I know there are a few switches out there that will do NAT and ACLs on every ethernet port. I was wondering: is anybody actually using these for firewalling yet?
I was thinking of just numbering every host as, say, 192.168.1.1 and then NATing every interface to a different source IP address. Basically it puts all network addressing in the hands of the switch admin, and takes DHCP completely out of the picture. I figure you would have a couple of ACLs for client and server configs which you would bind to each interface.
The end result is users can't backend the network since all hosts are identically numbered, and any compromised host can only see a firewalled picture of any other host.
Add a honeypot connected to each switch by VLAN, and I figure you would have a pretty effective system with relatively low maintenance overhead. Of course, getting it through OSI layer 8 (the political layer) would probably still be difficult.
I would still use a gateway firewall, but the above system would give some protection to unconfigured hosts, and force compliance with security policy. It would also make compromises easier to detect, since any internally originating scan would set off loads of ACL log messages.
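As an added illustration (not part of the post above), here is a small Python script that does the detection the last paragraph relies on: it reads per-interface ACL deny messages and flags any switch port whose traffic was denied to an unusual number of distinct host/service targets. The log line format and the sample lines are constructed for this example and do not follow any particular vendor's syntax.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a vendor's real syntax):
#   "<switch-port> denied <proto> <src-ip>:<src-port> -> <dst-ip>:<dst-port>"
# Since every host behind a port is numbered identically, the switch port
# (and the per-port NAT source address) is what identifies the origin.
LINE_RE = re.compile(
    r"^(?P<port>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: port Gi1/0/3 touches several hosts and services (what an
# internal scan looks like), Gi1/0/7 is ordinary noise (two retries to one
# service), and the last line is unrelated and must be ignored.
SAMPLE_LOGS = """\
Gi1/0/3 denied tcp 10.0.0.3:51234 -> 10.0.0.12:22
Gi1/0/3 denied tcp 10.0.0.3:51235 -> 10.0.0.12:23
Gi1/0/3 denied tcp 10.0.0.3:51236 -> 10.0.0.12:445
Gi1/0/3 denied tcp 10.0.0.3:51237 -> 10.0.0.13:22
Gi1/0/3 denied tcp 10.0.0.3:51238 -> 10.0.0.14:22
Gi1/0/3 denied udp 10.0.0.3:51239 -> 10.0.0.15:161
Gi1/0/7 denied tcp 10.0.0.7:40001 -> 10.0.0.12:445
Gi1/0/7 denied tcp 10.0.0.7:40002 -> 10.0.0.12:445
console: link up on Gi1/0/9
"""

def parse_acl_line(line):
    """Return (switch_port, dst_ip, dst_port) for a deny line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("port"), m.group("dst"), int(m.group("dport"))

def find_internal_scans(lines, threshold=5):
    """Count distinct (dst_ip, dst_port) targets denied per switch port and
    return {port: count} for every port at or above `threshold`, i.e. the
    'loads of ACL log messages' from one origin that a scan produces."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_acl_line(line)
        if parsed:
            port, dst, dport = parsed
            targets[port].add((dst, dport))
    return {port: len(t) for port, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    print(find_internal_scans(SAMPLE_LOGS.splitlines()))  # {'Gi1/0/3': 6}
```

The threshold is deliberately per-port rather than per-IP so that the same check works whether or not the NAT rewrites the source address before the ACL logs the denial.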