...it all started the other day when Irongeek posted his tutorial about nmap. Was really good. So then I browsed around on his website, looking for what all more stuff he had done. I saw one eye catching tutorial: Cain to ARP poison and sniff passwords

I had used Cain before to sniff passwords from a HUB, but had no clue about how easy it is with ARP poisoning and Man-in-the-middle attacks on a SWITCHed network, until I saw this tutorial where he shows how to do it in less than a minute.. ! I thought, maaan, that was way too easy to be true on any SWITCHed network. Decided to test it at work, and no, it's true alright, boy did it catch a bunch of passwords...!

So now I'm really concerned about the security at work. At our college we have a few thousands computers. Currently you can pick up passwords easily from pretty much anywhere...

What are all the options to secure and prevent one self from these kind of attacks???

I've tried to do some research and so far I've found this out:

1. You can "hardcode" all the MAC addresses on your network, but it's a big pain if you have a bigger network... This will make it a lot more secure, but there are obviously still ways around it...
2. Make sure ALL the communication on your network is using STRONG ENCRYPTION.
3. You can buy network devices that can detect (but not prevent) ARP/MITM attacks and then notify you about it... (anyone who can recommend something good?)
4. At first thoght you can only do this on the same local subnet you are connected to, but just found out it can be done on an internal network remotely, as long as the internal network has internet access... (which we do.. !)

This is really bad stuff! Could some of you give me more info about all this, and surely there must be a better way to protect one self against it... or??!