Agenda • Why IP address and MAC address • How packets are delivered through the network • The address resolution mechanism (ARP) and how it works • Vulnerabilities and cyberattacks to ARP • Defense by network security Dynamic ARP Inspection • Korenix products with advanced cybersecurity features

1. Essential Protection for
The Fundamental of IP
Networking
JJ Sun
PSM

2. Agenda
• Why IP address and MAC address
• How packets are delivered through the network
• The address resolution mechanism (ARP) and how it works
• Vulnerabilities and cyberattacks to ARP
• Defense by network security – Dynamic ARP Inspection
• Korenix products with advanced cybersecurity features

3. Fundamental But Insecure
MAC
IP
TCP / UDP
Applications

4. IP Address vs. MAC Address
MAC Address
(Media Access Control Address)
• Unique hardware identifier
• Unchangeable
• Used for communication
on a specific type of
network media and within
a network segment
IP Address
(Internet Protocol Address)
• Logical network address
• Configurable by user
• Used for inter-network
communication, to find the
route through the network
from sender to receiver

5. How It Works
Sender IP: IPsupport
Receiver IP: IPPLC
Sender IP: IPsupport
Receiver IP: IPPLC
Sender IP: IPsupport
Receiver IP: IPPLC
Sender IP: IPsupport
Receiver IP: IPPLC
Sender MAC: MACSupport
Receiver MAC: MACA
Sender MAC: MACA
Receiver MAC: MACB
Sender MAC: MACB
Receiver MAC: MACC
Sender MAC: MACC
Receiver MAC: MACPLC
Router A Router B Router C
Support
IPsupport
MACsupport
PLC
IPPLC
MACPLC
Network segment A
Ethernet
B
FDDI
C
Token Ring
D
Wifi

6. Address Resolution
• ARP (Address Resolution Protocol), a
critical mechanism in IP networking to
find out the mapping between a MAC
address and an IP address
…
IPIP Address →
MAC Address →

7. ARP REQUEST (broadcast)
To everyone,
I am MAC1, IP1. What is the MAC of IP3 ?
How ARP Works
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5
IP MACIP MACIP MAC IP MAC
Port MAC
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
Port MAC
1 MAC1
Sender IP: IP1
Receiver IP: IP3
Sender MAC: MAC1
Receiver MAC: ?
MAC address table
ARP table

8. How ARP Works
ARP RESPONSE (unicast)
To IP1:
I am IP3, and my MAC is MAC3
IP MACIP MACIP MAC IP MAC
Port MAC
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
IP MAC
IP3 MAC3
IP MAC
IP1 MAC1
Port MAC
1 MAC1
Port MAC
1 MAC1
3 MAC3
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5
Sender IP: IP1
Receiver IP: IP3
Sender MAC: MAC1
Receiver MAC: ?

9. How ARP Works
IP MACIP MACIP MAC IP MAC
Port MAC
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
IP MAC
IP3 MAC3
IP MAC
IP1 MAC1
Port MAC
1 MAC1
Port MAC
1 MAC1
3 MAC3
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5
Sender IP: IP1
Receiver IP: IP3
Sender MAC: MAC1
Receiver MAC: MAC3

10. Gratuitous ARP
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
IP MAC
IP3 MAC3
IP MAC
IP1 MAC1
Port MAC
1 MAC1
3 MAC3
IP MAC
IP3 MAC3
IP4 MAC4
IP MAC
IP1 MAC1
IP4 MAC4
IP MAC
IP1 MAC1
IP4 MAC4
ARP RESPONSE (broadcast)
This is IP4, MAC4
Port MAC
1 MAC1
3 MAC3
4 MAC4
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5

11. Vulnerabilities and Cyberattacks
• ARP spoofing
• Hijacking attack
• DoS attack
• Man-In-The-Middle attack
• Broadcasting
• No encryption
• No validation
• No authentication

12. Host X
IPx
MACx
ARP Spoofing
IP MAC
IP3 MAC3
IP MAC
IP3 MAC3
IP4 MAC4
ARP RESPONSE (broadcast)
This is IP1, MACx
Port MAC
1 MAC1
3 MAC3
4 MAC4
IP MAC
IP1 MAC1
IP MAC
IP1 MACx
Port MAC
1 MAC1
3 MAC3
4 MAC4
5 MACx
IP MAC
IP1 MAC1
IP4 MAC4
IP MAC
IP1 MAC1
IP4 MAC4
IP MAC
IP1 MACx
IP4 MAC4
IP MAC
IP1 MACx
IP4 MAC4
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5

13. Hijacking Attack
IP MAC
IP3 MAC3
IP MAC
IP3 MAC3
IP4 MAC4
Port MAC
1 MAC1
3 MAC3
4 MAC4
IP MAC
IP1 MAC1
IP MAC
IP1 MACx
Port MAC
1 MAC1
3 MAC3
4 MAC4
5 MACx
IP MAC
IP1 MAC1
IP4 MAC4
IP MAC
IP1 MAC1
IP4 MAC4
IP MAC
IP1 MACx
IP4 MAC4
IP MAC
IP1 MACx
IP4 MAC4
Host X
MACx
IPx
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5
Sender IP: IP3
Receiver IP: IP1
Sender MAC: MAC3
Receiver MAC: MACx

