2.3 Proxy ARP

Information

Proxy ARP is a technique by which a device on a given network answers ARP queries for a network address that is not on that network. The ARP proxy knows where the traffic's destination is located and offers its own MAC address as the final destination. Proxy ARP is supported on L3 physical and VLAN interfaces and is disabled by default. Disabling Proxy ARP on unused interfaces of AOS-CX switches prevents the switch from responding to ARP requests on behalf of other devices, ensuring that it does not act as a proxy for IP address resolution on inactive ports.

This enhances network security by preventing potential misuse of unused interfaces, such as spoofing or unauthorized traffic redirection. It also reduces unnecessary processing and ARP-related traffic on the network.

Solution

Proxy ARP is disabled on all interfaces by default, so it appears in the running configuration only when it has been enabled (which is usually undesirable). If it is enabled on an interface, disable it with the following configuration:

switch(config)# interface <ID>
switch(config-if)# no ip proxy-arp
switch(config-if)# no ip local-proxy-arp
switch(config-if)# no ipv6 local-proxy-nd
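The check a practitioner would want before applying the commands above is to scan saved `show running-config` output for interface stanzas that still carry any of the three proxy commands. The following script is an added example, not part of the benchmark or of AOS-CX; the running-config text is constructed, and it assumes the AOS-CX convention that interface stanzas start unindented with `interface ...` and that the proxy commands appear only when enabled.

```python
# Constructed sample of AOS-CX "show running-config" output (not from the page);
# two interfaces have a proxy command enabled, two are clean.
SAMPLE_RUNNING_CONFIG = """\
hostname core-sw1
interface 1/1/1
    ip address 10.0.1.1/24
    ip proxy-arp
interface 1/1/2
    ip address 10.0.2.1/24
interface vlan 100
    ip address 10.0.100.1/24
    ip local-proxy-arp
    ipv6 local-proxy-nd
interface vlan 200
    ip address 10.0.200.1/24
"""

# The three commands the benchmark tells you to negate; AOS-CX only prints
# them in the running-config when the feature is enabled (assumption).
PROXY_COMMANDS = ("ip proxy-arp", "ip local-proxy-arp", "ipv6 local-proxy-nd")


def find_proxy_arp_interfaces(running_config):
    """Return {interface: [enabled proxy commands]} for each interface stanza
    that still has proxy ARP / local proxy ARP / local proxy ND turned on."""
    findings = {}
    current = None
    for raw in running_config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Unindented line = new top-level stanza; only "interface ..." matters.
            current = raw[len("interface "):].strip() if raw.startswith("interface ") else None
            continue
        cmd = raw.strip()
        if current is not None and cmd in PROXY_COMMANDS:
            findings.setdefault(current, []).append(cmd)
    return findings


def remediation_commands(findings):
    """Turn the findings into the 'no ...' lines from the Solution above."""
    lines = []
    for iface, cmds in findings.items():
        lines.append(f"interface {iface}")
        lines.extend(f"    no {cmd}" for cmd in cmds)
    return lines
```

An empty result from `find_proxy_arp_interfaces` is a pass; anything else lists exactly the stanzas and commands that need the `no` form applied.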

Impact

Disabling Proxy ARP on unused interfaces reduces the attack surface, safeguards against ARP-based attacks, and contributes to an optimized and secure network environment by eliminating unnecessary overhead on inactive ports.

See Also

https://workbench.cisecurity.org/benchmarks/24202

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: ArubaOS

Control ID: a1aae0c0867082d3c9f268ae8ec8030322e4047a3003b005f299bef5179c6803