Arpwatch windows equivalent
Posted by Any-Promotion3744@reddit | sysadmin | 30 comments
Is there a windows equivalent to Arpwatch that doesn't cost a ton?
Arpwatch is free but my manager really hates linux.
I find it useful receiving alerts when a new mac address is detected on the network.
I think ManageEngine OpUtils Professional can do it but it would cost a lot.
blckshdw@reddit
Ask your manager what he hates more: money or Linux?
Any-Promotion3744@reddit (OP)
linux is insecure and shouldn't be used
chrome is insecure and shouldn't be used
android is insecure and shouldn't be used
...
Smith6612@reddit
If Chrome is insecure, what is Microsoft Edge 🤔
If Android is insecure, why is Android for Work better at protecting data in BYOD environments?
If Linux is insecure, why does nearly everything run it?
Hmm...
Ihaveasmallwang@reddit
All of these are true only if you do not properly set up the management policies. Especially for the Android one since the fragmentation means some devices/brands may or may not receive updates that fix security vulnerabilities in a timely fashion or even at all. Much worse if any users use budget devices.
encrypttwice04@reddit
but fragmentation's the whole reason GrapheneOS exists, they control the entire update stack so you're not waiting on Samsung or whoever to patch it
Ihaveasmallwang@reddit
A product that most people cannot install on the hardware they own. If the general user base actually had the technical knowledge to know how to unlock bootloaders and install custom ROMs, you probably wouldn't have a job. Your niche product is not a solution. But thank you for admitting that the Android fragmentation is a security risk in itself.
_araqiel@reddit
I’m sure you’re well aware of this, but your boss is a dumbfuck.
Secret_Account07@reddit
Wait why is Linux insecure?
I mean what’s his reasoning for saying that?
Any-Promotion3744@reddit (OP)
who knows
maybe we should be running Ubuntu Pro
cwk9@reddit
I find with people like these it's always based on some combo of ignorance and fear.
stufforstuff@reddit
The word you're looking for is "Stupidity".
Leinheart@reddit
Your boss is insecure and shouldn't be used.
TreborG2@reddit
THIS!
LoL
St0nywall@reddit
So much coffee snorted through my nose! LOL
greger416@reddit
Tbh sounds like your boss doesn't know shit.
natefrogg1@reddit
Run it on FreeBSD UNIX then
blckshdw@reddit
Great. Pony up some cash then
jaymz668@reddit
Linux is insecure.... he should see Windows.
Curious201@reddit
Arpwatch is useful, but on a modern network I would not build the whole process around MAC sightings alone. Randomized MACs, docking stations, phones, and guest devices can make it noisy very quickly. If the goal is "tell me when something new appears," you can get part of the way there with DHCP logs, Windows DHCP audit logs, switch MAC tables, or your firewall's device inventory, depending on what you already run. If the goal is "do not allow unknown devices," then you are really talking about 802.1X, NAC, or at least tighter DHCP/reservation and switch port controls. For a cheaper middle ground I would probably start with DHCP alerting plus a small script or scheduled report before buying a full ManageEngine product.
ZY6K9fw4tJ5fNvKx@reddit
just use powershell, something like this:
$y = arp -a; while ($true) { $x = $y; Start-Sleep 10; $y = arp -a; Compare-Object $x $y }
Or snmp traps on your switch if you have multiple vlans / want to do it properly.
IAmSnort@reddit
How about Solaris?
Any-Promotion3744@reddit (OP)
I was thinking about Ubuntu Pro
kerubi@reddit
These days, with devices randomizing and rotating their MAC addresses, arpwatch is not as useful as it used to be. Of course there are networks with non-MAC-rotating devices.
Any-Promotion3744@reddit (OP)
I kind of think of arpwatch as a level one type of security option. Once every MAC address is in the database, it gives you an idea of when an unknown device has connected to the network. See alert and investigate. MAC addresses can be cloned so not an end all, be all.
Level 2 would be MAC authentication. Not great but somewhat better.
After that, you can do something like Aruba Clearpass policy manager.
kerubi@reddit
Just how "Once every MAC address is in the database" happens when the devices are rotating random MAC addresses?
NighthawkFoo@reddit
I thought the device uses a consistent MAC for the given network.
antiduh@reddit
Yes, otherwise dhcp would be sad.
Chellhound@reddit
Not what I'd recommend, necessarily, but you could make devices (VMs, etc) responsible for registering their MAC with the database and only alert if it's been more than T time since the new MAC was detected.
(You'd also need to purge old MACs, naturally)
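The Compare-Object one-liner posted earlier and the grace-period idea in the comment above, combined into one script as an added example that is not from anyone in this thread: it parses `arp -a`, keeps a JSON list of approved MACs and a state file of unapproved sightings, alerts only once an unapproved MAC has been present longer than a grace period, and purges MACs that have left. The file paths and the JSON layout are assumptions; adjust them to your environment.

```powershell
param(
    [string]$KnownFile    = 'C:\arpwatch\known-macs.json',   # placeholder path
    [string]$StateFile    = 'C:\arpwatch\pending.json',      # placeholder path
    [int]   $GraceMinutes = 30
)

function Get-ArpTable {
    # Parse 'arp -a' into objects; broadcast and IPv4 multicast entries are dropped
    # because they are always present and would only add noise.
    arp -a | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})') {
            $mac = $Matches[2].ToLower()
            if ($mac -eq 'ff-ff-ff-ff-ff-ff' -or $mac -like '01-00-5e-*') { return }
            [pscustomobject]@{ IP = $Matches[1]; MAC = $mac }
        }
    }
}

function Read-JsonFile($Path) {
    if (Test-Path $Path) { Get-Content $Path -Raw | ConvertFrom-Json }
}

$known   = @(Read-JsonFile $KnownFile)   # approved MACs, e.g. ["aa-bb-cc-dd-ee-ff"]
$pending = @{}                           # unapproved MAC -> first-seen timestamp
$saved   = Read-JsonFile $StateFile
if ($saved) {
    foreach ($p in $saved.PSObject.Properties) { $pending[$p.Name] = [datetime]$p.Value }
}

$now  = Get-Date
$seen = @{}
foreach ($entry in Get-ArpTable) {
    $seen[$entry.MAC] = $true
    if ($known -contains $entry.MAC) { continue }
    if (-not $pending.ContainsKey($entry.MAC)) {
        $pending[$entry.MAC] = $now      # first sighting: start the clock, no alert yet
        continue
    }
    if (($now - $pending[$entry.MAC]).TotalMinutes -ge $GraceMinutes) {
        # Swap Write-Warning for Send-MailMessage, a webhook, or Write-EventLog as needed.
        Write-Warning "Unapproved MAC $($entry.MAC) at $($entry.IP) present for over $GraceMinutes minutes"
    }
}

# Drop pending MACs that have left the network so the state file does not grow forever.
foreach ($mac in @($pending.Keys)) { if (-not $seen.ContainsKey($mac)) { $pending.Remove($mac) } }
$out = @{}
foreach ($mac in $pending.Keys) { $out[$mac] = $pending[$mac].ToString('o') }
$out | ConvertTo-Json | Set-Content $StateFile
```

Run it from a scheduled task every few minutes; the ARP cache only holds hosts this machine has recently talked to, so Curious201's point stands that DHCP logs or switch MAC tables see more of the network than one host's ARP table does.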
Kikawala@reddit
There is now a more modern version of arpwatch called ANDwatch. Works with IPv6 as well.
https://github.com/dennypage/andwatch
glueall215@reddit
Compare the 6k annual cost of ManageEngine unlimited OpUtils to say SolarWinds and see if it still feels like a lot.