ARPDefender® FAQs

Will ARPDefender protect my entire network from ARP Poison Routing MitM attacks? 
Yes. You will need one ARPDefender monitoring interface for each broadcast domain. 

How does ARPDefender detect ARP Poison Routing MitM attacks? 
ARPDefender runs an optimized version of ARPWatch to detect ARP Poison Routing MitM attacks as they occur. 
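
The pairing check that an ARPWatch-style monitor performs can be sketched as follows. This is an added example, not ARPDefender's or ARPWatch's own code: the function names and the sample addresses (documentation ranges) are constructed for illustration, and the alert names follow arpwatch's report types.

```python
"""arpwatch-style pairing tracker: flags IP-to-MAC changes seen in ARP traffic."""

def watch(observations):
    """Return alerts for a sequence of (ip, mac) pairs taken from ARP packets."""
    current = {}    # ip -> MAC most recently seen for that address
    previous = {}   # ip -> MAC seen immediately before the current one
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()                 # compare MACs case-insensitively
        known = current.get(ip)
        if known is None:
            alerts.append(("new station", ip, None, mac))
        elif mac == known:
            continue                      # pairing unchanged, nothing to report
        elif mac == previous.get(ip):
            # The address went back to the MAC it had before: two hosts are
            # answering for one IP, as happens while a spoofer and the real
            # owner both send replies.
            alerts.append(("flip flop", ip, known, mac))
        else:
            alerts.append(("changed ethernet address", ip, known, mac))
        if known is not None:
            previous[ip] = known
        current[ip] = mac
    return alerts

def needs_investigation(alerts):
    """Drop first-sighting notices; keep every change to a known pairing."""
    return [a for a in alerts if a[0] != "new station"]

# Constructed sample: a router and a workstation, then a second MAC
# starts claiming the router's IP while the router keeps answering.
SAMPLE = [
    ("192.0.2.1", "00:00:5E:00:53:01"),   # router, first sighting
    ("192.0.2.20", "00:00:5e:00:53:20"),  # workstation, first sighting
    ("192.0.2.1", "00:00:5e:00:53:01"),   # router again, same MAC
    ("192.0.2.1", "00:00:5e:00:53:66"),   # different MAC claims the router IP
    ("192.0.2.1", "00:00:5e:00:53:01"),   # real router answers again
    ("192.0.2.1", "00:00:5e:00:53:66"),   # second MAC claims it once more
]

if __name__ == "__main__":
    for kind, ip, old, new in needs_investigation(watch(SAMPLE)):
        print(f"{kind}: {ip} {old} -> {new}")
```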

How will ARPDefender alert me for ARP Poison Routing attacks? 
ARPDefender works around the clock and sends its alerts via email. These can be routed to a pager, cell phone, email, or 24x7 managed security services.

With low false-positive alerts, the device is pretty quiet. How can I tell if ARPDefender is still running? 
ARPDefender will check in with status daily, weekly, or monthly as you prefer. 

Can I configure ARPDefender to send alerts to multiple email addresses? 
Not yet. However, there's nothing to stop you from configuring mail forwarding of any sort from your email system to as many recipients as you wish. 

Do I need to set up a monitoring port on my switch to connect ARPDefender? 
Yes, in order to detect unicast LAN attacks, ARPDefender must be plugged into a monitoring port.

One of the switches is a Cisco managed switch and everything else is unmanaged. To monitor all ports, would all managed switches be required? And would they all need the SPAN feature?
Yes, in order to monitor *all* ports, you'd have to use all managed switches, but you don't typically need to monitor all ports.   

Some of my facilities don’t have managed switches. How do I protect those? 
Smaller facilities with fewer 'targets' are easy to protect. Let’s use a bank branch as an example. In the IT closet, utilize a small hub or network tap to connect your router, the ARPDefender unit, and optionally any local servers. Then uplink that hub or tap to the switch for connectivity to the rest of the branch. Your hub will be safe because it’s in a locked IT closet. ARPDefender will now catch any ARP Spoofing attempts made on the router or the servers from anywhere within the branch. You've now saved yourself thousands of dollars on the cost of a managed switch without degraded performance while providing yourself with superior standalone protection. 
  
Should I expect false positives? 
While false positives could occur by having a user change his Ethernet MAC address multiple times, this is highly unlikely. All ARP Spoofing Alerts should be immediately and thoroughly investigated. 

My Windows workstations aren't registered in my DNS, and thus the ARPDefender alerts only contain their IP Addresses. Is there a way I can get their workstation names?
ARPDefender only uses DNS to resolve host names. If you need to find the Windows NetBIOS name, issue the command NBTSTAT -A {IP Address} from any Windows machine on your network.