We are launching a new wireless network, with the Mikrotik at the headend (internet connection) set as a HotSpot.
Users obviously have to authenticate first before gaining access to the internet. So my question is, is there a realistic threat of this model for having problems with Arp Poisoning? If so, how can I be pro-active and implement settings, permissions, etc. to thwart this from happening on my network?
I ultimately don't want any 2 people on my network to scan the network and see other computers, resources, etc. as well.
Can you provide any insight into "arp poisoning" and using Mikrotik for my HotSpot?
-
-
bhamhotspots
newbie
- Posts: 45
- Joined:
- Location: United States
- Contact:
-
-
killersoft
Member Candidate
- Posts: 268
- Joined:
- Location: Victoria, Australia
Re: arp poison question
Hotspot default setup, has ARP poising turned on in the first instance. You have to manually turn it off!!.
-
-
bhamhotspots
newbie
- Posts: 45
- Joined:
- Location: United States
- Contact:
Re: arp poison question
OK, this will stop users from being able to ArpPoison my network to sniff traffic?
thanks for your help.
thanks for your help.
-
-
killersoft
Member Candidate
- Posts: 268
- Joined:
- Location: Victoria, Australia
Re: arp poison question
As I said ARP poisining is in effect by default when hotspot is enabled(going by the book).
A 3rd party cannot arp poison an already arp poisoned network(whats the point!), not to say they cannot cause denial of service!.
Like any open to the public network, enable firewall's on pc's & routers(where practible), turn off unused serices(ports) on PC's and keep an eye of the traffic.
If you want to limit wifi users capabilities then filter/firewall the traffic on each Access Point, eg only allow them port 80/443 outbound, and or deny TCP ports 0-1024 inbound on the AP. You can even filter allowable IP's though the AP so they dont cause denial of serice by having the same IP as your default gateway ETC.. All easy to do on a mikrotik.
The hotspot network I operate goes as far as firewalling allowable outbound traffic (e.g out to the internet) ports, e.g Ports 21,23,80 and 443 only. Good to stop virusus and unusual traffic (and handy of you also add a log entry into the firewall page- so you can see who's/what is trying to un-allowed traffic out..
A 3rd party cannot arp poison an already arp poisoned network(whats the point!), not to say they cannot cause denial of service!.
Like any open to the public network, enable firewall's on pc's & routers(where practible), turn off unused serices(ports) on PC's and keep an eye of the traffic.
If you want to limit wifi users capabilities then filter/firewall the traffic on each Access Point, eg only allow them port 80/443 outbound, and or deny TCP ports 0-1024 inbound on the AP. You can even filter allowable IP's though the AP so they dont cause denial of serice by having the same IP as your default gateway ETC.. All easy to do on a mikrotik.
The hotspot network I operate goes as far as firewalling allowable outbound traffic (e.g out to the internet) ports, e.g Ports 21,23,80 and 443 only. Good to stop virusus and unusual traffic (and handy of you also add a log entry into the firewall page- so you can see who's/what is trying to un-allowed traffic out..
-
-
bhamhotspots
newbie
- Posts: 45
- Joined:
- Location: United States
- Contact:
Re: arp poison question
Do any consulting on the side? Would you entertain being a paid help to show me what your talking about and help me setup one of my Mikrotik as you suggest?
Thanks for your replies and help.
Thanks for your replies and help.