In an Ethernet LAN, everything works by the network switches knowing where to find end stations: PCs, servers, printers, routers and so on. If they get it wrong, they’ll send your data to the wrong place, which will either impact performance or lead to security issues, neither of which is good news.

If someone can break into your network and fool your switches into sending things to the wrong place, they can cause havoc. So what do you need to watch out for and how do you stop them?

Arp spoofing
If a PC needs to talk to another IP device, it will send an arp (address resolution protocol) request on to the network looking for the MAC address that relates to the IP address it’s interested in. In an ideal world, the device that owns that IP address will reply, giving its MAC address, and the two will begin to communicate.

However, it is possible that a third station will reply to the arp request, giving its MAC address instead, even though it’s not the legal owner of the IP address being queried. It will therefore be sent all the data that should have gone to the destination device. In a Man in the Middle Attack, an attacker will do just that, forwarding on the traffic afterwards to the correct device so that nobody knows anything untoward is happening, but your confidential data is being read by someone who shouldn’t be seeing it.

Of course the best way to stop this from happening is keeping unauthorised people off your network, but since this type of attack can equally well be carried out by an authorised internal user, you need to cater for this particular type of attack.

You could create static arp entries on your hosts so you don’t need to rely on arp - this can be very time consuming, and isn’t at all feasible if you have a dynamic network of any size. However for hosts that don’t change much, such as servers and routers, it can add an extra level of security, as long as you remember to update everything if you swap out a NIC or upgrade a server!

What you need is something that lets you monitor the mapping of IP to MAC address pairings, and notifies you of changes - arpwatch (available for free download from multiple sites) is the most popular for this. For arpwatch to work, however, it needs to be on a server that sees all network traffic, so you’ll need to set up your switches to mirror traffic on to a monitor port.

Some high-end switches do now offer an arp inspection functionality that reads all arp requests and replies, and validates them based on information on the ‘real’ IP/MAC mappings (taken from DHCP servers, by DHCP snooping, or by manual configuration, depending on the implementation), so it’s worth asking if your vendor supports this sort of mechanism.
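As an added illustration (not arpwatch's code and not part of the original article), the Python sketch below applies the two checks described above to ARP payloads: it notices when an IP address starts answering from a different MAC address, and it compares each claim against a table of known-good IP/MAC mappings. The addresses, the ArpMonitor class and the alert wording are assumptions made for the example, and the traffic is constructed sample data.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte ARP payload (used here only to construct sample input)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(sender_mac),
                       socket.inet_aton(sender_ip), raw(target_mac),
                       socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), socket.inet_ntoa(spa)

class ArpMonitor:
    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})  # ip -> mac known to be correct
        self.seen = {}                      # ip -> mac last observed on the wire

    def observe(self, payload):
        """Record the sender's IP/MAC pairing and return a list of alerts."""
        _, mac, ip = parse_arp(payload)
        alerts = []
        expected = self.trusted.get(ip)
        if expected is not None and expected != mac:
            alerts.append(f"MISMATCH {ip}: {mac} is not the trusted {expected}")
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"CHANGED {ip}: {previous} -> {mac}")
        self.seen[ip] = mac
        return alerts

def run_sample():
    """Constructed traffic: two honest stations, then a third claiming the router's IP."""
    router, pc, third = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
    monitor = ArpMonitor(trusted={"192.0.2.1": router})
    frames = [
        build_arp(1, pc, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),  # request
        build_arp(2, router, "192.0.2.1", pc, "192.0.2.10"),               # genuine reply
        build_arp(2, third, "192.0.2.1", pc, "192.0.2.10"),                # conflicting reply
    ]
    return [alert for frame in frames for alert in monitor.observe(frame)]

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

The trusted table plays the role of the mappings a switch would take from DHCP snooping or manual configuration; without it, only the CHANGED alert fires, which is the arpwatch-style check.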

Note that even if you have port security on your switches, so that, for instance only certain MAC addresses can be connected to switch ports, or users need to authenticate to get a network connection using the likes of 802.1x, this won’t necessarily stop arp spoofing. It could still be possible to take an already-authenticated PC and change its behaviour so that it claims to have the spoofed IP address - since its MAC address stays the same, these checks wouldn’t do any good.

Arp flooding
Another area where someone playing around with arp caches can cause problems is where they affect your LAN switches directly. Switches have finite amounts of memory dedicated to storing port to MAC address mappings, so that they can forward traffic out of just the port that it’s directed to. If a switch doesn’t know where a MAC address is to be found, then, by design, it has to flood the frame out of all ports to make sure it gets to its destination. An attack that fills up a switch’s memory with erroneous addresses (the macof application is one example), so that there’s no room for the valid addresses to be stored, causes the switch to flood all network traffic out of every port. Instead of being switched directly between source and destination, the traffic is now visible everywhere on the network and can easily be picked up by a network sniffer.

Protecting yourself…
The simplest way to prevent this type of attack (again remembering that it could come from within as well as an outside attacker, so don’t rely on your perimeter security) is to have some sort of port security on the switch so that if it sees multiple MAC addresses appearing to be associated with that port, it takes action, ideally by disabling the port.

This is pretty standard, although different manufacturers offer different security measures. It may well be too restrictive to have to specify which MAC addresses are allowed on a port (although this is a useful feature for router/server ports), so you’re more likely to just specify the maximum number of MAC addresses that can be allowed on a port. This also stops anyone plugging a hub in to give themselves a couple of extra connections for free.
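The effect of a per-port MAC address limit can be seen in a small model. The Python below is an added example, not taken from the original article or from any vendor's implementation: it models a learning switch with a fixed-size address table and no entry ageing, and compares how a conversation between two stations is forwarded with port security off and with a limit of two addresses per port. The port numbers, table size and addresses are constructed for the illustration.

```python
class Switch:
    """Simplified learning switch: fixed-size MAC table, no entry ageing."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs = max_macs_per_port   # None means port security is off
        self.table = {}                     # source MAC -> port it was learned on
        self.disabled = set()

    def receive(self, port, src, dst):
        """Learn src on port, then return the ports the frame is sent out of."""
        if port in self.disabled:
            return []
        if src not in self.table:
            learned_here = sum(1 for p in self.table.values() if p == port)
            if self.max_macs is not None and learned_here >= self.max_macs:
                # Port security violation: shut the port and forget its addresses.
                self.disabled.add(port)
                self.table = {m: p for m, p in self.table.items() if p != port}
                return []
            if len(self.table) < self.table_size:
                self.table[src] = port      # a full table silently stops learning
        if dst in self.table:
            return [self.table[dst]]
        # Unknown destination: flood out of every other enabled port.
        return [p for p in self.ports if p != port and p not in self.disabled]

def simulate(max_macs_per_port):
    """Return (ports that see a later A-to-B frame, ports the switch disabled)."""
    sw = Switch(ports=[1, 2, 3, 4], table_size=8,
                max_macs_per_port=max_macs_per_port)
    # Constructed input: port 3 presents 20 different source addresses.
    for i in range(20):
        sw.receive(3, f"02:00:00:00:01:{i:02x}", "ff:ff:ff:ff:ff:ff")
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    sw.receive(1, a, b)   # A (port 1) talks to B
    sw.receive(2, b, a)   # B (port 2) answers
    return sw.receive(1, a, b), sorted(sw.disabled)

if __name__ == "__main__":
    print("port security off:", simulate(None))
    print("limit of 2 per port:", simulate(2))
```

With the limit off, the table is full before A and B are learned, so their frames reach ports 2, 3 and 4; with the limit on, port 3 is disabled at its third address and the same frame goes to port 2 only.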

Arpwatch can also help here, and if you have network intrusion detection systems, it’s worth seeing if they can spot anything.

It’s difficult to imagine running a network without arp’s help, but it’s worth remembering that it was developed at a time when security - or lack of it - wasn’t a problem. Arp itself can’t guarantee your network will work the way you want it to, so it’s up to you to put other defences in place.