What is ARP protection and should I enable it?


ARP stands for "Address Resolution Protocol".

To understand ARP protection, you have to understand what ARP does. Modern-day network communications are like giant layer cakes. The IP protocol, with the IP address everyone is familiar with, is just one layer in this cake, the "network layer". Below the network layer is the "data link" layer, where things like the Ethernet protocol and Token Ring protocol live. And below that, of course, is the "physical layer", which is made up of physical interconnect specifications like 10BaseT and 100BaseTX.

So while everyone is familiar with the concept that for any two computers to talk to each other they have to know each other's IP address, it is not as widely known (or at least commonly remembered) that for any two computers on an Ethernet network to talk to each other they also have to know another address, called a Media Access Control (or MAC) address. In theory, every Ethernet network adapter has a unique, hard-coded MAC address burned in by the adapter manufacturer. In practice, most operating systems and drivers let you override it in software, which is why a MAC address is never proof of who is on the other end.

When two computers on an Ethernet network want to talk to each other at the IP level, they first have to determine what MAC address corresponds to the recipient's IP address. (Strictly speaking, the sender first has to determine whether the recipient is on the same subnet at all; if it is not, the sender resolves the MAC address of its gateway instead. To keep things simple, assume two machines on the same subnet.) The machine initiating the conversation sends out an Ethernet broadcast called an ARP request, which is basically saying "Hey... who out there has this IP address?" Every other machine on that subnet ignores the question, but the device with that IP issues an ARP reply, which is basically like shouting back "That's me, and my MAC address is F7-0D-33-E6-BA-72". From then on, when the original machine wants to talk to it, it no longer needs to use an Ethernet broadcast; it sends packets directly to the MAC address that was returned.

In order to minimize the need for constant ARP requests and replies, each machine builds up a table that maps IP addresses to MAC addresses, called the ARP cache. You can see the ARP cache by typing "arp -a" in a command box on Windows. But here is where it gets tricky and there is room for mischief. ARP was built on the honor system: replies carry no authentication of any kind, and apparently not a lot of thought went into security. Many ARP cache implementations simply listen for ARP replies and put them in the table (or overwrite an existing entry) whether or not those replies were solicited. So bad guys can send out spoofed ARP replies that your machine will trustingly put into its ARP cache. This is called ARP poisoning, or ARP spoofing.

Why would the bad guys do this? Most modern Ethernet networks use switches. Unlike a hub, which repeats every frame to every port, a switch delivers a frame only to the port where the destination MAC address lives, so a third machine gets little chance to eavesdrop. But the bad guys have gotten clever: they poison your ARP cache so that their own MAC address is listed for the subnet gateway's IP address, and usually poison the gateway's cache as well so that its entry for your IP points at them too. That puts them in the middle of all traffic going outside the local subnet, most likely to the public internet. They forward all traffic each way, so you are never the wiser, but they are now performing a man-in-the-middle attack. They can snoop on and tamper with anything you send that is not encrypted, and even encrypted traffic tells them whom you are talking to. But it all hinges on them being able to poison your ARP cache in the first place.
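A quick check you can run yourself: after an attacker has done the above, the gateway's IP and the attacker's own IP both show the attacker's MAC in your ARP cache. The script below is an added example, not part of the original article or ZoneAlarm's software. It parses the Windows "arp -a" output format and flags any unicast MAC that is listed under more than one IP address. The table it reads is constructed for illustration; the addresses in it are made up.

```python
"""Spot a poisoned gateway entry in `arp -a` output (Windows format).

Added example, not from the original article or from ZoneAlarm. The sample
table below is constructed; every address in it is made up.
"""
import re
from collections import defaultdict

# Constructed sample of `arp -a` output. The gateway 192.168.1.1 and the
# host 192.168.1.77 share one MAC: the classic symptom of a machine that
# has poisoned our cache so that it impersonates the gateway.
SAMPLE_ARP_A = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-11-22-33     dynamic
  192.168.1.50          aa-bb-cc-44-55-66     dynamic
  192.168.1.77          aa-bb-cc-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: dotted IPv4, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from `arp -a` text.

    Header, interface and blank lines do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, typ = m.groups()
            entries.append((ip, mac.lower(), typ.lower()))
    return entries


def is_unicast(mac):
    """Group (broadcast/multicast) MACs have the low bit of the first octet
    set; they legitimately repeat and are not evidence of poisoning."""
    return int(mac.split("-")[0], 16) & 1 == 0


def find_shared_macs(entries):
    """Map each unicast MAC that appears under more than one IP to its IPs."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_suspect(entries, gateway_ip):
    """True if the gateway's MAC is also claimed by another unicast IP."""
    return any(gateway_ip in ips for ips in find_shared_macs(entries).values())


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    for shared_mac, ips in find_shared_macs(table).items():
        print(f"MAC {shared_mac} is listed for {len(ips)} IPs: {', '.join(ips)}")
    print("gateway entry suspect:", gateway_suspect(table, "192.168.1.1"))
```

A shared MAC is a strong hint, not proof: one adapter holding several IP addresses, or a router that owns more than one address on the segment, will show the same pattern legitimately. Compare the gateway's MAC against what it shows when you are on a trusted network before drawing conclusions.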

What ZoneAlarm's "ARP protection" does is only let an ARP reply into the ARP cache if it answers an ARP request your machine actually sent. A solicited-only filter of this kind raises the bar rather than eliminating the attack: an attacker who answers one of your legitimate requests faster than the real host can still get a spoofed entry in, and nothing running on your machine can protect the gateway's own ARP cache.
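To make the difference concrete, here is an added example (not code from the article or from ZoneAlarm) that builds real ARP frames in the RFC 826 layout and feeds them to two simulated ARP caches: one that accepts any reply, as described above, and one that accepts a reply only for an IP it has an outstanding request for. The "protect=True" policy is my model of what a solicited-only filter does, not ZoneAlarm's implementation, and all addresses are constructed for illustration.

```python
"""Simulate an ARP cache with and without a solicited-replies-only filter.

Added example, not code from the original article or from ZoneAlarm.
The victim, gateway and attacker addresses are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", dst, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None."""
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, smac, sip, tmac, tip


class ArpCache:
    """One host's ARP cache. protect=False installs any reply addressed to
    us (the honor system); protect=True installs a reply only for an IP we
    currently have an unanswered request out for."""

    def __init__(self, my_mac, my_ip, protect):
        self.my_mac, self.my_ip, self.protect = my_mac, my_ip, protect
        self.table = {}        # ip bytes -> mac bytes
        self.pending = set()   # ips we have asked about and not resolved

    def request(self, target_ip):
        self.pending.add(target_ip)
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, bytes(6), target_ip)

    def receive(self, frame):
        """Process one frame; return a reply frame if one is due, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip, tmac, tip = parsed
        if op == ARP_REQUEST and tip == self.my_ip:
            return build_arp(ARP_REPLY, self.my_mac, self.my_ip, smac, sip)
        if op == ARP_REPLY and tmac == self.my_mac:
            if self.protect and sip not in self.pending:
                return None           # unsolicited reply: drop it
            self.table[sip] = smac
            self.pending.discard(sip)
        return None


def run_scenario(protect):
    """Victim resolves the gateway legitimately, then the attacker sends an
    unsolicited reply claiming the gateway's IP. Returns the MAC the victim
    ends up using for the gateway, as a dash-separated string."""
    victim_mac, victim_ip = mac("02-00-00-00-00-01"), ip("192.168.1.23")
    gw_mac, gw_ip = mac("02-00-00-00-00-fe"), ip("192.168.1.1")
    atk_mac = mac("02-00-00-00-00-99")

    victim = ArpCache(victim_mac, victim_ip, protect)
    gateway = ArpCache(gw_mac, gw_ip, protect)

    # 1. Victim broadcasts "who has 192.168.1.1?"; the gateway answers.
    victim.receive(gateway.receive(victim.request(gw_ip)))
    # 2. Attacker injects "192.168.1.1 is at atk_mac" with no request pending.
    victim.receive(build_arp(ARP_REPLY, atk_mac, gw_ip, victim_mac, victim_ip))
    return victim.table[gw_ip].hex("-")


if __name__ == "__main__":
    print("no protection:", run_scenario(False))   # attacker's MAC wins
    print("protection:   ", run_scenario(True))    # gateway's MAC kept
```

Note what the protected cache does not cover: if the attacker's forged reply arrived between step 1's request and the gateway's genuine answer, the IP would still be pending and the filter would install it. The gateway's cache, which the attacker poisons the same way to catch return traffic, is outside the victim's control entirely.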

ARP protection is really useful on large corporate LANs, or on any LAN where another machine on the same segment might be hostile, such as a hacker snooping on co-workers. On a home LAN where you control every device, there is no real need to enable it.
