Re: [fw-wiz] Windows dynamic ARP



Paul D. Robertson wrote:
> On Wed, 26 Nov 2008, Darden, Patrick S. wrote:
>
>> Some possibilities you might have already thought of for doing this in a
>> roundabout fashion:
>>
>> 1. If you are using advanced switches, you can implement this on them.
>> Allow only certain MACs to connect to your network. 2. If your switches
>
> I can MAC-lock switch ports, however what I'm looking for is a host-level
> backup to MAC locking the network layer, so that if there's a network
> compromise, or a hub is introduced into the physical topology, the game is
> not immediately lost.
>
>> don't have the ability to do #1, perhaps your switches, core switches,
>> or core router can filter out ARP requests/replies. 3. You can turn off
>
> ARP won't cross a router- I'm specifically trying to shore up the host OS so
> that the host/network separation still happens, but there's a layer of
> protection if the network layer or administrator is compromised.
>
>> ARP response in windows (not quite what you wanted, I think)
>> http://www.windowsreference.com/networking/enabledisable-response-to-arp-request-without-unicase-source-ethernet-address/
>
> Hmm, that looks mostly like it's a unicast/multi-and-broadcast switch- maybe
> there's someone who's done enough firewall code who can point me to a good
> shim location? The built-in firewall seems to be IP layer only.
>
> I'm going to have a good play with /32ing the subnet mask and adding a
> routing table entry for each host, but I really think that's going to end up
> being sub-optimal- as is adding a null static entry for every IP address I
> don't want to communicate with in the subnet (I'm betting the ARP table is a
> linear search in most network stacks.)
>
> Paul

How about this:

<http://www.windowsreference.com/windows-vista/set-gratuitous-arp-requests-in-windows-server-2008-and-windows-vista/>



John

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
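The host-level backup to port MAC-locking that Paul describes (pinning the gateway and a short list of peers so a poisoned reply on a compromised segment or a hub cannot redirect them) can be done on Vista / Server 2008 and later with static neighbor entries. The script below is an added example for this thread, not code from the original post, from the linked pages or from Microsoft; it uses `netsh interface ipv4 add neighbors` (the successor of `arp -s` on XP/2003), then re-reads the cache with `netsh interface ipv4 show neighbors` so the pins can be checked on a schedule. The interface name, addresses and MACs are constructed assumptions; it must run from an elevated prompt.

```powershell
# Added example, not from the original thread. Pins ARP (neighbor) entries
# for a constructed allow-list on one Windows interface and then verifies
# the cache still matches. Interface name, IPs and MACs are assumptions.

$Interface = 'Local Area Connection'   # assumption: the adapter to pin

# Constructed allow-list: default gateway plus the only peers this box needs.
$Pinned = @{
    '192.0.2.1'  = '00-11-22-33-44-01'  # default gateway
    '192.0.2.10' = '00-11-22-33-44-0a'  # file server
    '192.0.2.20' = '00-11-22-33-44-14'  # domain controller
}

function Set-PinnedArp {
    param([string]$IfName, [hashtable]$Map)
    foreach ($ip in $Map.Keys) {
        # A permanent entry is never replaced by a learned reply, so a spoofed
        # "I am the gateway" on the wire does not move traffic. store=persistent
        # keeps the entry across reboots.
        netsh interface ipv4 add neighbors $IfName $ip $Map[$ip] store=persistent | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh could not pin ${ip}" }
    }
}

function Get-ArpCache {
    param([string]$IfName)
    # Parse the 'show neighbors' table rows into IP -> @{ Mac; Type }.
    $cache = @{}
    foreach ($line in (netsh interface ipv4 show neighbors $IfName)) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\S+)') {
            $cache[$Matches[1]] = @{ Mac = $Matches[2]; Type = $Matches[3] }
        }
    }
    return $cache
}

function Test-PinnedArp {
    param([string]$IfName, [hashtable]$Map)
    # One line per pinned address that is missing, carries a different MAC,
    # or is no longer Permanent (i.e. someone removed the pin).
    $cache = Get-ArpCache -IfName $IfName
    $drift = @()
    foreach ($ip in $Map.Keys) {
        if (-not $cache.ContainsKey($ip)) { $drift += "${ip}: not in cache"; continue }
        $e = $cache[$ip]
        if ($e.Mac -ne $Map[$ip] -or $e.Type -ne 'Permanent') {
            $drift += "${ip}: cache has $($e.Mac) ($($e.Type)), expected $($Map[$ip]) (Permanent)"
        }
    }
    return $drift
}

Set-PinnedArp -IfName $Interface -Map $Pinned
$bad = Test-PinnedArp -IfName $Interface -Map $Pinned
if (-not $bad) { 'ARP pins verified' } else { $bad | ForEach-Object { Write-Warning $_ } }
```

Two caveats a practitioner will hit: a pin only protects the addresses in the list, so resolution to every other host on the subnet is still dynamic (which is what Paul's null-entry and /32-plus-host-route ideas are trying to close off), and the pinned MAC must be updated whenever the gateway's NIC or first-hop redundancy scheme changes, otherwise the host loses its default route rather than failing open.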
