Re: arpwatch
From: Mikkel Christensen (mike_at_unifix.org)
Date: 09/12/03
- Previous message: Spencer D'oro: "Stop browsing the web through GP?"
- In reply to: ted koenig: "RE: arpwatch"
- Next in thread: Gunter Luyten: "Re: arpwatch"
Date: Fri, 12 Sep 2003 01:05:22 +0200
To: security-basics@securityfocus.com
On Thu, 11 Sep 2003 16:43:19 -0400
"ted koenig" <tkoenig@lf-mail.com> wrote:
> I would think the only real purpose of doing arpwatch is to prevent apr, arp
> poison routing, and on a network of any major size/traffic volume you will
> notice a significant slowdown if somebody is up to that. Basically it
> effectively turns a switched network into a hubbed one by making everyone
> route through one machine, so that guy can sniff stuff out. For the most
> part, switches hamper the average sniffer.
Arp spoofing can be targeted against one host as well, in which case you will not get overall performance loss, or you can arpspoof access to the router and gain control over the internet connection.
Arpwatch is really cool (if you know a little bit of coding yourself) to monitor a wireless LAN: set up a wireless LAN subnet, make a database with all valid MAC addresses in it, and set arpwatch to launch an alert when an invalid MAC address is discovered. Admin should then be able to allow or reject that MAC address, and then the router between the wireless subnet and the intra/inter-net should filter this.
Really neat setup, easy to do and works like a charm :)
>
> Ted Koenig
> LaFrance Corp.
> Network Administrator
>
>
> -----Original Message-----
> From: John T. Hollyoak [mailto:john@mail.isc.rit.edu]
> Sent: Thursday, September 11, 2003 3:05 PM
> To: security-basics@securityfocus.com
> Subject: Re: arpwatch
>
>
> Tomas / Zidan,
>
> I just wanted to respond and add some information and ask a few
> questions....
>
> a) What switches (that you are aware of) leak? Do you have any other
> information about this? links?
> b) port mirroring or a monitor port, is the way to go. Check out the
> monitor command on the cisco switches, for an example of how to do this.
> Basically maps a range of ports, to a single port, for the purposes of
> monitoring (I've actually used it for an IDS before).
> c) Using a tool within the Dsniff package, called "macof" ... this can be
> accomplished, simply by blasting the CAM table (Content Addressable Memory)
> with a lot of addresses. The device will either fail open, or fail closed...
> meaning they basically turn into one big collision domain (hub).
>
> arpwatch is partially useful, if you have a small network. Anything that
> has a constant amount of ARP requests/replies .... will just create a lot of
> junk.
>
> What are you trying to accomplish by using ARPwatch? Perhaps there is a
> better tool available .....
>
> John Hollyoak
>
>
> ----- Original Message -----
> From: "Tomas Wolf" <tomas@skip.cz>
> To: "zidan" <zidan00@fastmail.fm>
> Cc: <security-basics@securityfocus.com>
> Sent: Thursday, September 11, 2003 7:33 AM
> Subject: Re: arpwatch
>
>
> > my 2c --
> > a) some switches horribly leak :-)
> > b) port mirroring would be the best bet (manageable switches necessary)
> > c) some under heavy load work like hubs (flood it)
> >
> > good luck - T.
> >
> > zidan wrote:
> >
> > >hello,
> > >
> > >I have recently installed arpwatch on one of our servers. I
> > >understood arpwatch "learns" arp replies, but since arp replies are
> > >destined to a specific MAC and this is a switched network, how can
> > >arpwatch see all arp replies ?
> > >
> > >
> > >-Z
> > >
> > >
> >
> >
> >
> > ----------------------------------------------------------------------
> > ----
> -
> > Captus Networks
> > Are you prepared for the next Sobig & Blaster?
> > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> > - Precisely Define and Implement Network Security
> > - Automatically Control P2P, IM and Spam Traffic
> > FIND OUT NOW - FREE Vulnerability Assessment Toolkit
> > http://www.captusnetworks.com/ads/42.htm
> > ----------------------------------------------------------------------
> > ----
> --
> >
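Added example, not part of the original post or of arpwatch itself: a minimal sketch of the allowlist check described in the reply above, run over arpwatch-style records. It assumes a whitespace-separated `arp.dat` layout (MAC, IP, epoch timestamp, optional hostname); the sample records, the allowlist and the function names are constructed for illustration.

```python
# Added example: audit arpwatch observations against a MAC allowlist.
from collections import defaultdict

def norm_mac(mac):
    """Zero-pad and lowercase a MAC; arpwatch may write 0:e:c:1:2:3."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) not in (1, 2) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def parse_arp_dat(text):
    """Yield (mac, ip, epoch) from arp.dat-style lines (assumed layout)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        try:
            yield norm_mac(fields[0]), fields[1], int(fields[2])
        except ValueError:
            continue  # skip malformed records rather than abort the audit

def audit(text, allowed):
    """Return (unknown MACs -> IPs seen, IPs claimed by more than one MAC)."""
    allowed = {norm_mac(m) for m in allowed}
    unknown, by_ip = {}, defaultdict(set)
    for mac, ip, _ts in parse_arp_dat(text):
        by_ip[ip].add(mac)
        if mac not in allowed:
            unknown.setdefault(mac, []).append(ip)
    conflicts = {ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1}
    return unknown, conflicts

# Constructed sample data (documentation IP range, made-up MACs).
SAMPLE = """\
0:e:c:aa:1:2\t192.0.2.1\t1063321522\tgw
0:30:65:b:c:d\t192.0.2.20\t1063321600\tlaptop1
2:0:5e:10:0:99\t192.0.2.77\t1063321701
2:0:5e:10:0:99\t192.0.2.1\t1063321750
"""
ALLOWED = ["00:0E:0C:AA:01:02", "00:30:65:0B:0C:0D"]

if __name__ == "__main__":
    unknown, conflicts = audit(SAMPLE, ALLOWED)
    for mac, ips in unknown.items():
        print(f"ALERT unknown MAC {mac} seen as {', '.join(ips)}")
    for ip, macs in conflicts.items():
        print(f"ALERT {ip} claimed by {', '.join(macs)}")
```

The second report (one IP claimed by several MACs) covers the single-host and router spoofing cases mentioned in the reply, which an allowlist alone misses when the spoofing machine is itself an allowed station.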