Worms/FreeBSD servers/Windows clients
durham at jcdurham.com
Sun Sep 7 22:23:31 PDT 2003
After dealing with one of those idiotic worms on our LAN with FreeBSD
servers and Windows workstations, I realized that we don't do much
peer-to-peer sharing on our LAN and connections from workstation to
workstation could be eliminated with only a slight loss in
convenience, as files are usually shared on the Samba server.
However, blocking Windows-to-Windows communications would stop the
spread of these silly Microsoft worms.
One expensive way to do this is with Layer 3 switches. This would be
really cost-prohibitive for a small company.
I was wondering if anyone had any ideas on modifying or "inhibiting"
ARP so that it would not give out the MAC addresses of any of the
machines on the LAN to another machine on the LAN, except the address
of the FreeBSD servers, which are worm-immune.
I realize that ARP would have to be defeated on the Windows machines
in order for this to work.
I've also considered double NAT-ing the workstations and then limiting
the ports on my layer 2 switches to kill the "learn" function and
only accept one MAC on a port. Transient users and wireless users
would then be on the "outside" side of the 2nd NAT. I find that these
users are the ones that bring in the worms when coming back from a
road trip where they were plugged into who-knows-what networks.
More information about the freebsd-questions
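An added illustration of the ARP-pinning idea raised in the post above, not code from the poster or from the FreeBSD project. If the workstations are to resolve only the FreeBSD servers (and whatever gateway they need), the practical check is whether a workstation's ARP cache still holds dynamic entries for other workstations. The script below parses the output of Windows `arp -a`, audits it against an allow-list of server IP/MAC pairs, and emits the `arp -s` commands that pin those entries. The addresses, the allow-list, and the sample `arp -a` dump are all constructed for the example.

```python
"""Audit a Windows workstation's ARP cache against an allow-list of servers.

Added example (not from the original post). The allow-list, the sample
`arp -a` output and all addresses below are constructed/hypothetical.
"""
import re

# Constructed sample of what `arp -a` prints on a Windows workstation.
SAMPLE_ARP_A = """
Interface: 192.168.1.57 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-01     static
  192.168.1.2           00-0c-29-aa-bb-02     static
  192.168.1.58          00-50-56-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical allow-list: the FreeBSD servers (and gateway) the
# workstations are permitted to resolve, as IP -> MAC.
ALLOWED = {
    "192.168.1.1": "00:0c:29:aa:bb:01",
    "192.168.1.2": "00:0c:29:aa:bb:02",
}

# One `arp -a` row: IPv4, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Canonical lower-case, colon-separated MAC form."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return [(ip, mac, 'static'|'dynamic')] for every ARP row in text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, normalize_mac(mac), kind.lower()))
    return entries


def audit_arp_cache(entries, allowed):
    """Classify cache entries relative to the allow-list.

    peer_entries: dynamic entries for hosts that are not allowed servers,
                  i.e. evidence of workstation-to-workstation traffic.
    mismatched:   an allowed IP whose cached MAC differs from the pinned one
                  (a stale cache or ARP poisoning; either way, investigate).
    not_pinned:   allowed servers that are absent or merely dynamic.
    """
    peer, mismatched, not_pinned = [], [], []
    seen = set()
    for ip, mac, kind in entries:
        first_octet = int(ip.split(".")[0])
        if mac == "ff:ff:ff:ff:ff:ff" or first_octet >= 224:
            continue  # broadcast / multicast pseudo-entries carry no peer info
        if ip in allowed:
            seen.add(ip)
            if allowed[ip].lower() != mac:
                mismatched.append(ip)
            elif kind != "static":
                not_pinned.append(ip)
        elif kind == "dynamic":
            peer.append(ip)
    not_pinned += sorted(set(allowed) - seen)
    return {"peer_entries": peer, "mismatched": mismatched,
            "not_pinned": not_pinned}


def static_arp_commands(allowed):
    """Windows `arp -s` lines that pin each allowed server's MAC."""
    return ["arp -s %s %s" % (ip, mac.lower().replace(":", "-"))
            for ip, mac in sorted(allowed.items())]


if __name__ == "__main__":
    report = audit_arp_cache(parse_arp_table(SAMPLE_ARP_A), ALLOWED)
    for key, ips in report.items():
        print("%-13s %s" % (key + ":", ", ".join(ips) or "-"))
    print("\n".join(static_arp_commands(ALLOWED)))
```

Static entries only stop the workstation from asking who a peer is; a worm that already knows (or sweeps) IP addresses still needs the peer's MAC, so the check above is worth repeating after a reboot and after any DHCP lease change, since a `dynamic` entry for a peer means the cache was not actually locked down. Note also that Windows `arp -s` entries do not survive a reboot on older releases, so the pinning command needs to run at logon or from a startup script.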