Security Basics mailing list archives

Re: ARP Poisoning


From: "Chris McNab" <chris.mcnab () trustmatta com>
Date: Thu, 8 May 2003 13:26:17 +0100

OK,

Static ARP entries are not a viable solution in a dynamic environment. Sure
if you have maybe 3 servers in a DMZ, but not if you are looking to protect
workstations and servers on an internal network space. Anyway, it's known
that a few operating systems (Windows, Solaris, et al) flush the ARP cache
(including static entries) periodically, and under Windows the static
entries can be overwritten using spoofed ARP replies!!

ARP has no authentication or security built into it. Due to the nature of
the protocol it is not routable, and so at least these attacks are limited
to internal network space.

Arpwatch is the only decent way to protect against this threat:

http://www.securityfocus.com/tools/142

Arpwatch is a tool that monitors ethernet activity and keeps a database of
ethernet/ip address pairings. It also reports certain changes via email.

Chris


Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com
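The detection approach Chris describes (keep a database of Ethernet/IP pairings and report when a pairing changes) is small enough to show end to end. The block below is an added example, not arpwatch's own code and not from the poster: it parses raw Ethernet II/ARP frames, keeps an IP-to-MAC table, and returns arpwatch-style "new station", "changed ethernet address" and "flip flop" reports. All MAC and IP addresses and the sample frames are constructed for the demonstration.

```python
"""Minimal arpwatch-style monitor (added example, not the arpwatch source).

Parses ARP-over-Ethernet frames, keeps a database of IP -> MAC pairings,
and reports each change the way arpwatch logs or mails it.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if the frame
    is not an IPv4-over-Ethernet ARP packet (wrong ethertype, short, or
    unexpected hardware/protocol types)."""
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return {
        "opcode": opcode,
        "sender_mac": _mac(body[0:6]),
        "sender_ip": _ip(body[6:10]),
        "target_mac": _mac(body[10:16]),
        "target_ip": _ip(body[16:20]),
    }


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II + ARP frame. Used here only to construct sample
    traffic for the demo; not a captured packet."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


class ArpWatcher:
    """Database of IP -> MAC pairings plus the history of MACs seen per IP.
    observe() returns a report string for noteworthy events, else None."""

    def __init__(self):
        self.db = {}       # ip -> MAC currently on record
        self.history = {}  # ip -> set of every MAC ever seen for that ip

    def observe(self, arp):
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == "0.0.0.0":  # ARP probe: sender IP carries no pairing
            return None
        seen = self.history.setdefault(ip, set())
        previously_seen = mac in seen
        seen.add(mac)
        old = self.db.get(ip)
        self.db[ip] = mac
        if old is None:
            return f"new station {ip} {mac}"
        if old == mac:
            return None
        # Pairing changed: a return to a MAC seen earlier is a "flip flop",
        # the classic signature of a host and an impostor both answering.
        if previously_seen:
            return f"flip flop {ip} {mac} (was {old})"
        return f"changed ethernet address {ip} {mac} (was {old})"


def run(frames) -> list:
    """Feed raw frames through the parser and watcher; return all reports."""
    watcher, reports = ArpWatcher(), []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue
        report = watcher.observe(arp)
        if report:
            reports.append(report)
    return reports


# Constructed sample traffic: a gateway, one host, and a third station that
# answers for the gateway's IP, followed by the real gateway answering again.
GATEWAY_MAC = "00:11:22:33:44:55"
HOST_MAC = "66:77:88:99:aa:bb"
OTHER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),
    build_arp_frame(ARP_REQUEST, HOST_MAC, "192.168.1.10", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
    build_arp_frame(ARP_REPLY, OTHER_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES):
        print(line)
```

On a live network the frames would come from a promiscuous-mode capture rather than a list, and the reports would go to syslog or mail as arpwatch does; the parsing and the change logic are the same. The "flip flop" case is the one worth alerting on loudest: it is what the table looks like when two stations keep answering for the same IP.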

