ARP spoofing solution

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ARP spoofing solution

L1 Bithead

Looking for a solution for ARP spoofing within a network to protect against MiM attacks. Our security team has asked us to implement such a solution after performing successful MiM ARP spoofing within a segment, simulating a compromised host. 

All network segments in the data center use the PA as the gateway. The switch VLAN's are L2 only. If the switches were L3 VLANs I could look at Dynamic ARP inspection and DHCP snooping.

 

I've started looking at PA zone protection but uncertain if it would work and specifically what I need to configure. 

 

Any ideas / links / experience?

4 REPLIES 4

Cyber Elite
Cyber Elite

Hi @ParkerFoster ,

 

You don't need L3 switches to do DAI and DHCP Snooping.  They can be configured on L2 switches.  It works like this:

 

  1. Configure DHCP Snooping and Dynamic ARP Inspection (DAI) on your VLANs.
  2. Configure your trusted port to the DHCP server.
  3. Configure static entries for your static IP addresses or change them to DHCP.

The switch will build the DHCP Snooping binding table.  Any ARP response that does not match the IP-MAC pair in the table is dropped.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks Tom, sorry for the delayed response and thanks for your response. Two factors affecting this as a workable / scalable solution are 1) we don't use DHCP in our data centers and 2) using static MAC tables simply isn't scalable for the data center. I'm hoping Palo Zome Protection, and specifically strict IP check in Packet Protection will help.

Cyber Elite
Cyber Elite

Hi @ParkerFoster ,

 

Strict IP Address Check under the Zone Protection Profile is a more strict version of Spoofed IP Address.  Click on the ? in the upper right to see the details.  Those options correspond to uRPF and Strict uRPF in the general sense.

 

The NGFW does not mitigate ARP spoofing.  That should be done on a switch so that it can protect all devices connected to the switch.

 

With regard to scalability, someone manually configures the IP address of every device.  You could add an extra step to configure the MAC table, or consider moving everything to DHCP.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hey Tom, thanks so much for your input. One concern I have is the switch doesn't have a L3 SVI, it is L2 only. I know you said it works on L2 switch VLAN interfaces but I don't understand how a switch can enforce ARP restrictions when it sees no ARP for the VLAN.

 

I was thinking more about this, and if it does work, my primary concern is to protect the gateway itself, so perhaps this is do-able without worrying about scaling. Example:

 

arp access-list Vlan84-Gateway-Protect
permit ip host 10.100.84.1 mac host xxx.xxx.xxx.xxx     !! assign static entry for Palo FW gateway only !!
deny ip host 10.100.84.1 mac any                                  !! deny anyone else from gateway MAC !!
permit ip any mac any                                                     !! permit all others !!

  • 3351 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!