Security Basics mailing list archives

RE: One computer two different networks


From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Wed, 11 Oct 2006 09:18:34 +0100

This would appear to work - but it doesn't. It would be an horrendous idea
from a security point of view, when on the "internet" network the machine
would be much more open to various threats that might compromise the
machine. This leaves you in a position where potentially compromised
machines are constantly dipping into the "secured" network, handling some
sensitive information and then rejoining the "internet" network allowing any
potential malware to potentially "phone home" with data collected from the
"secured" network - Machines that do this would have to be considered no
more secure than the "internet" network itself which would defeat the whole
idea.

If you are going to use the same physical machine for both networks then the
operating environments need to be completely separated - the three major
ways of doing this would be to either have a terminal server located in a
DMZ providing the necessary functionality, a virtualised environment (such
as VMware or Virtual PC) bound to a second NIC, or a live boot CD (such as
Bart PE if you are in a Windows environment).

Personally I would go for a virtual machine since doing it this way means no
reboots (a failing of the live CD option) and if you set it up not to keep
any persistent state from the sessions you eliminate most future maintenance
on them since regardless of what malware etc they pick up it will all be
gone the next time the virtual machine is restarted.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jamie Wareham
Sent: 10 October 2006 19:20
To: Santiago Barahona
Cc: security-basics () securityfocus com
Subject: RE: One computer two different networks

   I have set up a dual network situation similar to what you need.
This is how I accomplished the task.  Set up separate networks (diff. IP
ranges, server, switches, etc.).  Then, you would run cabling from each
network to a dual port outlet installed near each workstation and should be
easily accessible for the user. Now, the user simply "unplugs" and "plugs"
into the target server's wall outlet and runs a batch file (which the admin
puts in their desktops) that runs a brief DHCP release/renew process and
maps needed drives "on the fly". 

 When they are done, just "plug" back into the other outlet and run the
batch file again.  Works like a charm.

J~

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Santiago Barahona
Sent: Tuesday, October 10, 2006 10:04 AM
To: security-basics () securityfocus com
Subject: One computer two different networks

Hi all,

(First of all I want to apologise if I am misplacing this question, if so
I'd appreciate it if anyone could point me in the right direction)

So here is the situation:

We have about 250 computers that are isolated in a high-security network, we
want to give internet access to those computer users without compromising
the secured network...of course our first thought is to buy 250 computers so
the users can switch between computers (one for the secure network, one for
internet)... but that might not be the most practical solution...

So, I've been looking around and I've found a product called DATAGATE, from
Tenix which works as a "Data Diode"... looks interesting... but I'd like to
have a second opinion...

Does anyone know about other products or techniques on how to accomplish
this??

thanks!


------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in Information
Security. Our program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

