
I'm trying to protect my LAN (University campus) against ARP attacks using netcut.

I have 100 APs connected to my CISCO 2680. I used 8 VLANs and all of VLAN ports are connected to one gateway provided from a loadbalancer.

Even with this, I can detect some attackers.

Is there any solution to protect my LAN apart from using VLANs in my L2?

Soon I'll use WatchGuard as a firewall. Can this one deal with this kind of attack?

schroeder
user220636

2 Answers


Layer2 attacks are difficult but the fix for them has existed for some years now: 802.1X. In a nutshell, it's asymmetric (certificate-based) authentication for all of your devices.

So even if an attacker plugs into your network, each device is authenticated from the certificate that's been pre-applied to it. So if an attacker on the network plugs in a rogue device but does not have a certificate, the port will never become active to allow the rogue connection to start performing any Layer2+ attacks on your University network.

The limiting factors are the need for a PKI architecture and devices that accept x509 certificates and understand (and can use) 802.1X. If you don't already have a secure PKI architecture, this will be a rather monumental undertaking to do correctly.

Edit: To specifically address netcut, apparently there is a free tool that will work against it: https://arcai.com/netcut-defender/ -- I'm not making any claims on its effectiveness but if you don't want to fix the problem properly (802.1x), you're going to have to resort to something like this.

thepip3r
  • 802.1X can be very difficult in a uni setting where you have no control over the devices that connect. – schroeder Oct 28 '19 at 17:03
  • @schroeder -- I don't disagree but this is a risk decision either controlled-by or accepted-by the organization. If you run an ad-hoc network with lax security controls, you can't account for every type of attack. ARP has no built-in security--just like TCP/IP. They're meant to facilitate communication, not prevent it. IMO, if that's his university's stance, that's analogous to wanting to only let people with green shirts on through the revolving door. Edit: what's stopping them from having a process during enrollment to 'enroll' their laptop device? – thepip3r Oct 28 '19 at 18:21
  • As someone who secures uni networks for a living: this isn't a "choice" per se. It's a reality. Imagine trying to enroll 5,000 personal devices of varying functionality, every new term, for 18 yr-olds .... And add to that visiting lecturers, researchers, etc. You end up trying to set up a hybrid of an open public wifi with the added responsibility of establishing *some* sort of security to protect your "customers". – schroeder Oct 28 '19 at 19:48
  • If I were to answer (and I don't have answers to my clarifying questions, so I'm not), I'd just say that *preventing* ARP spoofing on the student wifi is not reasonable. Given the scale of the situation and the lack of control over the devices, there is a "best effort" approach and you hunt down the worst offenders after you detect the attacks. – schroeder Oct 28 '19 at 19:51
  • Most enterprise 802.1X solutions have an enrollment portal for BYOD users. And there's vendor-agnostic portals like Aruba, so there's likely a solution available even if the university is using lesser-known gear. – DoubleD Oct 28 '19 at 21:54

Software used to protect against ARP spoofing like XArp can help detect if you are being attacked by ARP spoofing. Nonetheless, that's just the first step to ARP spoofing protection. In addition to using the right software, you should take into account a strong monitoring tool or service. Software that detects ARP spoofing usually relies on some system of certification or cross-checking of ARP responses. Uncertified ARP responses are then restricted.

zucc0nit
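The "cross-checking of ARP responses" the second answer mentions, and the "detect, then hunt down the offenders" approach from schroeder's comment, amount to an arpwatch-style monitor. The following is an added illustration (not code from either answer, from XArp or from netcut-defender): it keeps a per-VLAN table of which MAC last answered for each IP, raises a high-severity alert when the gateway's MAC changes, a medium one for any other host, and a second alert when one MAC starts claiming several IPs. The ARP records, VLAN numbers, addresses and the threshold of 3 are constructed for the example; on a real network the records would come from a packet capture or the switches' ARP logs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    vlan: int
    sender_ip: str
    sender_mac: str


class ArpMonitor:
    """Cross-check ARP replies per VLAN and flag IP-to-MAC changes (arpwatch-style)."""

    def __init__(self, gateways, max_ips_per_mac=3):
        self.gateways = gateways                    # {vlan: gateway_ip}, assumed known
        self.max_ips_per_mac = max_ips_per_mac      # constructed threshold
        self.ip_to_mac = defaultdict(dict)          # vlan -> {ip: mac}
        self.mac_to_ips = defaultdict(lambda: defaultdict(set))  # vlan -> {mac: {ips}}
        self.alerts = []

    def observe(self, r):
        """Record one reply; return the alerts it triggered (possibly none)."""
        found = []
        table = self.ip_to_mac[r.vlan]
        known = table.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            is_gw = self.gateways.get(r.vlan) == r.sender_ip
            found.append({"kind": "mac-changed", "severity": "high" if is_gw else "medium",
                          "vlan": r.vlan, "ip": r.sender_ip, "old": known, "new": r.sender_mac})
        table[r.sender_ip] = r.sender_mac   # a later legitimate reply alerts again (flip-flop)
        claimed = self.mac_to_ips[r.vlan][r.sender_mac]
        claimed.add(r.sender_ip)
        if len(claimed) == self.max_ips_per_mac:   # fire once, as the threshold is crossed
            found.append({"kind": "many-ips", "severity": "high", "vlan": r.vlan,
                          "mac": r.sender_mac, "ips": sorted(claimed)})
        self.alerts.extend(found)
        return found


SAMPLE = [  # constructed traffic: learning phase, then one MAC answering for several IPs
    ArpReply(10, "10.10.0.1", "00:11:22:33:44:01"),   # legitimate gateway
    ArpReply(10, "10.10.0.5", "00:11:22:33:44:05"),
    ArpReply(10, "10.10.0.6", "00:11:22:33:44:06"),
    ArpReply(10, "10.10.0.1", "de:ad:be:ef:00:01"),   # gateway IP "moves" to a new MAC
    ArpReply(10, "10.10.0.5", "de:ad:be:ef:00:01"),
    ArpReply(10, "10.10.0.6", "de:ad:be:ef:00:01"),   # third IP from the same MAC
    ArpReply(20, "10.20.0.1", "de:ad:be:ef:00:01"),   # other VLAN, first sighting: no alert
]


def run(records=SAMPLE):
    mon = ArpMonitor({10: "10.10.0.1", 20: "10.20.0.1"})
    for r in records:
        for a in mon.observe(r):
            print(f"ALERT vlan={a['vlan']} {a['kind']} ({a['severity']}): {a}")
    return mon.alerts
```

Run on the sample it prints four alerts; in practice the alert stream is what lets you find the offending port or MAC on the switch, which is the "best effort" detection the comments describe.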