Introduction to ARP Defense
The system provides a series of ARP defense functions to protect your network against various ARP attacks:
- ARP Learning: Hillstone devices obtain IP-MAC bindings in an Intranet through ARP learning and add them to the ARP list. This function is enabled by default and runs continuously; if an IP or MAC address changes while learning is on, the updated IP-MAC binding is added to the ARP list. If this function is disabled, only hosts whose IP addresses are already in the ARP list can access the Internet.
- MAC Learning: Hillstone devices obtain MAC-Port bindings in an Intranet through MAC learning and add them to the MAC list. This function is enabled by default and runs continuously; if a MAC address or port changes while learning is on, the updated MAC-Port binding is added to the MAC list.
- ARP Binding: When IP-MAC, MAC-Port or IP-MAC-Port binding is enabled, packets that do not match a binding are dropped, protecting against ARP spoofing and MAC address list attacks. Combining ARP learning and MAC learning with binding achieves the effect of "real-time scan + static binding" and makes the defense configuration simpler and more effective.
- Authenticated ARP: Authenticated ARP is implemented by the ARP client Hillstone Secure Defender. When a PC with Hillstone Secure Defender installed accesses the Internet through an interface with Authenticated ARP enabled, the client performs ARP authentication with the Hillstone device to ensure that the MAC address of the device the PC is connecting to is trusted.
- DHCP Snooping: With this function enabled, the system creates a binding between a DHCP client's MAC address and the IP address allocated to it by analyzing the packets exchanged between the DHCP client and server. When ARP Inspection is also enabled, the system checks whether each ARP packet passing through matches a binding in the list; if it does not, the ARP packet is dropped.
- Host Defense: With this function enabled, the device sends gratuitous ARP packets for the specified hosts, announcing their correct IP-MAC mappings, to protect them against ARP attacks.
- ARP Inspection: Hillstone devices support ARP Inspection on interfaces. With this function enabled, the system inspects every ARP packet passing through the specified interfaces and compares the sender IP and MAC addresses in each packet with the static IP-MAC bindings in the ARP list and the IP-MAC bindings in the DHCP Snooping list.
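The following is an added example, not Hillstone code, showing in Python the logic that the DHCP Snooping, Host Defense and ARP Inspection items above describe: a binding table holding static IP-MAC entries and entries learned from DHCP leases, an inspection routine that passes an ARP frame only when its sender IP-MAC pair matches a binding (and drops it otherwise, as the page states), and a gratuitous ARP builder of the kind Host Defense sends for protected hosts. The frame layout follows RFC 826; the `BindingTable` shape, the precedence of static over snooped entries, and all addresses and frames are assumptions constructed for this example and say nothing about how a Hillstone device stores its lists.

```python
"""Illustrative ARP inspection against static and DHCP-snooped IP-MAC bindings.
Added example, not Hillstone code; every address and frame below is constructed."""
import struct
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")

def mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(p) for p in s.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, dst_mac: str = BROADCAST) -> bytes:
    """Build an Ethernet frame carrying an IPv4 ARP packet (RFC 826 layout)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(opcode, mac_str(body[0:6]), ip_str(body[6:10]),
                     mac_str(body[10:16]), ip_str(body[16:20]))

@dataclass
class BindingTable:
    """IP -> MAC bindings: static ARP-list entries plus entries learned by DHCP snooping (assumed shape)."""
    static: Dict[str, str] = field(default_factory=dict)
    snooped: Dict[str, str] = field(default_factory=dict)

    def learn_dhcp_lease(self, client_mac: str, leased_ip: str) -> None:
        """Record the binding a DHCP server handed out, as DHCP snooping derives from the server's reply."""
        self.snooped[leased_ip] = client_mac.lower()

    def expected_mac(self, ip: str) -> Optional[str]:
        # Assumption for this example: a static binding wins over a snooped one for the same IP.
        return self.static.get(ip) or self.snooped.get(ip)

def inspect_arp(frame: bytes, table: BindingTable) -> Tuple[str, str]:
    """Return ("pass"|"drop", reason); the sender IP-MAC pair must match a binding or the ARP frame is dropped."""
    pkt = parse_arp(frame)
    if pkt is None:
        return "pass", "not an IPv4 ARP frame; ARP inspection does not apply"
    expected = table.expected_mac(pkt.sender_ip)
    if expected is None:
        return "drop", f"no binding for sender {pkt.sender_ip}"
    if expected != pkt.sender_mac:
        return "drop", f"{pkt.sender_ip} is bound to {expected} but claimed by {pkt.sender_mac}"
    return "pass", "sender IP-MAC pair matches a binding"

def gratuitous_arp(host_mac: str, host_ip: str) -> bytes:
    """Gratuitous ARP reply announcing host_ip at host_mac, the kind of frame Host Defense sends."""
    return build_arp(ARP_REPLY, host_mac, host_ip, BROADCAST, host_ip)

def demo() -> Dict[str, str]:
    """Constructed scenario: a statically bound gateway, a DHCP client, an unknown host and a spoofer."""
    gw_mac, gw_ip = "02:00:00:00:00:01", "192.0.2.1"
    client_mac, client_ip = "02:00:00:00:00:10", "192.0.2.10"
    attacker_mac = "02:00:00:00:00:66"
    table = BindingTable(static={gw_ip: gw_mac})
    table.learn_dhcp_lease(client_mac, client_ip)
    frames = {
        # Legitimate request from the DHCP client for the gateway's MAC.
        "client_request": build_arp(ARP_REQUEST, client_mac, client_ip, "00:00:00:00:00:00", gw_ip),
        # Attacker claims the gateway IP towards the client (ARP poisoning attempt).
        "spoofed_gateway": build_arp(ARP_REPLY, attacker_mac, gw_ip, client_mac, client_ip, dst_mac=client_mac),
        # Host with neither a DHCP lease nor a static binding.
        "unknown_host": build_arp(ARP_REQUEST, "02:00:00:00:00:77", "192.0.2.77", "00:00:00:00:00:00", gw_ip),
        # Host Defense announcement for the gateway itself.
        "host_defense": gratuitous_arp(gw_mac, gw_ip),
    }
    return {name: inspect_arp(frame, table)[0] for name, frame in frames.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Running the module prints one verdict per constructed frame: the client's request and the gateway's own gratuitous ARP pass, while the spoofed gateway reply and the host with no binding are dropped. Note that a real inspection point would also need to decide what happens to hosts with static IPs that never appear in DHCP traffic; in this example that is exactly what the static entries in the ARP list are for.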