Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Windows dynamic ARP
From: Christoph Mayer <mayer () tm uka de>
Date: Thu, 25 Dec 2008 19:34:36 +0100

On Thu, Dec 4, 2008 at 12:08 PM, James <jimbob.coffey at gmail.com> wrote:
> On Thu, Nov 27, 2008 at 3:51 AM, Mike O'Connor <mjo at dojo.mi.org> wrote:
>> :Does anyone know a way to turn OFF dynamic ARP on Windows?  I'd like to
>> :set up a network where static ARP entries are the only way to
>> :communicate.
> More IDS than IPS but Xarp will at least report any changes.
> If you control the environment you could static map any unused ip
> space on each host and then use the Xarp Static preserve filter but a
> pretty horrible cludge when al you want is a layer 2 packet filter to
> prevent an arp request or reply leaving your hosts.

> Actually an easier way would be to use the requestedresponse filter in
> Xarp.  This only allows a response if your host generated a request.
> If you are static mapping ip to mac you should never generate a
> request.

Unfortunately XArp can't really 'filter' (drop) the packets, but alert you. I am currently working on a Linux port where writing a network driver for filtering is easier than on Windows. Still, XArp is the best solution as firewalls seldom do ARP filtering and those that do perform ARP filtering have very primitive filters.

If you want to get an overview of mechanisms available for ARP attack detection, you can have a look at a (yet incomplete) presentation I once started: http://www.chrismc.de/development/xarp/arp_security_tools.html (http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)

Best regards,
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: mayer () tm uka de
Web: http://www.tm.uka.de/~mayer/

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]