Re: [fw-wiz] Windows dynamic ARP
- From: "Darden, Patrick S." <darden@xxxxxxxx>
- Date: Wed, 26 Nov 2008 11:49:52 -0500
I don't think this will help. The Gratuitous ARP is sent out when the Windows machine is first booting up--it is checking to see if it is duplicating anybody's IP address.
--p
-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of John Mason Jr
Sent: Wednesday, November 26, 2008 11:33 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Windows dynamic ARP
Paul D. Robertson wrote:
> On Wed, 26 Nov 2008, Darden, Patrick S. wrote:
>> How about this:
>>
>> Some possibilities you might have already thought of for doing this in a
>> roundabout fashion:
>>
>> 1. If you are using advanced switches, you can implement this on them.
>> Allow only certain MACs to connect to your network.
>
> I can MAC-lock switch ports, however what I'm looking for is a host-level
> backup to MAC locking the network layer, so that if there's a network
> compromise, or a hub is introduced into the physical topology the game is
> not immediately lost.
>
>> 2. If your switches don't have the ability to do #1, perhaps your
>> switches, core switches, or core router can filter out ARP
>> requests/replies.
>
> ARP won't cross a router- I'm specifically trying to shore up the host OS
> so that the host/network separation still happens, but there's a layer of
> protection if the network layer or administrator is compromised.
>
>> 3. You can turn off ARP response in Windows (not quite what you wanted, I
>> think)
>> http://www.windowsreference.com/networking/enabledisable-response-to-arp-request-without-unicase-source-ethernet-address/
>
> Hmm, that looks mostly like it's a unicast/multi-and-broadcast switch-
> maybe there's someone who's done enough firewall code who can point me to
> a good shim location? The built-in firewall seems to be IP layer only.
>
> I'm going to have a good play with /32ing the subnet mask and adding a
> routing table entry for each host, but I really think that's going to end
> up being sub-optimal- as is adding a null static entry for every IP
> address I don't want to communicate with in the subnet (I'm betting the
> ARP table is a linear search in most network stacks.)
>
> Paul

<http://www.windowsreference.com/windows-vista/set-gratuitous-arp-requests-in-windows-server-2008-and-windows-vista/>

John
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
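An added example, not code from anyone in this thread, showing the host-level static-entry approach Paul mentions on a Windows Server 2008 / Vista box: pin an allowlist of IP-to-MAC bindings with netsh, then audit the live neighbor cache against that allowlist so a spoofed or unexpected ARP binding shows up. The interface name and the IP/MAC pairs are constructed placeholders.

```powershell
# Added example: pin ARP neighbor entries for an allowlist of hosts and
# audit the cache against it. Interface name and IP/MAC values below are
# constructed placeholders; replace them with your own.

$Interface = 'Local Area Connection'   # assumption: adjust to your NIC name

# Constructed allowlist: the only hosts this machine should resolve by ARP.
$Allowed = @{
    '192.168.1.1'  = '00-11-22-33-44-01'   # default gateway (placeholder MAC)
    '192.168.1.10' = '00-11-22-33-44-0a'   # file server (placeholder MAC)
}

# Install one permanent neighbor entry per allowed host. store=persistent
# keeps the entry in the persistent store so it survives a reboot.
function Add-PinnedNeighbors {
    param([hashtable]$Map, [string]$IfName)
    foreach ($ip in $Map.Keys) {
        $mac = $Map[$ip]
        & netsh interface ipv4 add neighbors "$IfName" $ip $mac store=persistent
    }
}

# Parse the table printed by 'netsh interface ipv4 show neighbors' into
# objects with IP, MAC and Type; header and blank lines do not match.
function ConvertFrom-NeighborTable {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\S+)') {
            New-Object PSObject -Property @{
                IP = $Matches[1]; MAC = $Matches[2].ToLower(); Type = $Matches[3]
            }
        }
    }
}

# Report entries that contradict the allowlist: a pinned IP seen with a
# different MAC, or a unicast IP that was never pinned. Broadcast and
# IPv4 multicast (01-00-5e-*) entries are expected and skipped.
function Test-NeighborCache {
    param([hashtable]$Map, [object[]]$Entries)
    foreach ($e in $Entries) {
        if ($e.MAC -eq 'ff-ff-ff-ff-ff-ff' -or $e.MAC.StartsWith('01-00-5e')) { continue }
        if ($Map.ContainsKey($e.IP)) {
            if ($Map[$e.IP].ToLower() -ne $e.MAC) {
                "MISMATCH $($e.IP): pinned $($Map[$e.IP]), cache has $($e.MAC) ($($e.Type))"
            }
        } else {
            "UNPINNED $($e.IP) -> $($e.MAC) ($($e.Type))"
        }
    }
}

Add-PinnedNeighbors -Map $Allowed -IfName $Interface
$cache = ConvertFrom-NeighborTable -Lines (& netsh interface ipv4 show neighbors "$Interface")
Test-NeighborCache -Map $Allowed -Entries $cache
```

Run from an elevated prompt; the audit function can be scheduled on its own once the entries are pinned.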