Need switch offering ARP-based attack detection

Posted on 2006-04-06
Last Modified: 2010-04-11
I need a switch that offers ARP proxy services and that uses its database to detect ARP-based attacks and drop the physical port.

Reading Cisco and 3COM documentation, I didn't find an appliance that detects IP collisions (same IP used by 2 physical ports / MAC addresses). Switches with ARP proxy services already have all the information to do that.

Will increase points if good answer is received
Question by:Danny_Larouche
    LVL 13

    Expert Comment

    This is a very interesting topic and one that was raised in detail at a recent course I attended.  From some time spent scouring the internet the answer is sort of no.

    Everything I have read points towards using a mixture of physical and network security to mitigate the effects of someone performing an ARP-based attack on your network.

    These include:

    1) Placing your core infrastructure on a separate subnet so that clients have to use IP rather than ARP to communicate.  This would protect against sniffing attacks between clients and servers.

    2) Implementing an IPS to alert for suspicious MAC address activity on the network.  However, this method appears to generate many false positives in a DHCP environment.  If you opt to disable a port whenever this happens, you could find yourself with an administrative nightmare.

    LVL 8

    Author Comment

    Hi Hstiles,

    It's good to know that I am not alone in this security requirement and that there are other people looking for a similar solution.  Effectively, I also did a lot of searching on the web to find such a solution. The network segmentation is interesting but goes against the 80/20 rule.  The IPS solution is already used by some firewalls linked to the switch array's mirror port. Secudos offers an interesting appliance with such protection and much more. But IMHO the logical solution is that managed switches should take care of it.

    I will attend a security course in a few days and will discuss that.

    LVL 13

    Accepted Solution

    Until someone develops a more robust and security-conscious mechanism than ARP, the only thing that will render MITM attacks largely useless is encryption.  If you encrypt packets on the network, they can't be sniffed, or rather they can, but they can't be easily interpreted.

    That Arp-Guard product looks interesting.
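As an added example (not from this thread or any vendor product), the following Python monitor does what the question asks a switch to do: it learns IP-to-MAC/port bindings from ARP traffic, raises an alert when an already-bound IP is claimed by a second MAC, and reports the offending port, with a lease-age window to damp the DHCP false positives mentioned in the first comment. Port names, MAC addresses and timestamps below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpEvent:
    ts: float        # seconds since monitoring started
    port: str        # switch port the ARP frame arrived on
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


class ArpBindingMonitor:
    """Learns IP -> (MAC, port) from ARP traffic and flags a conflict when an
    already-bound IP is claimed by a different MAC. A lease window suppresses
    alerts for bindings old enough to have been re-assigned by DHCP."""

    def __init__(self, lease_seconds: Optional[float] = None) -> None:
        self.lease_seconds = lease_seconds
        self.bindings: Dict[str, Tuple[str, str, float]] = {}  # ip -> (mac, port, last_seen)

    def observe(self, ev: ArpEvent) -> Optional[dict]:
        prev = self.bindings.get(ev.sender_ip)
        self.bindings[ev.sender_ip] = (ev.sender_mac, ev.port, ev.ts)
        if prev is None or prev[0] == ev.sender_mac:
            return None  # first sighting, or the same host refreshing its entry
        old_mac, old_port, last_seen = prev
        if self.lease_seconds is not None and ev.ts - last_seen > self.lease_seconds:
            return None  # stale binding: treat as a DHCP re-assignment, not a conflict
        return {"ip": ev.sender_ip, "old_mac": old_mac, "old_port": old_port,
                "new_mac": ev.sender_mac, "new_port": ev.port, "ts": ev.ts}


def detect(events: List[ArpEvent], lease_seconds: Optional[float] = None) -> List[dict]:
    """Run the monitor over a sequence of events and collect the alerts it raises."""
    mon = ArpBindingMonitor(lease_seconds)
    return [a for ev in events if (a := mon.observe(ev)) is not None]


# Constructed sample traffic (not captured from a real network).
SAMPLE_EVENTS = [
    ArpEvent(0.0,    "Gi0/1", "00:11:22:33:44:01", "10.0.0.10"),
    ArpEvent(5.0,    "Gi0/2", "00:11:22:33:44:02", "10.0.0.20"),
    ArpEvent(30.0,   "Gi0/2", "00:11:22:33:44:02", "10.0.0.10"),  # a second MAC claims .10
    ArpEvent(4000.0, "Gi0/3", "00:11:22:33:44:03", "10.0.0.20"),  # .20 reappears after ~66 min
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, lease_seconds=3600):
        print(f"t={alert['ts']:.0f}s IP {alert['ip']} moved from {alert['old_mac']}/{alert['old_port']} "
              f"to {alert['new_mac']}/{alert['new_port']}; candidate port to disable: {alert['new_port']}")
```

With a 3600 s lease window only the 10.0.0.10 collision is reported; without one, the late reappearance of 10.0.0.20 from a new MAC is flagged as well, which is exactly the DHCP false positive the first comment warns about.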
