Cyber Ops Associate V1: Module 8 - Address Resolution Protocol (ARP)

Course Overview

• Focus: Skills and knowledge for an Associate-level Security Analyst in a Security Operations Center.
• Goal: Preparation for Cisco 200-201 Certification (CBROPS).

Module 8: Address Resolution Protocol (ARP)

• Focus: MAC and IP addresses, predominantly IPv4.
• Key Concepts:
  • Examination of Ethernet frames.
  • ARP requests and potential network impact.

MAC and IP Addresses

MAC Addresses

• 48-bit number also known as a physical address.
• Local connectivity within a LAN (Layer 2).
• Shortened for presentation: showing two pairs instead of six.

IP Addresses

• Known as logical addresses (Layer 3).
• Used for communication leaving the local network.

ARP Functionality

• Transforms IP address knowledge into a corresponding MAC address.
• Uses broadcast to find unknown MAC addresses from known IP addresses.
  • Sends: "I know this IP address, who has this address?"
  • Builds the ARP table (ARP cache).

ARP Process

• IP to MAC address mapping and maintenance.
• Devices purge old entries (aging out of unused addresses).
• View ARP table with command: arp -a.
• ARP requests are broadcasted.

ARP Issues

• Broadcast Flooding: Can overwhelm local media.
• Network Setup: Needs proper configuration (CSMA/CA, CSMA/CD).
• ARP Spoofing & Attacks:
  • Threat actors spoof default gateways for data interception.
  • ARP poisoning can redirect or intercept data.

IPv6 Differences

• Does not use ARP; relies on Neighbor Discovery via Neighbor Solicitation/Acknowledgement.

Conclusion

• Differentiated between physical (MAC) and logical (IP) addresses.
• Explained ARP's role in determining MAC addresses from IP addresses.
• Discussed ARP's limitations and potential security issues.

Note: Practical labs and examples, including videos, will be available for hands-on learning. Feel free to reach out with questions or concerns.