Which measure is most effective as a proactive safeguard against ARP spoofing on a switched network?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which measure is most effective as a proactive safeguard against ARP spoofing on a switched network?

Explanation:
ARPs map IP addresses to MACs on a local network, and on a switched network an attacker can exploit this by sending forged ARP replies to associate their MAC with another device’s IP, such as the gateway. The strongest proactive defense is to tightly control what hardware can send traffic on each switch port. Port security does exactly that by binding MAC addresses to specific switch ports (with options like sticky MAC learned addresses). Once a port is configured to allow only the expected MACs, an attacker’s device—whose MAC won’t be on the allowed list—cannot inject frames or participate in the network, preventing ARP replies from successfully poisoning the ARP cache. This enforcement happens at the switch level before ARP processing, so it stops the attack before it can occur. In contrast, ARPwatch is a monitoring tool that detects anomalies after they happen; it can alert you to spoofing but doesn’t prevent it. Static ARP entries can prevent spoofing but are not scalable in large or dynamic networks and require manual maintenance on many devices. DHCP snooping guards against rogue DHCP servers and helps with some defenses like Dynamic ARP Inspection when paired with it, but on its own it doesn’t provide a broad, proactive ARP spoofing defense across all devices and traffic.

ARPs map IP addresses to MACs on a local network, and on a switched network an attacker can exploit this by sending forged ARP replies to associate their MAC with another device’s IP, such as the gateway. The strongest proactive defense is to tightly control what hardware can send traffic on each switch port. Port security does exactly that by binding MAC addresses to specific switch ports (with options like sticky MAC learned addresses). Once a port is configured to allow only the expected MACs, an attacker’s device—whose MAC won’t be on the allowed list—cannot inject frames or participate in the network, preventing ARP replies from successfully poisoning the ARP cache. This enforcement happens at the switch level before ARP processing, so it stops the attack before it can occur.

In contrast, ARPwatch is a monitoring tool that detects anomalies after they happen; it can alert you to spoofing but doesn’t prevent it. Static ARP entries can prevent spoofing but are not scalable in large or dynamic networks and require manual maintenance on many devices. DHCP snooping guards against rogue DHCP servers and helps with some defenses like Dynamic ARP Inspection when paired with it, but on its own it doesn’t provide a broad, proactive ARP spoofing defense across all devices and traffic.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy