
If I had 2 networks, one with a router and clients connected to it, and the other with clients connected to a switch and this switch connected to a router, which one would be more secure in terms of ARP spoofing?

I believe that since a switch is a layer 2 device and doesn't understand IP addresses, it won't maintain an ARP table and hence an ARP poisoning attack isn't possible on it.

But I wonder if the router would maintain an ARP table or not. And if not, how would the "router-switch" combo decide which machine a packet arriving from the Internet should be delivered to?

7_R3X

3 Answers

2

1.) A router needs to maintain an ARP table.

Every device that wants to transmit to another directly connected device based on the network layer address needs to translate it into the link layer address. A router would either have to route the packet to another router (in this case it needs to look up the link layer address of the other router) or to a device in a network directly connected to itself (in this case it has to look up the link layer address of the device). Since the router receives a packet with a network layer address of a device in a network directly connected to it, it would look up the link layer address in the ARP table and forward the packet accordingly (in your scenarios either directly or via the switch).

2.) A switch may maintain an ARP table.

This depends on whether the switch operates on the link layer or on the network layer. If it operates solely on the link layer it only knows about link layer addresses. It would just remember which link layer address is connected to which of its ports and forward the packets accordingly.

3.) Routing of packets arriving from the Internet via a router-switch combo

Packets arriving from the Internet via your router-switch combo would first arrive at the router, which would know that the packet is destined for a device connected to your switch (or more precisely for a device located somewhere in the network segment connected to the port of the router to which your switch is connected). It knows this since the network layer address of the destination is listed in its ARP table. When the packet arrives at the switch, it would know on which of its ports the device for which the packet is destined is connected. It does so by looking up to which port the device with the link layer address of the destination is connected.

4.) ARP spoofing

Finally, ARP spoofing is done by impersonating someone: making others believe that the network address of your target should be mapped to your link layer address instead of the target's link layer address, i.e. manipulating the ARP tables of other devices. In both of your scenarios ARP spoofing on the local network is possible. This is due to the fact that one can manipulate the ARP tables on the devices connected to the switch / router. The switch / router would then receive the packets already with the wrong link layer address set and only forward them to you instead of the intended destination.

Hacktiker
1

A simple and very adaptive method for securing the network from unauthorized access is switch port security. To disable or shut down the unused switch ports, navigate to each unused port and issue the shutdown command. If the port is to be reactivated, it can be enabled with the no shutdown command. It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command. You can check how it works here.

Switch(config)# interface range type module/first-number – last-number

Although the process of enabling and disabling is time consuming, it enhances the security of the network.

hamza arif
0

There are some security mechanisms against ARP spoofing. At device level, you have software for Windows/Linux/Android. For example "arp guard" for Android or "arptables" for Linux, etc. At switch level, there are some advanced switches (Cisco) which have a feature called "port security", but this kind of switch is more expensive. You can check how it works here.

If your switch is a standard layer 2 (data-link) switch of the OSI model, it doesn't understand IPs, true, and it's not going to have an IP of its own because it is not a configurable switch, so it can't be ARP poisoned as a direct victim. But all switches have a cache memory to store ARP MACs. They memorize which ports have which ARP addresses... so a victim can be ARP-poisoned through it because it doesn't care.

It only takes the packets, looks at the ARP destination address and then launches them only through that port, to avoid the "old hub behaviour" in which all packets travel through all ports, causing a lot of collisions and letting hackers sniff the whole network from any port.

Anyway, there are more kinds of attacks that can be done to switches. If your switch is Cisco and has a fixed-size dynamic Content Addressable Memory (CAM) table, it can be attacked in another way: MAC flooding. The CAM table stores information such as the MAC addresses available on physical ports with their associated VLAN parameters. Hackers can use some tools (like macof) to create requests with randomly generated MACs to fill the whole table, because what happens when the CAM table is full? It enters fail-open mode. In this state, the switch changes its behavior and starts to broadcast every packet to every port, acting as an old hub. Nice for sniffing.

Of course, you can also try to detect this by configuring SNMP traps on switches to have alerts and that kind of stuff.

OscarAkaElvis
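As an added example (not code from any of the answers above), a small Python detector for the two behaviours the answers describe: the ARP table poisoning of the first answer, seen on the wire as an IP whose sender MAC changes, and the CAM table flooding of the last answer, seen as one port presenting many distinct source MACs. The record shape, the per-port threshold and the sample traffic are constructed assumptions.

```python
"""Added example, not from any of the answers: an offline detector for the two
switch-level behaviours described above.  Each record is a constructed tuple
(timestamp, switch_port, src_mac, arp_sender_ip) as a monitoring probe on a
mirror port might extract from ARP traffic.  It flags:
  * arp_spoof : an IP whose sender MAC differs from the one first learned
                (the first answer's poisoned ARP table, seen from the wire);
  * mac_flood : a port presenting more distinct source MACs than an access
                port should (the last answer's CAM table filling up)."""
from collections import defaultdict

MAX_MACS_PER_PORT = 5  # assumed threshold; tune per port role (uplinks see more)


def analyze(records):
    ip_to_mac = {}                    # first-seen binding, like a host's ARP cache
    macs_per_port = defaultdict(set)  # what a switch's CAM table learns per port
    alerts = []
    for ts, port, mac, ip in records:
        macs_per_port[port].add(mac)
        if len(macs_per_port[port]) == MAX_MACS_PER_PORT + 1:
            # fire once, when the port first crosses the threshold
            alerts.append((ts, "mac_flood", port))
        if ip is None:                # frame carried no ARP sender binding
            continue
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append((ts, "arp_spoof", f"{ip} moved {known} -> {mac} on {port}"))
    return alerts


# Constructed sample traffic: a gateway, one client, a third host claiming the
# gateway's IP, then a burst of random MACs on a single port.
SAMPLE = [
    (1, "Gi0/1", "aa:aa:aa:00:00:01", "192.168.1.1"),
    (2, "Gi0/2", "bb:bb:bb:00:00:02", "192.168.1.10"),
    (3, "Gi0/3", "cc:cc:cc:00:00:03", "192.168.1.1"),
] + [(10 + i, "Gi0/4", f"dd:dd:dd:00:00:{i:02x}", None) for i in range(6)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```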