Re: [fw-wiz] Windows dynamic ARP

On Wed, 26 Nov 2008, Darden, Patrick S. wrote:

Some possibilities you might have already thought of for doing this in a
roundabout fashion:

1. If you are using advanced switches, you can implement this on them.
Allow only certain MACs to connect to your network. 2. If your switches

I can MAC-lock switch ports, however what I'm looking for is a host-level
backup to MAC locking the network layer, so that if there's a network
compromise, or a hub is introduced in to the physical topology the game is
not immediately lost.

don't have the ability to do #1, perhaps your switches, core switches,
or core router can filter out ARP requests/replies. 3. You can turn off

ARP won't cross a router- I'm specifically trying to shore up the host OS
so that the host/network seperation still happens, but there's a layer of
protection if the network layer or administrator is compromised.

ARP response in windows (not quite what you wanted, I think)

Hmm, that looks mostly like it's a unicast/multi-and-broadcast switch-
maybe there's someone who's done enough firewall code who can point me to
a good shim location? The built-in firewall seems to be IP layer only.

I'm going to have a good play with /32ing the subnet mask and adding a
routing table entry for each host, but I really think that's going to end
up being sub-optimal- as is adding a null static entry for every IP
address I don't want to communicate with in the subnet (I'm betting the
ARP table is a linear search in most network stacks.)

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."

firewall-wizards mailing list