Switches, Hubs, and Modems

ARP Spoofing

Jaguar
Occasional Advisor

ARP Spoofing

Hi,
May I know which ProCurve switches prevent ARP spoofing? I read that static ARP may potentially solve the problem.
Tino H. Seifert
New Member

Re: ARP Spoofing

Hello,

on a 9300m switch you can create something like a static ARP table. But the solution cannot be implemented very easily.

Most likely you want something different: IEEE 802.1X, which can be used to make sure only authorized users can connect to the network. The users are then authorized against a RADIUS server by their credentials, time of access and location. IEEE 802.1X is available on all recent ProCurve switches (please take a look at the datasheet).

With kind regards
Tino H. Seifert
Leo Katona
Occasional Advisor

Re: ARP Spoofing

ProCurve switches do not implement what is typically called Dynamic ARP Inspection by various vendors. This feature is mostly used (and useful) in service provider networks.

Creating static ARP entries for all hosts and routers both on the clients as well as the routers/routing switches would effectively prevent ARP spoofing, but it would be very tedious to maintain these entries even on a medium-sized network.

Also, most ProCurve routing switches don't allow static ARP entries to be created, so this approach wouldn't work.

If you are dealing with a relatively small corporate network, you could prevent ARP spoofing by allocating a separate VLAN and IP subnet (using private IP addresses) for each host or group of hosts between which you suspect ARP spoofing might take place.

With just one host on each VLAN/subnet and a ProCurve switch routing between them, no ARP spoofing would be possible. This way you wouldn't have to configure any static ARP entries anywhere.

This might be practical if you either have a very small network or you have just a handful of hosts or servers that you're trying to protect from ARP spoofing.

802.1x which someone mentioned doesn't validate ARP traffic. It just allows you to identify each user physically connecting to your network and a) place them in a normal VLAN, b) place them in a restricted "guest" VLAN, or c) deny them any access to the network. However, once a user has been authenticated successfully and permitted access to the network, there is nothing to prevent them from sending spoofed ARP traffic to everyone on the same VLAN.

-leok
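The two mechanisms leok contrasts above, a trusted binding table (what static ARP entries give you) versus merely learning who spoke first, are easy to see side by side in code. The following is an added example written for this thread, not code from any poster or from ProCurve: it validates constructed ARP replies against a trusted IP-to-MAC table in the spirit of Dynamic ARP Inspection, and separately shows the weaker "learn and watch for changes" approach a host-based monitor is limited to when no trusted table exists. Port labels, addresses and MACs are all constructed.

```python
"""Toy ARP reply validation, in the style of Dynamic ARP Inspection (DAI).

Added example for illustration; not from the forum thread or ProCurve.
Assumes ARP replies are already parsed into (port, sender IP, sender MAC).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: str        # switch port the frame arrived on (constructed label)
    sender_ip: str   # IP address the reply claims to answer for
    sender_mac: str  # MAC address the reply binds that IP to


# Trusted bindings, the equivalent of a static ARP table (constructed values).
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
}

# Ports whose ARP traffic is not inspected (e.g. the uplink), as DAI trusted ports.
TRUSTED_PORTS = {"A1"}


def inspect(replies, bindings=TRUSTED_BINDINGS, trusted_ports=TRUSTED_PORTS):
    """DAI-style check: return (verdict, reason, reply) for every ARP reply.

    A reply from an untrusted port is allowed only if its sender IP/MAC pair
    matches the trusted binding table exactly.
    """
    results = []
    for r in replies:
        if r.port in trusted_ports:
            results.append(("allow", "trusted port", r))
            continue
        expected = bindings.get(r.sender_ip)
        if expected is None:
            results.append(("drop", "no binding for sender IP", r))
        elif expected.lower() != r.sender_mac.lower():
            results.append(("drop", f"MAC mismatch: expected {expected}", r))
        else:
            results.append(("allow", "binding matches", r))
    return results


def detect_conflicts(replies):
    """Fallback without a trusted table: learn the first MAC seen per IP and
    report any later reply that binds the same IP to a different MAC.

    Returns a list of (ip, previously_seen_mac, new_mac).
    """
    learned = {}
    conflicts = []
    for r in replies:
        mac = r.sender_mac.lower()
        seen = learned.setdefault(r.sender_ip, mac)
        if seen != mac:
            conflicts.append((r.sender_ip, seen, mac))
    return conflicts


# Constructed sample traffic: one legitimate host, one host impersonating the
# gateway, the real gateway on the uplink, and an unknown address.
SAMPLE_REPLIES = [
    ArpReply("A2", "10.0.0.10", "00:11:22:33:44:10"),
    ArpReply("A3", "10.0.0.1", "00:11:22:33:44:11"),
    ArpReply("A1", "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply("A4", "10.0.0.99", "de:ad:be:ef:00:99"),
]

if __name__ == "__main__":
    for verdict, reason, r in inspect(SAMPLE_REPLIES):
        print(f"{verdict:5} port={r.port} {r.sender_ip} -> {r.sender_mac}: {reason}")
    for ip, old, new in detect_conflicts(SAMPLE_REPLIES):
        print(f"conflict: {ip} changed from {old} to {new}")
```

Note what the two functions report on the same traffic: `inspect` drops the reply from port A3 because it does not match the gateway's trusted binding, whereas `detect_conflicts`, having learned whoever spoke first, flags the real gateway's later reply as the anomaly. That is exactly why a static or otherwise trusted binding table is what makes ARP validation reliable, and why a learn-as-you-go monitor can only tell you that something changed, not which side is genuine.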