
H3C WX Series AC + Fit AP ARP Attack Defense Configuration Example

Keywords: ARP attack defense

Abstract: This document introduces the ARP attack defense configuration on H3C AC and AP series.

Acronyms:

Acronym   Full spelling
AC        Access Controller
AP        Access Point
ESS       Extended Service Set
WLAN      Wireless Local Area Network
SSID      Service Set Identifier
ARP       Address Resolution Protocol

Table of Contents

Feature Overview
  Introduction
  Advantages
  Application Scenarios
  Configuration Guidelines
ARP Attack Defense Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
References
  Protocols and Standards
  Related Documentation

Feature Overview

Introduction

ARP Active Acknowledgement

With the ARP active acknowledgement feature configured on a device, upon receiving an ARP packet with a sender MAC address different from that in the corresponding ARP entry, the device checks whether the ARP entry has been updated within the last minute. If yes, the device does not update the ARP entry; if not, the device unicasts an ARP request to the MAC address in the ARP entry. Then, if an ARP reply is received within five seconds, the ARP packet is ignored; if not, the device unicasts an ARP request to the sender MAC address of the ARP packet. Then, if an ARP reply is received within five seconds, the device updates the ARP entry; if not, the device keeps the ARP entry unchanged.
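The decision procedure above, written out in Python as an added illustration (this is not code from the H3C document); probe() is an assumed helper standing in for the device's unicast ARP request, and simulate() feeds it a constructed set of MAC addresses that answer.

```python
# Timing constants taken from the feature description on this page.
RECENT_UPDATE_WINDOW = 60.0   # an entry updated within the last minute is left alone
REPLY_TIMEOUT = 5.0           # a probed MAC has five seconds to answer (enforced inside probe)

def active_ack_decide(entry, sender_mac, now, probe):
    """Decide what to do with an ARP packet whose sender MAC may differ from the entry.

    entry: {'mac': bytes, 'updated': float} is the device's current ARP entry.
    probe(mac) -> bool is an assumed helper standing in for the device's unicast
    ARP request to mac; it returns True only if a reply arrives within REPLY_TIMEOUT.
    Returns ('keep' | 'update', reason).
    """
    if sender_mac == entry['mac']:
        return 'keep', 'sender MAC already matches the entry'
    if now - entry['updated'] < RECENT_UPDATE_WINDOW:
        return 'keep', 'entry updated within the last minute'
    if probe(entry['mac']):
        return 'keep', 'old MAC still answers, so the new packet is ignored'
    if probe(sender_mac):
        return 'update', 'old MAC silent and new MAC answers'
    return 'keep', 'neither MAC answered, entry unchanged'

def simulate(entry, sender_mac, now, live_macs):
    """Run the decision with a constructed set of MACs that answer probes; returns the verdict."""
    return active_ack_decide(entry, sender_mac, now, lambda mac: mac in live_macs)[0]
```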

Source MAC Address Based ARP Attack Detection

This function allows the device to check the source MAC address of ARP packets. If the number of ARP packets sent from a MAC address within five seconds exceeds the specified threshold, the device considers this an attack, generates an alarm, and filters out ARP packets sourced from that MAC address. Only the ARP packets delivered to the CPU are detected.

ARP Packet Source MAC Address Consistency Check

This function is usually configured on a gateway to defend against ARP attack packets whose source MAC address in the Ethernet header differs from the sender MAC address in the ARP message. The ARP detection function also checks source MAC address consistency. Note the differences between the two functions: the ARP detection function is enabled on an access device to check the source MAC address consistency of the ARP packets delivered to the CPU, whereas the ARP packet source MAC address consistency check function is enabled on a gateway to check the ARP packets to be learned, ensuring that the gateway learns correct ARP entries.
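An added Python illustration (not part of the H3C document) of the two checks just described: the source MAC consistency check on a raw Ethernet/ARP frame, and source MAC address based detection in filter mode with the threshold of 30, aging time of 600 seconds and exclude-mac list used later in this example; the frames and MAC addresses it inspects are constructed, not captured.

```python
import struct
from collections import defaultdict, deque

def parse_arp(frame):
    """Return (Ethernet source MAC, ARP sender MAC, ARP sender IP), or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b'\x08\x06':   # 42 bytes = Ethernet + ARP header
        return None
    return frame[6:12], frame[22:28], frame[28:32]

def source_mac_consistent(frame):
    """Gateway-side consistency check: Ethernet source MAC must equal the ARP sender MAC."""
    parsed = parse_arp(frame)
    return parsed is not None and parsed[0] == parsed[1]

class SourceMacDetector:
    """Source MAC address based ARP attack detection (filter mode); only CPU-bound ARP is fed in."""
    def __init__(self, threshold=30, window=5.0, aging_time=600.0, exclude_macs=()):
        self.threshold, self.window, self.aging_time = threshold, window, aging_time
        self.exclude = set(exclude_macs)   # protected MACs (exclude-mac), never filtered
        self.seen = defaultdict(deque)     # MAC -> arrival times inside the detection window
        self.filtered = {}                 # MAC -> time its filter entry was created
        self.alarms = []                   # (time, MAC) for every attack detected

    def observe(self, src_mac, now):
        """Return True if an ARP packet from src_mac arriving at time now must be dropped."""
        if src_mac in self.exclude:
            return False
        created = self.filtered.get(src_mac)
        if created is not None:
            if now - created < self.aging_time:
                return True
            del self.filtered[src_mac]     # filter entry aged out; start counting again
        stamps = self.seen[src_mac]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.threshold:   # more than threshold packets within the window
            self.filtered[src_mac] = now
            self.alarms.append((now, src_mac))
            stamps.clear()
            return True
        return False

def build_arp_request(eth_src, sender_mac, sender_ip, target_ip):
    """Constructed sample frame (not captured traffic) for exercising the checks above."""
    eth = b'\xff' * 6 + eth_src + b'\x08\x06'
    arp = struct.pack('!HHBBH6s4s6s4s', 1, 0x0800, 6, 4, 1, sender_mac, sender_ip, b'\x00' * 6, target_ip)
    return eth + arp
```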

Advantages

ARP attack defense can be used for single point defense and whole network defense. It can effectively defend against gateway spoofing attacks, user spoofing attacks and flooding attacks. Used for single point defense, the ARP attack defense functions, such as source address based attack detection, source MAC address consistency check and active acknowledgement, together with the existing ARP functions such as ARP packet rate limit and ARP entry learning limit, can protect a gateway well. Used for network defense, the ARP detection function based on DHCP snooping entries and static IP-to-MAC bindings can prevent gateway spoofing and user spoofing attacks. The ARP attack defense feature is widely applicable. It can be applied to networks with DHCP deployed.

Application Scenarios

The ARP active acknowledgement feature is mainly configured on gateways to prevent user spoofing attacks. The source MAC address based attack detection, source MAC address consistency check and active acknowledgement features can each be configured on their own on a device; they do not depend on any other feature. The ARP detection function based on DHCP snooping entries is configured on access devices, relies on a DHCP network and requires DHCP snooping to be enabled on the access devices.

Configuration Guidelines

None

ARP Attack Defense Configuration Example

Network Requirements

As shown in Figure 1.1, Switch A acts as the gateway. Configure source MAC address based ARP attack detection, ARP source MAC address consistency check and ARP active acknowledgement on Switch A to protect the gateway.

Switch B (an access controller WX3024 in this example) acts as the access device. Configure the ARP detection function on Switch B, and then configure DHCP snooping or bind the IP addresses and MAC addresses of important servers on Switch B, so that the ARP packets to be forwarded are checked and invalid ARP packets are dropped.

Figure 1.1 Network diagram for ARP attack defense configuration

Configuration Considerations

Use the attack defense feature together with the ARP detection function.

Software Version Used

<WX3024> display version
H3C Comware Platform Software
Comware Software, Version 5.20, Beta 3105P02
Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C WX3024 uptime is 0 week, 0 day, 1 hour, 22 minutes

H3C WX3024 with 1 [processor model and clock unreadable in source] Processor
[memory sizes unreadable in source] Flash Memory
Config Register points to FLASH

Hardware Version is Ver.A
CPLD Version is 002
Basic Bootrom Version is 1.06
Extend Bootrom Version is 1.06
[Slot 0]WX3024LSW Hardware Version is NA
[Slot 1]WX3024RP[last character unreadable in source] Hardware Version is Ver.A

Configuration procedures

Configuration information

Configuration on Switch B (WX3024):

#
 version 5.20, Release 3106
#
 sysname H3C
#
 domain default enable system
#
 telnet server enable
#
 port-security enable
#
 oap management-ip 192.168.0.101 slot 0
#
vlan 1
#
vlan 10
 arp detection enable
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type telnet
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48
#
wlan service-template 1 clear
 ssid abc
 bind WLAN-ESS 1
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface GigabitEthernet1/0/1
 arp detection trust
#
interface WLAN-ESS1
 port access vlan 10
 arp rate-limit rate 1 drop
#
wlan ap ap1 model WA2100
 serial-id 210235A29G004C000020
 radio 1
  service-template 1
  radio enable
#
wlan ap ap2 model WA2100
 serial-id 210235A29G004C000022
 radio 1
  service-template 1
  radio enable
#
 arp detection mode static-bind
 arp detection static-bind 10.1.1.1 000f-e212-0101
#
 load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return

Primary configuration steps

1) Add all related ports in the network diagram to VLAN 10. Configure the IP address of VLAN-interface 10 of Switch A. (Omitted)

2) Configure source MAC address based attack detection on Switch A.

# Enter system view.
<switchA> system-view

# Enable source MAC address based attack detection and specify the detection mode as filter.
[switchA] arp anti-attack source-mac filter

# Specify the MAC address of the interface of Switch B that is connected with Switch A as a protected MAC address, which will be free from ARP attack detection.
[switchA] arp anti-attack source-mac exclude-mac 0000-5619-0000

# Configure the aging time for source MAC address based ARP attack detection entries.
[switchA] arp anti-attack source-mac aging-time 600

# Configure the threshold.
[switchA] arp anti-attack source-mac threshold 30

3) Configure the ARP active acknowledgement function on Switch A.

# Enable the ARP active acknowledgement function.
[switchA] arp anti-attack active-ack enable

4) Configure ARP packet source MAC address consistency check.

# Enable ARP packet source MAC address consistency check.
[switchA] arp anti-attack valid-check enable

5) Configure the wireless attributes of Switch B (WX3024).

<switchB> system-view

# Create wireless interface WLAN-ESS 1.
[switchB] interface WLAN-ESS 1

# Add interface WLAN-ESS 1 to VLAN 10.
[switchB-WLAN-ESS1] port access vlan 10
[switchB-WLAN-ESS1] quit

# Create service template 1 of clear type.
[switchB] wlan service-template 1 clear

# Specify the SSID of the service template as abc.
[switchB-wlan-st-1] ssid abc

# Bind service template 1 with interface WLAN-ESS 1.
[switchB-wlan-st-1] bind wlan-ess 1

# Configure the authentication method for wireless clients to access the wireless service as open system.
[switchB-wlan-st-1] authentication-method open-system

# Enable the service template.
[switchB-wlan-st-1] service-template enable
[switchB-wlan-st-1] quit

# Configure AP 1 to provide the WLAN service.
# Create an AP management template named ap1, with the AP model being WA2100.
[switchB] wlan ap ap1 model WA2100

# Specify the serial number of the AP.
[switchB-wlan-ap-ap1] serial-id 210235A29G004C000020

# Specify the radio type of radio 1 as 802.11g.
[switchB-wlan-ap-ap1] radio 1 type dot11g

# Bind radio 1 with service template 1.
[switchB-wlan-ap-ap1-radio-1] service-template 1

# Enable radio 1 of AP 1.
[switchB-wlan-ap-ap1-radio-1] radio enable

# Configure AP 2 to provide the WLAN service.
# Create an AP management template named ap2, with the AP model being WA2100.
[switchB] wlan ap ap2 model WA2100

# Specify the serial number of the AP.
[switchB-wlan-ap-ap2] serial-id 210235A29G004C000022

# Specify the radio type of radio 1 as 802.11g.
[switchB-wlan-ap-ap2] radio 1 type dot11g

# Bind radio 1 with service template 1.
[switchB-wlan-ap-ap2-radio-1] service-template 1

# Enable radio 1 of AP 2.
[switchB-wlan-ap-ap2-radio-1] radio enable
[switchB-wlan-ap-ap2-radio-1] return

6) Configure the ARP detection function on Switch B.

# Enter system view.
<switchB> system-view

# Specify the ARP attack detection mode as static binding based. (You can specify the ARP detection mode according to your networking environment.)
[switchB] arp detection mode static-bind

# Configure a static IP-to-MAC binding for ARP detection, binding the IP address and MAC address of the interface on Switch A that is connected with Switch B.
[switchB] arp detection static-bind 10.1.1.1 000f-e212-0101

# Enter VLAN view.
[switchB] vlan 10

# Enable ARP detection for the VLAN.
[switchB-vlan10] arp detection enable

# Display the VLANs enabled with ARP detection.
[switchB-vlan10] display arp detection
ARP Detection is enabled in the following VLANs: 10

# Configure the uplink port as a trusted port. By default, a port is in the untrusted state for ARP detection. Leave the downlink port with the default configuration.
[switchB] interface GigabitEthernet 1/0/1
[switchB-GigabitEthernet1/0/1] arp detection trust
[switchB-GigabitEthernet1/0/1] quit

7) Configure ARP packet rate limit on Switch B.

# Enter interface view of WLAN-ESS 1.
[switchB] interface WLAN-ESS 1

# Configure an ARP packet rate limit for the interface.
[switchB-WLAN-ESS1] arp rate-limit rate 1 drop
[switchB-WLAN-ESS1] quit

References

Protocols and Standards

None

Related Documentation

WLAN Service Configuration and WLAN Service Commands in the WLAN Volume of H3C WX Series Access Controllers User Manual.
ARP Configuration and ARP Commands in the IP Services Volume of H3C WX Series Access Controllers User Manual.
VLAN Configuration and VLAN Commands in the Access Volume of H3C WX Series Access Controllers User Manual.
