How to secure a network using ARP: Difference between revisions
mNo edit summary |
m (Protected "How to secure a network using ARP": will be in manual [edit=sysop:move=sysop]) |
||
| (8 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
Although hosts in IP network are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. Address | Although hosts in IP network are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another at Layer-2 (EG: Ethernet). Address Resolution Protocol (ARP) provides a mapping between the two different forms of addresses. A router has an ARP table that contains ARP entries. ARP entries consist of IP addresses and corresponding hardware addresses (such as a MAC address). Normally ARP provides a dynamic mapping from an IP address to corresponding hardware address by adding ARP entries automatically as they are discovered, but to increase network security static ARP entries can be created manually. By allowing a router to reply only to those static ARP entries found in the ARP table we restrict access to the router and to the network behind the router to only those IP/Hardware address combinations found in the ARP table. To make a router use only static ARP entries follow the steps listed below: | ||
1. Add ARP entries of hosts you want to accept | 1. Add ARP entries of hosts you want to accept in WinBox | ||
[admin@ | |||
\... :21:00:56:00:12 | [[Image:arp_add_hosts.jpg]] | ||
2. Make ether2 interface only reply to ARP requests using your specified ARP entries | |||
[admin@ | or in Console | ||
[admin@RB230] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \ | |||
\... 00:21:00:56:00:12 | |||
2. Make ether2 interface only reply to ARP requests using your specified ARP entries in WinBox | |||
[[Image:arp_replay_only.jpg]] | |||
or in Console | |||
[admin@RB230] > interface ethernet set ether2 arp=reply-only | |||
[[Category:Firewall]] | |||
Latest revision as of 08:02, 19 February 2008
Although hosts in IP network are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another at Layer-2 (EG: Ethernet). Address Resolution Protocol (ARP) provides a mapping between the two different forms of addresses. A router has an ARP table that contains ARP entries. ARP entries consist of IP addresses and corresponding hardware addresses (such as a MAC address). Normally ARP provides a dynamic mapping from an IP address to corresponding hardware address by adding ARP entries automatically as they are discovered, but to increase network security static ARP entries can be created manually. By allowing a router to reply only to those static ARP entries found in the ARP table we restrict access to the router and to the network behind the router to only those IP/Hardware address combinations found in the ARP table. To make a router use only static ARP entries follow the steps listed below:
1. Add ARP entries of hosts you want to accept in WinBox
or in Console
[admin@RB230] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \ \... 00:21:00:56:00:12
2. Make ether2 interface only reply to ARP requests using your specified ARP entries in WinBox
or in Console
[admin@RB230] > interface ethernet set ether2 arp=reply-only