312-50V10 · Question #658
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.
The correct answer is A. Use port security on his switches. B. Use a tool like ARPwatch to monitor for strange ARP activity. D. If you have a small network, use static ARP entries.. ARP spoofing prevention requires multiple layers including switch-level controls, monitoring, and static mappings. Firewalls and static IPs alone do not address the Layer 2 nature of ARP attacks.
Question
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.
Options
- AUse port security on his switches.
- BUse a tool like ARPwatch to monitor for strange ARP activity.
- CUse a firewall between all LAN segments.
- DIf you have a small network, use static ARP entries.
- EUse only static IP addresses on all PC's.
How the community answered
(59 responses)- A75% (44)
- C19% (11)
- E7% (4)
Why each option
ARP spoofing prevention requires multiple layers including switch-level controls, monitoring, and static mappings. Firewalls and static IPs alone do not address the Layer 2 nature of ARP attacks.
Port security on switches restricts the number of MAC addresses per port and can prevent an attacker from flooding the CAM table or injecting spoofed ARP replies tied to rogue MAC addresses.
ARPwatch passively monitors the network for ARP traffic and alerts administrators when unexpected MAC-to-IP mappings appear, providing real-time detection of poisoning attempts.
Firewalls operate at Layer 3 and above and cannot inspect or block ARP traffic, which is a Layer 2 broadcast protocol confined within a LAN segment.
Static ARP entries hard-code MAC-to-IP mappings in the ARP cache, preventing dynamic ARP replies from overwriting legitimate entries and neutralizing poisoning at the host level.
Static IP addresses fix the IP layer but do not prevent an attacker from broadcasting forged ARP replies that map those IPs to a malicious MAC address.
Concept tested: ARP spoofing prevention techniques at Layer 2
Source: https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-top
Topics
Community Discussion
No community discussion yet for this question.