How do YOU safeguard yourself from mitm/mitb attacks?

[thetan]

all office systems at work use static ARP, static IPs (only clients get DHCP, because we care about them MiTM'ing each other less). Also, we implement port security on all ports on switches connected to our office systems (super pain in the ass). It's good to remember to disable ICMP redirection too.

Static ARP prevents ARP Poisoning MiTM (and saves minor bandwidth), Static DHCP prevents MiTM from DHCP spoofing (also saves minor bandwidth), Port security protects office systems from CAM smashing reversion half-duplex MiTM attacks as well as Port Stealing MiTM attacks (fucking annoying as shit to maintain).

ARP is the most common attack vector, because it's easy and fast. DHCP spoofing is essentially just as easy (especially when a DHCP exhaustion attack is ran on the main DHCP server first), Port stealing is less known of and exploits the CAM routing algorithms used by level 2 switches to think that a victim computer is connected to the attackers port on the switch and CAM smashing is the flooding of the CAM tables in a switch, causing it to revert to act like a HUB and broadcast all received data out to all ports.

[l3ane]

In addition to what was said above, you can try ARPon.

ArpON (Arp handler inspectiON) is a portable handler daemon that make ARP secure in order to avoid the Man In The Middle through ARP Spoofing/Poisoning. It detects and blocks also Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

Or if you're using windows I seen this little app on irongeek's site called DecaffinatID, which I made a small post about on my blog - http://hakhub.blogspot.com/2010/12/irongeeks-decaffeinatid.html

Doesn't even compare to ARPon though, but it does alert you. I thought it was a nice addition to my IDS though.