ARP protection

Discussion in 'other firewalls' started by chaos16, Feb 26, 2005.

Thread Status:
Not open for further replies.
  1. chaos16

    chaos16 Registered Member

    What is ARP protection that ZoneAlarm has? o_O??

    Is it recommended to enable it or leave it disabled? o_O

  2. INTOXSICKATED

    INTOXSICKATED Registered Member

    ARP is "Address Resolution Protocol". When I used to use ZoneAlarm Pro, I was told to leave the 'enable ARP protection' box unchecked. I believe this feature is not even available in ZoneAlarm Free. It has something to do with IP addresses; maybe somebody else knows more.
  3. Phant0m

    Phant0m Registered Member

  4. hollywoodpc

    hollywoodpc Registered Member

    Very good Phant0m. You beat me to it. lol. Take care
  5. chaos16

    chaos16 Registered Member

    I got ZoneAlarm Pro.

    So then I should enable it? o_O??
  6. Alec

    Alec Registered Member

    To understand ARP protection, you have to understand what ARP does. Modern-day network communications are like giant layer cakes. The IP protocol, with its IP address which everyone is familiar with, is just one layer in this cake -- the "network layer". Below the "network layer" is the "data link" layer where things like Ethernet protocol and/or Token Ring protocol live. And below that, of course, is the "physical layer" which is comprised of physical interconnect specifications like 10BaseT and/or 100BaseTX.

    So while everyone is familiar with the concept that for any two computers to talk together they have to know each other's IP address, it is not as widely known (or at least commonly remembered) that for any two computers on an Ethernet network to talk to each other they also have to have another address called a Media Access Control (or MAC) address. In theory, every Ethernet network adapter has a unique, hard-coded MAC address burned in by the adapter manufacturer.

    When two computers on an Ethernet network want to talk to each other at the IP level, with IP addresses, they first have to determine what MAC address corresponds with the recipient's IP address. Well, first actually, I suppose the computer needs to determine whether it's on the same subnet or not, but let's just make it a little easier and assume that we are talking about two machines on the same subnet. Anyway, the machine initiating the conversation sends out an Ethernet broadcast called an ARP request which basically is saying "Hey... who out there is" Well, every other machine on that subnet basically ignores the question, but the device with that IP issues an ARP reply which is basically like shouting back "I'm and my MAC address is F7-0D-33-E6-BA-72". Now, when the original machine wants to talk to it no longer needs to use an Ethernet broadcast, rather it sends packets directly to the MAC address that was returned.

    In order to minimize the need for constant ARP requests and replies, each machine builds up a table that maps IP address to MAC address in something called an ARP cache. You can see the ARP cache by typing "arp -a" in a command box on Windows. But, here is where it gets tricky and there is room for mischievousness. The ARP caching concept was sort of built on the honor system and not a lot of thought apparently went into security. Typically, most ARP caching implementations simply listen for ARP replies and stick them in their table whether those replies were solicited or not. So bad guys can send out spoofed ARP replies that your machine will trustingly put into its ARP cache... this is called ARP poisoning.

    Why would the bad guys do this? Well most modern Ethernet networks make use of switches. Unlike a hub, switches make it difficult for bad guys to sniff traffic because a switch results in the two devices talking directly to each other with little chance for a third machine to eavesdrop. But, the bad guys have gotten clever and what they can do now is that they can poison your ARP cache so that their machine looks like the subnet gateway. That is, they can put themselves in the middle of all traffic that is going outside the local subnet and likely, say, to the public internet. They forward all traffic each way, so you are never the wiser, but they are now performing a man-in-the-middle attack. They can now snoop on basically everything you are doing. But it all sort of hinges on them being able to poison your ARP cache in the first place.

    What I believe ZoneAlarm's "ARP protection" does, is that it only allows ARP replies to make it into the ARP cache if they were first solicited via an ARP request. That way, bad guys can't arbitrarily poison your ARP cache anytime they want. Now, I'm not sure exactly what happens in a situation where your machine sends out a legitimate ARP request for, say, the real gateway IP address and the bad guys try to reply quicker than the real gateway. I suppose it presents a race situation, and just results in too much instability for it to be workable for the bad guys. Also, while ARP cache entries do time out after a little while, these timeouts aren't necessarily predictable and the gateway entry probably does not time out real frequently since active web surfing or email usage would tend to restart the timeout clock for the gateway ARP cache entry with every communication.
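A toy model of the two cache behaviours Alec describes, added here as an illustration (not code from the thread or from ZoneAlarm): the "naive" cache installs any ARP reply it hears, the "protected" cache installs a reply only if it answers a request this host actually sent. The IP and MAC addresses are constructed sample values, and the model also plays out the race the post wonders about.

```python
from dataclasses import dataclass, field

@dataclass
class ArpCache:
    """Minimal IP -> MAC cache; solicited_only=True mimics 'ARP protection'."""
    solicited_only: bool
    table: dict = field(default_factory=dict)   # ip -> mac currently believed
    pending: set = field(default_factory=set)   # ips this host has asked about

    def request(self, ip):
        """Host broadcasts 'who has <ip>?' and remembers that it asked."""
        self.pending.add(ip)

    def reply(self, ip, mac):
        """Process an ARP reply heard on the wire. Returns True if installed."""
        if self.solicited_only and ip not in self.pending:
            return False              # unsolicited reply: dropped, cache untouched
        self.table[ip] = mac
        self.pending.discard(ip)      # first answer wins; later ones need a new request
        return True

# Constructed sample addresses (hypothetical, not from the thread).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00-11-22-33-44-55"
ATTACKER_MAC = "de-ad-be-ef-00-01"

def poison_scenario(solicited_only):
    """Legit gateway lookup, then an unsolicited spoofed reply for the gateway IP.
    Returns the MAC the host now holds for the gateway."""
    cache = ArpCache(solicited_only)
    cache.request(GATEWAY_IP)
    cache.reply(GATEWAY_IP, GATEWAY_MAC)      # real gateway answers
    cache.reply(GATEWAY_IP, ATTACKER_MAC)     # gratuitous spoofed reply later on
    return cache.table[GATEWAY_IP]

def race_scenario():
    """The race Alec wonders about: a spoofed reply to a real request beats the
    gateway's reply, and the protected cache keeps the wrong answer."""
    cache = ArpCache(solicited_only=True)
    cache.request(GATEWAY_IP)
    cache.reply(GATEWAY_IP, ATTACKER_MAC)     # arrives first, and was solicited
    cache.reply(GATEWAY_IP, GATEWAY_MAC)      # now unsolicited, so it is dropped
    return cache.table[GATEWAY_IP]

if __name__ == "__main__":
    print("naive cache holds    :", poison_scenario(False))
    print("protected cache holds:", poison_scenario(True))
    print("protected, lost race :", race_scenario())
```

Solicited-only filtering stops the gratuitous-reply case but not the race, which is why a defender would also watch for the gateway entry in `arp -a` changing MAC between checks.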
  7. Alec

    Alec Registered Member

    It's probably only really useful for large corporate LANs where you think there might be some hackers snooping on co-workers. On home LANs it's probably not terribly useful. At least not in any way that I can think of off the top of my head. If you're at home, just leaving it disabled is probably ok.
  8. hollywoodpc

    hollywoodpc Registered Member

    Bottom line is, if you have a LAN, you may want to initiate it. Gee. lol
  9. Alec

    Alec Registered Member

    Well, I'm not going to apologize for attempting to explain technical issues for the benefit of all that might read this thread and may not be as knowledgeable as you. :rolleyes:
  10. Kerodo

    Kerodo Registered Member

    I appreciate the explanation and found it interesting. Thanks Alec... ;)