
How to protect an Instant WLAN from ARP attacks? What are the methods supported?

Aruba Employee

This article focuses on understanding and preventing ARP attacks on Aruba Instant™ Access Points running Aruba Instant™ 6.2.1.0-3.3.0.0 software.

ARP attacks (also known as Man-In-The-Middle [MITM] attacks) come in many forms and essentially allow an attacker to act as a proxy between the victim and any host the victim has established connections with. It is a form of active eavesdropping in which the attacker controls the conversation without the knowledge of the victim.

 

The configuration and verification steps mentioned in this article were tested on an IAP 105 running 6.2.1.0-3.3.0.0.

 

 

Environment: This article applies to all IAPs running a minimum OS version of 6.2.1.0-3.3.0.0.

 

Aruba Instant™ 6.2.1.0-3.3.0.0 Software protects WLAN against ARP attacks
 
You can configure firewall settings to protect the network against attacks using the Instant UI or CLI.
 
In the Instant UI
 
To configure firewall settings:
 
1. Click the Security link at the top right corner of the Instant main window.
 
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
 
3. To configure protection against security attacks, select the following check boxes:
     - Select Drop bad ARP to enable the IAP to drop fake ARP packets.
     - Select Fix malformed DHCP to enable the IAP to fix malformed DHCP packets.
     - Select ARP poison check to enable the IAP to trigger an alert notifying the user about ARP poisoning that may have been caused by rogue APs.
 
4. Click OK.
 
 
In the CLI
 
To configure firewall settings to prevent attacks:
 
(Instant Access Point)(config)# attack
(Instant Access Point)(ATTACK)# drop-bad-arp-enable
(Instant Access Point)(ATTACK)# fix-dhcp-enable
(Instant Access Point)(ATTACK)# poison-check-enable
(Instant Access Point)(ATTACK)# end
(Instant Access Point)# commit apply
 
Drop bad ARP - For an ARP packet received from Wi-Fi, if the ARP sender MAC address and the Ethernet source MAC address are different, the IAP drops the ARP packet and updates the dropped ARP counters.
 
ARP Poison check - ARP poisoning, a Man-In-The-Middle technique, is a very effective attack. Because a Man-In-The-Middle attack requires the attacker to be on the same network as the intended victims, the attack has to be initiated from inside the network. The AP checks for ARP poisoning and raises an alert.
 
Fix malformed DHCP - If the DHCP MAC address and the Ethernet destination MAC address don't match and the client is not in the AP's association table, the AP fixes the DHCP frame.
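
The Drop bad ARP comparison described above, written out as an added Python example (not Aruba's implementation and not code from the original article): it parses raw Ethernet frames and flags ARP packets whose sender MAC differs from the Ethernet source MAC. The function names, the counter keys and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_ARP, ETH_VLAN = 0x0806, 0x8100   # EtherTypes: ARP, 802.1Q tag

def check_arp_frame(frame: bytes) -> str:
    """Classify a raw Ethernet frame: 'not-arp', 'malformed', 'ok' or 'bad-arp'."""
    if len(frame) < 14:
        return "malformed"
    eth_src = frame[6:12]
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_VLAN:            # skip one 802.1Q tag if present
        if len(frame) < 18:
            return "malformed"
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_ARP:
        return "not-arp"
    arp = frame[offset:offset + 28]
    if len(arp) < 28:
        return "malformed"
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed"               # only Ethernet/IPv4 ARP handled here
    sender_mac = arp[8:14]               # sender hardware address field
    return "ok" if sender_mac == eth_src else "bad-arp"

def count_frames(frames):
    """Hypothetical counters in the spirit of 'arp packet' / 'drop bad arp packet'."""
    stats = {"arp": 0, "bad_arp": 0}
    for f in frames:
        verdict = check_arp_frame(f)
        if verdict in ("ok", "bad-arp"):
            stats["arp"] += 1
        if verdict == "bad-arp":
            stats["bad_arp"] += 1
    return stats

def build_arp(eth_src, sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed sample frame in memory (nothing is sent)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sender_mac + sender_ip + b"\x00" * 6 + target_ip

# Constructed sample data: locally administered MACs, RFC 5737 addresses.
STA = bytes.fromhex("020000000001")
GW = bytes.fromhex("0200000000fe")
SAMPLES = [
    build_arp(STA, STA, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])),  # consistent
    build_arp(STA, GW, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 20])),   # mismatch
]
```

Running `count_frames(SAMPLES)` counts two ARP frames, one of which fails the sender-MAC comparison.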
 
To view the configuration status:
 
(Instant Access Point)# show attack config
 
Current Attack
--------------
Attack        Status
------        ------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled

 
To view the attack statistics:
 
(Instant Access Point)# show attack stats
 
attack counters
--------------------------------------
Counter                         Value
-------                         -------
arp packet counter              10
drop bad arp packet counter     3
dhcp response packet counter    0
fixed bad dhcp packet counter   0
send arp attack alert counter   3
send dhcp attack alert counter  0
arp poison check counter        0
garp send check counter         0

Version history
Revision #: 1 of 1
Last update: 07-03-2014 08:47 PM