This topic of network awareness is dear to my heart — not because of what it does but because it is network-based and I started out in the IT field as a network engineer, so networking holds a special place for me. What do I mean by “network awareness”? Network awareness is simply being aware of when a new device is put on your network, here’s how to use ARPwatch to do so.
Rogue devices vs ARPwatch
Unless you already have a network access control (NAC) solution in place, most of you probably don’t know when a new device is put on your network. Yes, we know the dangers that exist, such as rogue DHCP servers or “drop boxes” that attackers leave behind to gain a foothold inside your network. The question remains, how can we identify when something new is put on our network without spending a ton of money and time on a NAC? One word: ARPwatch.
So, what is ARPwatch and what does it do? ARPwatch is a tool that watches for ARP traffic on a network and then records every MAC address it sees in a database. Every time it sees a new MAC address, it can send you an email alert to let you know there’s a new device on the network. It’s a great tool for identifying not only new devices but also ARP spoofing and network flip/flops, for which you’ll receive email notifications.
ARPwatch setup considerations
So, how much does something like this run? Free! Oh, yes, I love open source! So, you fire up your favorite flavor of Linux, throw ARPwatch and an SMTP server on it, edit a couple of config files, and you’re off to the races. There is one downside to ARPwatch that is not a fault of the application but simply how networking “works”: You’ll need to have a network adapter on each of the subnets you want to monitor. This is because ARP is a layer two protocol and is contained within a broadcast domain (a subnet). If you have a virtual environment and are using VLAN tagging in your virtual setup, this is not a problem. If you want to put this on a physical box, though, it’s a bit more challenging.
ARPwatch is not a magician, so it can’t tell you where the machine is on your network, but it can tell you the MAC address, IP address, and sometimes the network adapter vendor in the email alerts. This means you’ll need to do a little digging when you receive these alerts. You’ll need to find out where this device is by checking switch and access point MAC address tables unless you already have a utility to help you with this, such as “SwitchMiner.” When you first set up ARPwatch, its database is empty, so every device will be new and you may want to spend time validating every MAC address so you know you’re starting with a clean slate.
Now that we’ve discussed ARPwatch, what it is, and how it works, let’s take a look at how to set it up and see it in action! Check out this free video on ARPwatch at Linux Academy.
ARPwatch final thoughts
I hope you see the value in what ARPwatch can bring to your environment and how simple of a solution it is. Also, keep in mind this isn’t something you’d want to monitor a guest network with as you’d get alerts all day long. This is meant to use used to monitor your protected environments. Once again, open source to the rescue! I can’t believe this is already the end of March, wow! Well, off to April and new topics. See you next week!