Re: ARP Poisoning

From: Chris McNab <chris.mcnab(at)trustmatta.com>
Date: Thu May 08 2003 - 08:26:17 EDT

OK,

Static ARP entries are not a viable solution in a dynamic environment. Sure if you have maybe 3 servers in a DMZ, but not if you are looking to protect workstations and servers on an internal network space. Anyway, its known that a few operating systems (Windows, Solaris, et al) flush the ARP cache (including static entries) periodically, and under Windows the static entries can be overwritten using spoofed ARP replies!!

ARP has no authentication or security built into it. Due to the nature of the protocol it is not routable, and so at least these attacks are limited to internal network space.

Arpwatch is the only decent way to protect against this threat:

http://www.securityfocus.com/tools/142

Arpwatch is a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email.

Chris

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com

---

FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics

---

Received on Thu May 8 12:53:26 2003