Arp Security Supported By The S3700 - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
ARP Attack Defense Policy
An attack defense policy should be deployed on the node nearest to the attack source to minimize
attack impact and improve attack defense efficiency.
l
l
l
The ARP attack defense techniques such as bidirectional binding prevent unauthorized users
from going online. These preventive measures are taken before an attack is initiated. If an attacker
thieves data of an authorized user, a lot of authorized users will be logged out. Such attacks can
be detected only after the authorized users are logged out. On most networks, ARP packet rate
is limited or CAR is configured to prevent such attacks. If such an attack still occurs, the measures
such as isolation and object-specific rate limit can be used.
The S3700 switch can prevent ARP attacks.
Positioning of ARP Attack Defense on the S3700
Hierarchical network security includes service-level security, network-level security, and
device-level security. Service-level security depends on the service security mechanisms and
non-blocking network construction. Network-level security depends on network traffic
classification and separation, association with clients and security control servers, and refined
control. Device-level security depends on the reliability design of the device. ARP attack defense
on the S3700 is a device-level security measure.

4.2 ARP Security Supported by the S3700

The ARP security features supported by the S3700 includes limitation on ARP entry learning,
ARP anti-spoofing, defense against ARP gateway attacks, suppression of ARP packets based
on the source address, suppression of ARP Miss packets based on the source address, defense
against ARP man-in-the-middle attacks, limitation on the transmission rate of ARP packets, and
ARP proxy on a VPLS network.
Limitation on ARP Entry Learning
You can configure the strict ARP entry learning so that the S3700 can learn only the response
messages of the ARP requests sent locally.
You can set the maximum number of ARP entries that can be dynamically learned by an
interface. This prevents malicious use of ARP entries and ensures that the S3700 can learn the
ARP entries of authorized users.
Issue 01 (2011-07-15)
The attacks aiming at user hosts have less impact. The user hosts can be installed with
antivirus software. When the software detects a fake gateway address, it clears the local
ARP cache, and sends ARP request packets.
To prevent the attacks aiming at routers, the techniques such as bidirectional binding and
active defense can be used on the routers. A router is the egress of the entire LAN, so the
ARP attacks aiming at the router actually attempt to attack the entire LAN. When the router
undergoes an ARP attack, the entire LAN is affected. Therefore, deploying ARP attack
defense policies on a router cannot completely prevent attacks.
All ARP packets are forwarded by switches; therefore, if a switch does not accept ARP
attack packets, the network will not be attacked.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
136