Security Basics mailing list archives

RE: Protecting Multiple Public IP Workstations


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 27 Feb 2004 09:40:07 -0800

From: MATT GIBSON [mailto:mattgibson () shaw ca]
We've got a client who (for various reasons) has a network (that's currently p2p), and all the workstations (6) have public IP addresses. It's a Windows network (mixed 98 and 2000), and we're putting in a new server (win2k). Just wondering how to best protect this network?

This is a practice I've never liked. At an ISP I used to work for they set up some SOHOs like this, just routing them a subnet through the sub-interface through the DSL ATM, and they would use that as their network settings. It works, but in my eyes is not needed in this 'day-n-age'. With NAT technologies cheaper than dirt it's easy to add some level of protection on the network.

If you MUST use the server itself, which I don't recommend, use IP filtering against the WAN interface to keep that box a little more secure. Give the internal systems private IPs and route traffic through the server. Your best bet is to pick up a $150.00 NAT/Firewall/Router; I've always liked Netgear's line of "Security Routers" but Sonicwall has some very good low end kit. The PIX line has some very good low end firewalls but they are more of a handful than the Sonicwall or Netgear stuff.

If you keep the public IPs just install a good personal firewall, say ZoneAlarm, and allow only your 'known' systems access past the firewall. This won't stop worms, etc., but makes the system more secure from scanning and script kiddies.

Remember to keep everything up2date!


1) To use firewalls at the client level (don't like this idea)

Nothing wrong with this idea; if you're going to have your systems visible to the Inet it should be a requirement. Configured right you won't need to touch the workstations often, and with a little training your users should be good to know what warning/screen means what. We do this with our VPN clients.

2) To use RRAS on the server, and have the server route all the public IPs through it first, and then run some sort of firewall on the server.

Why? Use private IPs on the clients then use RRAS to route through the public interface; this adds a level of security to the network itself. To properly route the traffic on the public IP addresses you would have to have your ISP route the subnet through your RRAS server, otherwise those workstations won't be reachable if they are 'truly' behind the server. In that case you would just use private IP addresses anyways.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
