mikey250
asked on
ISA 2006 & routers - how to add a static ARP entry
Hi, I've been reading about ISA 2006 & securing the deployment:
http://technet.microsoft.com/en-us/library/bb794718.aspx#AppendixA
Note: the comments below are what I found at the above URL, and I would appreciate some advice!
"To help protect from man-in-the-middle attacks on the Address Resolution Protocol (ARP) cache, we recommend that you place a router before the ISA Server computer. This is because ARP packets cannot be routed through a router. When ISA Server shares a physical network with an untrusted network, we recommend that you configure ISA Server to perform static ARP. For optimal security, we recommend that you add a static ARP entry for the default gateway and on other hosts on the same physical network."
Note: my internal network, separated via ISA 2006/internal (member server), is using a 'class A' address, i.e. 10.0.0.x/23.
Note: I currently have no site-to-site VPNs/branch offices or anything like that, as I just use ISA as the firewall to protect internal domain users, although I may add a remote VPN for those users wishing to work from home (not added yet).
Q1. My network is in a domain (not a workgroup), so I'm not sure whether adding a router behind the ISA 2006 server is relevant, as suggested in the quote above (I hadn't considered it until I read the above URL), but I would like to know the answer?
Q2.
Regarding the comments below, I already have a single Cisco switch for my internal LAN network, and at the moment I have not added the following, but I'm not sure whether this relates to Q2 below?
"Protect against Layer 2 attacks by deploying security solutions such as Layer 2 ISA and static MAC or port associations on switches."
int fa0/1
switchport mode access - added
spanning-tree portfast - added
switchport port-security - not added yet
switchport port-security maximum 1 - not added yet
switchport port-security mac-address xxxx.xxxx.xxxx - not added yet, as what MAC?
no shut
Note: the above will obviously relate to the specific PC or server plugged into that port, for example.
Q3.
The paragraph above says that, instead of having the internal network directly connected to the ISA/internal NIC, I should put a router before the ISA/internal NIC, and as a result, for optimal security, I should add 'a static ARP entry for the default gateway & on other hosts'. If so, is the below correct?
Step 1
arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where the n's are the IP address and the e's are the Ethernet MAC address)
e.g. at a command prompt on the ISA Server, enter the following:
arp -s 192.168.100.20 a3-00-92-b3-c3-33 - should this be the router interface???
Q4.
Step 2.
Also, if you set up static ARP entries, they do not persist across reboots, so you need to put the arp commands into a batch file and run them as part of the machine's startup script?
Note: if I add a router, this would mean I would then have not 2 but 3 separate subnets, i.e. one connecting the internal network to int fa0/0 (for example), one on fa0/1 connecting to the ISA/internal NIC, and one allocated by my ISP as the ISA/external public IP address!
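As an added example (not from the original post, and not from the TechNet appendix it quotes), here is a startup script for the ISA host that does what Step 1 and Step 2 ask: it pins the default gateway and the other hosts on the ISA internal segment with static ARP entries bound to the internal NIC, then re-reads the ARP cache and reports any pinned host whose entry is missing, not static, or carrying a MAC other than the pinned one. The addresses and MACs in $Pinned, the internal NIC address in $IfAddr and the log path are assumptions for illustration (the 10.0.0.x range follows the post); replace them with the MAC of the router interface facing ISA (read it from arp -a after pinging the router from the ISA host, or from the router's own interface display) and the internal NIC's real IP. arp -s needs an administrator prompt.

```powershell
# Added example, not from the original post: pin static ARP entries on the ISA host
# and verify them. All IPs, MACs and paths below are assumed placeholders.

# IP -> MAC of every host the ISA internal NIC must reach on its physical segment.
# With a router placed in front of ISA, this list shrinks to the router's inside interface.
$Pinned = @{
    '10.0.0.1'  = '00-11-22-33-44-55'   # assumed: router interface facing ISA/internal
    '10.0.0.10' = '00-11-22-33-44-66'   # assumed: domain controller on the same segment
}
# Assumed: the ISA internal NIC's own address, so entries bind to that interface only
# (ISA has an external NIC too, and an entry must not land on the wrong one).
$IfAddr = '10.0.0.2'
$Log    = 'C:\Windows\Temp\static-arp.log'   # assumed log location

function Get-ArpCache {
    # Parse 'arp -a' lines of the form "  10.0.0.1   00-11-22-33-44-55   dynamic"
    # into a hashtable: IP -> @{ Mac; Type }  (Type is dynamic, static or invalid).
    $cache = @{}
    foreach ($line in (& arp -a)) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)') {
            $cache[$Matches[1]] = @{ Mac = $Matches[2].ToLower(); Type = $Matches[3].ToLower() }
        }
    }
    return $cache
}

function Set-StaticArp {
    param([string]$Ip, [string]$Mac, [string]$If)
    # Drop any dynamic entry first so nothing learned from the wire survives;
    # arp -d complains harmlessly when there is nothing to delete.
    & arp -d $Ip $If 2>&1 | Out-Null
    & arp -s $Ip $Mac $If 2>&1 | Out-Null
}

function Test-PinnedArp {
    param([hashtable]$Cache)
    # One message per pinned host whose cache entry is missing, wrong or not static.
    # A MAC that differs from the pinned value on a later run is the ARP-spoofing signal.
    $problems = @()
    foreach ($ip in $Pinned.Keys) {
        $want = $Pinned[$ip].ToLower()
        $have = $Cache[$ip]
        if (-not $have)              { $problems += "$ip has no ARP entry"; continue }
        if ($have.Mac -ne $want)     { $problems += "$ip resolves to $($have.Mac), pinned MAC is $want"; continue }
        if ($have.Type -ne 'static') { $problems += "$ip entry is $($have.Type), not static" }
    }
    return $problems
}

# Pin everything, then verify what the cache actually holds now.
foreach ($ip in $Pinned.Keys) { Set-StaticArp -Ip $ip -Mac $Pinned[$ip] -If $IfAddr }
$problems = @(Test-PinnedArp -Cache (Get-ArpCache))
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($problems.Count -eq 0) {
    Add-Content $Log "$stamp OK: $($Pinned.Count) static ARP entries in place on $IfAddr"
    exit 0
}
$problems | ForEach-Object { Add-Content $Log "$stamp PROBLEM: $_" }
exit 1
```

Run it as a scheduled task at system start (and again on a timer if you want the verification to act as a detector), since a static entry set with arp -s on the Windows Server 2003 generation that ISA 2006 runs on is gone after a reboot. Two caveats the TechNet text implies but does not spell out: pinning protects only the ISA host's own cache, so the other machines on that segment still need their own pins or switch-level controls such as port-security, and the value of putting a router in front of ISA is precisely that the ISA internal NIC then shares a Layer 2 segment with one device, so one static entry covers it.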
ASKER
Hi bembi, OK, thanks for that! :)
ASKER
Sound advice! Appreciated.
ASKER
Q1 - you state '8 external IP addresses'. From where?