Configuring Advanced Threat Protection
Dynamic ARP Protection
Dynamic ARP Protection
Introduction
On the VLAN interfaces of a routing switch, dynamic ARP protection ensures
that only valid ARP requests and responses are relayed or used to update the
local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver
tised in the source protocol address and source physical address fields are
discarded. For more information about the ARP cache, refer to “ARP Cache
Table” in the
Multicast and Routing Guide
.
ARP requests are ordinarily broadcast and received by all devices in a broad
cast domain. Most ARP devices update their IP-to-MAC address entries each
time they receive an ARP packet even if they did not request the information.
This behavior makes an ARP cache vulnerable to attacks.
Because ARP allows a node to update its cache entries on other systems by
broadcasting or unicasting a gratuitous ARP reply, an attacker can send his
own IP-to-MAC address binding in the reply that causes all traffic destined for
a VLAN node to be sent to the attacker's MAC address. As a result, the attacker
can intercept traffic for other hosts in a classic "man-in-the-middle" attack.
The attacker gains access to any traffic sent to the poisoned address and can
capture passwords, e-mail, and VoIP calls or even modify traffic before
resending it.
Another way in which the ARP cache of known IP addresses and associated
MAC addresses can be poisoned is through unsolicited ARP responses. For
example, an attacker can associate the IP address of the network gateway
with the MAC address of a network node. In this way, all outgoing traffic is
prevented from leaving the network because the node does not have access
to outside networks. As a result, the node is overwhelmed by outgoing traffic
destined to another network.
Dynamic ARP protection is designed to protect your network against ARP
poisoning attacks in the following ways:
■
Allows you to differentiate between trusted and untrusted ports.
■
Intercepts all ARP requests and responses on untrusted ports before
forwarding them.
10-15
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......