14. Denial-of-Service Attack
IP MAC
IP3 MAC3
IP MAC
IP3 MAC3
IP4 MAC4
Port MAC
1 MAC1
3 MAC3
4 MAC4
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
IP4 MAC4
IP MAC
IP1 MAC1
IP4 MAC4
Host X
IPx
MACx
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
Switch
IP5
MAC5
ARP RESPONSE (broadcast)
This is IP2, MAC1
This is IP3, MAC1
This is IP4, MAC1
…
IP MAC
IP1 MAC1
IP2 MAC1
IP3 MAC1
IP4 MAC1
… MAC1
IP MAC
IP1 MAC1
IP2 MAC1
IP3 MAC1
IP4 MAC1
… MAC1
IP MAC
IP1 MAC1
IP2 MAC1
IP3 MAC1
IP4 MAC1
… MAC1
IP MAC
IP1 MAC1
IP2 MAC1
IP3 MAC1
IP4 MAC1
… MAC1
Port MAC
5 MAC1
3 MAC3
4 MAC4

15. Attacks vs Defenses
ATTACKS
Arpspoof
Arpoison
ArpSpyX
ArpToXin
arpmitm
cSploit
Subterfuge
Seringe
zANTI
….
DEFENSES
AntiARP
Antidote
Arpalert
ArpON
ArpGuard
ArpStart
Panda Security
remarp
Winarpwatch
….PLC I/O Drive Sensor
HMI IPCWorkstation
Camera Reader
Laptop
Switch

16. Dynamic ARP Inspection
• DAI (Dynamic ARP Inspection)
A network security feature
inspects ARP, validates its
contain, rejects invalid and
malicious ones to prevent
ARP spoofing.

17. How DAI Works
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
IP MACIP MACIP MAC IP MAC
!
!
!
Port IP MAC
1 IP1 MAC1
2 IP2 MAC2
3 IP3 MAC3
4 IP4 MAC4
Port MAC
!
Untrusted ports
Trusted database

18. How DAI Works
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
IP MACIP MACIP MAC IP MAC
Port MAC
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
IP MAC
IP1 MAC1
!
!
!
Port IP MAC
1 IP1 MAC1
2 IP2 MAC2
3 IP3 MAC3
4 IP4 MAC4
!
ARP
I am MAC1, IP1
Port MAC
1 MAC1

19. Host X
IPx
MACx
!
!
!
How DAI Works
ARP
I am MACx, IP1
I/O
IP2
MAC2
HMI
IP1
MAC1
PLC
IP3
MAC3
Gateway
IP4
MAC4
IP MACIP MACIP MAC IP MAC
Port MAC
!
Port IP MAC
1 IP1 MAC1
2 IP2 MAC2
3 IP3 MAC3
4 IP4 MAC4

20. JetNet with Dynamic ARP Inspection
Din-Rail switches
Layer 2
• JetNet 5612G
• JetNet 5620G
Rackmount switches
Layer 2
• JetNet 5428G
• JetNet 6528G
• JetNet 6628G
• JetNet 6628X
Layer 3
• JetNet 7014G
• JetNet 7020G
Layer 3
• JetNet 6828G
• JetNet 7628X

21. JetPoE with Dynamic ARP Inspection
Din-Rail switches
Layer 2
• JetNet 5612GP
• JetNet 5620GP
Rackmount switches
Layer 2
• JetNet 5728G-16P
• JetNet 5728G-24P
• JetNet 6628XP
Layer 3
• JetNet 7310G
• JetNet 7714G
Layer 3
• JetNet 6728G-16P
• JetNet 6728G-24P
• JetNet 7628XP

22. Configuration
Web
Entry
Enable
Dynamic ARP Inspection
Assign
Trusted/Untrusted Ports

23. ARP Filters (DHCP Snooping)
Web
Configuration
Enable
DHCP Snooping
Address
Binding Table

24. ARP Filters (Manually)
ARP Filter
Add/Remote
ARP Filter
Rule Setting
Web Entry

25. Statistics
Web Entry Statistics Table

26. Event Warning
Enable
Event Warning
Web Entry

27. Summary
• ARP is one of the most fundamental mechanism of IP networking, but is
insecure by nature. Malicious user can simply hack a network without
advanced skills.
• Defense by network security is a more practical approach to protect ARP.
Network switches with Dynamic ARP Inspection help protect the system
against ARP spoofing, reduce hijacking, DoS, man-in-the-middle attacks.
• Addressing IEC62443 the security standard, Korenix has implemented
Dynamic ARP Inspection which helps to secure the most fundamental
network operation