Is it possible to prevent ARP spoofing/poisoning?


Chess007
03-05-2006, 10:55 AM
Because arp poisoning/spoofing (on a lan) is so easy, how do systems admins and security people protect their lan from it?

bwkaz
03-05-2006, 02:47 PM
Well, I don't. To some small degree, I "trust" the devices on each LAN at work to not do that kind of thing. (It helps that they're running Windows, which makes -- or at least used to make, I'm not sure about XPSP2 -- it harder to generate this kind of ARP frame. But it's still relatively easy if you know how, and so we do trust the users to not violate the IT Policy Statement Thingy. Plus the wireless is as secure as I can make it.)

I doubt there's any foolproof way to prevent ARP poisoning attacks anyway (short of cryptographically-authenticated ARP or something; some way that each recipient of the broadcast ARP frame can verify that it's coming from the correct machine, through a shared secret or a public/private key or something). Supposedly /proc/sys/net/ipv4/conf/all/rp_filter -- or one of the files under /proc/sys/net, anyway -- can help with that (though perhaps that file's for routing?), but I guess I don't see how that would work without some way of guaranteeing that the received ARP frame is from the correct host.

soulestream
03-05-2006, 03:43 PM
Ethernet doesn't really allow a way to completely prevent it. Like bwkaz said, keep an eye on everything and don't use wireless or lock it down tight. Shut off open ports that aren't being used on switches.

Other than that, there is always token ring :D

soule

bwkaz
03-05-2006, 10:53 PM
Well, you could turn off both ARP and DHCP entirely -- give static addresses to all your machines, and maintain a huge static ARP table on every node, with a static entry for every other node.

Then stop the switches from passing ARP traffic, or stop your machines from accepting it.

That would probably make your network unusable -- but it would prevent ARP cache poisoning. ;)
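One way to "keep an eye on everything" alongside the static ARP table bwkaz describes: an added example, not code from anyone in this thread, that parses raw Ethernet/ARP reply frames and flags any reply that contradicts a static IP-to-MAC table, comes from an IP the table does not know, or carries an ARP sender MAC that differs from the Ethernet source MAC. The 192.0.2.x addresses, the 00:00:5e:00:53:xx MACs and the frames themselves are constructed sample data; hooking it to a live capture is left to the reader.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (ethernet_src_mac, arp_sender_mac, arp_sender_ip) for an ARP reply, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return mac_str(src), mac_str(sha), ".".join(str(o) for o in spa)

def check_replies(frames: List[bytes], static_table: Dict[str, str]) -> List[str]:
    """Flag replies that contradict the static IP->MAC table or are internally inconsistent."""
    alerts = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue                      # not an ARP reply: nothing to check
        eth_src, sender_mac, sender_ip = parsed
        expected = static_table.get(sender_ip)
        if expected is None:
            alerts.append(f"unknown host {sender_ip} claims {sender_mac}")
        elif sender_mac != expected:
            alerts.append(f"{sender_ip} claimed by {sender_mac}, table says {expected}")
        if eth_src != sender_mac:         # Ethernet header and ARP payload disagree on the sender
            alerts.append(f"frame from {eth_src} carries ARP sender {sender_mac}")
    return alerts

def sample_frame(src_mac: str, spa: str, ethertype: int = ETHERTYPE_ARP) -> bytes:
    """Constructed test input: a reply to 192.0.2.20 whose header and SHA both carry src_mac."""
    mac, spa_b = bytes.fromhex(src_mac.replace(":", "")), bytes(int(o) for o in spa.split("."))
    me_mac, me_ip = bytes.fromhex("00005e005314"), bytes([192, 0, 2, 20])  # the monitoring host
    return ETH.pack(me_mac, mac, ethertype) + ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, mac, spa_b, me_mac, me_ip)

STATIC_TABLE = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.20": "00:00:5e:00:53:14"}
SAMPLE_FRAMES = [
    sample_frame("00:00:5e:00:53:01", "192.0.2.1"),   # gateway, matches the table
    sample_frame("00:00:5e:00:53:fe", "192.0.2.1"),   # gateway IP claimed by another MAC
    sample_frame("00:00:5e:00:53:63", "192.0.2.99"),  # host absent from the table
]
```

Frames with a non-ARP EtherType or a truncated payload are skipped rather than alerted on, so the checker only reports what the table or the frame itself contradicts.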