Re: LAN access while VPN is up
From: Triffid (triffid_at_nebula.net)
Date: 11/01/05
- Previous message: Duane Arnold: "Re: Is it possible for someone to access my HD even though I am running a firewall?"
- In reply to: Moe Trin: "Re: LAN access while VPN is up"
- Next in thread: Moe Trin: "Re: LAN access while VPN is up"
- Reply: Moe Trin: "Re: LAN access while VPN is up"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 31 Oct 2005 21:55:41 -0500
Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <68f9f.1790$J14.80418@news20.bellglobal.com>, Triffid wrote:
>
>
>>I've forgotten my reason - no doubt it was bizarre.
>
>
> The two most common reasons for choosing the "Class A" range of RFC1918
> are: 1) it's the first one listed in the tables of such addresses; and
> 2) people think it's impressive - forgetting that the address doesn't
> appear on the Internet, and no one else is going to know you are using it.
More likely down to my habit of changing default settings - most home
networking gear comes out of the box set to 192.168.x.x, like the NAT
router I was using before deciding to invest in a firewall. Not that I
have any faith in security by obscurity, but a lot of poorly coded
malware falls over if the system isn't bog-standard (especially in the
windoze world). This is not the first time I've been bitten - legitimate
software has been known to fall over because I didn't install windoze
where it is 'supposed' to be...
>>The tunnel runs from my laptop to my employer's VPN switch. The intent
>>of the client configuration enforced by the switch is to prevent my
>>laptop having simultaneous access to the corporate intranet and public
>>internet.
>
>
> That's done with procedure/policy here. The system I have to connect to
> the company net has one network interface - to that net only. My home
> systems are on a different net, physically isolated from the company
> computer - the classic "air gap". I can also get in to the company
> net via SSH over the Internet, but the number of hoops to jump through
> makes using the company box preferable. Yes, that means two data links
> in the house.
No such luxury here. I could create separate networks that only touch at
the Netscreen. However, it's a low-end model, so that involves switching
it to 'home/work mode' - which wipes the config so I get to start over :-(
>>The VPN client on my laptop routes everything except 192.168.0.0/16 up
>>the tunnel, and disconnects the tunnel if I mess with the routing table.
>>Since my local LAN isn't 192.168.x.x, it's unreachable while the tunnel
>>is up.
>
>
> Got it. I've got a minor advantage that I have 'root' (admin user) on
> all systems here, including the company box, which would allow me to
> do a lot of things. The company box has a non-routable address (they
> see no reason why I need a real address), and if I'm really desperate
> to reach the Internet without using my own systems, I can SSH into a
> system at work, and reach out from there.
On the odd occasion I need to reach the Internet while working, I can
use the corporate gateway via the tunnel. What I can't do is get
hardcopy on a local printer, or grab something off the local file server
- at least not without dropping the tunnel.
Unless there's a trick that hasn't occurred to me (hence my original
post), my choices are:
1. Renumber the local network to 192.168.x.x
2. Use the Netscreen to create a second local network
3. Use one of the spare routers to create a second local network
4. Status Quo
Only 2 and 4 make sense to me. 1 is almost as painful as 2, but doesn't
segregate home/work. 3 uses more electricity but provides weaker
segregation than 2. 4 is tolerable but not ideal.
Triffid
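The thread's problem is a plain longest-prefix-match one: the VPN client installs a default route into the tunnel and only carves out 192.168.0.0/16 for local use, so a LAN numbered from any other RFC1918 block is swallowed by the tunnel route. The following is an added example, not code from the post or from any VPN vendor; it models a host forwarding table in Python and checks, before anyone renumbers anything, whether a given LAN prefix would still be reachable with the tunnel up. The route entries and the 10.0.0.0/24 LAN prefix are constructed for illustration (the post only says the LAN is not 192.168.x.x); the hop labels "tunnel" and "lan" are the example's own.

```python
import ipaddress

# Constructed forwarding table modelled on the post: everything goes into the
# tunnel except 192.168.0.0/16, which stays on the local interface.
# Entries are (prefix, next-hop label); labels are this example's own.
ROUTES_WHILE_TUNNEL_UP = [
    ("0.0.0.0/0", "tunnel"),
    ("192.168.0.0/16", "lan"),
]


def lookup(routes, dest):
    """Return the next-hop label for dest using longest-prefix match,
    which is how a host forwarding table chooses a route."""
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def lan_reachable(routes, lan_prefix):
    """True if the whole LAN prefix is forwarded to the 'lan' hop.

    Two things can break local reachability: the most specific route that
    covers the LAN block points somewhere else (the post's situation, where
    0.0.0.0/0 -> tunnel covers a 10.x LAN), or a more specific route inside
    the LAN block diverts part of it."""
    lan = ipaddress.ip_network(lan_prefix)
    covering = [
        (ipaddress.ip_network(p), h)
        for p, h in routes
        if lan.subnet_of(ipaddress.ip_network(p))
    ]
    if not covering:
        return False
    _, hop = max(covering, key=lambda entry: entry[0].prefixlen)
    if hop != "lan":
        return False
    for p, h in routes:
        net = ipaddress.ip_network(p)
        if net.prefixlen > lan.prefixlen and net.subnet_of(lan) and h != "lan":
            return False
    return True


def renumbering_report(routes, current_lan, candidate_lan):
    """Compare the current LAN prefix with a candidate (option 1 in the post)
    and report which one stays reachable while the tunnel is up."""
    return {
        current_lan: lan_reachable(routes, current_lan),
        candidate_lan: lan_reachable(routes, candidate_lan),
    }


if __name__ == "__main__":
    # Constructed values: a 10.x LAN (unreachable) versus a 192.168.x LAN.
    print(lookup(ROUTES_WHILE_TUNNEL_UP, "10.0.0.5"))        # tunnel
    print(lookup(ROUTES_WHILE_TUNNEL_UP, "192.168.1.20"))    # lan
    print(renumbering_report(ROUTES_WHILE_TUNNEL_UP, "10.0.0.0/24", "192.168.1.0/24"))
```

The check only reads a model of the table; it does not touch the real routing table, which matters here because the post says the client tears the tunnel down when the table is edited. Used this way it answers the renumbering question (option 1) offline: any prefix outside the client's exclusion is unreachable by design, which is the split-tunnel policy doing exactly what the employer intends.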