4

I read this article about man-in-the-middle ARP poisoning and how it works; it seems that ARP poisoning programs exploit the fact that the ARP protocol trusts any packet to be true and modifies its table based on it. Question is: why haven't the modified versions of ARP been used on a large scale yet (or have they)? I saw many papers at IEEE describing what they called "enhanced versions" of ARP (couldn't read them because they need a login) that are supposed to be immune to man-in-the-middle attacks and ARP poisoning in general. Are there disadvantages to any of the mechanisms used to verify ARP reply packets? In other words, is the simplicity of ARP essential, such that it can't be changed?

HSN
  • Maybe people like to use legacy systems until they become completely useless. – Shurmajee Apr 22 '13 at 11:49
  • I think there is a much broader question here. There are several other protocols out there that are known to be vulnerable, but as long as they are giving us the functionality we are satisfied. – Shurmajee Apr 22 '13 at 11:56
  • @MayankSharma I doubt "like" has a place here; personal preference and resistance to change might be a good explanation for why normal users don't change to more secure versions/products if they exist, but what about companies? They can't risk their business for that. However, about "why do we use protocols that might be vulnerable", well, I think (speaking from a business point of view) it's about feasibility. Sometimes the cost of implementing a solution exceeds the expected benefits. – HSN Apr 22 '13 at 12:07
  • I personally know a few organizations that are still using Windows XP Pro (support to end soon) or Windows Server 2003. In the industry you will find many such legacy systems that are using older software and protocols. The biggest example, I think, would be the adoption of IPv6 not going as expected. Though it has advanced security features and solves the problem of address space saturation, organizations are not very active because their older systems are still doing the job. – Shurmajee Apr 22 '13 at 16:35
  • Replacing a protocol like ARP is going to be a very big task. I think you would like to have a look at Dynamic ARP Inspection. This is a mitigation technique for ARP poisoning. – Shurmajee Apr 22 '13 at 16:44
  • Can you post the title of the article you were trying to read from IEEE? Some others may have access and may be able to read and comment. – Eric G Apr 24 '13 at 04:20
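As an added example (not part of the question, the comments or the answers), the following Python script models the two things discussed above: the unconditional trust the question describes, where a host overwrites its ARP cache on any packet it sees, and the check a switch performs under Dynamic ARP Inspection, the mitigation the comment above points to. The switch compares the sender IP/MAC pair in every ARP packet arriving on an untrusted port against a binding table (learned from DHCP snooping or configured statically) and also checks that the Ethernet source address matches the ARP sender hardware address. All MAC and IP addresses, frames and the binding table are constructed for the example, not taken from a real capture, and the function names are my own.

```python
"""Added example: a minimal software model of Dynamic ARP Inspection (DAI).

Shows (1) why an unprotected ARP cache is poisonable: it overwrites an entry
on any ARP packet it sees, and (2) the checks a DAI-capable switch performs
on ARP packets from untrusted ports before forwarding them.

All addresses, frames and the binding table are constructed for this example.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses (assumptions for the example, not real hosts).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "aa:bb:cc:00:00:99"

# What DHCP snooping (or static configuration) would have recorded.
BINDINGS = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP packet in the RFC 826 layout."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw=Ethernet, proto=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Return the fields an inspection needs; raise ValueError if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    a = frame[22:42]
    return {
        "eth_src": mac_str(eth_src),
        "op": op,
        "sender_mac": mac_str(a[0:6]),
        "sender_ip": ip_str(a[6:10]),
        "target_mac": mac_str(a[10:16]),
        "target_ip": ip_str(a[16:20]),
    }


def naive_cache_update(cache: dict, frame: bytes) -> dict:
    """What an unprotected host does: believe any ARP packet, request or reply."""
    p = parse_arp(frame)
    cache[p["sender_ip"]] = p["sender_mac"]
    return cache


def inspect(frame: bytes, bindings: dict, port_trusted: bool) -> str:
    """DAI-style verdict for an ARP frame arriving on a switch port."""
    if port_trusted:
        return "forward"  # uplink / DHCP-server ports are configured as trusted
    p = parse_arp(frame)
    if p["eth_src"] != p["sender_mac"]:  # the 'validate src-mac' style check
        return "drop: ethernet source differs from ARP sender MAC"
    expected = bindings.get(p["sender_ip"])
    if expected is None:
        return f"drop: no binding for {p['sender_ip']}"
    if expected != p["sender_mac"]:
        return f"drop: {p['sender_ip']} is bound to {expected}, not {p['sender_mac']}"
    return "forward"


def demo():
    """Legitimate gateway reply, a poisoning reply, and a reply with a forged ARP body."""
    legit = build_arp(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    poison = build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    # Attacker copies the gateway MAC into the ARP body but must still send from its own NIC.
    forged = build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache = {}
    naive_cache_update(cache, legit)
    naive_cache_update(cache, poison)  # gateway entry now points at the attacker
    verdicts = [inspect(f, BINDINGS, port_trusted=False) for f in (legit, poison, forged)]
    return cache, verdicts


if __name__ == "__main__":
    cache, verdicts = demo()
    print("unprotected cache:", cache)
    for v in verdicts:
        print("switch verdict:", v)
```

Running it shows the unprotected cache ending with the gateway IP mapped to the attacker's MAC, while the inspection forwards only the genuine reply and drops the other two. The model also illustrates the management cost the answers refer to: the binding table has to come from somewhere, so hosts with static addresses need static entries (or, on real switches, an ARP ACL), and a host that is not in the table cannot talk at all until someone adds it. Real DAI implementations additionally rate-limit ARP on untrusted ports, which this model omits.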

2 Answers

3

Question is : why the ARP modified versions hasn't been used on large scale yet ?

What is the cost of addressing this versus the risk? ARP is a local subnet issue. If someone is already successfully on your LAN you probably have a much bigger problem because they can still do attacks at higher layers of the communications stack. Is this where you want to spend your dollars versus other problems?

Port-level authentication such as 802.1X, TLS, VPNs, and other protocols may provide adequate protection in the view of a risk assessment, or you may be implementing protections at the switch/bridge. There is also likely the cost and complexity of management versus the return on investment. Then again, there may also be a marketing issue where no one has commercialized this and convinced the people with the chequebook to spend on it, especially when things like DLP and SIEM are just so much sexier, costlier, and more fun.

Eric G
1

I know a few businesses that have implemented 802.1X (OSI Layer 2 encryption and authentication that prevents attacks such as man-in-the-middle attacks). It takes time and money to set it up.

A switch can put each port on a separate VLAN, thus preventing man-in-the-middle attacks. Why implement 802.1X to prevent man-in-the-middle attacks when you can save money and time by simply using VLANs? Also, there are other security setups that are easier to set up than 802.1X. They are not as secure as 802.1X, but they still provide great security.

In private and controlled environments such as banks or government offices, the IT department has control over all devices, so they can set up such security. But if a school wants to implement this, not all devices support 802.1X, so they are better off using other techniques such as VLANs to protect their students. It is pointless to try to use 802.1X and, if a device does not support it, fall back on the regular ARP protocol. In that case they are better off using other types of security controls.