Network security – how safe is your network? Looking at ARP
A while back I did a network security series and one of the points that I mentioned was that it’s important to know what is normal for your network. In other words, what machines are NORMALLY connected, what services are normally running, etc. Well, I’m about to start a serious look at something that makes this knowledge essential and that may have some rethinking whether or not it’s wise to run an open wireless access point on the same network as their traditional LAN.
Let’s start out by trying to clarify some terms and get a background on the info we need to understand the upcoming articles. I’ve mentioned ARP before… Arp is short for Address Resolution Protocol. It might best be thought of the “glue” that connects the hardware layer of a network interface, to the software layer of TCP/IP…. On most TCP IP networks, we have addresses such as this…. 192.168.0.1 192.168.0.2 etc…. these two addresses are considered to be within the same subnet. Typically, 192.168.1.1 and 192.168.1.2 would be in a different subnet than the addresses above.
These addresses are just that, an address or an abstraction of how to find a machine on a network. We need a way to find out what physical hardware address is connected to 192.168.0.1 or 192.168.0.2… that’s where ARP comes in… it maps the IP address to the MAC address which is a unique identifier given to each piece of network hardware. (Media Access Control is what MAC stands for.) So, you might find that 192.168.0.1 maps to 00:40:F4:14:07:20
ARP requests and lookups can only work within a subnet, they cannot route from one network to another.