ARP-GUARD Fingerprinting

The importance of access control to corporate networks - primarily to ensure their security - is growing by the day. Various access control methods have established themselves in recent years. Access control per MAC (Media Access Control) address is a simple type of control.

If the requirements for fail-safe operation are not particularly stringent, a reactive variant of this method can be integrated into the network using SNMP (Simple Network Management Protocol). RADIUS, on the other hand, is a proactive alternative for environments where fail-safe operation is required, though it depends on state-of-the-art routers and switches. The IEEE's 802.1X is an international standard based on protocols such as RADIUS.

The benefit of 802.1X is that it allows the use of cryptographic protocols for authentication and possibly for encryption as well, which makes it very secure in WLAN environments. It is generally known that MAC addresses can be easily tampered with. As a consequence, they provide a rather low level of access protection. Less well known is that 802.1X is equally insecure in the LAN, as the lack of encryption there makes it vulnerable to session hijacking. Moreover, many end devices and switches are still not 802.1X compliant. Even with modern, 802.1X-compliant end devices, the effort required to implement access control is very high, because certificates have to be generated and rolled out, often on a device-by-device basis.

At this point, at the latest, the question arises whether this effort is really necessary: why not instead use the cryptographic certificates or keys already present on most end devices? The experts at ISL GmbH have already developed a fingerprinting tool for ARP-GUARD which searches for keys/certificates on end devices and downloads them to its database, where they are stored as reference values. Afterwards, when an end device is actively connected to the network, one of its public keys or certificates is fetched and compared with the reference value in the database. If the values differ, the device is removed from the network. In principle, fingerprinting, like 802.1X, is susceptible to session hijacking. The difference here, though, is that it is possible to check for compliance with other conditions as well (based on IP addresses, for example). For end devices with no cryptographic methods, simple fingerprints built from specific device properties can provide a level of security far exceeding that offered by MAC address checking.
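The enrollment-and-verification loop described above, as an added example in Python (not ARP-GUARD's own code): a reference store keyed by MAC address holds either a SHA-256 fingerprint of the device's DER-encoded public key or certificate or, for devices without key material, a fingerprint over a canonical rendering of observed device properties, optionally together with an IP binding. On reconnection the presented material is fingerprinted again and compared; any mismatch, missing key, unbound IP or unknown MAC yields a quarantine verdict. It assumes the key or certificate has already been fetched from the end device (for example during a TLS or SSH handshake) and is handed in as DER bytes; the `FingerprintDB`, `enroll` and `check` names, the placeholder key bytes and the printer properties are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW = "allow"
QUARANTINE = "quarantine"


def key_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of a public key or certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def property_fingerprint(props: Dict[str, str]) -> str:
    """Fallback for devices without key material: hash a canonical, sorted
    rendering of observed device properties so key order does not matter."""
    canonical = "\n".join(f"{k}={props[k]}" for k in sorted(props))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Reference:
    mac: str
    key_fp: Optional[str] = None        # set when the device has a key/certificate
    prop_fp: Optional[str] = None       # fallback fingerprint when it has none
    allowed_ips: Set[str] = field(default_factory=set)  # optional IP binding


class FingerprintDB:
    """Reference store keyed by lower-cased MAC (hypothetical, for this example)."""

    def __init__(self) -> None:
        self._refs: Dict[str, Reference] = {}

    def enroll(self, mac: str, der: Optional[bytes] = None,
               props: Optional[Dict[str, str]] = None,
               ips: Tuple[str, ...] = ()) -> Reference:
        """Store the reference values captured while the device is trusted."""
        if der is None and props is None:
            raise ValueError("enrollment needs a key/certificate or device properties")
        ref = Reference(
            mac=mac.lower(),
            key_fp=key_fingerprint(der) if der is not None else None,
            prop_fp=property_fingerprint(props) if props is not None else None,
            allowed_ips=set(ips),
        )
        self._refs[ref.mac] = ref
        return ref

    def check(self, mac: str, ip: str, der: Optional[bytes] = None,
              props: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
        """Verdict for a device seen on the network, with the reason."""
        ref = self._refs.get(mac.lower())
        if ref is None:
            return QUARANTINE, "unknown device: no reference fingerprint"
        if ref.key_fp is not None:
            # A device enrolled with key material must present it again; a bare
            # MAC match is exactly what a spoofed address would give us.
            if der is None:
                return QUARANTINE, "no key/certificate presented"
            if not hmac.compare_digest(key_fingerprint(der), ref.key_fp):
                return QUARANTINE, "key fingerprint mismatch"
        else:
            if props is None or not hmac.compare_digest(property_fingerprint(props), ref.prop_fp):
                return QUARANTINE, "device property fingerprint mismatch"
        if ref.allowed_ips and ip not in ref.allowed_ips:
            return QUARANTINE, f"IP {ip} not bound to this device"
        return ALLOW, "fingerprint and IP binding match"


# Constructed placeholder byte strings standing in for DER-encoded public keys;
# they are not real keys. The printer properties are constructed as well.
KEY_SERVER_A = b"\x30\x59\x30\x13CONSTRUCTED-KEY-A"
KEY_OTHER_HOST = b"\x30\x59\x30\x13CONSTRUCTED-KEY-B"
PRINTER_PROPS = {"os": "embedded", "hostname": "prn-01", "services": "9100/tcp,631/tcp"}


def demo() -> List[str]:
    """Run the reference scenarios and return the verdicts in order."""
    db = FingerprintDB()
    db.enroll("00:11:22:33:44:55", der=KEY_SERVER_A, ips=("10.0.0.10",))
    db.enroll("66:77:88:99:AA:BB", props=PRINTER_PROPS)
    return [
        db.check("00:11:22:33:44:55", "10.0.0.10", der=KEY_SERVER_A)[0],    # same key, bound IP
        db.check("00:11:22:33:44:55", "10.0.0.10", der=KEY_OTHER_HOST)[0],  # same MAC, other key
        db.check("00:11:22:33:44:55", "10.0.0.99", der=KEY_SERVER_A)[0],    # IP binding violated
        db.check("00:11:22:33:44:55", "10.0.0.10")[0],                      # key not presented
        db.check("66:77:88:99:aa:bb", "10.0.0.20", props=PRINTER_PROPS)[0], # property fallback
        db.check("66:77:88:99:aa:bb", "10.0.0.20", props={**PRINTER_PROPS, "os": "linux"})[0],
        db.check("de:ad:be:ef:00:01", "10.0.0.30", der=KEY_SERVER_A)[0],    # never enrolled
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The comparison uses `hmac.compare_digest` so that verification time does not depend on how many leading bytes of the fingerprint match, and the MAC is only a lookup key, never evidence on its own: a host that copies an enrolled MAC but cannot present the enrolled key or property set is quarantined, which is the property-based fallback the text describes for devices without cryptographic material.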

Fingerprinting is implemented in ARP-GUARD itself and has been activated in many corporate networks, including the networks of 80 Sparkassen (savings banks) in Germany, for whom a high level of security is of paramount importance.

Network Access Control

  • RADIUS / 802.1X / EAP with and without certificate
  • MAC authentication
  • Central port security system
  • Ticket system for guests with self-registration

VLAN management

  • Segregation of production areas
  • Dynamic and static allocation
  • Guest and quarantine area
  • User-defined rules

Layer 2 IPS

Protection from the dangers posed by:

  • Man-in-the-middle attacks
  • ARP poisoning
  • MAC flooding
  • MAC spoofing
  • IP spoofing

Network Manager

  • Current inventory lists of all end devices (IP, MAC, port)
  • Topology diagram
  • Changes to addresses or allocations logged
  • User-defined reporting
  • DHCP server queries

Endpoint Security

  • Monitoring of the individual end devices for operating system and AV update status
  • Quarantine management
  • No client software on the end devices!