1

I would like to improve wireless security and certain other on-net security scenarios with a permanent ARP table entry. The idea being that someone on the same subnet or WiFi network will have a more difficult time spoofing my access point.

What clients support / don't support the feature of a permanent ARP entry?

How can I centralize the configuration, deployment and updates of this configuration?

Rory Alsop
makerofthings7

3 Answers

6

"Static" is the more commonly used term for these ARP entries than "Permanent"; you should know this if you're Googling and the like.

Static ARP entries do provide protection against ARP poisoning / spoofing. However, someone in a position to perform ARP spoofing can also perform MAC spoofing to achieve close to the same effect, and overcome the obstacle that a static ARP entry presents. This reduces the relative value of putting this protection into place.

Under both Windows and Unix, static ARP entries are configured using the command line tool `arp`, which is often called from a script, as @chris points out. You will not find an easy distributed management mechanism like, say, Group Policy to do it for you. Unless you've already got a tool in place for centralized configuration (puppet, cfengine, BladeLogic), you're stuck with manual work, another reason this protection isn't as attractive as one might like.

In my opinion, static ARP entries are a low-level security step which has limited advantages, whose management is troublesome, and whose overriding of the way a dynamic network works will turn around and bite you in the MAC at some point. There are better places to spend your time and energy.

gowenfawr
2

ARP tables are in the RAM of a device, and therefore they are never permanent.

However, you can add them at runtime, and have a script that adds them again when the device is rebooted. On Linux, the `arp` tool can be used to add static entries (`arp -s`). You can incorporate the arp command in a `/etc/network/if-pre-up.d/arp` script on Debian-based systems, for instance. How to add commands that are executed during boot is different on different platforms.

chris
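The two answers above describe the same procedure (install the static entry from a boot-time script, and accept that it only helps if you also notice when the entry no longer matches). The script below is an added example and is not code from either answer. It uses `ip neigh replace ... nud permanent`, the iproute2 equivalent of `arp -s`, and is written so the pinning step only runs when `APPLY_PIN=1` is set; the gateway address, MAC and interface name are placeholders, and the two neighbour-table dumps are constructed for the offline demonstration. Dropped into `/etc/network/if-pre-up.d/` it pins the gateway; run from cron it reports whether the live entry still carries the expected MAC, which is the check that turns a static entry into something you can actually alert on.

```shell
#!/bin/sh
# Added example: pin the default gateway's MAC as a static ("permanent")
# neighbour entry and verify the pin against the neighbour table.
# All three values below are placeholders (TEST-NET-1 address, a locally
# administered MAC); replace them with your own gateway and interface.
GATEWAY_IP="${GATEWAY_IP:-192.0.2.1}"
GATEWAY_MAC="${GATEWAY_MAC:-02:00:5e:00:53:01}"
IFACE="${IFACE:-eth0}"

# Install the static entry. `replace` overwrites a dynamic entry that may
# already exist for the address; `nud permanent` is what `arp -s` sets.
apply_pin() {
    ip neigh replace "$1" lladdr "$2" dev "$3" nud permanent
}

# Given `ip neigh show` output as $2, print the MAC recorded for $1 (or nothing).
neigh_mac() {
    printf '%s\n' "$2" | awk -v ip="$1" \
        '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# Print the NUD state (PERMANENT, REACHABLE, STALE, ...) recorded for $1.
neigh_state() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip { print $NF }'
}

# Return 0 only when the entry for $1 is PERMANENT and carries MAC $2.
# Return 2 when there is no entry at all, 1 when the MAC or state differs:
# a different MAC on a non-permanent entry is what ARP poisoning looks like
# from the victim's side (or a legitimately replaced gateway), and either
# case should be investigated rather than silently re-pinned.
check_pin() {
    got_mac=$(neigh_mac "$1" "$3")
    state=$(neigh_state "$1" "$3")
    if [ "$state" = "PERMANENT" ] && [ "$got_mac" = "$2" ]; then
        echo "OK: $1 pinned to $got_mac on $state entry"
        return 0
    elif [ -z "$got_mac" ]; then
        echo "MISSING: no neighbour entry for $1"
        return 2
    else
        echo "ALERT: $1 resolves to $got_mac ($state), expected $2"
        return 1
    fi
}

# Constructed sample neighbour tables (not captured from a real host).
SAMPLE_TABLE='192.0.2.1 dev eth0 lladdr 02:00:5e:00:53:01 PERMANENT
192.0.2.20 dev eth0 lladdr 02:00:5e:00:53:14 REACHABLE
192.0.2.30 dev eth0 lladdr 02:00:5e:00:53:1e STALE'
POISONED_TABLE='192.0.2.1 dev eth0 lladdr 02:00:5e:00:53:ff REACHABLE'

if [ "${APPLY_PIN:-0}" = 1 ]; then
    # Real use (needs root): pin, then confirm against the live table.
    apply_pin "$GATEWAY_IP" "$GATEWAY_MAC" "$IFACE"
    check_pin "$GATEWAY_IP" "$GATEWAY_MAC" "$(ip neigh show dev "$IFACE")"
else
    # Offline demonstration on the constructed tables.
    check_pin "$GATEWAY_IP" "$GATEWAY_MAC" "$SAMPLE_TABLE"
    check_pin "$GATEWAY_IP" "$GATEWAY_MAC" "$POISONED_TABLE" || true
fi
```

Without `APPLY_PIN=1` the script only exercises the check on the constructed tables, so it can be read and tried on any machine; the kernel's `ip neigh` output format is what `neigh_mac` and `neigh_state` parse. Note that, as gowenfawr says, a peer that spoofs the gateway's MAC as well as its IP will pass this check; the check catches the common poisoning case where the MAC changes, not a full impersonation.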
0

There isn't a GP object which could manage the permanent ARP cache. For Windows XP, we can use a logon script which could add the ARP entry.

However, in Windows 7 and 2008, only administrator permission could add the ARP entry, so there isn't any way to fulfill the requirement.

The command to add a permanent ARP entry is

```
ARP -s inet_addr eth_addr [if_addr]
```
TLDR
  • Thanks! I just found another command `netsh int ipv4 add neighbors "Local Area Connection" "10.X.X.1" "aa-bb-cc-dd-ee-ff"` from the [Technet netsh reference](http://technet.microsoft.com/ru-ru/library/cc731521(WS.10).aspx#BKMK_addneighbors) – makerofthings7 Oct 04 '11 at 13:36