Firewall Wizards mailing list archives

Re: Windows dynamic ARP


From: Christoph Mayer <mayer () tm uka de>
Date: Thu, 25 Dec 2008 19:34:36 +0100

On Thu, Dec 4, 2008 at 12:08 PM, James <jimbob.coffey at gmail.com> wrote:
> On Thu, Nov 27, 2008 at 3:51 AM, Mike O'Connor <mjo at dojo.mi.org> wrote:
>> :Does anyone know a way to turn OFF dynamic ARP on Windows?  I'd like to
>> :set up a network where static ARP entries are the only way to
>> :communicate.
>
> More IDS than IPS but Xarp will at least report any changes.
> If you control the environment you could static map any unused ip
> space on each host and then use the Xarp Static preserve filter but a
> pretty horrible kludge when all you want is a layer 2 packet filter to
> prevent an arp request or reply leaving your hosts.

> Actually an easier way would be to use the requestedresponse filter in
> Xarp.  This only allows a response if your host generated a request.
> If you are static mapping ip to mac you should never generate a
> request.


Unfortunately, XArp can't really 'filter' (drop) the packets, but only alert you. I am currently working on a Linux port where writing a network driver for filtering is easier than on Windows. Still, XArp is the best solution as firewalls seldom do ARP filtering and those that do perform ARP filtering have very primitive filters.

If you want to get an overview of mechanisms available for ARP attack detection, you can have a look at a (yet incomplete) presentation I once started: http://www.chrismc.de/development/xarp/arp_security_tools.html (http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)

Best regards,
Chris
--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: mayer () tm uka de
Web: http://www.tm.uka.de/~mayer/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
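
The requested-response and static-preserve checks discussed in this message, as an added example that is not part of the original thread and is not XArp's code: a monitor that alerts, without dropping, on ARP replies the host never asked for, on requests for statically mapped addresses, and on replies that contradict a static entry. The names `ArpMonitor`, `build_arp`, `parse_arp`, `demo` and the 2-second window are assumptions, and all frames use constructed documentation addresses.

```python
import struct
from ipaddress import IPv4Address

REQUEST, REPLY = 1, 2  # ARP opcodes
def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP frame; used here only to construct sample data."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    dst = b"\xff" * 6 if op == REQUEST else raw(tha)
    return (dst + raw(sha) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + raw(sha) + IPv4Address(spa).packed + raw(tha) + IPv4Address(tpa).packed)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    etype, htype, ptype, hlen, plen, op = struct.unpack("!HHHBBH", frame[12:22])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpMonitor:
    def __init__(self, local_ip, static_map, window=2.0):
        self.local_ip, self.static_map, self.window = local_ip, static_map, window
        self.pending = {}  # target IP -> time our own request for it was seen

    def observe(self, frame, now):
        """Return alert strings for one frame; an empty list means nothing to report."""
        if (arp := parse_arp(frame)) is None:
            return []
        op, mac, spa, tpa = arp
        alerts = []
        if op == REQUEST and spa == self.local_ip:
            self.pending[tpa] = now
            if tpa in self.static_map:  # a static entry should make this request unnecessary
                alerts.append(f"request-despite-static {tpa}")
        elif op == REPLY and spa != self.local_ip:
            asked = self.pending.pop(spa, None)
            if asked is None or now - asked > self.window:
                alerts.append(f"unsolicited-reply {spa} is-at {mac}")
            if self.static_map.get(spa, mac) != mac:
                alerts.append(f"static-mismatch {spa} is-at {mac}")
        return alerts

def demo(me="00:00:5e:00:53:10", peer="00:00:5e:00:53:20"):
    # Constructed traffic: we ask for .20, .20 answers, then the same reply arrives unasked.
    mon = ArpMonitor("192.0.2.10", {"192.0.2.1": "00:00:5e:00:53:01"})
    ask = build_arp(REQUEST, me, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.20")
    ans = build_arp(REPLY, peer, "192.0.2.20", me, "192.0.2.10")
    return [mon.observe(ask, 0.0), mon.observe(ans, 0.1), mon.observe(ans, 0.2)]
```

Each request authorises exactly one reply inside the window, so a repeated or late reply is reported even when the first one was legitimate.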

