
I am a network administrator in a company. I read this article: eject any wifi device from network with android

Some of the employees are using mobile phones on the company's wireless network. These employees are not related to IT, so they use WiFi for browsing the web. (I cannot give them the WiFi password, but some employees need WiFi for work.) Of course, they can plug a laptop into any available wired socket (yes, I can unplug unused sockets in the server room).

How can I protect my local network from ARP spoofing? I don't want to make a static ARP table. I read the Wikipedia article ARP_spoofing

Is there a way that I can set up some software on our Linux server and protect the whole network, or do I need to make some configuration on each computer? Also, we are using a VPN (OpenVPN), if that matters.

Can I drop ARP requests in the WiFi routers? Or are they required for DHCP to work? DHCP requests from the WiFi routers are forwarded to the Linux server.

One thing with WiFi is that maybe I need to isolate the public WiFi in a VLAN? For that I need a WiFi router that supports VLANs, and also a switch that supports VLANs, and our Linux firewall's network card must support VLANs too, right?

And if I prevent ARP spoofing, is a MITM attack then possible?

Guntis
  • Yes, if you have a public Wifi network that is accessible to the public (e.g., to guests, visitors, and other members of the public, rather than just employees), you should *definitely* isolate it. I recommend a separate SSID, a separate network, and a firewall. – D.W. Sep 16 '12 at 04:47

3 Answers


I suggest you research the latest Cisco APs. I believe these devices are able to isolate each wireless client from the others and from the network. All client traffic is routed instead of switched.

You can then set up ACLs to keep WiFi-attached clients from reaching anything they should not have access to.

Also, most enterprise-grade switches support anti-ARP-spoofing. Ports can be configured to allow no more than one MAC address. Alternately, MAC addresses can be limited to DHCP-assigned values (dynamic ARP). Virtual server ports and ports for cross-connects to other network devices would not get the restrictive policy.

If you're feeling seriously paranoid, you might look into configuring IPsec between all the critical systems on the LAN using X.509 certificate authentication. This prevents all forms of traffic sniffing and MITM attacks. Be sure to set up a CRL (certificate revocation list) so that if any one system is compromised, or simply goes end-of-life and is discarded, its certificate can be revoked and never used to communicate on the LAN again.

One caveat: If one of the critical systems becomes compromised by a hacker, the hacker will be on the "inside" and can still do all the bad things that hackers do.

Starlight

You can't protect a layer-2 network from ARP spoofing. And a single wireless AP consists of a single wireless layer-2 network.

I do not know if your wireless AP acts as a bridge (which would propagate the "original" MAC address used by the client wireless card) or a router (which would retransmit using the AP's MAC address). If it's in router mode, then your wired clients are already protected against ARP spoofing by wireless clients. If it's in bridge mode, and an attacker knows the MAC address of a wired LAN user, then they can knock it off the network.

You can't drop ARP requests without breaking your network. It wouldn't help, anyway, because any packet transmitted with a duplicated MAC address is enough to cause problems.

As for isolating your WiFi, that's easy. Stick a router in between the AP and the rest of the wired network. You could plug it into a physical LAN or a VLAN; you don't need to muck with VLAN tagging and card support, it's just plain old layer 3 networking.

gowenfawr

ARP spoofing is a layer 2 attack, so using security measures that harden layer 2 will be the better option to protect against ARP spoofing attacks.

I would recommend you to use iptables and use the following commands to bind the MAC address to the IP address of each device:

# Replace XX:XX:XX:XX:XX:XX with the client's real six-octet MAC and
# 192.168.112.115 with the address leased to it; repeat the two rules per device.
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source XX:XX:XX:XX:XX:XX -s 192.168.112.115/32 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp -m mac --mac-source XX:XX:XX:XX:XX:XX -s 192.168.112.115/32 -d 0.0.0.0/0 -j MASQUERADE

# Catch-all after the per-device ACCEPT rules: anything not matched above is dropped.
iptables -t nat -A PREROUTING -j DROP

Prabesh Thapa
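As an added example (not code from the question or from any of the three answers above), here is what the "dynamic ARP" feature Starlight mentions and the per-device MAC/IP binding in the last answer amount to, written as a small Python inspector of the kind the question asks about running on the Linux server: it learns IP-to-MAC bindings from the DHCP leases the server hands out, parses raw Ethernet/ARP frames, and drops any ARP frame whose sender IP/MAC pair does not match a lease. The raw-socket capture that would feed it real frames is left out so the block runs offline; all MACs, IPs and frames are constructed sample data, and the gateway, victim and attacker names are assumptions for the demo.

```python
"""
Dynamic-ARP-inspection style checker (added example, not from this page).
Models what a managed switch's DHCP snooping + dynamic ARP inspection does,
and what a Linux box bridging the Wi-Fi segment could do with a packet socket:
  1. learn IP -> MAC bindings from the DHCP ACKs the server sends,
  2. parse each Ethernet II + ARP (RFC 826) frame,
  3. drop ARP frames whose sender IP/MAC pair is not a known binding.
All addresses and frames below are constructed sample data.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Build an Ethernet II + ARP frame. A well-behaved stack uses the ARP sender
    MAC as the Ethernet source; eth_src lets the demo forge a mismatch."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet/IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return (op, eth_src, sender_mac, sender_ip, target_ip), or None if the
    frame is not a well-formed IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42:                                        # 14 Ethernet + 28 ARP
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(frame[6:12]), mac_str(frame[22:28]), ip_str(frame[28:32]), ip_str(frame[38:42])


class ArpInspector:
    """Drop ARP frames that disagree with the DHCP-derived binding table."""

    def __init__(self):
        self.bindings = {}   # ip -> mac, as leased by the DHCP server
        self.alerts = []

    def learn_lease(self, client_mac: str, yiaddr: str):
        """Call when the DHCP server ACKs a lease (chaddr and yiaddr of the ACK)."""
        self.bindings[yiaddr] = client_mac.lower()

    def inspect(self, frame: bytes) -> str:
        arp = parse_arp_frame(frame)
        if arp is None:
            return "forward"     # not ARP: DHCP and other IP traffic is untouched
        op, eth_src, sender_mac, sender_ip, target_ip = arp
        if eth_src != sender_mac:
            self.alerts.append(f"eth src {eth_src} != ARP sender {sender_mac} claiming {sender_ip}")
            return "drop"
        bound = self.bindings.get(sender_ip)
        if bound is None:
            self.alerts.append(f"no lease for {sender_ip} (from {sender_mac})")
            return "drop"
        if bound != sender_mac:
            self.alerts.append(f"{sender_mac} claims {sender_ip}, leased to {bound}")
            return "drop"
        return "forward"


def demo():
    """Constructed scenario: gateway, victim, and an attacker poisoning the victim."""
    gw_ip, gw_mac = "192.168.112.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.112.115", "00:11:22:33:44:02"
    attacker_mac = "de:ad:be:ef:00:99"
    dai = ArpInspector()
    dai.learn_lease(gw_mac, gw_ip)           # gateway: static entry or its own lease
    dai.learn_lease(victim_mac, victim_ip)   # from the DHCP ACK sent to the victim
    frames = {
        "legit reply":    build_arp_frame(ARP_REPLY, victim_mac, victim_ip, gw_mac, gw_ip),
        "poison gateway": build_arp_frame(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),
        "eth src forged": build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip, eth_src=attacker_mac),
        "no lease":       build_arp_frame(ARP_REQUEST, attacker_mac, "192.168.112.200", "00:00:00:00:00:00", gw_ip),
        "mac cloned":     build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
    }
    return {name: dai.inspect(f) for name, f in frames.items()}, dai.alerts
```

The last case in the demo is the caveat gowenfawr raises: an attacker who clones the gateway's MAC outright produces a frame that is indistinguishable from the real one at this layer, so binding checks alone do not stop a duplicated MAC. That is what the one-MAC-per-port restriction in Starlight's answer is for, and why the wireless clients should sit behind a router or on their own VLAN rather than bridged into the wired segment.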