First up we have PC1, and it is pointing to a default gateway of 10.1.1.1, probably learned via DHCP.
It has also learned via ARP (the Address Resolution Protocol) that 10.1.1.1 has a MAC address of DDDD.DDDD.DDDD (all D's, chosen to make it easier to visualize). When this PC sends a frame out to the internet, the Layer 2 destination of that frame is the default gateway's MAC address. Normally that is how it works: the PC sends the traffic to the default gateway, and the default gateway knows how to forward the traffic on to its destination on the internet.
However, let's say that an attacker gains access to this network, to the subnet where PC1 is located, and that the attacker's PC has a MAC address of AAAA.AAAA.AAAA (all A's).
What the attacker does in a gratuitous ARP man-in-the-middle attack is send a "gratuitous ARP reply", in other words an unsolicited ARP reply that nobody asked for, telling PC1: "Hey, the MAC address for 10.1.1.1, the default gateway, is actually AAAA.AAAA.AAAA." It sends that unsolicited (gratuitous) ARP reply saying "the MAC address for your default gateway is really my MAC address."
PC1 may accept that and say "I need to update my ARP cache with this new MAC address for my default gateway." Now when it forwards a frame destined for the internet with a Layer 2 destination of the default gateway, that destination MAC address is the attacker's MAC address. The traffic flows to the attacker's PC, and the attacker can capture it and then send it on to the internet (typically by relaying it to the real gateway at DDDD.DDDD.DDDD). PC1 doesn't know anything is going on, because the traffic did make it out to the internet and its session keeps working.
Meanwhile the attacker has injected themselves into the path. That's why it is called a man-in-the-middle attack.
Cisco gives us a feature called "Dynamic ARP Inspection (DAI)" that we can enable on Cisco Catalyst switches to prevent this type of attack.
Configuration: -
Dynamic ARP Inspection is enabled per VLAN and applies to the ports on our switch. Each port is either "Trusted" or "Untrusted", much like DHCP snooping. If a port is untrusted, the switch intercepts every ARP message coming into that port and makes sure the contents of that ARP message (the sender IP address and sender MAC address) are consistent with the IP-to-MAC address bindings it knows about. Those bindings were built by DHCP snooping, which is why the order matters:
ü We enable DHCP snooping first, so the switch learns the IP-to-MAC bindings of the hosts on this VLAN, and then
ü We enable Dynamic ARP Inspection (DAI).
An ARP message whose sender IP/MAC pair does not match a binding is dropped, so the attacker's gratuitous reply claiming that 10.1.1.1 belongs to AAAA.AAAA.AAAA never reaches PC1.
Here on switch Sw1, I have already enabled DHCP snooping; we did that in the prior topic.
If you don't know about it, click on DHCP Snooping.
Now let's add to that configuration:
Ø Sw1(config)#ip arp inspection vlan 1
ü This specifies the VLAN on which we want to do ARP inspection. Right now everybody is a member of VLAN 1.
When we do that, all of the ports on the switch become "Untrusted" ports by default. But in our design we are going to say that "fastethernet1/0/1" is a "Trusted" port. As with DHCP snooping, trust belongs on the uplink toward the default gateway and other switches, not on host-facing ports; a trusted host port would let the attacker's gratuitous ARP through unchecked.
Here is how we do that: -
Ø Sw1(config)#interface fastEthernet 1/0/1
Ø Sw1(config-if)#ip arp inspection trust
Ø Sw1(config-if)#end
That makes it a "Trusted" port, which bypasses DAI: an ARP message coming into FastEthernet 1/0/1 is forwarded without being checked against the bindings.
That's how we can use DAI, in addition to DHCP snooping, to mitigate a gratuitous ARP man-in-the-middle attack.
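Pulled together as one added example (this is not the post's own configuration): the complete DHCP snooping plus DAI configuration for this topology, with FastEthernet 1/0/1 as the trusted uplink toward the 10.1.1.1 gateway, the optional extra validation checks, an ARP ACL for a host with a static address, and the show commands used to verify the result. It goes beyond the post by covering the static-address case, because DAI drops ARP from any host that has no DHCP snooping binding. The port range 1/0/2 - 24, the printer at 10.1.1.50 and its MAC 0000.1111.2222 are assumptions for illustration.

```cisco
! --- Added example: DHCP snooping + DAI on Sw1 (not the post's own config) ---
! Assumption: FastEthernet1/0/1 is the uplink toward the 10.1.1.1 gateway;
! FastEthernet1/0/2 - 24 are host-facing and stay untrusted.

! Step 1: DHCP snooping builds the IP-to-MAC binding table that DAI checks against
ip dhcp snooping
ip dhcp snooping vlan 1
!
! Step 2: enable DAI on the VLAN; every port becomes untrusted by default.
! Optional extra checks on untrusted ports: Ethernet source MAC must match the
! ARP sender MAC, Ethernet destination MAC must match the ARP target MAC (replies),
! and sender/target IPs must not be 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection vlan 1
ip arp inspection validate src-mac dst-mac ip
!
! Step 3: trust only the uplink. DHCP offers from the gateway side and ARP
! from the gateway itself arrive here and are forwarded without inspection.
interface FastEthernet1/0/1
 description Uplink toward the default gateway 10.1.1.1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports: untrusted, rate-limited to the default 15 ARP packets per second.
! A port that exceeds the limit is err-disabled, so allow automatic recovery.
interface range FastEthernet1/0/2 - 24
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
!
! Hosts with static addresses have no DHCP snooping binding and their ARP
! would be dropped. Assumed example: a printer at 10.1.1.50 / 0000.1111.2222.
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.50 mac host 0000.1111.2222
!
ip arp inspection filter STATIC-HOSTS vlan 1
!
! Verification
! show ip dhcp snooping binding            -> bindings DAI validates against
! show ip arp inspection vlan 1            -> DAI state, validate options, ACL in use
! show ip arp inspection interfaces        -> trust state and rate limit per port
! show ip arp inspection statistics vlan 1 -> forwarded vs. dropped ARP counts
```

After the attacker's gratuitous reply is sent on a host port, the dropped counter in `show ip arp inspection statistics vlan 1` increments and a DAI log message names the offending port, which is the check to look for when testing. Without the `static` keyword on the filter command, an ARP packet that matches no ACL entry is still checked against the DHCP snooping bindings rather than denied outright, so the ACL only needs to list the static hosts.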
If you like the post, don't forget to "Subscribe/Share/Comment". Thank you.