faq
Q: Will ARPDefender protect my entire network from ARP Poison Routing MitM attacks?
A: Yes. You will need one ARPDefender unit for each broadcast domain, because ARP traffic is never forwarded across a router and a unit can only see the segment it is attached to.
Q: I have a larger (Class B) LAN with over 1000 hosts. Does ARPDefender support this?
A: ARPDefender will do fine on a Class B network. It is more of a performance issue: like a sniffer, ARPDefender will drop packets if there are more than it can monitor. Even if coverage is not 100%, it still provides monitoring and a deterrent.
In a large switched network, ARPDefender will perform reliably if it is set up to monitor only those hosts that are subject to attack (routers, servers, mainframes, and so on), where you can guarantee 100% coverage.
Q: How does ARPDefender detect ARP Poison Routing MitM attacks?
A: ARPDefender runs an optimized version of ARPWatch, which keeps a table of the IP-to-MAC pairings seen on the LAN and raises an alert whenever a known IP address starts answering from a different MAC address, so ARP Poison Routing MitM attacks are detected as they occur.
Q: How will ARPDefender alert me for ARP Poison Routing attacks?
A: ARPDefender works around the clock and sends its alerts via email. From your mail system these can be routed to a pager, a cell phone, or a 24x7 managed security service.
Q: Can I configure ARPDefender to send alerts to multiple email addresses?
A: Not yet. However, nothing stops you from configuring forwarding of any sort in your email system to deliver the alert address to as many recipients as you wish.
Q: Do I need to set up a monitoring port on my switch to connect ARPDefender?
A: Yes. A switch only delivers unicast frames to the port they are addressed to, so in order to see every ARP reply and catch all attacks, ARPDefender should be plugged into a monitoring (SPAN / mirror) port.
Q: One of the switches is a Cisco managed switch and everything else is unmanaged. To monitor all ports, would all of the switches have to be managed? And would they all need the RSPAN feature?
A: Yes, in order to monitor *all* ports you would have to use managed switches throughout, but you do not typically need to monitor all ports. Let's look at this from a security perspective.
1) You will get alerts for any new device on this LAN regardless of what switches you are using. A new device plugged into any hub, managed switch, or unmanaged switch will be reported as long as it is in the same broadcast domain (LAN), because its first ARP requests are broadcast to every port.
2) For ARP spoofing defense, consider the attack vectors. In the vast majority of environments your valuable targets are servers, workstations, routers, and mainframes. Workstations do not typically connect to other workstations, and an attacker would not normally try to intercept traffic from workstation to workstation.
There are two sides to an ARP spoofing attack, source and destination, and both sides are spoofed for a successful attack. The attacker will always need to spoof one 'valuable' end, whether that is a local server, a mainframe, or the router.
Therefore, you can use your managed switch's SPAN capability to protect your 'valuable' switched assets on the LAN, the points where clients must connect to reach valuable data. Only a few ports need be monitored for adequate protection.
Monitor:
- Routers (any connection to anything outside the LAN is then monitored against ARP spoofing from within the LAN)
- Mainframes / core processors
- File and application servers
- Any other targets of value
Q: Some of my facilities don't have managed switches. How do I protect those?
A: Smaller facilities with fewer 'targets' are easy to protect. Let's use a bank branch as an example. In the IT closet, use a small hub or network tap to connect your router, the ARPDefender unit, and optionally any local servers. Then uplink that hub or tap to the switch for connectivity to the rest of the branch. The hub is safe because it sits in a locked IT closet. ARPDefender will now catch any ARP spoofing attempt aimed at the router or the servers from anywhere within the branch, because every frame sent to those devices passes through the shared segment it is listening on. You have saved yourself thousands of dollars on the cost of a managed switch while providing yourself with standalone protection. Note that a hub forces the router link to half duplex, whereas a tap preserves full duplex; where throughput on that link matters, prefer the tap.
Q: How secure is the ARPDefender box itself?
A: ARPDefender only runs SSH v2 for access to the configuration menu. This menu access can even be turned off so that the unit is only accessible via direct serial connection. There is no direct shell access to the underlying OS, which is hardened to firewall standards. The only outbound flows are the emailed alerts. A temporary outbound secure connection can be initiated to us for support sessions in case you need it, but only for the short duration that you explicitly enable it on the unit.
Q: Should I expect false positives?
A: False positives could occur when a user changes his Ethernet MAC address multiple times, but this is highly unlikely. A replaced network card, or a shared IP address moving between two routers in a failover pair, will also show up as an address change and is easy to confirm from the change records. All ARP spoofing alerts should be immediately and thoroughly investigated.
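The following is an added example, not ARPDefender's or ARPWatch's own code, showing the detection logic described in the "How does ARPDefender detect" answer, the "new device" alerting of point 1 above, and the single-change case from the false-positive answer. It builds a few constructed Ethernet/ARP frames (the MAC and IP addresses are invented), feeds them to a small station table, and returns the same three event kinds ARPWatch reports: a new station, a changed Ethernet address, and a "flip flop" (an IP bouncing back to an address it already used, which is what a poisoning attack looks like when the victim's genuine replies and the attacker's forged ones keep overriding each other). The optional watch list reflects the advice above to monitor only routers and servers.

```python
"""arpwatch-style station monitor over raw ARP frames (added example)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY):
    """Assemble a raw Ethernet II + ARP frame (constructed input, not captured traffic)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw=Ethernet, proto=IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32])


class ArpWatch:
    """Track the MAC each IP currently answers from, plus every MAC it used before."""

    def __init__(self, watch=None):
        # watch: optional set of IPs to monitor (the page's routers/servers/mainframes);
        # None means every station in the broadcast domain.
        self.watch = set(watch) if watch else None
        self.current = {}   # ip -> mac
        self.history = {}   # ip -> set of earlier macs

    def observe(self, frame):
        """Feed one frame; return an alert tuple (kind, ip, new_mac, old_mac) or None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip = parsed
        if ip == "0.0.0.0":              # RFC 5227 ARP probe: sender has no address yet
            return None
        if self.watch is not None and ip not in self.watch:
            return None
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            self.history[ip] = set()
            return ("new station", ip, mac, None)
        if old == mac:
            return None
        seen_before = mac in self.history[ip]
        self.history[ip].add(old)
        self.current[ip] = mac
        # A one-off change (user set a new MAC, card replaced) is "changed ethernet
        # address"; a bounce back to a MAC this IP already used is a "flip flop".
        kind = "flip flop" if seen_before else "changed ethernet address"
        return (kind, ip, mac, old)


def demo():
    """Replay a constructed poisoning sequence against the router 10.0.0.1."""
    router, server, attacker = "00:11:22:33:44:01", "00:11:22:33:44:0a", "00:de:ad:be:ef:00"
    bcast = "ff:ff:ff:ff:ff:ff"
    frames = [
        build_arp_frame(router, "10.0.0.1", bcast, "10.0.0.1"),      # router announces itself
        build_arp_frame(server, "10.0.0.10", router, "10.0.0.1"),    # server answers router
        build_arp_frame(attacker, "10.0.0.1", server, "10.0.0.10"),  # forged: attacker claims router IP
        build_arp_frame(router, "10.0.0.1", server, "10.0.0.10"),    # genuine router reply
        build_arp_frame(attacker, "10.0.0.1", server, "10.0.0.10"),  # forged again
        build_arp_frame(server, "10.0.0.10", router, "10.0.0.1"),    # unchanged pairing: no alert
    ]
    watcher = ArpWatch()
    return [a for a in (watcher.observe(f) for f in frames) if a]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the script prints two "new station" events, one "changed ethernet address" when the forged reply first appears, and then "flip flop" events as the genuine and forged replies alternate; a legitimate single MAC change produces only the middle event, which is why it is investigated rather than ignored.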
Q: My Windows workstations aren't registered in my DNS, and thus the ARPDefender alerts only contain their IP addresses. Is there a way I can get their workstation names?
A: ARPDefender only uses DNS to resolve host names. If you need to find the Windows NetBIOS name, issue the command NBTSTAT -A {IP Address} from any Windows machine on your network.
support & warranty
The support and warranty contract includes remote technical
support, complete hardware coverage, and functional firmware
upgrades. 90 days of support and warranty are included in the
purchase price of every unit. Extended support and warranty
are available in two- and five-year terms. All coverage must
remain contiguous; the initial extended support and warranty
contract must be purchased within the first 90 days. The
extended support and warranty are discounted if purchased with the
unit, and further discounted if purchased for the 5-year term.
Table: Extended Support and Warranty Costs
| Term | Purchased with Unit | Purchased within 90 Days |
| 2 Years | 20% of list price per year | 25% of list price per year |
| 5 Years | 15% of list price per year | 20% of list price per year |
documentation
AD-Manual-V3.03.pdf
getting help
For great technical support, please email us at
support@arpdefender.com.