Administrators usually focus more on threats that may arrive on the WAN interface than on the LAN, which is understandable, because we trust the people we work with. But that trust can be deceptive, especially if we administer a network in a rapidly changing environment (flow of people) with features like BYOD (Bring Your Own Device), where we have no full control over the software installed by end users.
How can we prevent attacks conducted by users considered “trusted” in our network? There are many tools at the administrator's disposal that are easy to implement and provide sufficient security against inquisitive and irresponsible users.
DHCP SNOOPING
Before I explain how DHCP Snooping works, we need to understand how DHCP works. DHCP works in 4 stages when a host is looking for an IP address in the LAN. According to DORA (Discover, Offer, Request, Acknowledge):
1. The host sends DHCP DISCOVER packets in order to find a DHCP server.
2. The DHCP server, after receiving the Discover packet, sends a DHCP OFFER with an IP address.
3. The host sends a DHCP REQUEST in order to confirm.
4. The DHCP server sends a DHCP ACKNOWLEDGMENT to finish the exchange, and the IP address is granted to the host.
What happens if more than one DHCP server is accessible? The host accepts the offer from the first server that replied to its Discover packet. Part of the DHCP OFFER packet is the GATEWAY address (the router interface that the host is connected to), and this is the weak point. Someone can set up a rogue DHCP server in our network, and traffic may then be freely redirected by the attacker whenever he wants to! This is a Man in the Middle attack.
DHCP Snooping prevents that situation. The switch works like a firewall between the host and untrusted DHCP servers. It snoops the DHCP conversation between devices and decides which conversations are between trusted devices and which are not. DHCP Snooping classifies switch interfaces as TRUSTED and UNTRUSTED. This classification is done manually by the administrator. DHCP OFFER packets are accepted on TRUSTED ports and rejected on UNTRUSTED ports. Untrusted ports on which the switch receives DHCP OFFER packets are put into error-disable mode; in plain words, they are switched off.
Configuration:
globally:
ip dhcp snooping
ip dhcp snooping vlan 1
on the port:
interface fa0/1
ip dhcp snooping trust
DYNAMIC ARP INSPECTION
Again, in order to understand how Dynamic ARP Inspection works, we need to remind ourselves how ARP (Address Resolution Protocol) works. When we connect a “fresh” host to our LAN, its MAC address table will be empty (type arp -a in Windows), or you'll see only the MAC addresses of the gateway and broadcast. In order to send any packet to another host in the LAN, the host has to learn the MAC addresses of the other hosts in the network. To do that, it sends an ARP Request message, “Who has the IP address 192.168.1.100?”, via broadcast (this message is sent to each port on the switch) and attaches its own MAC address to the request. Then the host that has that IP address sends an ARP Reply message, “I have 192.168.1.100 and here is my MAC address”, and both hosts now have each other's MAC addresses. But it is not rocket science to change the MAC address of a host; a rogue host that does so may again redirect traffic and freely intercept communication between hosts. This is called ARP Spoofing. Moreover, the rogue host may send a GARP (gratuitous ARP) packet first, without waiting for an ARP request, claiming that it is the 192.168.1.100 host, and in this way poison the ARP table of an unaware host. This is another Man in the Middle attack, called ARP Poisoning.
Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted IP-MAC address mappings. This database is the same one built by the DHCP Snooping process, but static ARP configuration can also be used by DAI. Once the IP-MAC address database is built, every ARP Request and ARP Reply received by the switch is examined. If the ARP message has an approved MAC-IP address mapping, the message is forwarded; if not, the ARP message is dropped. As with DHCP Snooping, we have trusted and untrusted ports; on trusted ports DAI doesn't check ARP messages. DAI requires DHCP Snooping and its binding table, and it also uses its own ARP access list.
IP SOURCE GUARD
The IP Source Guard feature goes one step further and checks whether the IP address of any host in our network has changed. It compares the source MAC address and source IP address against its own IP source binding table, which is built from the DHCP Snooping table, so IP Source Guard requires the DHCP Snooping feature to be enabled. IP Source Guard may prevent a TCP SYN flood attack, which consists of sending thousands of TCP SYN packets towards the victim with a different IP address (or addresses), so we actually have two victims subjected to a DoS (Denial of Service) attack.
All of the above features may be implemented at the same time on the switch and significantly increase security in the LAN.
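An added example, not part of the original article: a Cisco IOS configuration that enables all three features together on VLAN 1. It assumes fa0/1 is the uplink toward the legitimate DHCP server and fa0/2 is an end-host port; the interface fa0/2, the ACL name STATIC-HOSTS and the MAC address are constructed for illustration, and exact syntax varies by platform and IOS release.

```cisco
! --- 1. DHCP Snooping: builds the IP-MAC-port binding table ---
! DAI and IP Source Guard below both depend on this table.
ip dhcp snooping
ip dhcp snooping vlan 1
!
! --- 2. Dynamic ARP Inspection on the same VLAN ---
! ARP packets on untrusted ports are checked against the binding table.
ip arp inspection vlan 1
!
! A host with a static IP address never gets a DHCP binding, so DAI
! would drop its ARP messages. Permit it with an ARP access list.
! (MAC address below is a constructed sample value.)
arp access-list STATIC-HOSTS
 permit ip host 192.168.1.100 mac host 0000.1111.2222
ip arp inspection filter STATIC-HOSTS vlan 1
!
! --- Uplink toward the legitimate DHCP server: trusted ---
! DHCP OFFER/ACK are accepted here and ARP is not inspected.
interface FastEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- End-host port: untrusted by default for both features ---
interface FastEthernet0/2
 switchport mode access
 ! --- 3. IP Source Guard: drop traffic whose source IP does not
 ! match the binding learned for this port. On platforms that
 ! support it, "ip verify source port-security" also checks the
 ! source MAC and requires port security on the interface.
 ip verify source
!
! --- Verification (privileged EXEC mode) ---
! show ip dhcp snooping binding
! show ip arp inspection vlan 1
! show ip verify source
```

Enable DHCP Snooping first and confirm that the binding table is populated before turning on DAI and IP Source Guard; otherwise hosts without a binding lose connectivity on untrusted ports.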