Some NAC vendors rely on a network attack technique known as ARP poisoning (also called ARP spoofing) to keep endpoints from gaining network access. While it works in practice, it’s a bad idea for a number of reasons. To explain why, we first need to look at what ARP is, and how ARP poisoning can be used to limit endpoint access to your network.
What’s ARP?
Address Resolution Protocol (ARP) is a network protocol that maps layer 3 addresses (IPv4 addresses) to layer 2 addresses (MAC addresses). When an endpoint needs to know which MAC address to put on a frame bound for a host on the local network, it broadcasts an ARP request on that network to find out.
Because ARP is designed to facilitate communication between two devices on the same physical network, ARP packets never leave the local broadcast domain (the layer 2 segment, usually one IP subnet). ARP is not routed, so an ARP packet cannot cross a router to another network. (A router running proxy ARP may answer on behalf of hosts that sit elsewhere, but the ARP packets themselves still stay on the local segment.)
Endpoints broadcast, to all devices in the same layer 2 subnet, the question:
“Who has IP www.xxx.yyy.zzz?”
The device on that segment that owns the IP address replies, unicast to the asker, saying:
“MAC address AA:BB:CC:DD:EE:FF has IP www.xxx.yyy.zzz”
This lets the endpoint fill in the destination MAC address of outgoing IP packets (frames carrying layer 3 or higher traffic), and it lets hardware that doesn’t understand IP addresses, such as switches, forward the frame out the right port. (A hub doesn’t look at addresses at all; it simply repeats every frame to every port.)
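The request and reply described above, as an added example (not code from the original article or from any NAC vendor): it builds and decodes RFC 826 ARP frames for Ethernet/IPv4 with nothing but the standard library, and plays both sides of the exchange. The hosts, addresses and the 10.1.2.0/24 segment are constructed for the example; the gateway entry reuses the addresses from the ARP table shown later on this page.

```python
import socket
import struct

ETH_P_ARP = 0x0806        # EtherType for ARP
HTYPE_ETHERNET = 1        # ARP hardware type: Ethernet
PTYPE_IPV4 = 0x0800       # ARP protocol type: IPv4
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FRAME_LEN = 14 + 28   # Ethernet II header + ARP packet for 6-byte MACs / 4-byte IPs


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an ARP packet.

    A request is sent to the broadcast MAC so every host on the segment sees it;
    a reply goes straight back (unicast) to the asker.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth_hdr = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp_hdr = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp_body = (mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
                + mac_to_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth_hdr + arp_hdr + arp_body


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an ARP frame into its fields; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < ARP_FRAME_LEN:
        raise ValueError("frame too short for Ethernet/IPv4 ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(eth_dst),
        "eth_src": bytes_to_mac(eth_src),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": socket.inet_ntoa(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": socket.inet_ntoa(body[16:20]),
    }


def describe(fields: dict) -> str:
    """Render a parsed ARP packet the way tcpdump prints it."""
    if fields["op"] == ARP_REQUEST:
        return f"Who has {fields['target_ip']}? Tell {fields['sender_ip']}"
    return f"{fields['sender_ip']} is at {fields['sender_mac']}"


def arp_exchange(asker_mac, asker_ip, queried_ip, segment):
    """Play both sides of the exchange on one layer 2 segment.

    `segment` maps IP -> MAC for every host on the segment. Every host receives
    the broadcast request, but only the owner of the queried IP replies.
    Returns (request_frame, reply_frame); reply_frame is None if nobody owns the IP.
    """
    request = build_arp_frame(ARP_REQUEST, asker_mac, asker_ip, ZERO_MAC, queried_ip)
    reply = None
    for host_ip, host_mac in segment.items():
        q = parse_arp_frame(request)          # each host decodes the same broadcast
        if q["op"] == ARP_REQUEST and q["target_ip"] == host_ip:
            reply = build_arp_frame(ARP_REPLY, host_mac, host_ip, q["sender_mac"], q["sender_ip"])
    return request, reply


# Constructed segment for the example: the gateway from the ARP table below plus one more host.
SEGMENT = {"10.1.2.1": "00:26:b9:87:43:aa", "10.1.1.1": "00:19:b9:ef:21:dc"}

if __name__ == "__main__":
    req, rep = arp_exchange("00:11:22:33:44:55", "10.1.2.50", "10.1.2.1", SEGMENT)
    print(describe(parse_arp_frame(req)))   # Who has 10.1.2.1? Tell 10.1.2.50
    print(describe(parse_arp_frame(rep)))   # 10.1.2.1 is at 00:26:b9:87:43:aa
```

Note that nothing in either frame proves the reply really came from the owner of 10.1.2.1: the parser checks lengths and address types, but there is no field it could check for authenticity. That absence is the whole basis of ARP poisoning.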
There you go, that’s ARP: simple. So the next time you hear someone talking about ARP’ing a host, you’ll know what they’re saying.
ARP is all well and good, but when you’re sending thousands or millions of packets on a network, you don’t want to ask that same question for every packet you create. Network communication would slow to a crawl if every host had to do that for every outbound packet. To solve this, endpoints keep what’s called an ARP table (ARP cache). It lets them remember the answers to those requests so they can be reused, with entries aged out after a timeout so stale mappings don’t linger.
An ARP table simply looks like:
- (10.1.2.1) at 00:26:b9:87:43:aa (ether) on eth2
- (10.1.1.1) at 00:19:b9:ef:21:dc (ether) on eth2
Each entry links an IP address (10.1.2.1) with a MAC address (00:26:b9:87:43:aa) on a physical network adapter (eth2); “ether” is the hardware type. ARP tables can be very small on some networks, or very large, in the thousands of entries. The next time the host needs to send a packet to IP 10.1.2.1, it looks up the MAC address in its ARP table and uses that, without asking the network again.
Why is ARP Poisoning Inherently Bad?
ARP poisoning is a network attack that abuses a design weakness of ARP: requests and replies carry no authentication, so any host can claim any IP address, and most network stacks will accept a reply they never asked for (an unsolicited or gratuitous reply) and overwrite the matching cache entry. An attacker uses this to redirect traffic meant for one location (say a network gateway) to the attacker’s own host. Some NAC products use exactly this technique to funnel traffic through themselves for purposes of access control.
At a very basic level, when an endpoint asks for the MAC address of, say, your network gateway, the NAC appliance answers with its own MAC address before the real gateway does, or simply keeps sending unsolicited replies claiming the gateway’s IP. This causes (most) endpoints to send their traffic to the NAC appliance rather than to your gateway, which lets the appliance decide whether to pass the endpoint’s traffic on to other resources or drop it. The “most” matters: an endpoint with a static ARP entry for the gateway, or a stack that ignores unsolicited replies, will keep talking to the real gateway and never see the appliance at all.
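The cache behaviour this relies on, and the check a defender would run against it, as an added example (not code from the original article or from any NAC product): a minimal model of a host ARP cache fed a constructed stream of replies in which an appliance claims the gateway’s IP, plus an arpwatch-style detector that flags the change. The appliance MAC, the reply sequence and the “solicited” flag are constructed for the example; the gateway addresses come from the ARP table shown above.

```python
GATEWAY_IP = "10.1.2.1"
GATEWAY_MAC = "00:26:b9:87:43:aa"
NAC_MAC = "00:0c:29:aa:bb:cc"   # hypothetical MAC of a NAC appliance on the same segment

# Constructed sequence of ARP replies as one endpoint would see them on the wire.
# Each entry is (sender_ip, sender_mac, solicited); solicited is True only when the
# endpoint had an outstanding request for that IP.
OBSERVED_REPLIES = [
    (GATEWAY_IP, GATEWAY_MAC, True),      # real gateway answers the endpoint's request
    ("10.1.1.1", "00:19:b9:ef:21:dc", True),
    (GATEWAY_IP, NAC_MAC, False),         # unsolicited reply: the appliance claims the gateway IP
    (GATEWAY_IP, NAC_MAC, False),         # repeated periodically to keep the entry poisoned
]


class ArpCache:
    """Minimal model of a host ARP cache.

    The default mirrors most stacks: any reply, solicited or not, overwrites the
    entry for its sender IP. `accept_unsolicited=False` models a stricter stack.
    Entries in `static` are pinned (what `arp -s` or `ip neigh ... nud permanent`
    does on the real system) and are never updated from the wire.
    """

    def __init__(self, static=None, accept_unsolicited=True):
        self.table = dict(static or {})
        self.static = set(static or {})
        self.accept_unsolicited = accept_unsolicited

    def on_reply(self, sender_ip, sender_mac, solicited):
        """Return True if the reply changed the cache."""
        if sender_ip in self.static:
            return False
        if not solicited and not self.accept_unsolicited:
            return False
        self.table[sender_ip] = sender_mac
        return True

    def lookup(self, ip):
        return self.table.get(ip)


def gateway_mac_after(replies, static=None, accept_unsolicited=True):
    """Feed the reply stream through a cache and return the MAC the endpoint now uses for its gateway."""
    cache = ArpCache(static, accept_unsolicited)
    for ip, mac, solicited in replies:
        cache.on_reply(ip, mac, solicited)
    return cache.lookup(GATEWAY_IP)


def watch_replies(replies, pinned=None):
    """arpwatch-style check over the same stream.

    Alerts when an IP's MAC flips from what was seen before, and when a reply
    for a pinned IP (e.g. the known gateway) carries the wrong MAC.
    Returns the list of alert strings.
    """
    pinned = dict(pinned or {})
    seen = {}
    alerts = []
    for ip, mac, _solicited in replies:
        expected = pinned.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ip} claimed by {mac}, expected {expected}")
        previous = seen.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} flipped from {previous} to {mac}")
        seen[ip] = mac
    return alerts


if __name__ == "__main__":
    print("default stack  ->", gateway_mac_after(OBSERVED_REPLIES))
    print("static entry   ->", gateway_mac_after(OBSERVED_REPLIES, static={GATEWAY_IP: GATEWAY_MAC}))
    print("no unsolicited ->", gateway_mac_after(OBSERVED_REPLIES, accept_unsolicited=False))
    for alert in watch_replies(OBSERVED_REPLIES, pinned={GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", alert)
```

On a real host the equivalent of `lookup` is `ip neigh show` (or `arp -a`), and the equivalent of `static` is `ip neigh replace 10.1.2.1 lladdr 00:26:b9:87:43:aa dev eth2 nud permanent`. The two stricter cache modes are the reason a NAC built on ARP poisoning cannot guarantee coverage: the endpoints it most needs to control are exactly the ones free to ignore it.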
While it can work, most security experts frown on using an attack technique to achieve a functional goal. It’s little different from saying: I need to get onto your laptop, so I’m going to exploit a vulnerability to get there, so that I can provide you some level of value without you having to spend your time installing an agent or giving me a login. You wouldn’t tolerate that behavior on your laptop, so why tolerate it on your network?