Hi guys,
How can I block man-in-the-middle attacks like ARP spoofing?
I also want to block any possibility of bypassing the firewall and proxy, and for this I’ve blocked all VPN services and access to proxy sites.
What are you worried about? If you want to manage clients in the network, just run them through the proxy; you could also have a public network and a private one. Not sure I understand what you are trying to do.
Thanks a lot!
It’s the first time that I use this technique… can you explain to me what they do and how I can configure them?
It’s a network of 200 computers… what can I use? Static ARP or arptables/arprules?
Static ARP gives the ARP table fixed entries.
Arptables/arprules act on a low level, like firewall rules, and only allow defined MAC addresses.
With 200 clients, ARP entries may be a lot of work… What is the goal of your students when doing their ARP spoofing? Are you sure it’s not a faulty network device?
OK, so blocking ARP spoofing when someone is on the network is basically impossible without advanced hardware, or, if you have time, set up static IP addresses along with static ARP. If it’s through a router, set a static ARP entry for the router; it makes it harder, but it’s still possible to poison manually. Trust me, as someone who’s done this, it’s quite hard to block ARP spoofing or a lot of things. Once you let someone on the network you just need to force SSL and monitor constantly. There are switches you can get; ARP stuff would be on the switch, so a good switch should have options to prevent ARP spoofing, private VLANs etc. I know Cisco makes them, I’m sure others do as well. Expensive, but you pay for security.
I don’t use these prevention methods in my networks, so I only know the theory; I just found them by doing some research.
For a static ARP table you’ll need to enter all your client MAC addresses in the ARP table as described in the link I posted.
But as @Jclendineng pointed out, it’s a lot of work with static IP/MAC mapping and you’re still not safe. As long as the students are just playing and there are no problems, it’s maybe not worth the effort.
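The posts above boil down to two things: keep a fixed IP-to-MAC mapping (static ARP) and monitor constantly. The following is an added example, not code from anyone in this thread, showing how the monitoring half works at the packet level: it parses raw Ethernet/ARP frames, keeps a table of the sender bindings it has seen, seeds that table with a static mapping for critical hosts (the gateway, in the spirit of the "static ARP for the router" advice), and raises an alert whenever an IP is suddenly claimed by a different MAC. All addresses and frames are constructed for the demo; on a real host the frames would come from a raw socket or a pcap feed instead of `build_arp_frame`.

```python
"""ARP monitor: parse Ethernet/ARP frames and flag IP-to-MAC binding changes.

Added example (not from the thread). Addresses and frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpEvent:
    """The sender binding advertised by one ARP packet."""
    opcode: int
    sender_mac: str
    sender_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def parse_arp_frame(frame: bytes) -> Optional[ArpEvent]:
    """Return the sender binding from an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ArpEvent(opcode, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa))


class ArpMonitor:
    """Track IP->MAC bindings seen on the wire and alert on any change (arpwatch-style)."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None):
        self.bindings: Dict[str, str] = dict(static_bindings or {})  # ip -> mac
        self.static = set(self.bindings)  # ips that must never change
        self.alerts: List[str] = []

    def observe(self, event: ArpEvent) -> Optional[str]:
        known = self.bindings.get(event.sender_ip)
        if known is None:
            self.bindings[event.sender_ip] = event.sender_mac  # first sighting: learn it
            return None
        if known == event.sender_mac:
            return None
        kind = "static binding violated" if event.sender_ip in self.static else "binding changed"
        alert = f"{kind}: {event.sender_ip} was {known}, now {event.sender_mac} (opcode {event.opcode})"
        self.alerts.append(alert)
        return alert


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a raw Ethernet+ARP frame. Only used here to construct sample traffic for the demo."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_to_bytes(target_mac)
    eth = dst + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


# Constructed lab addresses (not real hosts).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
CLIENT_IP, CLIENT_MAC = "10.0.0.50", "00:11:22:33:44:50"
ROGUE_MAC = "de:ad:be:ef:00:01"


def run_demo() -> List[str]:
    """Feed a constructed frame sequence through the monitor and return the alerts raised."""
    monitor = ArpMonitor(static_bindings={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        build_arp_frame(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", GATEWAY_IP),  # normal lookup
        build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),           # genuine reply
        b"\xff" * 6 + mac_to_bytes(CLIENT_MAC) + struct.pack("!H", 0x0800) + b"\x00" * 40,    # IPv4, ignored
        build_arp_frame(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),             # gateway spoofed
        build_arp_frame(ARP_REPLY, "00:11:22:33:44:77", "10.0.0.77", CLIENT_MAC, CLIENT_IP),  # new host learned
        build_arp_frame(ARP_REPLY, "00:11:22:33:44:78", "10.0.0.77", CLIENT_MAC, CLIENT_IP),  # learned host moved
    ]
    for frame in frames:
        event = parse_arp_frame(frame)
        if event is not None:
            monitor.observe(event)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT", line)
```

The static seed is what turns "the gateway's MAC changed" from a curiosity into a definite alert; for the other 200 clients the monitor simply learns the first binding it sees and reports later changes, which is noisier (DHCP reassignments will show up) but needs no per-host configuration. This complements, rather than replaces, switch-side protections such as the dynamic ARP inspection the later posts allude to: the monitor only observes, it cannot stop the poisoned reply from reaching the client.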
ArpON won’t work most likely; most people find it doesn’t do too much, but it doesn’t hurt to try. Best bet is a switch, but I’ll think of some other ideas when I get home today.
For schools and other similar “public” institutions, VLANs can be your friend.
I’ve been entrusted with the job of “protecting” public higher-level schools from “wise guy” students, and also from other students who think copy-pasting from Google makes them a “guru”. Better (or worse) script kiddies…
But as mentioned before: You NEED good switches (pricey), but combining VLANs, restrictive proxies and firewalls (even between your subnets!) can help solve the problem.
The BIG difference in a “public” institution like a school / university is that you can’t just fire / reprimand someone who’s misusing the infrastructure; you have to make it break-proof and basically bullet-proof and tamper-proof everything. This also means basic access: Locked IT rooms!
I’ve had such institutions dish out thousands for security, only to leave doors and server racks open. Not really practical…
Off-Topic:
A “wise guy” even stole the school’s WLAN AP in the cafeteria, ending the free WLAN for all for quite some time (till the new budget almost a year later). The AP was actually hidden in the ceiling, not that easily accessible…
I can attest to this. Being a student at one point, I try to always think how I would break something if I were wanting to… and protect against that. It’s hard though: without a good bit of money, the best bet is to monitor the heck out of the network and feel free to kick (think of it as a temp-ban), but monitoring takes time, and there are not a lot of options. When giant corporations can’t keep secure, with all that money, there’s always a way through. Always a good principle to remember.