Re: Multiple LANs: Firewall advice required.

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 07/13/05


Date: Wed, 13 Jul 2005 15:00:56 -0500

In the Usenet newsgroup comp.security.firewalls, in article
<1121249786.399644.96140@z14g2000cwz.googlegroups.com>, rhoaste@hotmail.com
wrote:

>I have 3 LANs that are totally separate from each other. It's very
>important that data must not be routed from one LAN to another.

OK. Do the individual LANs have access to any other networks INCLUDING
the Internet? If so, the routers to those other LANs need to have null
routes set for these three, so that packets from LAN A are not sent out
to the Internet and there routed to LAN B or C. Of course, if they are
meant to be totally separated, they probably shouldn't have ANY access
to other networks, especially the Internet.

>What I need to do is to have a PC that has access to ALL of the LANs
>simultaneously. What I'm thinking of doing is to introduce a PC that
>had 3 NICs installed, each of the NICs connected to each of the LANs.

What O/S? Whatever it is, there must not be anything offering
network services. This PC would be a 'client' to 'servers' running
on the three LANs only.

>Physical access to the PC with the multiple NICs would be restricted,
>and the system would not be connected to the internet; its sole
>purpose would be to access specific mainframe systems on each of the
>local area networks by use of terminal emulator software.

As long as the terminal emulation does not have a file transfer
capability (such as {X|Y|Z}Modem, Kermit, etc.) and the terminal
emulation is only displaying data rather than generating it, this
might work.

>Is there any need for the use of a firewall in this situation- the PC
>wouldn't route data.

No more than normal for the O/S. I would recommend that the LANs use
a switched technology (as opposed to hubs, concentrators, or coax), so
that the common PC only sees packets destined for it.

>I realise that a firewall would be preferable in this situation, but I
>don't really see the need if the data cannot route between networks.

Routing between networks also takes the cooperation of the end points.
Assume networks A and B, and a single system named X with NICs on both.
A system on network A has to know that to reach network B, it has to send
packets to host X and let it relay them. Likewise, network B has to know
that to reach (or even reply to) network A, it has to send the packets to X.
If A doesn't know about B, or vice versa, OR if A (or B) doesn't know that
X will forward packets, then it doesn't matter if X is going to do anything
because the hosts on network A will return a message "Network Unreachable"
for any attempt to communicate with B (and vice versa).

>Before anyone shouts at me, I understand that I must adhere to a
>solution that is satisfactory and that's why I'm asking the question
>here.

A lot depends on what the requirements are. Are they 'legal' (meaning
civil or military law, or contractual), company policy, or merely keeping
brothers/sisters from seeing what's on the siblings network?

>Please advise what would be the most secure solution.

Three dumb terminals without removable media (floppies, CDs), sharing
only the table and power outlet. "Nothing beats an air gap in maintaining
network security".

>Advice on a good secure software firewall that would be of use in this
>situation would be most useful.

Personally, I can't see the need for one ASSUMING nothing gets installed
on the LANs that gives them a clue that other LANs exist, AND there is control
of what software gets installed on the common PC.

        Old guy
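As an added illustration of the routing argument in the reply above (this is example code written for this page, not code from the post or its author): a toy Python model of the two topologies discussed. It shows that a packet only crosses from LAN A to LAN B through the dual-homed host X when three independent things line up (the sender has a route for LAN B pointing at X, X actually forwards, and the receiver has a route back), that X itself can still reach servers on both LANs as a plain client with forwarding off, and why a null (blackhole) route on the Internet-facing router stops the "out to the Internet and back into LAN B" path. The host names A1, B1, X, RA, RB, UP and all the 10.1.0.0/24, 10.2.0.0/24 and 203.0.113.0/24 addresses are constructed for the example.

```python
"""Toy routing model for the argument in the post (constructed example, not the post's code).

Routing tables use longest-prefix match; a box relays other people's packets
only if its `forwarding` flag (think net.ipv4.ip_forward) is on.  All names and
addresses are made up for this example.
"""
import ipaddress
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network
LAN_A, LAN_B, INET = NET("10.1.0.0/24"), NET("10.2.0.0/24"), NET("203.0.113.0/24")
DEFAULT = NET("0.0.0.0/0")


@dataclass
class Host:
    name: str
    interfaces: dict                              # own address -> attached network
    routes: list = field(default_factory=list)    # (network, next hop); next hop None = blackhole
    forwarding: bool = False                      # will this box relay packets not addressed to it?

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        best = None
        for net in self.interfaces.values():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ("connected", None))
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ("blackhole", None) if nh is None else ("via", nh))
        return best[1] if best else None


def send(hosts, src, dst):
    """Trace one packet hop by hop. Returns (outcome, path of host names)."""
    dst = IP(dst)
    by_addr = {a: h for h in hosts.values() for a in h.interfaces}
    cur, path = hosts[src], [src]
    for hop in range(8):                          # crude TTL
        if dst in cur.interfaces:
            return "delivered", path
        if hop > 0 and not cur.forwarding:        # a transit box that refuses to relay
            return f"dropped by {cur.name}: forwarding disabled", path
        route = cur.lookup(dst)
        if route is None:                         # the sender's own stack gives up here
            return f"{cur.name}: Network Unreachable", path
        kind, nh = route
        if kind == "blackhole":
            return f"{cur.name}: null route, packet discarded", path
        nxt = by_addr.get(dst if kind == "connected" else nh)
        if nxt is None:
            return f"{cur.name}: next hop unreachable", path
        cur, path = nxt, path + [nxt.name]
    return "TTL exceeded", path


def dual_homed(a_knows_x=False, x_forwards=False, b_knows_x=False):
    """LAN A and LAN B joined only by the PC X, which has a NIC on each (constructed)."""
    a1 = Host("A1", {IP("10.1.0.10"): LAN_A})
    b1 = Host("B1", {IP("10.2.0.10"): LAN_B})
    x = Host("X", {IP("10.1.0.254"): LAN_A, IP("10.2.0.254"): LAN_B}, forwarding=x_forwards)
    if a_knows_x:
        a1.routes.append((LAN_B, IP("10.1.0.254")))
    if b_knows_x:
        b1.routes.append((LAN_A, IP("10.2.0.254")))
    return {h.name: h for h in (a1, b1, x)}


def via_internet(null_route=False):
    """Each LAN has a border router with a default route; the upstream knows both prefixes."""
    a1 = Host("A1", {IP("10.1.0.10"): LAN_A}, [(DEFAULT, IP("10.1.0.1"))])
    b1 = Host("B1", {IP("10.2.0.10"): LAN_B}, [(DEFAULT, IP("10.2.0.1"))])
    ra = Host("RA", {IP("10.1.0.1"): LAN_A, IP("203.0.113.1"): INET},
              [(DEFAULT, IP("203.0.113.254"))], forwarding=True)
    rb = Host("RB", {IP("10.2.0.1"): LAN_B, IP("203.0.113.2"): INET},
              [(DEFAULT, IP("203.0.113.254"))], forwarding=True)
    up = Host("UP", {IP("203.0.113.254"): INET},
              [(LAN_A, IP("203.0.113.1")), (LAN_B, IP("203.0.113.2"))], forwarding=True)
    if null_route:                                # the /24 blackhole beats RA's /0 default
        ra.routes.append((LAN_B, None))
    return {h.name: h for h in (a1, b1, ra, rb, up)}


def round_trip(hosts):
    """Outcome of A1 -> B1 and of B1's reply, the two directions the post talks about."""
    return send(hosts, "A1", "10.2.0.10")[0], send(hosts, "B1", "10.1.0.10")[0]


if __name__ == "__main__":
    for kw in ({}, {"a_knows_x": True}, {"a_knows_x": True, "x_forwards": True},
               {"a_knows_x": True, "x_forwards": True, "b_knows_x": True}):
        print(kw, round_trip(dual_homed(**kw)))
    print("X as a client :", send(dual_homed(), "X", "10.2.0.10"))
    print("via upstream  :", send(via_internet(), "A1", "10.2.0.10"))
    print("with blackhole:", send(via_internet(null_route=True), "A1", "10.2.0.10"))
```

Run it and the first scenario fails at A1 with "Network Unreachable" before X is ever involved; adding a route on A1 moves the failure to X ("forwarding disabled"); turning forwarding on gets the packet to B1 but the reply still dies at B1 until B1 also has a route. The last two lines show A1's packet reaching B1 over the upstream when both border routers only have default routes, and being discarded at RA once RA carries a blackhole for LAN B.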


