Bugtraq mailing list archives

RE: Exploit code for IP Smart Spoofing


From: "Stephen Gill" <gillsr () yahoo com>
Date: Thu, 14 Nov 2002 09:09:31 -0600

Laurent,
Thanks for your note.  In reality IP Smartspoofing is no different than
ARP cache poisoning so I'm not entirely sure why a new name was
"invented".  In this particular case one is able to prevent the
following:
 - key ports and corresponding MAC entries are hardcoded and secured (i.e.
gateways).  If there is a MAC violation, this is logged and the port is
shut down.  9 times out of 10 if someone is performing ARP spoofing they
will go for a device that is best connected so consider this a fly trap.
 - host ports are protected by only allowing one MAC address on a port
at any given time with a lag of 5 minutes for timeout.  Yes a station
can change its hardcoded MAC.  This will allow them to see at most the
traffic of one other host on the switch.  Not perfect, but the odds are
greatly reduced.


A couple of ways that come to mind for having complete protection are:
 - have a method of detecting duplicate MAC addresses on a switch
 - enable "sticky" ARP.  This will keep end stations from being able to
change their MAC address, but at a potentially high administrative
burden.  I'll make a note of this option in the doc.

Cheers,
-- steve

-----Original Message-----
From: Laurent Licour [mailto:llicour () althes fr] 
Sent: Thursday, November 14, 2002 3:56 AM
To: bugtraq () securityfocus com
Cc: 'Stephen Gill'
Subject: RE: Exploit code for IP Smart Spoofing

Your document is quite useful, but there is no way to protect against
IP smartspoofing with a switch.
Smartspoofing uses ARP cache poisoning of hosts.
Using a switch, you can only protect against MAC spoofing as described in
your document.
You can also detect and refuse the connection of a new host on your network.
But as it is possible to change the MAC address of hosts (at least Linux
and Windows 2000), this protection is not very strong.
You just have to replace a host by another.

One way to protect with switches could be the use of switches that are
able to create their CAM entry with the PORT, the MAC and the IP (against
PORT and MAC only for now).
I think that only layer 3 switches are able to do such work. I have
however no specific information about which switches support this feature.
Nortel Passport 8600 is supposed to do this with the IP filter feature
(something like an ACL associated with each PORT).

In any case, this could protect only a LAN. If you put a source IP
filtering rule that allows an external IP, you have no way to detect a
spoofing connection. Only cryptography can help you (IPSec...)


Regards

Laurent Licour
llicour () althes fr



-----Original Message-----
From: Stephen Gill [mailto:gillsr () yahoo com]
Sent: Wednesday, 13 November 2002 20:33
To: 'Laurent Licour'; bugtraq () securityfocus com
Subject: RE: Exploit code for IP Smart Spoofing


In order to mitigate this on edge switches it may behoove the network
administrator to review his or her security policy and adhere to
stricter guidelines.  The following document suggests one method for
protecting Cisco switches along with additional guidelines for secure
configuration in a template format.

http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm

Comments or suggestions welcome.
-- steve
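The controls argued over in this thread (Steve's hardcoded gateway entries and one-MAC-per-port rule with a 5-minute timeout, Laurent's suggestion of binding PORT, MAC and IP together) can be expressed as checks over the ARP replies a switch sees. The following is an added example written for this archive page, not code from either poster or from the qorbit.net template; the hosts, ports, MAC and IP addresses, and timestamps are all constructed, and the three alert names are chosen here for illustration.

```python
# Added example (not from the thread): a small monitor that applies the
# controls discussed above to a stream of ARP replies seen on a switch.
# All hosts, ports, MACs, IPs and timestamps below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObservation:
    t: float     # seconds since monitoring started (constructed)
    port: str    # switch port the ARP reply arrived on
    mac: str     # sender hardware address carried in the reply
    ip: str      # sender protocol address carried in the reply


PORT_TIMEOUT = 300.0  # the 5-minute one-MAC-per-port window from the thread


class ArpMonitor:
    """Track port/MAC/IP bindings and raise alerts on the thread's three symptoms."""

    def __init__(self, pinned):
        self.pinned = dict(pinned)            # ip -> MAC that must never change (gateways)
        self.port_last = {}                   # port -> (mac, time last seen)
        self.ip_to_macs = defaultdict(set)    # ip -> every MAC that has claimed it
        self.mac_to_ports = defaultdict(set)  # mac -> every port it appeared on
        self.alerts = []                      # (kind, port, mac, ip)

    def _alert(self, kind, o):
        self.alerts.append((kind, o.port, o.mac, o.ip))

    def observe(self, o):
        # Control 1: hardcoded entries for key hosts. A reply that claims a
        # pinned IP with a different MAC is the "fly trap" case; a switch
        # would log it and shut the port, here we only record it.
        expected = self.pinned.get(o.ip)
        if expected is not None and expected.lower() != o.mac.lower():
            self._alert("PINNED_IP_VIOLATION", o)

        # Control 2: at most one MAC per host port. A second MAC on the same
        # port inside the timeout window is a violation; after the window it
        # is treated as a legitimate host replacement.
        prev = self.port_last.get(o.port)
        if prev is not None:
            prev_mac, last_seen = prev
            if prev_mac != o.mac and (o.t - last_seen) < PORT_TIMEOUT:
                self._alert("PORT_MAC_LIMIT", o)
        self.port_last[o.port] = (o.mac, o.t)

        # Control 3: the port/MAC/IP binding. The same MAC on two ports is a
        # cloned address; one IP answered by two MACs is the ARP cache
        # poisoning signature itself.
        self.mac_to_ports[o.mac].add(o.port)
        if len(self.mac_to_ports[o.mac]) > 1:
            self._alert("DUPLICATE_MAC", o)
        self.ip_to_macs[o.ip].add(o.mac)
        if len(self.ip_to_macs[o.ip]) > 1:
            self._alert("IP_MAC_CONFLICT", o)


def analyze(observations, pinned):
    """Feed observations in time order and return the list of alerts raised."""
    mon = ArpMonitor(pinned)
    for o in sorted(observations, key=lambda x: x.t):
        mon.observe(o)
    return mon.alerts


# Constructed sample: a gateway on Gi0/1, two hosts, and a station on Gi0/6
# that first claims the gateway's IP and then clones the MAC of the host on Gi0/5.
PINNED = {"10.0.0.1": "00:00:0c:aa:bb:01"}
SAMPLE = [
    ArpObservation(0.0, "Gi0/1", "00:00:0c:aa:bb:01", "10.0.0.1"),     # gateway
    ArpObservation(1.0, "Gi0/5", "00:11:22:33:44:55", "10.0.0.20"),    # host A
    ArpObservation(2.0, "Gi0/6", "00:11:22:33:44:66", "10.0.0.21"),    # host B
    ArpObservation(10.0, "Gi0/6", "00:11:22:33:44:66", "10.0.0.1"),    # B claims gateway IP
    ArpObservation(20.0, "Gi0/6", "00:11:22:33:44:55", "10.0.0.20"),   # B clones A's MAC
    ArpObservation(400.0, "Gi0/5", "00:11:22:33:44:77", "10.0.0.22"),  # A replaced after timeout
]


if __name__ == "__main__":
    for kind, port, mac, ip in analyze(SAMPLE, PINNED):
        print(f"{kind:20} port={port} mac={mac} ip={ip}")
```

On the sample the monitor raises four alerts, in order: the pinned-gateway violation and the IP/MAC conflict for the same frame, then the port limit and duplicate-MAC alerts when the cloned address appears; the replacement host on Gi0/5 arrives after the 300-second window and raises nothing. Note the limit Laurent points out: every check here is a LAN-side binding, so it says nothing about a forged external source address, which only something like IPsec can address. A real deployment would also age out the port and MAC tables rather than keeping them forever as this sketch does.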


