User manual SONICWALL SONICOS ENHANCED MAC-IP ANTI-SPOOF


Manual abstract: user guide SONICWALL SONICOS ENHANCED MAC-IP ANTI-SPOOF


[. . . ] MAC-IP Anti-Spoof

Document Scope

This document describes the MAC-IP Anti-Spoof feature available in SonicOS 5.6, and its functionality in helping to prevent various attacks against a network. This document contains the following sections:

· "Feature Overview"
· "Using MAC-IP Anti-Spoof"
· "Glossary"

Feature Overview

This section provides an introduction to the MAC-IP Anti-Spoof feature and contains the following subsections:

· "What Is MAC-IP Anti-Spoof?"
· "Benefits"
· "How Does MAC-IP Anti-Spoof Work?"
· "Platforms"

What Is MAC-IP Anti-Spoof?

MAC and IP address-based attacks are increasingly common in today's network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. [. . . ] An incoming packet's source MAC and IP addresses are looked up in this cache.

The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:

· DHCP Server-based leases (SonicWALL's - DHCP Server)
· DHCP relay-based leases (SonicWALL's - IP Helper)
· Static ARP entries
· User created static entries

The ARP Cache is built through the following subsystems:

· ARP packets; both ARP requests and responses
· Static ARP entries from user-created entries
· MAC-IP Anti-Spoof Cache

The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client's own MAC address inside its ARP cache.

Platforms

The MAC-IP Anti-Spoof feature is available in SonicOS Enhanced 5.6.

Using MAC-IP Anti-Spoof

This section contains the following subsections:

· "Interface Settings"
· "Anti-Spoof Cache"
· "Spoof Detect List"
· "Extension to IP Helper"

Interface Settings

To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to Network > MAC-IP Anti-spoof.

To configure settings for a particular interface, click the pencil icon in the "Configure" column for the desired interface. The "Settings" window is now displayed for the selected interface. In this window, the following settings can be enabled or disabled by clicking on the corresponding checkbox. Once your setting selections for this interface are complete, click "OK."

· Enable: Enables the MAC-IP Anti-Spoof subsystem on traffic through this interface.
· Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries.
· DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWALL DHCP server.
· DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper. To learn about changes to IP Helper, see the "Extension to IP Helper" section.
· ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
· ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client's machine for every MAC-IP cache entry on the interface.
· Enforce Anti-Spoof: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.
· Spoof Detection List: Logs all devices that fail to pass the Anti-Spoof cache and lists them in the Spoof Detected List.
· Allow Management: Allows through all packets destined for the appliance's IP address, even if coming from devices currently not listed in the Anti-Spoof cache.

Once the settings have been adjusted, the interface's listing will be updated on the MAC-IP Anti-Spoof panel. The green circle with a white check mark icon denotes which settings have been enabled.

Note: The following interfaces are excluded from the MAC-IP Anti-Spoof list: non-Ethernet interfaces, port-shield member interfaces, Layer 2 bridge pair interfaces, high availability interfaces, and high availability data interfaces.

Anti-Spoof Cache

The MAC-IP Anti-Spoof Cache lists all the devices presently listed as "authorized" to access the network, and all devices marked as "blacklisted" (denied access) from the network. To add a device to the list, click the "Add" button.

A window is now displayed that allows for manual entry of the IP and MAC addresses for the device. Checking the router setting allows all traffic coming from behind this device. [. . . ] The field must be filled using the appropriate syntax for operators:

Operator: Value with a type
Syntax options:
· Ip=1.1.1.1 or ip=1.1.1.0/24
· Mac=00:01:02:03:04:05
· Iface=x1

Operator: String
Syntax options:
· X1
· 00:01
· Tst-mc
· 1.1.

Operator: AND
Syntax options:
· Ip=1.1.1.1;iface=x1
· Ip=1.1.1.0/24;iface=x1;just-string

Operator: OR
Syntax options:
· Ip=1.1.1.1, 2.2.2.2, 3.3.3.0/24
· Iface=x1, x2, x3

Operator: Negative
Syntax options:
· !ip=1.1.1.1;!just-string
· !iface=x1, x2

Operator: Mixed
Syntax options:
· Ip=1.1.1.1, 2.2.2.2;mac=00:01:02:03:04:05; just-string;!iface=x1, x2

Extension to IP Helper

In order to support leases from the DHCP relay subsystem of IP Helper, the following changes have been made in the IP Helper panel, located at Network > IP Helper:

· As part of the DHCP relay logic, IP Helper learns leases exchanged between clients and the DHCP server, then saves them into flash memory.
· These learned leases are synched to the idle firewall, as part of the IP Helper state sync messages.

MAC and IP address bindings from the leases are transferred into the MAC-IP Anti-Spoof cache.

Glossary

· Media Access Control (MAC) Address: The unique adapter serial number that identifies a network card from all others
· Internet Protocol (IP) Address: Address of a device attached to an IP (TCP/IP) network that serves as either a source or destination address in every IP packet
· Address Resolution Protocol (ARP): A low-level TCP/IP protocol that maps a MAC address to an IP address
· ARP Cache: A store of information containing address translations that relate IP addresses to their corresponding MAC addresses

PN#: 232-001830-00

Solution Document Version History

Version Number: 1
Date: 12/18/2009
Notes: This document was created.

[. . . ]
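The filter syntax listed under the operator table above can be exercised offline with a small parser. This is an added example, not SonicWALL code: it reads ";" as AND, "," as OR and "!" as negation, as the table's rows show. The row columns (ip, mac, iface, name), the sample rows, and the treatment of a bare string as a case-insensitive substring match on any column are assumptions.

```python
import ipaddress

# Constructed sample rows; the column names (ip, mac, iface, name) are assumptions.
ENTRIES = [
    {"ip": "1.1.1.1", "mac": "00:01:02:03:04:05", "iface": "X1", "name": "tst-mc"},
    {"ip": "1.1.1.77", "mac": "00:AA:BB:CC:DD:EE", "iface": "X2", "name": "printer"},
    {"ip": "3.3.3.9", "mac": "00:11:22:33:44:55", "iface": "X3", "name": "kiosk"},
]
TYPED_KEYS = ("ip", "mac", "iface")

def parse_filter(expr):
    """Split a filter into AND-ed terms: (negated, key or None, OR-ed values)."""
    terms = []
    for raw in (part.strip() for part in expr.split(";")):
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        key, sep, rest = body.partition("=")
        key = key.strip().lower()
        if not sep or key not in TYPED_KEYS:
            key, rest = None, body  # bare string term
        values = [v.strip().lower() for v in rest.split(",") if v.strip()]
        if not values:
            raise ValueError(f"empty term: {raw!r}")
        if key == "ip":  # host or CIDR; malformed addresses raise ValueError here
            values = [ipaddress.ip_network(v, strict=False) for v in values]
        terms.append((negated, key, values))
    return terms

def term_matches(key, values, entry):
    if key == "ip":
        addr = ipaddress.ip_address(entry["ip"])
        return any(addr in net for net in values)
    if key in ("mac", "iface"):
        return entry[key].lower() in values
    # Assumption: a bare string is a case-insensitive substring match on any column.
    columns = [str(col).lower() for col in entry.values()]
    return any(v in col for v in values for col in columns)

def matches(expr, entry):
    """True when every term holds; a '!' term holds when its match fails."""
    return all(term_matches(k, vals, entry) != neg
               for neg, k, vals in parse_filter(expr))

def select(expr, entries=ENTRIES):
    """Return the IPs of the rows that the filter keeps."""
    return [e["ip"] for e in entries if matches(expr, e)]
```

A malformed typed value such as `ip=999.1.1.1` raises `ValueError` at parse time, so a mistyped filter fails loudly rather than silently hiding rows.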
