Laurent,

Thanks for your note. In reality IP Smartspoofing is no different than ARP cache poisoning so I'm not entirely sure why a new name was "invented". In this particular case one is able to prevent the following:

- key ports and corresponding MAC entries are hardcoded and secured (ie gateways). If there is a MAC violation, this is logged and the port is shut down. 9 times out of 10 if someone is performing ARP spoofing they will go for a device that is best connected so consider this a fly trap.

- host ports are protected by only allowing one MAC address on a port at any given time with a lag of 5 minutes for timeout. Yes a station can change its hardcoded MAC. This will allow them to see at most the traffic of one other host on the switch. Not perfect, but the odds are greatly reduced.

A couple of ways that come to mind for having complete protection are:

- have a method of detecting duplicate MAC addresses on a switch
- enable "sticky" ARP. This will keep end stations from being able to change their MAC address, but at a potentially high administrative burden.

I'll make a note of this option in the doc.

Cheers,
-- steve

-----Original Message-----
From: Laurent Licour [mailto:llicour@althes.fr]
Sent: Thursday, November 14, 2002 3:56 AM
To: bugtraq@securityfocus.com
Cc: 'Stephen Gill'
Subject: RE: Exploit code for IP Smart Spoofing

Your document is quite useful, but there is no way to protect against IP smartspoofing with a switch. Smartspoofing uses ARP cache poisoning of hosts. Using a switch, you can only protect against MAC spoofing as described in your document. You can also detect and refuse the plug of a new host on your network. But as it is possible to change the MAC address of hosts (at least Linux and Windows 2000), this protection is not very strong. You just have to replace a host by another.

One way to protect with switches could be the use of switches that are able to create their CAM entry with the PORT, the MAC and the IP (against PORT and MAC only for now). I think that only layer 3 switches are able to do such work. I have however no specific information about which switch supports this feature. Nortel Passport 8600 is supposed to do this with the IP filter feature (something like an ACL associated with each PORT).

In any case, this could protect only a LAN. If you put a source IP filtering rule that allows an external IP, you have no way to detect a spoofing connection. Only cryptography can help you (IPSec...)

Regards
Laurent Licour
llicour@althes.fr

-----Original Message-----
From: Stephen Gill [mailto:gillsr@yahoo.com]
Sent: Wednesday, November 13, 2002 20:33
To: 'Laurent Licour'; bugtraq@securityfocus.com
Subject: RE: Exploit code for IP Smart Spoofing

In order to mitigate this on edge switches it may behoove the network administrator to review his or her security policy and adhere to stricter guidelines. The following document suggests one method for protecting Cisco switches along with additional guidelines for secure configuration in a template format.

http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm

Comments or suggestions welcome.

-- steve
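As an added example, not code from either correspondent nor from the qorbit template: a small Python model of the controls discussed in the thread. It implements the two port-security rules Steve describes (a hardcoded MAC on gateway ports, where a mismatch is logged and the port shut down; one MAC at a time on host ports with a 5-minute timeout), his suggested duplicate-MAC detection, and the PORT/MAC/IP binding Laurent asks for, checked here against the sender fields of ARP replies. The port names, MAC and IP addresses and the binding table are constructed sample values, and the binding check is a hypothetical layer-3 feature rather than any vendor's implementation.

```python
from dataclasses import dataclass, field
from typing import Optional

HOST_MAC_TIMEOUT = 300.0   # the 5-minute "lag" from the thread, in seconds


@dataclass
class Port:
    name: str
    locked_mac: Optional[str] = None     # hardcoded MAC on key (gateway) ports
    learned_mac: Optional[str] = None    # the single MAC a host port currently allows
    last_seen: float = 0.0
    shutdown: bool = False
    # hypothetical PORT/MAC/IP binding table (IP -> MAC); empty means MAC-only port security
    ip_bindings: dict = field(default_factory=dict)


class SecureSwitch:
    """Toy model of the port-security behaviour described in the thread."""

    def __init__(self):
        self.ports = {}
        self.log = []

    def add_port(self, name, locked_mac=None, ip_bindings=None):
        self.ports[name] = Port(name, locked_mac=locked_mac,
                                ip_bindings=dict(ip_bindings or {}))

    def _note(self, ts, port, msg):
        self.log.append(f"t={ts:g} {port}: {msg}")

    def _active_elsewhere(self, port, mac, ts):
        """Return the name of another live port where this MAC is currently seen, or None."""
        for other in self.ports.values():
            if other is port or other.shutdown:
                continue
            if other.locked_mac == mac:
                return other.name
            if other.learned_mac == mac and ts - other.last_seen < HOST_MAC_TIMEOUT:
                return other.name
        return None

    def frame(self, port_name, src_mac, ts, arp=None):
        """Process one frame seen on a port at time ts. arp is an optional
        (sender_ip, sender_mac) pair from an ARP reply carried by the frame.
        Returns a status string; every decision is also written to self.log."""
        port = self.ports[port_name]
        if port.shutdown:
            self._note(ts, port_name, f"frame from {src_mac} dropped, port is shut down")
            return "dropped"

        if port.locked_mac is not None:
            # key port: any other source MAC is a violation; log it and shut the port
            if src_mac != port.locked_mac:
                port.shutdown = True
                self._note(ts, port_name, f"MAC violation {src_mac} != {port.locked_mac}; port shut down")
                return "violation"
        else:
            # host port: one MAC at a time, a new MAC is accepted only after the timeout
            if port.learned_mac not in (None, src_mac):
                if ts - port.last_seen < HOST_MAC_TIMEOUT:
                    self._note(ts, port_name, f"second MAC {src_mac} while {port.learned_mac} is active; dropped")
                    return "violation"
                self._note(ts, port_name, f"{port.learned_mac} aged out, relearning {src_mac}")
            port.learned_mac = src_mac
        port.last_seen = ts

        status = "ok"
        dup = self._active_elsewhere(port, src_mac, ts)
        if dup is not None:
            self._note(ts, port_name, f"duplicate MAC {src_mac} also active on {dup}")
            status = "duplicate-mac"

        # layer-3 binding check: the ARP sender fields must match what this port is bound to
        if arp is not None and port.ip_bindings:
            sender_ip, sender_mac = arp
            if port.ip_bindings.get(sender_ip) != sender_mac:
                self._note(ts, port_name, f"ARP reply {sender_ip} is-at {sender_mac} does not match port binding; rejected")
                return "arp-rejected"
        return status


# constructed sample addresses
GATEWAY_MAC = "00:00:5e:00:01:01"
HOST_A, HOST_B = "00:11:22:33:44:20", "00:11:22:33:44:30"


def run_scenario():
    """Replay a constructed sequence of frames and return (switch, list of statuses)."""
    sw = SecureSwitch()
    sw.add_port("Gi0/1", locked_mac=GATEWAY_MAC, ip_bindings={"10.0.0.1": GATEWAY_MAC})
    sw.add_port("Gi0/2", ip_bindings={"10.0.0.20": HOST_A})
    sw.add_port("Gi0/3", ip_bindings={"10.0.0.30": HOST_B})
    results = [
        sw.frame("Gi0/1", GATEWAY_MAC, 0),                         # ok
        sw.frame("Gi0/2", HOST_A, 1, arp=("10.0.0.20", HOST_A)),   # ok: reply matches binding
        sw.frame("Gi0/3", HOST_B, 2),                              # ok
        sw.frame("Gi0/3", HOST_B, 3, arp=("10.0.0.1", HOST_B)),    # arp-rejected: MAC fine, IP claim is not
        sw.frame("Gi0/3", HOST_A, 4),                              # violation: second MAC within timeout
        sw.frame("Gi0/2", HOST_A, 350),                            # ok: keeps HOST_A live on Gi0/2
        sw.frame("Gi0/3", HOST_A, 400),                            # duplicate-mac: aged out, relearned, but seen on Gi0/2
        sw.frame("Gi0/1", HOST_B, 401),                            # violation: gateway port shut down
        sw.frame("Gi0/1", GATEWAY_MAC, 402),                       # dropped: port stays shut
    ]
    return sw, results


if __name__ == "__main__":
    switch, _ = run_scenario()
    for line in switch.log:
        print(line)
```

The fourth frame is the case that separates the two messages: MAC-only port security is satisfied, because the station keeps its own MAC, and only the port's IP-to-MAC binding notices that the ARP reply claims the gateway's address. The seventh frame shows why Steve's duplicate-MAC check matters even with per-port limits: after the timeout a host port will relearn a MAC that is still live on another port, and only the cross-port comparison flags it.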