
Does Windows have an equivalent of the Linux Network Namespace?

I want to create a new interface and have that interface only accessible to specific applications; that interface would not be listening on the standard Windows ports (139, 445, etc.).

Ideally the application would not be able to use the other interfaces either, but that's less important for my use case.

Most importantly the interfaces would not communicate with each other at the OS level, they would need to actually send packets out to a physical/virtual network if they wanted to communicate between each other. The IP ranges could even be overlapped (of course then they couldn't talk to each other directly).

Rowan Smith
  • there could be some information to dig into there: https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture – A.B Feb 01 '20 at 19:38
  • some elements here: https://unit42.paloaltonetworks.com/what-i-learned-from-reverse-engineering-windows-containers/ – Thibault Deheurles Nov 11 '20 at 13:32

1 Answer


The bottom line answer is a flat no.

Windows does not have anything approaching an equivalent to Linux namespaces.

The closest I can think of personally (perhaps there are better answers out there) are job objects but I can’t think of a clear way to do what you want. Maybe ACLs? I recommend neither approach, but those are the two things that come to mind as far as isolating specific resources to specific processes.

The problem is that network interfaces are handled at a low level in the OS, and since Windows doesn't expose a way within the kernel to control access on a per-user-land-application basis, it's not clear to me how you could generally achieve this without a custom driver of some sort.

Grant Curell
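For reference, this is the Linux behaviour the question is asking about: a process moved into a fresh network namespace sees only its own loopback interface, while the parent keeps seeing the host's interfaces. This is an added example, not code from the question or the answer; it assumes Linux with glibc and a kernel that allows unprivileged user namespaces (it returns None where the kernel or a seccomp sandbox refuses the call).

```python
"""Show the per-process interface isolation a Linux network namespace gives.
Added example; assumes Linux + glibc. CLONE_NEWUSER is taken first so the
call works without CAP_SYS_ADMIN on the host."""
import ctypes
import ctypes.util
import os
import socket

CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>
CLONE_NEWNET = 0x40000000


def _unshare(flags):
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    if libc.unshare(flags) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def host_interfaces():
    """Interface names visible in the calling process's own namespace."""
    return sorted(name for _, name in socket.if_nameindex())


def interfaces_in_new_netns():
    """Fork a child, move it into a new user+network namespace and return the
    interface names it sees, or None if the kernel/sandbox refused unshare()."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: single-threaded, so unshare(CLONE_NEWUSER) is allowed
        os.close(rfd)
        try:
            _unshare(CLONE_NEWUSER | CLONE_NEWNET)
            # if_nameindex() queries the child's namespace, not the host's
            os.write(wfd, ("OK " + " ".join(host_interfaces())).encode())
        except OSError as exc:
            os.write(wfd, f"ERR {exc.errno}".encode())
        finally:
            os._exit(0)
    os.close(wfd)
    chunks = []
    while True:
        data = os.read(rfd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(rfd)
    os.waitpid(pid, 0)
    reply = b"".join(chunks).decode()
    return reply.split()[1:] if reply.startswith("OK") else None


if __name__ == "__main__":
    print("host sees:", host_interfaces())
    print("new netns sees:", interfaces_in_new_netns())
```

Inside the new namespace the only interface is `lo`; the host's adapters are not visible, and a second namespace could reuse the same IP range without conflict, which is exactly the property the question describes.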