Feature Requests for 7.x for improved network security

Hi!
I would love following features specially for the CRS.

  • Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius
  • Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius
  • Wired Dual (MAC and 802.1x) Authentication against Radius

Following for all Routers/Switches:

  • Protection against ARP Spoofing and the same for IPv6
  • Binding ARP Table to DHCP Entries in DHCP Relay mode (as long as a lease is valid, only this MAC is allowed for the IP)

Thx in Advance.
Regards,
Robert

+1
and why not make VLAN assignment via Radius also for wireless. So one SSID but different networks based on a Radius attribute

+1
Radius VLAN assignment - how I would love that :)

Micha

as for ARP, it demands support for MacSec and SecureID, which imply new hardware/PHY for both kinds of interfaces, sadly.
or a CGA-based SEND replacement for both ARP and NDP, but the industry goes for the 1st option (actually all controller vendors).
as for VLANs - even w/radius they are vulnerable in the default state. http://resources.infosecinstitute.com/vlan-hacking/ (not the most extensive guide/conclusion, but really short and straightforward, probably).

Yes, VLAN from RADIUS auth would be very very nice.

Zorro: I believe you misunderstood my feature request. If you use the DHCP Server on the Mikrotik it is possible to add the MAC address of the client which got the lease to the ARP table of the router. If you now disable ARP learning, only clients with DHCP can talk over the router and ARP spoofing gets much harder too - just what you need in an enterprise client network. What's just on the Mikrotiks is that this works also if the Mikrotik is doing DHCP Relay. We've been doing this with our Extreme Network switch for years now.

And the other ARP security feature is called Gratuitous ARP. If the router sees an ARP reply with its IP address on the network it sends out a Gratuitous ARP, so the clients which accept Gratuitous ARP are not using the one of the attacker.
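The DHCP-to-ARP binding Robert describes, as an added example that is not part of this thread and not RouterOS code: a small audit that treats active DHCP leases as the only permitted IP-to-MAC bindings and flags ARP entries that disagree with them, which is the check a router with ARP learning disabled enforces in-line. The leases and ARP table below are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    expires: int  # lease end, epoch seconds


def normalize_mac(mac: str) -> str:
    """Canonical form so '00-11-22-AA-BB-01' and '00:11:22:aa:bb:01' compare equal."""
    return mac.replace("-", ":").lower()


def active_bindings(leases, now):
    """IP -> MAC for leases still valid at `now`; this is the set of ARP entries
    a router with ARP learning disabled and DHCP-bound ARP would accept."""
    return {l.ip: normalize_mac(l.mac) for l in leases if l.expires > now}


def audit_arp_table(arp_table, leases, now):
    """Compare a learned ARP table (IP -> MAC) against DHCP bindings.
    Returns (ip, reason, seen_mac, expected_mac) tuples, sorted by IP."""
    bindings = active_bindings(leases, now)
    findings = []
    for ip, seen in arp_table.items():
        seen = normalize_mac(seen)
        expected = bindings.get(ip)
        if expected is None:
            findings.append((ip, "no-active-lease", seen, None))  # unleased or expired
        elif expected != seen:
            findings.append((ip, "mac-mismatch", seen, expected))  # another MAC answers for a leased IP
    return sorted(findings)


# Constructed sample data (not a real lease list or ARP table).
NOW = 1_700_000_000
LEASES = [
    Lease("10.0.0.10", "00:11:22:aa:bb:01", NOW + 3600),
    Lease("10.0.0.11", "00:11:22:aa:bb:02", NOW + 3600),
    Lease("10.0.0.12", "00:11:22:aa:bb:03", NOW - 60),  # expired lease
]
ARP_TABLE = {
    "10.0.0.10": "00-11-22-AA-BB-01",  # matches its lease
    "10.0.0.11": "de:ad:be:ef:00:01",  # different MAC for a leased IP
    "10.0.0.12": "00:11:22:aa:bb:03",  # lease expired, entry should age out
    "10.0.0.99": "de:ad:be:ef:00:02",  # never leased
}

if __name__ == "__main__":
    for finding in audit_arp_table(ARP_TABLE, LEASES, NOW):
        print(*finding)
```

On a real router the same comparison can be run offline against an exported lease list and ARP table; the "mac-mismatch" case is the one that ARP-learning-disabled operation prevents from appearing at all.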

Additional feature request for improved security would be adding TACACS support! RADIUS is old, much less secure, and seriously lacking in logging features on the administration side of routers!

If not, then I am seriously having to look at replacing a few dozen MikroTik RB’s with a product that is more secure in this respect. I am up for an upgrade of my network, and can easily change to a different brand since I am replacing everything to improve performance anyway! No threat intended, however, I can assure you I have no problem changing brands of equipment.

Jay

What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins) .. it has nothing to do with network security, or am I mistaken?

My understanding based on my research is that TACACS and RADIUS do exactly the same things. TACACS just does them better and more securely. Also TACACS adds additional logging that RADIUS does not support for more auditing. RADIUS uses UDP whereas TACACS uses TCP. RADIUS does not encrypt the entire transaction whereas TACACS does.

Jay

For authenticating users to login via ssh access onto the router or something like this you're correct. But for authenticating devices for network access via 802.1x, RADIUS is the only game in town. And the encryption of data is not so important there, as EAP-TLS is mostly used (if security is a concern) for the authentication, which establishes a secure TLS connection.

how is this not already available?!!?!?!?!?!

+1 very nice