Re: tcp/ip routing question / router design
JGrimshaw_at_ASAP.com
Date: 05/14/04
- Previous message: Depp, Dennis M.: "RE: Protecting an Exchange server?"
- In reply to: first last: "tcp/ip routing question / router design"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "first last" <in5ecure24@hotmail.com>
Date: Fri, 14 May 2004 11:31:50 -0500
Hello,
It looks like you are trying to route without an additional router to do
what you want.
The first answer is to get an additional $50 cheapo router. But you said
this was too expensive.
The second answer would be another PC running the OS of your choice with
two NICs with routing enabled on it--but as you said, you already thought
of this and rejected it as being too expensive, not having an unused PC
lying around somewhere. Even an old 486 laptop with two NICs can do this.
Since you want a DMZ, I see that you DO have additional computers to hook
up, so I am having difficulty seeing why one of your current machines
can't support the additional network cards and the minimal routing that
would need to be done. Cheap ethernet cards are $10. They are not the
best, but they don't have to be much faster than the DSL connection's
uplink speed...
If your DSL router supports trunking, which I am doubting, you can
configure the interface to support the DMZ and the private VLAN, and then
also configure your switch for multiple VLANs and trunk the traffic to the
router. But since cost is an issue, you probably do not possess a switch
that supports the 802.1Q standard.
Failing all of that, run IPX on one of the networks and use Microsoft's
Gateway Service for NetWare to provide file and print capability for your
mininetwork. No one on the outside would likely be able to get to it...
and only allow the machines that need to get on the internet to have an IP
address. You can have multiple protocols running over the same physical
medium. The gateway service will provide the needed capability to share
files, and only one network card is provided. But the IPX devices will
not have internet access. There may be a way to translate IPX to IP, but
I am not aware of it.
Finally, you confuse me as to how to do this securely. You've already
stated you don't have an extra PC and you don't have any money and you
don't want to share the capability on an existing PC that could just as
easily share files or a printer with little overhead. What is it you are
trying to secure? How did you get the extra PC for use as a software
firewall? That machine could be the router, too, since you only need a
default route and two statics for the dmz and private.
In the event that someone is more helpful than myself, you may have
additional questions to ask, such as:
Now that your PCs are in the DMZ, what is their purpose? To be less
secure than the private network, so that they may share services with The
Internet? If that is the case, unless your 1 port dsl modem supports PAT
with static port redirection and that you have the capability to configure
this, none of your services are going to be shared, or unless you get a
number of static addresses from the DSL network, and assign them
statically to your DMZ devices. In the event you have a decent amount of
public addresses available at your disposal, you can set up two tiny
VLANs (perhaps two /29s [255.255.255.248], allowing for, I think, six
assignable addresses out of the 8 available in each VLAN). You also need
to tell the router how to get to your DMZ and private network, since the
only things it knows about when powered on are its external interface and
internal interface addresses and how to get data back and forth from each.
Something has to be running routing to make the decision on how to get to
each subnet.
In the event you run out of public addresses and need to use private ones,
you need to find out how to have NAT overload (PAT) running on at least
one public address from the DSL network. For the private network, a good
example is a PC with two NICs running Windows Internet Connection Sharing.
But you already struck that down as being costly and resource intensive.
If the DSL router is functional enough, you can set up the PAT on that,
but with only one exit port, the router would have to support trunking to
carry both the DMZ VLAN and the private VLAN. And your switch would have
to be configured to support trunking on the port connected to the DSL
router, and the switch would also have to be configured to have the two
different VLANs logically segregated.
There is a saying--you can't make a silk purse out of a sow's ear.
Your best bet is to have the DMZ be the public addresses, assigned, I
assume, either statically or by DHCP when connected to the switch
connecting to the cable modem. If you expect to use a software firewall
in its traditional sense, then it has to sit in front of everybody and
have different subnets and addresses for its internal and external NICs. I
don't know how you'd plan to do this if you expect to use public addresses
for the DMZ unless you make a /30 between the router and the firewall, and
then have another subnet of public addresses on the inside of the
firewall. Hopefully, your little DSL router can support this, but I am
thinking it is blindly assigning addresses via passing along DHCP
requests, or performing NAT on its own.
Getting back to the task at hand, one of those DMZ machines will have to
support ICS or NAT, with an additional network card.
Your private network will be the ICS/NAT assigned network. In order for
that to do any good, you will need to scrounge up a switch or a hub to
hook into that ICS interface, and then hook the private network into that.
In the event that you cannot afford a switch or hub, then you may use a
crossover cable to connect one host device to the ICS. Crossover cables
cost around $10 on ebay plus shipping.
I can't think of a way you can do this without compromising your decision
to not buy additional equipment or using a computer as a multihomed
router.
"first last" <in5ecure24@hotmail.com>
05/12/2004 11:39 PM
To: security-basics@securityfocus.com, firewalls@securityfocus.com
Subject: tcp/ip routing question / router design
hello everyone
I have a question about which way is a better implementation for a router;
here's my situation.
I have a DSL "modem" that is a router, but it only has 1 Ethernet port. I'm
supposed to plug the DSL straight into my PC, but I'm not; I have both
connected via a switch and everything worked instantly, so I'm assuming I
can plug my servers into the switch and run my network.
What I am trying to do is set up a DMZ, and my LAN, to the Internet. The
first way I was going to do this was via a software router/multihomed PC
(3 NICs, 1 for each network) and set up a firewall and routing etc. on that
PC to securely route my networks.
1 problem is, if I use only the DSL as a router (ISP -> DSL -> switch ->
PCs), then what do I do about having separate networks for my LAN and DMZ
and Internet connectivity? On the other hand...
If I use a PC as a router, separating my DMZ and LAN is very easy since I
have a NIC for each and 1 for my DSL. I don't see why I can't do this, but
this will consume a PC, and I don't really have an extra one.
So my main question is which way do I go with, or are there other good
options? Mind you, funds are low, so simply buying a hardware router isn't
really an option. My DSL has options for setting up a public and private
LAN, but it's not like I can physically distinguish between the two.
So I'm pretty much just looking for the best way to set this up (from a
security standpoint), and recommendations, help and feedback are GREATLY
appreciated - thank you
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
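The three-NIC PC router that the reply above describes (a default route plus two statics for the DMZ and private subnets, a public /29 for the DMZ, NAT overload/PAT for the private LAN, and a filter that keeps the DMZ from initiating into the LAN), modelled as an added example so the routing and forwarding decisions can be checked on sample packets. This is not code from the original mail or from either poster. The addresses 203.0.113.0/30, 203.0.113.8/29 and 192.168.1.0/24, the interface names eth0/eth1/eth2, the DSL router at 203.0.113.1, the TCP ports a DMZ host is allowed to publish, and the sample packets are all assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing plan (constructed for this example, not from the mail):
#   eth0  external  203.0.113.2/30   point-to-point link to the DSL router at .1
#   eth1  DMZ       203.0.113.8/29   public /29: .9 is the router, .10-.14 for hosts
#   eth2  private   192.168.1.1/24   RFC 1918 space, hidden behind PAT on eth0
EXTERNAL_IP = ip_address("203.0.113.2")
DSL_ROUTER = ip_address("203.0.113.1")
LINK_NET = ip_network("203.0.113.0/30")
DMZ_NET = ip_network("203.0.113.8/29")
PRIVATE_NET = ip_network("192.168.1.0/24")

# The routing table: a default route via the DSL box plus the two statics for
# the directly connected DMZ and private subnets. A next hop of None = on-link.
ROUTES = [
    (ip_network("0.0.0.0/0"), "eth0", DSL_ROUTER),
    (LINK_NET, "eth0", None),
    (DMZ_NET, "eth1", None),
    (PRIVATE_NET, "eth2", None),
]

# TCP services each DMZ host may expose to the Internet (assumed for the example).
PUBLISHED = {ip_address("203.0.113.10"): {80, 443}}

# Which NIC a packet with a source in each zone must arrive on (anti-spoofing).
INGRESS = {"dmz": "eth1", "private": "eth2", "internet": "eth0"}


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (out_interface, next_hop)."""
    dst = ip_address(dst)
    best = None
    for net, iface, gw in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best[1], best[2]


def usable_addresses(net):
    """Host addresses that can be assigned in a subnet: a /29 gives 6 of its 8."""
    return [str(h) for h in ip_network(net).hosts()]


def zone(ip):
    """Classify an address into one of the three security zones."""
    ip = ip_address(ip)
    if ip in DMZ_NET:
        return "dmz"
    if ip in PRIVATE_NET:
        return "private"
    return "internet"


def forward(src, dst, dport, in_iface):
    """Forwarding policy for a packet (src -> dst:dport) received on in_iface.
    Returns (verdict, reason); verdicts are ACCEPT, ACCEPT+PAT or DROP."""
    src, dst = ip_address(src), ip_address(dst)
    s, d = zone(src), zone(dst)
    if in_iface != INGRESS[s]:
        return "DROP", f"source {src} cannot legitimately arrive on {in_iface}"
    if s == d:
        return "DROP", "same zone; the switch delivers this, the router does not forward it"
    if s == "private" and d == "internet":
        return "ACCEPT+PAT", f"source rewritten to {EXTERNAL_IP} (NAT overload)"
    if s == "private" and d == "dmz":
        return "ACCEPT", "LAN may reach DMZ hosts to administer them"
    if s == "dmz" and d == "internet":
        return "ACCEPT", "DMZ holds public addresses, so no NAT is needed"
    if s == "internet" and d == "dmz":
        if dport in PUBLISHED.get(dst, set()):
            return "ACCEPT", f"published service {dport}/tcp on {dst}"
        return "DROP", f"port {dport} is not published on {dst}"
    # dmz -> private and internet -> private: the private LAN is never a target
    return "DROP", "nothing may initiate connections into the private LAN"


if __name__ == "__main__":
    print("usable DMZ addresses:", usable_addresses(DMZ_NET))
    # Sample packets (constructed): LAN web browsing, DMZ host probing the LAN,
    # Internet hitting a published and an unpublished DMZ port, and a spoofed
    # LAN source arriving on the external NIC.
    for pkt in [("192.168.1.20", "198.51.100.5", 80, "eth2"),
                ("203.0.113.10", "192.168.1.20", 445, "eth1"),
                ("198.51.100.5", "203.0.113.10", 80, "eth0"),
                ("198.51.100.5", "203.0.113.10", 22, "eth0"),
                ("192.168.1.20", "203.0.113.10", 22, "eth0")]:
        print(pkt, "->", lookup(pkt[1]), forward(*pkt))
```

lookup() answers the question of what "something has to be running routing" actually decides: any destination not in the two directly connected subnets or the /30 falls through to the default route out eth0 toward the DSL router. forward() shows why the DMZ needs no NAT when it carries public addresses, why the private LAN must be rewritten to the one external address, and why a DMZ host that gets compromised still cannot open connections into the private LAN. On a Linux box these two decisions are made by the kernel routing table (ip route) and by netfilter FORWARD and POSTROUTING rules; on Windows, by the routing table plus ICS/NAT, which is what the reply proposes for the private side.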