[myth]

All of the above

Also, changing the network topology will reduce the effectiveness.... Ie, when designing the network, if its feaseable, adding more subnets... Thats a VERY basic way of saying it, but the basic idea is if you subnet the lan more, then theres less static arps that would need to be applied and reduce the amount of IDS systems on the network...

Remember security is like an onion, placing an IDS there is just pointless if its on its own, becuase you can just ARP poison that IDS server in a way to 'isolate' it.. Using IPSec etc is kind of OK, but theres methods of faking certificates on weak authentication schemes. Placing Static ARPs is kind of OK but you need to apply them to every computer - so put them in login scripts. Using a correct type of IDS - ie Snort INLINE to actively monitor and kill connections is another method that should ALSO be applied in extreme circumstances...

So,
Static ARPs + Correct use and location of network IDS's (Snort / Checkmate) + Static ARPs via login scripts to keep up-to-date + Subnetting the lans more (even via VLANs) + *Considering the use of IPv6 and other* + CORRECT Encryption of the protocols will allow even arp poisoned traffic to become useless

Those 6 methods would stop even the most dedicated hacker from using that method - so they might just go buy Key Katcher / Key Ghost and use that method instead...

* Dont quote me on that

[320X]

Well there are many files to detect promisc mode...
Like antisniff or PMD, arpassure.... for windows systems
and for linux arpalert uses ARP address monitoring to help prevent unauthorized connections on the local network. If an illegal connection is detected, a program or script is launched, which could be used to send an alert message, for example.