topic Re: ARP Poisoning Attack in Security e-Series

ARP Poisoning Attack

Thierry1 — Mon, 06 Feb 2017 14:29:03 GMT

Hello all,

As you know, ARP poisoning attack is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent to the host IP address is instead transmitted to the attacker.

I need to protect a network with ARP poisoning attacks. All the servers are using fixed IP adresses (so no DHCP).

Do you have some experience and how you proceed to protect your network ?

A easy solution is to implement static ARP entries but i"m looking for an another solution if you have.

Thank you.

Re: ARP Poisoning Attack

Vince-Whirlwind — Tue, 07 Feb 2017 01:50:33 GMT

Really, if you are in a situation where devices on a broadcast segment are untrusted, you should segregate them using port isolation.

Re: ARP Poisoning Attack

Thierry1 — Tue, 07 Feb 2017 07:13:18 GMT

It''s not really untursted devices, but we are in a PCI context and we need to run vulnerability scans. ARP poisoning is part of the scan and we need to protect our environnement against this attack.

Re: ARP Poisoning Attack

parnassus — Tue, 07 Feb 2017 15:21:51 GMT

Not sure if informations about Dynamic ARP Protection feature apply entirely - I mean: now, years after the linked article - also to actual Aruba 2920 but this article would be interesting enough to start with (and so...looking for a similar feature on Aruba 2920 could be the very first thing to do): on HPE ArubaOS-Switch Access Security Guide for WB.16.03 there is a clear reference [*] about Dynamic ARP Protection (page 384), part of "Configuring Advanced Threat Protection" Chapter 17 (among others, also DHCP Snooping, Dynamic IP Lockdown and Instrumentation Monitor, are discussed topics).

[*] I'm quite sure I saw the same feature described in earlier WB.15.18 documentation too.