
A program that could filter ARP packets - that powerful?

frinkofox

Member
Do you know of a program or firewall that could filter ARP packets?
For Win2k or Linux RedHat.


I went through a lot of today's firewalls, but none of them turned out
to be capable of filtering ARP packets.
Help ..... please ......
Thanks
 
I'm still learning about networking, but won't filtering ARP requests disable functions like DHCP?
 
Originally posted by: frinkofox
Do you know of a program or firewall that could filter ARP packets?
For Win2k or Linux RedHat.


I went through a lot of today's firewalls, but none of them turned out
to be capable of filtering ARP packets.
Help ..... please ......
Thanks

ARP who-has/is-at's are not 'packets'. IP data = packets. To prevent ARP spoofing, set static MAC addresses on your switches for each port and/or enable port security and lock each host port down to 1 source MAC. If your switch doesn't support either, then you're out of luck.
 

-----------------------------------------------------------------------------------

ARP who-has/is-at's are not 'packets'. IP data = packets. To prevent ARP spoofing, set static MAC addresses on your switches for each port and/or enable port security and lock each host port down to 1 source MAC. If your switch doesn't support either, then you're out of luck.

-----------------------------------------------------------------------------------

This could not be the only thing that one could do to prevent ARP spoofing.
 
ARP traffic occurs at layer 2 on an Ethernet network. Firewalls are only concerned with layers 3/4; they are not meant to 'filter' ARP. I noticed that in your other post about sniffers you say your network is just a bunch of hubs. You won't be able to prevent sniffing/MAC address flooding/whatever with that equipment. Find the machines that you think are malicious and lock them down.
 
Even with static ARP entries on the boxes, someone can still cause trouble. An attacker could unplug the targeted machine, spoof the MAC/IP of the downed machine to his PC and run the same services, capture passwords, etc. The hub should be put out of its misery.
 
Originally posted by: alrox
Even with static ARP entries on the boxes, someone can still cause trouble. An attacker could unplug the targeted machine, spoof the MAC/IP of the downed machine to his PC and run the same services, capture passwords, etc. The hub should be put out of its misery.

Physical security comes into play there. Someone should not be able to walk up to the server.
 
Unless your devices go through a separate filter device (somewhat like a specifically made customizable bridge) before talking to any other computer or other networking device on your network, there is no way to eliminate or filter ARP the way you are trying to.

Even then, as you mentioned, someone could still take down a legitimate PC and use its port to act as it.

You are trying to do the impossible and are going to end up wasting time.

Lock down your security and use Intrusion Detection type devices to detect, not prevent, these types of attacks.

That's the best you can do besides encrypting every single bit of data going across the network.
 
Right now I am very low on financial resources, so I will be changing the hubs
some other time.
I think I'll run an ARP-filtering program on every station on the
network as a daemon (sp?) to prevent ARP spoofing.
I think that should do the trick.

What do you think?


BUT has anyone heard of an ARP-filtering program? This is the question.


 
Because of the nature of ARP, there is no guarantee that when a machine issues an ARP 'who-has' for an IP, the machine you want will reply with an 'is-at'. Whichever machine responds to the query first will have that answer placed in the machine's ARP cache. A filter can not help you. Switches are supposed to fix some of the problems with this, but hubs are open to all kinds of attacks. If you had a really malicious user on your network, for instance, he could flood the LAN with thousands of ARP is-at's, and since they would be repeated to every port, it would cripple your network until they stopped or you disconnected him.
 
. A filter can not help you.

Hey alrox, I think you are wrong.
An ARP filter should help!

 
Frinkofox,

I think it's time you moved to a switched network. The kinds of questions you're asking are all answered by a switch with some kind of intelligence and security features.
 
Originally posted by: frinkofox
. A filter can not help you.

Hey alrox, I think you are wrong.
An ARP filter should help!

Static ARP entries on each machine, limit the MAC addresses at the switch, keep all machines in locked rooms with very limited access. Run arpwatch to keep an eye out for unrecognized MAC addresses. Use authpf to further restrict network usage and authenticate users. No need for an "ARP filter" even if there was such a thing.
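To make concrete what several posts above say (ARP lives directly inside the Ethernet frame with no IP header for a layer 3/4 firewall to inspect; whoever answers a who-has first wins the cache entry; and the practical answer is to watch for changes the way arpwatch does), here is an added example written for this thread, not code from arpwatch or from any poster. It parses raw Ethernet/ARP frames and runs a small arpwatch-style monitor over constructed sample traffic: it reports when an IP's is-at binding changes, and when the rate of is-at replies exceeds a threshold. All MAC and IP addresses, the threshold and the window are made-up values for the demo.

```python
import struct
from collections import deque

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1   # "who has"
ARP_REPLY = 2     # "is at"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame; return a dict for ARP-over-IPv4, else None.

    ARP follows the 14-byte Ethernet header directly (ethertype 0x0806).
    There is no IP header at all, which is why a layer 3/4 firewall never
    sees these frames.
    """
    if len(frame) < 14 + 28:
        return None
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"op": oper, "eth_src": mac_str(eth_src),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Build a 42-byte Ethernet/ARP frame (constructed test input only)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    dst = bytes.fromhex((eth_dst or target_mac).replace(":", ""))
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


class ArpMonitor:
    """arpwatch-style passive monitor: detect, not prevent."""

    def __init__(self, flood_threshold=20, window=1.0):
        self.bindings = {}            # ip -> MAC first seen claiming it
        self.replies = deque()        # timestamps of recent is-at frames
        self.flood_threshold = flood_threshold
        self.window = window

    def observe(self, frame, ts):
        arp = parse_arp_frame(frame)
        alerts = []
        if arp is None or arp["op"] != ARP_REPLY:
            return alerts
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alerts.append(f"ethernet/arp sender mismatch for {ip}: {arp['eth_src']} vs {mac}")
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac   # first claim wins, as in a real ARP cache
        elif known != mac:
            alerts.append(f"changed ethernet address: {ip} was {known}, now {mac}")
        # Sliding-window count of is-at frames to spot a reply flood.
        self.replies.append(ts)
        while self.replies and ts - self.replies[0] > self.window:
            self.replies.popleft()
        if len(self.replies) == self.flood_threshold + 1:
            alerts.append(f"is-at flood: >{self.flood_threshold} replies in {self.window}s")
        return alerts


# Constructed demo traffic (hypothetical addresses).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_IP, HOST_MAC = "192.168.1.20", "00:aa:bb:cc:dd:ee"
ROGUE_MAC = "de:ad:be:ef:00:01"


def run_demo():
    mon = ArpMonitor(flood_threshold=20, window=1.0)
    frames = [
        (0.00, build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00",
                         GATEWAY_IP, eth_dst="ff:ff:ff:ff:ff:ff")),
        (0.01, build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),
        # A second is-at for the same IP from a different MAC.
        (0.02, build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),
    ]
    # A burst of 30 is-at's inside one second, as described for a hub network.
    for i in range(30):
        frames.append((5.0 + i * 0.01, build_arp(ARP_REPLY, ROGUE_MAC,
                       f"192.168.1.{100 + i}", HOST_MAC, HOST_IP)))
    alerts = []
    for ts, frame in frames:
        alerts.extend(mon.observe(frame, ts))
    return mon, alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

Running it prints one "changed ethernet address" line for the gateway IP and one "is-at flood" line; a plain IPv4 frame (ethertype 0x0800) is ignored by the parser, which is the layer distinction the thread is about. A real deployment would read frames from a promiscuous interface and log rather than print, and would also record flip-flops back to the original MAC, which this demo omits.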
 
Originally posted by: alrox
ARP traffic occurs at layer 2 on an Ethernet network. Firewalls are only concerned with layers 3/4; they are not meant to 'filter' ARP. I noticed that in your other post about sniffers you say your network is just a bunch of hubs. You won't be able to prevent sniffing/MAC address flooding/whatever with that equipment. Find the machines that you think are malicious and lock them down.

Just for clarification's sake, not all firewalls are limited to L3+. There are a variety that can operate in "stealth mode" and act as a bridge, but filter at L3+. I believe Checkpoint can do this, as does Sun's SunScreen product. Very cool feature: if your firewall doesn't have an IP, it's pretty hard to break into!

- G

 
Wow, never knew a program like authpf existed. I suppose I should keep up to date on OpenBSD; might be time to ditch the home FreeBSD router for OpenBSD+pf.

Garion - FreeBSD/OpenBSD have support for this as well; they call it a filtering bridge. OpenBSD even supports spanning tree and dot1q, a very economical solution for a big-time router.
 