Saturday, February 22, 2020

DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack like ARP poisoning.
DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t matter, it will be dropped. In this lesson I’ll show you how to configure DAI. Here’s the topology we will use:
dynamic arp inspection topology
Above we have four devices, the router on the left side called “host” will be a DHCP client, the router on the right side is our DHCP server and on top we have a router that will be used as an attacker. The switch in the middle will be configured for dynamic ARP inspection.

Configuration



We’ll start with the switch, first we need to make sure that all interfaces are in the same VLAN:
SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 123
SW1(config-if-range)#spanning-tree portfast
Now we can configure DHCP snooping:
SW1(config)#ip dhcp snooping 
SW1(config)#ip dhcp snooping vlan 123
SW1(config)#no ip dhcp snooping information option
The commands above will enable DHCP snooping globally, for VLAN 123 and disables the insertion of option 82 in DHCP packets. Don’t forget to make the interface that connects to the DHCP server trusted:
SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip dhcp snooping trust
The switch will now keep track of DHCP messages. Let’s configure a DHCP server on the router on the right side:
DHCP(config)#ip dhcp pool MY_POOL
DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
That’s all we need, let’s see if the host is able to get an IP address:
HOST(config)#interface FastEthernet 0/0
HOST(config-if)#ip address dhcp
A few seconds later we see this message:
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname HOST
Let’s check if our switch has stored something in the DHCP snooping database:
SW1#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1D:A1:8B:36:D0   192.168.1.1      86330       dhcp-snooping   123   FastEthernet0/1
Total number of bindings: 1
There it is, an entry with the MAC address and IP address of our host. Now we can continue with the configuration of DAI. There’s only one command required to activate it:
SW1(config)#ip arp inspection vlan 123
The switch will now check all ARP packets on untrusted interfaces, all interfaces are untrusted by default. Let’s see if this will work or not…I’ll configure the IP address of our host on our attacker:
ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#ip address 192.168.1.1 255.255.255.0
Now let’s see what happens when we try to send a ping from the attacker to our DHCP router:
ATTACK#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping is failing…what does our switch think of this?
SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
Above you can see that all ARP requests from our attacker are dropped. The switch checks the information found in the ARP request and compares it with the information in the DHCP snooping database. Since it doesn’t match, these packets are discarded. You can find the number of dropped ARP packets with the following command:
SW1#show ip arp inspection 

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active                         

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off          

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
  123              0              5              5              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
  123              0              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
          
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
  123                   0                        0                       0
Above you see the number of drops increase. So far so good, our attacker has been stopped. We still have one problem though, let me first shut the interface on our attacker before we continue:
ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#shutdown
Let me show you what happens when we try to send a ping from the host to our DHCP router:
HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
This ping is failing but why? We are not spoofing anything…here’s what the switch tells us:
SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:48 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:50 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:52 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:54 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:56 UTC Tue Mar 2 1993])
Our switch is dropping ARP replies from the DHCP router to our host. Since the DHCP router has no idea how to reach the host, the ping is failing:
HOST#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           0   Incomplete      ARPA
DHCP#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             0   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           -   0016.c7be.0ec8  ARPA   FastEthernet0/0
Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a static IP addresses. DAI checks the DHCP snooping database for all packets that arrive on untrusted interfaces, when it doesn’t find a match…the ARP packet is dropped. To fix this, we need to create a static entry for our DHCP router:
SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
First we create an ARP access-list with a permit statement for the IP address and MAC address of the DHCP router. Now we need to apply this to DAI:
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123 ?     
  static  Apply the ACL statically
We use the ip arp inspection filter command for this but you have to be careful…if you use the “static” parameter then we tell the switch not to check the DHCP snooping database. It will only check our ARP access-list and when it doesn’t find an entry, the ARP packet will be dropped. Make sure you add the filter without the static parameter:
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123
There we go. The switch will now check the ARP access-list first and when it doesn’t find a match, it will check the DHCP snooping database. Let’s try that ping again:
HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Excellent our ping is now working because of the static entry for the DHCP router. Another way to deal with this issue is to configure the interface as trusted. DAI will allow all ARP packets on trusted interfaces:
SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip arp inspection trust
Anything else we can do with DAI? There are some additional security checks you can enable if you want:
SW1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address
Here’s what these options mean:
  • dst-mac: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP packet. This check is performed for ARP replies. ARP replies with different MAC addresses will be dropped.
  • ip: checks for invalid and unexpected IP addresses. For example 0.0.0.0, 255.255.255.255 and multicast addresses.
  • src-mac: checks the source MAC address in the Ethernet header against the sender’s MAC address in the ARP packet. This check is performed for both ARP requests and replies. ARP packets with different MAC addresses will be dropped.
You can only enable one of these options at the same time. Here’s an example how to enable the dst-mac check:
SW1(config)#ip arp inspection validate dst-mac
Last but not least, we can also configure ARP rate-limiting. By default there is a limit of 15 pps for ARP traffic on untrusted interfaces. Here’s how you can change it:
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#ip arp inspection limit rate 10
This interface now only allows 10 ARP packets per second.

Conclusion

That’s all we have for DAI (Dynamic ARP Inspection). It’s a nice security feature but make sure that you have ARP access-lists in place for all devices with static IP addresses before you enable this. You don’t want to block most of your traffic after enabling this.
hostname SW1
!
ip dhcp snooping vlan 123
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 123
ip arp inspection validate src-mac 
!
interface FastEthernet0/1
 switchport access vlan 123
 switchport mode access
 ip arp inspection limit rate 10
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 123
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 123
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 ip dhcp snooping trust       
!
arp access-list DHCP_ROUTER
 permit ip host 192.168.1.254 mac host 0016.c7be.0ec8 
! end
hostname HOST
!
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!end
hostname ATTACK
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
end
hostname DHCP
!
ip dhcp pool MY_POOL
 network 192.168.1.0 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
end
I hope you enjoyed this lesson, if you have any questions feel free to leave a comment below.
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)