Security Basics mailing list archives
Re: tcp/ip routing question / router design
From: JGrimshaw () ASAP com
Date: Fri, 14 May 2004 11:31:50 -0500
Hello,

It looks like you are trying to route without an additional router to do what you want. The first answer is to get an additional $50 cheapo router. But you said this was too expensive. The second answer would be another PC running the OS of your choice with two NICs with routing enabled on it, but as you said, you already thought of this and rejected it as being too expensive, not having an unused PC lying around somewhere. Even an old 486 laptop with two NICs can do this.

Since you want a DMZ, I see that you DO have additional computers to hook up, so I am having difficulty seeing why one of your current machines can't support the additional network cards and the minimal routing that would need to be done. Cheap Ethernet cards are $10. They are not the best, but they don't have to be much faster than the DSL connection's uplink speed...

If your DSL router supports trunking, which I am doubting, you can configure the interface to support the DMZ and the private VLAN, and then also configure your switch for multiple VLANs and trunk the traffic to the router. But since cost is an issue, you probably do not possess a switch that supports the 802.1Q standard.

Failing all of that, run IPX on one of the networks and use Microsoft's Gateway Service for NetWare to provide file and print capability for your mini-network. No one on the outside would likely be able to get to it... and only allow the machines that need to get on the Internet to have an IP address. You can have multiple protocols running over the same physical medium. The gateway service will provide the needed capability to share files, and only one network card is needed. But the IPX devices will not have Internet access. There may be a way to translate IPX to IP, but I am not aware of it.

Finally, you confuse me as to how to do this securely.
You've already stated you don't have an extra PC, you don't have any money, and you don't want to share the capability on an existing PC that could just as easily share files or a printer with little overhead. What is it you are trying to secure? How did you get the extra PC for use as a software firewall? That machine could be the router, too, since you only need a default route and two statics for the DMZ and private.

In the event that someone is more helpful than myself, you may have additional questions to ask, such as: now that your PCs are in the DMZ, what is their purpose? To be less secure than the private network, so that they may share services with the Internet? If that is the case, unless your 1-port DSL modem supports PAT with static port redirection and you have the capability to configure this, none of your services are going to be shared, unless you get a number of static addresses from the DSL network and assign them statically to your DMZ devices.

In the event you have a decent amount of public addresses at your disposal, you can set up two tiny VLANs (perhaps two /29s [255.255.255.248], allowing for, I think, six assignable addresses out of the 8 available in each VLAN). You also need to tell the router how to get to your DMZ and private network, since the only things it knows about when powered on are its external interface and internal interface addresses and how to get data back and forth from each. Something has to be running routing to make the decision on how to get to each subnet.

In the event you run out of public addresses and need to use private ones, you need to find out how to have NAT overload (PAT) running on at least one public address from the DSL network. For the private network, a good example is a PC with two NICs running Windows Internet Connection Sharing. But you already struck that down as being costly and resource intensive.
If the DSL router is functional enough, you can set up the PAT on that, but with only one exit port, the router would have to support trunking to carry both the DMZ VLAN and the private VLAN. And your switch would have to be configured to support trunking on the port connected to the DSL router, and the switch would also have to be configured to have the two different VLANs logically segregated.

There is a saying: you can't make a silk purse out of a sow's ear. Your best bet is to have the DMZ be the public addresses, assigned, I assume, either statically or by DHCP when connected to the switch connecting to the cable modem. If you expect to use a software firewall in its traditional sense, then it has to sit in front of everybody and have different subnets and addresses for its internal and external NICs. I don't know how you'd plan to do this if you expect to use public addresses for the DMZ unless you make a /30 between the router and the firewall, and then have another subnet of public addresses on the inside of the firewall. Hopefully, your little DSL router can support this, but I am thinking it is blindly assigning addresses via passing along DHCP requests, or performing NAT on its own.

Getting back to the task at hand, one of those DMZ machines will have to support ICS or NAT, with an additional network card. Your private network will be the ICS/NAT-assigned network. In order for that to do any good, you will need to scrounge up a switch or a hub to hook into that ICS interface, and then hook the private network into that. In the event that you cannot afford a switch or hub, then you may use a crossover cable to connect one host device to the ICS. Crossover cables cost around $10 on eBay plus shipping.

I can't think of a way you can do this without compromising your decision to not buy additional equipment or use a computer as a multihomed router.
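A worked illustration of the multihomed design sketched in the reply above (a /30 link between the DSL router and the firewall, a public /29 for the DMZ, and a private LAN behind NAT overload/PAT), added here as an example; it is not code from the original post or its author. It is a Linux equivalent of the three-NIC PC router using nftables in place of Windows ICS. The interface names (wan0, dmz0, lan0), the addresses (taken from the IPv4 documentation ranges) and the published DMZ ports are assumptions.

```shell
#!/bin/sh
# Added example: a three-NIC Linux box as the router/firewall described in the thread.
# Assumed interfaces and addresses (documentation ranges, not real allocations):
#   wan0  198.51.100.2/30  the "/30 between the router and the firewall" (DSL router is .1)
#   dmz0  203.0.113.1/29   public /29 for the DMZ: 6 usable hosts, servers on .2-.6
#   lan0  192.168.1.1/24   private LAN, PAT'd onto wan0's address on the way out
# The DSL router still needs one static route: 203.0.113.0/29 via 198.51.100.2.
# The LAN needs no route there, because it never appears on the WAN unmasqueraded.

WAN=wan0; DMZ=dmz0; LAN=lan0
LAN_NET=192.168.1.0/24
DMZ_WEB=203.0.113.2          # assumed DMZ host publishing a web server

# Usable host addresses in an IPv4 prefix (network and broadcast excluded):
# /29 -> 6, /30 -> 2, matching the "six assignable out of 8" in the reply.
cidr_usable() { echo $(( (1 << (32 - $1)) - 2 )); }

# Emit the nftables ruleset. Both filter chains default to drop; only listed flows pass.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN" tcp dport 22 accept    # manage the box from the private LAN only
    icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN may reach the Internet and the DMZ; DMZ may reach the Internet only.
    iifname "$LAN" oifname { "$WAN", "$DMZ" } accept
    iifname "$DMZ" oifname "$WAN" accept
    # Internet reaches the DMZ only on published ports, and never the LAN.
    iifname "$WAN" oifname "$DMZ" ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
    # Deliberately no dmz0 -> lan0 rule: a compromised DMZ host cannot pivot inward.
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # NAT overload (PAT) for the private LAN only; DMZ hosts keep their public addresses.
    oifname "$WAN" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Load the ruleset and turn on forwarding. Needs root, nft and the three interfaces.
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1
  gen_ruleset | nft -f -
}

case "${1:-}" in
  apply) apply_ruleset ;;
  check) gen_ruleset | nft -c -f - ;;   # parse-only check, nothing is loaded
  *)     gen_ruleset ;;                 # print the ruleset for review
esac
```

Run it with no argument to print the ruleset, with `check` to have nft parse it without loading, and with `apply` as root to install it. The security-relevant property is the pair of drop policies: every permitted direction is an explicit line, and the absence of a dmz0-to-lan0 line is what keeps a compromised DMZ server out of the private network.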
"first last" <in5ecure24 () hotmail com>
05/12/2004 11:39 PM
To: security-basics () securityfocus com, firewalls () securityfocus com
cc:
Subject: tcp/ip routing question / router design

Hello everyone,

I have a question about which way is a better implementation for a router. Here's my situation. I have a DSL "modem" that is a router, but it only has 1 Ethernet port. I'm supposed to plug the DSL straight into my PC but I'm not; I have both connected via a switch and everything worked instantly, so I'm assuming I can plug my servers into the switch and run my network.

What I am trying to do is set up a DMZ, and my LAN, to the Internet. The first way I was going to do this was via a software router/multihomed PC (3 NICs, 1 for each network) and set up a firewall and routing etc. etc. on that PC to securely route my networks. 1 problem is, if I use only the DSL as a router (ISP -> DSL -> switch -> PCs), then what do I do about having separate networks for my LAN and DMZ and Internet connectivity? On the other hand, if I use a PC as a router, separating my DMZ and LAN is very easy since I have a NIC for each and 1 for my DSL. I don't see why I can't do this, but this will consume a PC, and I don't really have an extra one.

So my main question is which way do I go with, or is there another good option? Mind you, money funds are low, so simply buying a hardware router isn't really an option. My DSL has options for setting up a public and private LAN, but it's not like I can physically distinguish between the two. So I'm pretty much just looking for the best way to set this up (from a security standpoint) and recommendations, help, feedback is GREATLY appreciated.

Thank you

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute.
Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- tcp/ip routing question / router design first last (May 14)
- Re: tcp/ip routing question / router design JGrimshaw (May 14)