isa 2006 & routers - how to add a static arp entry

hi, i've been reading about isa 2006 & securing the deployment:

note:  these comments below are what i found in the above 'url' & would appreciate some advice!!

"to help protect from man-in-the-middle attacks on the address resolution protocol (arp) cache, we recommend that you place a router before the isa server computer. this is because arp packets cannot be routed through a router. when isa server shares a physical network with an untrusted network, we recommend that you configure isa server to perform static arp. for optimal security, we recommend that you add a static arp entry for the default gateway and on other hosts on the same physical network"

note: my internal network separated via isa 2006/internal (member server) is using a 'class a' address ie: 10.0.0.x/23.

note: i currently have no 'site-to site vpns'/branch offices or anything like that, as i just use isa for the firewall to protect internal domain users, although i may add a remote vpn for those users wishing to work from home, but at the moment (not added yet)

qns1.  my network is in a 'domain' (not a 'workgroup') so i'm not sure if adding a router behind the isa 2006 server is (relevant), as suggested below, until i read the (above url), but i would like to know the answer ?


regarding comments below i already have a single cisco switch for my internal lan network and at the moment i have not added the following, but not sure if this relates to (qns2) below: ?

"protect against layer 2 attacks by deploying security solutions such as layer 2 isa and static mac or port associations on switches."

int fa0/1
switchport mode access - added
spanning-tree portfast - added
switchport port-security - not added yet
switchport port-security maximum 1 - not added yet
switchport port-security mac-address xxxx.xxxx.xxxx - not added yet as what mac ?
no shut

note: the above will obviously relate to the specific pc or server plugged in for eg


the paragraph below instructs that instead of an internal network directly connected to the isa/internal nic, i should put a (router) before the isa/internal nic & as a result i should add for optimal security 'a static arp entry for the default gateway & on other hosts & if so is the below correct ?

step 1

arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where n's are the ip address and e's are the ethernet mac address)

e.g. in a console prompt on the ISA Server, enter the following:

arp -s a3-00-92-b3-c3-33 - should this be the router interface ???


step 2.

also, if you setup static arp entries, they do not persist across reboots, so you need to put the arp commands into a batch file and run them as part of the machine's startup script. ?

note: if i add a router this would mean i would then have not 2 but 3 separate subnets ie 1 connecting the internal network to 'int fa0/0 for eg & fa0/1' connecting to isa/internal nic and 1 allocated via my 'isp' as the isa/external public ip address!!!!!!!!!!!!!!
Q1: This is just an example, what is meant with "untrusted network".
If you have more than one IP address, you can add servers to these IP addresses, which are then directly accessible over the internet.
If you have only one IP address from your provider, only this IP (and the internet itself of course) is the "untrusted network".

So your internal network (behind ISA) is trusted (as it is your own) and usually no reason to lock it down.  

The only question what is left is, if there is a need to lock the external interface.
If you have an endpoint device (router) from your provider, there is usually no need.
"When ISA Server shares a physical network with an untrusted network"
The definition of untrusted network is the external network. I.e. you have 8 external IP addresses, they are external and share their network with all other external addresses.
They are talking about additional servers, which are in this 8 IP address range, not about internal addresses.

you can use arp -a to see the actual arp table on your ISA.
You may recognize, that the default gateway is dynamic.
The article stated to make it static
you can do this by
arp -s externalGatewayIP externalMAC
arp -s 00-12-34-AB-12-34

In a router scenario it looks like
external - router - ISA - internal network

in this situation, an external attacker cannot compromise arp records...(as not routable)

In direct Internet connection
external - ISA - internal network
In this situation, an attacker could compromise the dynamic arp record, i.e. to redirect traffic.
In this situation, making it static can make sense.

Nevertheless, in most cases you have a router to the outside world, at least you need an endpoint device between your external interface and the ISP.
And this is usually a router.

As I stated, the ISA default gateway points to an external address...
Do not care at all, what is used inside.
(As long as you do not assume an inside hacker)

This is not quite true, at least not in this passage.
...instructs that instead of an internal network directly connected to the isa/internal nic...
they are talking about "untrusted network". I cannot find any part in the article where such an instruction is given.
For arp syntax, the above...

Yes, a batch can help to reset it.
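As an added example (not code from this thread or from Microsoft's ISA documentation), the Python script below does the check bembi describes with `arp -a`: it parses a constructed sample of Windows `arp -a` output, reports whether the external gateway's entry is still dynamic, missing, or carries a MAC other than the one recorded in your inventory, and emits the `arp -s` line that belongs in the startup batch file from step 2. All addresses and MACs in the sample are made up.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of Windows `arp -a` output (not captured from a real ISA box).
SAMPLE_ARP_A = """\
Interface: 10.0.0.5 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-12-34-ab-12-34     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static

Interface: 203.0.113.10 --- 0x3
  Internet Address      Physical Address      Type
  203.0.113.1           00-aa-bb-cc-dd-ee     dynamic
"""

# One table row: IPv4 address, Windows dashed MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (mac, type); interface headers and blank lines are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def check_gateway(table: Dict[str, Tuple[str, str]], gateway_ip: str,
                  expected_mac: str) -> Tuple[str, Optional[str]]:
    """Return (status, fix): status is 'ok', 'dynamic', 'missing' or 'mismatch'.
    fix is the `arp -s` command that pins the documented MAC, or None.
    A mismatch is never auto-pinned: the cached MAC differs from inventory and
    needs investigation first (possible spoofing or a replaced gateway)."""
    expected = expected_mac.lower()
    pin = f"arp -s {gateway_ip} {expected}"
    entry = table.get(gateway_ip)
    if entry is None:
        return "missing", pin
    mac, kind = entry
    if mac != expected:
        return "mismatch", None
    return ("dynamic", pin) if kind == "dynamic" else ("ok", None)

def startup_batch(pins: Iterable[Optional[str]]) -> str:
    """Render the pin commands as a batch file body for the machine's startup script."""
    return "\n".join(["@echo off"] + [p for p in pins if p]) + "\n"

if __name__ == "__main__":
    live = parse_arp_table(SAMPLE_ARP_A)
    print(startup_batch([check_gateway(live, "203.0.113.1", "00-aa-bb-cc-dd-ee")[1]]))
```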
mikey250Author Commented:
hi bembi, thanks for that advice!!!

q1 - you state: '8 external ip addresses' from where ?
mikey250Author Commented:
hi bembi,  ok thanks for that!!!!:)
mikey250Author Commented:
sound advice!!!! appreciated