On Thu, Dec 4, 2008 at 12:08 PM, James <jimbob.coffey at gmail.com> wrote:
> On Thu, Nov 27, 2008 at 3:51 AM, Mike O'Connor <mjo at dojo.mi.org> wrote:
>> :Does anyone know a way to turn OFF dynamic ARP on Windows? I'd like to
>> :set up a network where static ARP entries are the only way to
>> :communicate.
>
> More IDS than IPS but Xarp will at least report any changes.
> If you control the environment you could static map any unused ip
> space on each host and then use the Xarp Static preserve filter but a
> pretty horrible kludge when all you want is a layer 2 packet filter to
> prevent an arp request or reply leaving your hosts.
> Actually an easier way would be to use the requestedresponse filter in
> Xarp. This only allows a response if your host generated a request.
> If you are static mapping ip to mac you should never generate a
> request.

Unfortunately, XArp can't really 'filter' (drop) the packets; it can only alert
you. I am currently working on a Linux port where writing a network
driver for filtering is easier than on Windows. Still, XArp is the best
solution as firewalls seldom do ARP filtering and those that do perform
ARP filtering have very primitive filters.

If you want to get an overview of mechanisms available for ARP attack
detection, you can have a look at a (yet incomplete) presentation I once
started: http://www.chrismc.de/development/xarp/arp_security_tools.html
(http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)

Best regards,
Chris
--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: mayer_at_tm.uka.de
Web: http://www.tm.uka.de/~mayer/
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 29 2008
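
The request/response check discussed in the thread (accept an ARP reply only if this host sent a matching request, and treat a request for a statically mapped IP as suspect), sketched as an added example; it is not XArp's code or anything posted by the participants. `ArpMonitor`, `REQUEST_TTL` and the sample addresses are assumptions, and the monitor only reports, it does not drop packets.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
REQUEST_TTL = 2.0   # assumed: seconds a sent request may still be answered
ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes (RFC 826)

def build_arp(op, sha, spa, tha, tpa):  # sample-data helper: pack MAC/IP strings
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP) or raise ValueError."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpMonitor:
    def __init__(self, static_map):
        self.static_map = static_map   # IP -> expected MAC (the static entries)
        self.pending = {}              # IP we asked about -> time of our request
    def observe(self, ts, direction, payload):
        """Return alert strings for one ARP payload seen at time ts ('in'/'out')."""
        op, mac, sender_ip, target_ip = parse_arp(payload)
        alerts = []
        if direction == "out" and op == ARP_REQUEST:
            self.pending[target_ip] = ts
            if target_ip in self.static_map:   # a static entry should make this unnecessary
                alerts.append(f"request-for-static-ip {target_ip}")
        elif direction == "in" and op == ARP_REPLY:
            asked = self.pending.pop(sender_ip, None)
            if asked is None or ts - asked > REQUEST_TTL:
                alerts.append(f"unsolicited-reply {sender_ip} is-at {mac}")
            expected = self.static_map.get(sender_ip)
            if expected and expected != mac:
                alerts.append(f"static-mismatch {sender_ip} expected {expected} got {mac}")
        return alerts

def run_sample():
    me = ("00:00:5e:00:53:10", "192.0.2.10")
    mon = ArpMonitor({"192.0.2.1": "00:00:5e:00:53:01"})
    events = [  # constructed traffic using documentation IP/MAC ranges
        (0.0, "out", build_arp(ARP_REQUEST, *me, "00:00:00:00:00:00", "192.0.2.20")),
        (0.1, "in", build_arp(ARP_REPLY, "00:00:5e:00:53:20", "192.0.2.20", *me)),
        (5.0, "in", build_arp(ARP_REPLY, "00:00:5e:00:53:66", "192.0.2.1", *me)),
    ]
    return [a for ts, d, p in events for a in mon.observe(ts, d, p)]
```

The first reply is accepted silently because it answers the host's own request; the last one raises both alerts because nothing asked for it and its MAC disagrees with the static entry.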