Firewall Modes Part 5 – ARP Inspection

By Anthony Sequeira on June 7th, 2011

We may have enjoyed the American television show, Malcolm in the Middle, but we sure wince when we hear the phrase “Man in the Middle”. A classic method of this computer security attack is where the attacker engages in ARP spoofing. This is the use of forged ARP messages to receive traffic from hosts that is actually destined for the hosts' default gateway.

You might recall from the last post in this series that the Transparent firewall permits all ARP traffic through the device by default. We use ARP Inspection in order to control this behavior.

ARP Inspection causes the ASA to compare the MAC address, IP address, and source interface of each ARP packet to the static entries in the ARP table. If all three match a static entry, the packet is passed. If any of them differs from the corresponding entry, the packet is dropped. If there is no corresponding entry in the ARP table at all, then you can either have the traffic flooded out all interfaces (except the Management interface), or you can have the packet dropped.

The configuration of ARP Inspection is indeed a two-step process. The appropriate static entries must be added to the ARP table, and then the feature must be enabled. Keep in mind that the ASA will still use dynamic ARP entries as well; these are used for management traffic to and from the device itself.

In order to add a static ARP entry to the device, use the following syntax:

arp interface_name ip_address mac_address

To enable the ARP inspection feature, use the following syntax:

arp-inspection interface_name enable [flood | no-flood]

The default behavior on the device is to flood traffic for which there is no ARP table entry. We can change this, of course, using the no-flood keyword in our command.

In order to verify the ARP Inspection settings for all interfaces on our device, use the following:

show arp-inspection
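As an added illustration that is not part of the original post, the following Python model parses a constructed configuration written in the two command forms above (sample interface names, IP addresses and MAC addresses are made up) and applies the inspection rules just described to sample ARP packets. The decision logic is a simplification of the ASA's real behavior, written here to show how the static entries and the flood/no-flood setting interact.

```python
"""Simplified model of ASA ARP Inspection decisions, driven by the two commands
described in the post. This is illustrative code, not Cisco's implementation."""
from dataclasses import dataclass

# Constructed ASA configuration fragment (sample values, not from any real device).
ASA_CONFIG = """
arp outside 192.168.1.1 0009.7cf8.2e1a
arp inside 10.1.1.10 00d0.58a1.7b3c
arp-inspection outside enable no-flood
arp-inspection inside enable flood
"""


@dataclass(frozen=True)
class ArpPacket:
    interface: str   # interface the ARP packet arrived on
    ip: str          # sender protocol address claimed in the packet
    mac: str         # sender hardware address claimed in the packet


def parse_config(text):
    """Return (static_entries, flood_by_interface) from 'arp' and 'arp-inspection' lines."""
    static, flood = set(), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "arp":
            # arp interface_name ip_address mac_address
            static.add((parts[1], parts[2], parts[3].lower()))
        elif len(parts) >= 3 and parts[0] == "arp-inspection" and parts[2] == "enable":
            # arp-inspection interface_name enable [flood | no-flood]; flood is the default.
            flood[parts[1]] = "no-flood" not in parts
    return static, flood


def inspect(pkt, static, flood):
    """Return 'forward', 'drop' or 'flood' for one ARP packet."""
    if pkt.interface not in flood:
        return "forward"          # inspection not enabled on this interface: ARP passes
    if (pkt.interface, pkt.ip, pkt.mac.lower()) in static:
        return "forward"          # interface, IP and MAC all match a static entry
    related = [e for e in static if e[1] == pkt.ip or e[2] == pkt.mac.lower()]
    if related:
        return "drop"             # an entry exists for this IP or MAC but a field differs
    return "flood" if flood[pkt.interface] else "drop"   # no entry at all
```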

Thanks for reading, and in the next part of this series, we will examine your potential controls over the MAC address table itself on the Transparent firewall.

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
