After dealing with one of those idiotic worms on our LAN with FreeBSD 
servers and Windows workstations, I realized that we don't do much 
peer-to-peer sharing on our LAN and connections from workstation to 
workstation could be eliminated with only a slight loss in 
convenience, as files are usually shared on the Samba server.

However, blocking Windows-to-Windows commmunications would stop the 
spread of these silly Microsoft worms.

One expensive way to do this is with Layer 3 switches. This would be 
really cost-prohibitive for a small company.

I was wondering if anyone had any ideas on modifying or "inhibiting" 
ARP so that it would not give out the MAC addresses of any of the 
machines on the LAN to another machine on the LAN, except the address 
of the FreeBSD servers, which are worm-immune.

I realize that ARP would have to be defeated on the Windows machines 
in order for this to work.

I've also considered double NAT-ing the workstations and then limiting 
the ports on my layer 2 switches to kill the "learn" function and 
only accept one MAC on a port. Transient users and wireless users 
would then be on the "outside" side of the 2nd NAT. I find that these 
users are the ones that bring in the worms when coming back from a 
road trip where they were plugged into who-knows-what networks.

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to