I just got back from a course on Intrusion Prevention which was pretty enlightening but quite scary. I thought I had at least a rudimentary understanding of network security issues, but was blown away by the current techniques and hacking methods and tools that are currently in use.
One of the issues dealt with is in fact the topic of this post - ARP cache poisoning. I had heard about this before but had never really understood what it meant. The technique was explained and then demonstrated by means of a "Man in the middle" attack using a popular hacking tool. Of course the effectiveness of this technique is mitigated by the fact that it can only be performed at Layer 2 and so cannot get through routers (Layer 3).
Finally to my question. Does anyone know if any solutions have been implemented in switches to counter this kind of attack? I don't mean VLANs or any such network segmentation methods. I mean if you have three PCs connected to a switch which need to speak to each other, have any clever solutions been devised at the switching level to counter ARP cache poisoning?
Re: ARP cache poisoning
13 years 1 month ago #9524
You could use port security to allow only one mac address on that port. Just imagine if you had to do this for hundreds or thousands of ports, though? I think 802.1x would be a partial answer, but it still wouldn't stop a bored user from downloading a fun security program and testing it on the network. This would mainly prevent someone from sneaking into your facility, plugging into a wall jack, and off they go. Arpwatch is a program that lets you monitor mac address to ip address mappings, so I think monitoring arpwatch along with the use of 802.1x would be sufficient to minimize the attack.
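To make the two mechanisms discussed above concrete, here is an added example that is not code from this thread or from arpwatch itself. It models a host's ARP cache with the classic permissive behaviour (any reply overwrites the entry for its sender IP, solicited or not), replays a constructed sequence of ARP replies in which an attacker claims both the gateway's and the victim's IP, and runs an arpwatch-style passive monitor over the same replies. The monitor reports an IP whose MAC changes (a "flip flop") and a single MAC that claims more than one IP, which is the usual footprint of a man in the middle. All IP and MAC addresses are constructed.

```python
"""Added example (not from the original thread): a toy model of ARP cache
poisoning and an arpwatch-style monitor. All addresses are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """The parts of an ARP reply that matter here: who claims which IP,
    and which host the reply was sent to."""
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpCache:
    """A host's ARP cache with the classic permissive behaviour: a reply
    overwrites the entry for its sender IP whether or not the host asked.
    That unconditional update is what cache poisoning exploits."""
    table: dict = field(default_factory=dict)

    def learn(self, reply: ArpReply) -> None:
        self.table[reply.sender_ip] = reply.sender_mac

    def resolve(self, ip: str):
        return self.table.get(ip)


class ArpMonitor:
    """arpwatch-style passive monitor: remember the first MAC seen for each
    IP and report any later change, plus any MAC claiming several IPs."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = {}
        self.alerts = []

    def observe(self, reply: ArpReply) -> None:
        prev = self.ip_to_mac.get(reply.sender_ip)
        if prev is not None and prev != reply.sender_mac:
            self.alerts.append(
                f"flip flop {reply.sender_ip}: {prev} -> {reply.sender_mac}")
        self.ip_to_mac[reply.sender_ip] = reply.sender_mac
        ips = self.mac_to_ips.setdefault(reply.sender_mac, set())
        ips.add(reply.sender_ip)
        if len(ips) > 1:
            self.alerts.append(f"{reply.sender_mac} claims {sorted(ips)}")


# Constructed addresses for the demonstration.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:00:5e:00:53:10"
ATTACKER_MAC = "00:00:5e:00:53:99"


def run_attack():
    """Replay a constructed sequence of replies through the victim's cache
    (which only sees replies addressed to it) and through the monitor
    (which sniffs everything). Return what the victim now believes the
    gateway's MAC is, plus the monitor's alerts."""
    victim = ArpCache()
    monitor = ArpMonitor()
    wire = [
        ArpReply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP),   # legitimate answer
        ArpReply(VICTIM_IP, VICTIM_MAC, GATEWAY_IP),    # victim answers gateway
        ArpReply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),  # "I am the gateway"
        ArpReply(VICTIM_IP, ATTACKER_MAC, GATEWAY_IP),  # "I am the victim"
    ]
    for reply in wire:
        if reply.target_ip == VICTIM_IP:
            victim.learn(reply)
        monitor.observe(reply)
    return victim.resolve(GATEWAY_IP), monitor.alerts


if __name__ == "__main__":
    mac, alerts = run_attack()
    print("victim now sends gateway-bound traffic to", mac)
    for alert in alerts:
        print("ALERT:", alert)
```

After the two unsolicited replies the victim's cache resolves the gateway IP to the attacker's MAC, so everything the victim sends off-subnet passes through the attacker; the monitor raises two flip-flop alerts and one "MAC claims several IPs" alert on the same traffic. A real arpwatch run reads frames from an interface rather than a constructed list, but the bookkeeping is the same.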
Re: ARP cache poisoning
13 years 1 month ago #9527
ARP poisoning works by 'tricking' the switch and making it think that all MAC addresses are on the port the attacker is plugged into, therefore passing all packets through him and making him the 'man in the middle'.
With port security you can surely limit this effect by allowing only one MAC address on every port. Of course, if another switch happens to uplink to such a port, you're in trouble, as it will most probably be disabled once more than one host is seen through it!
My personal opinion is that port security is a simple but yet effective way of dealing with such attacks.
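As an added example (not from the thread, and not vendor code), the following toy models a switch port with port security set to a maximum of one sticky-learned source MAC and a "shutdown" violation action. It shows both cases raised above: a second source MAC appearing on a single-host port err-disables the port, and a port that uplinks to another switch carrying several hosts trips the same way unless its maximum is raised. Port names and MAC addresses are constructed.

```python
"""Added example (not from the original thread): a toy model of switch
port security with sticky learning and 'shutdown' on violation."""


class SecurePort:
    """One switch port with port security enabled. The first `maximum`
    source MACs seen are learned as secure; any further MAC is a violation
    that err-disables the port (the 'shutdown' action)."""

    def __init__(self, name, maximum=1):
        self.name = name
        self.maximum = maximum
        self.secure_macs = []
        self.err_disabled = False
        self.log = []

    def ingress(self, src_mac):
        """Handle a frame arriving with Ethernet source `src_mac`.
        Return True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # sticky learning
            return True
        self.err_disabled = True
        self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled")
        return False


def host_port_scenario():
    """A PC on Gi0/1, then a frame with a spoofed source MAC from the
    same port. Returns the per-frame forwarding decisions and port state."""
    port = SecurePort("Gi0/1", maximum=1)
    decisions = [
        port.ingress("00:00:5e:00:53:10"),  # the legitimate PC (constructed)
        port.ingress("00:00:5e:00:53:10"),  # same PC again, still fine
        port.ingress("00:00:5e:00:53:01"),  # spoofed source MAC: violation
    ]
    return decisions, port.err_disabled


def uplink_scenario(maximum):
    """Gi0/24 uplinks to another switch with three hosts behind it.
    With maximum=1 the second host's first frame shuts the port down."""
    port = SecurePort("Gi0/24", maximum=maximum)
    downstream_hosts = [
        "00:00:5e:00:53:20", "00:00:5e:00:53:21", "00:00:5e:00:53:22",
    ]
    decisions = [port.ingress(mac) for mac in downstream_hosts]
    return decisions, port.err_disabled


if __name__ == "__main__":
    print("single host port:", host_port_scenario())
    print("uplink, maximum=1:", uplink_scenario(1))
    print("uplink, maximum=3:", uplink_scenario(3))
```

Note that port security only looks at the Ethernet source address of frames on the port; it is the per-port MAC count that stops a new station or a spoofed source MAC, which is why the uplink case needs a higher maximum (or port security left off and a different control applied on the downstream switch).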