is L2 only. I know you said it works on L2 switch VLAN interfaces but I don't understand how a switch can enforce ARP restrictions when it sees no ARP for the VLAN.

I was thinking more about this, and if it does work, my primary concern is to protect the gateway itself, so perhaps this is do-able without worrying about scaling. Example:

arp access-list Vlan84-Gateway-Protect
permit ip host 10.100.84.1 mac host xxx.xxx.xxx.xxx !! assign static entry for Palo FW gateway only !!
deny ip host 10.100.84.1 mac any !! deny anyone else from gateway MAC !!
permit ip any mac any !! permit all others !!