Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

ARP Spoofing

Jaguar
Occasional Advisor

ARP Spoofing

Hi,
May I know which ProCurve switches prevent ARP spoofing? I read that static ARP may potentially solve the problem.
2 REPLIES
Tino H. Seifert
Occasional Visitor

Re: ARP Spoofing

Hello,

on a 9300m Switch you can create something like a static ARP table. But the solution can not be implemented very easily.

Most likely you want something different: IEEE 802.1X, which can be used to make sure only authorized users can connect to the network. The users are than authorized against an RADIUS server by there credentials, time of access and location. IEEE 802.1X is available on all recent Procurve Switches (please take a look at the datasheet).

With kind regards
Tino H. Seifert
Leo Katona
Occasional Advisor

Re: ARP Spoofing


ProCurve switches do not implement what is typically called Dynamic ARP Inspection by various vendors. This feature is mostly used (and useful) in service provider networks.

Creating static ARP entries for all hosts and routers both on the clients as well as the routers/routing switches would effectively prevent ARP spoofing, but it would be very tedious to maintain these entries even on a medium-sized network.

Also, most ProCurve routing switches don't allow static ARP entries to be created, so this approach wouldn't work.

If you are dealing with a relatively small corporate network, you could prevent ARP spoofing by allocating a separate VLAN and IP subnet (using private IP addresses) for each host or group of hosts between which you suspect ARP spoofing might take place.

With just one host on each VLAN/subnet and a ProCurve switch routing between them, no ARP spoofing would be possible. This way you wouldn't have to configure any static ARP entries anywhere.

This might be practical if you either have a very small network or you have just a handful of hosts or servers that you're trying to protect from ARP spoofing.

802.1x which someone mentioned doesn't validate ARP traffic. It just allows you to identify each user physically connecting to your network and a) place them in a normal VLAN, b) place them in a restricted "guest" VLAN, or c) deny them any access to the network. However, once a user has been authenticated successfully and permitted access to the network, there is nothing to prevent them from sending spoofed ARP traffic to everyone on the same VLAN.

-leok