Security Basics mailing list archives
RE: Protecting Multiple Public IP Workstations
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 27 Feb 2004 09:40:07 -0800
From: MATT GIBSON [mailto:mattgibson () shaw ca]

We've got a client who (for various reasons) has a network (that's currently p2p), and all the workstations (6) have public IP addresses. It's a Windows network (mixed 98 and 2000), and we're putting in a new server (win2k). Just wondering how to best protect this network?

This is a practice I've never liked. At an ISP I used to work for they set up some SOHOs like this, just routing them a subnet through the sub-interface through the DSL ATM, and they would use that as their network settings. It works, but in my eyes is not needed in this 'day-n-age'. With NAT technologies cheaper than dirt it's easy to add some level of protection on the network.

If you MUST use the server itself, which I don't recommend, use IP filtering against the WAN interface to keep that box a little more secure. Give the internal systems private IPs and route traffic through the server.

Your best bet is to pick up a $150.00 NAT/Firewall/Router. I've always liked Netgear's line of "Security Routers", but Sonicwall has some very good low end kit. The PIX line has some very good low end firewalls but they are more of a handful than the Sonicwall or Netgear stuff.

If you keep the public IPs just install a good personal firewall, say ZoneAlarm, and allow only your 'known' systems access past the firewall. This won't stop worms, etc., but makes the system more secure from scanning and script kiddies.

Remember to keep everything up2date!
1) To use firewalls at the client level (don't like this idea)
Nothing wrong with this idea; if you're going to have your systems visible to the Inet it should be a requirement. Configured right you won't need to touch the workstations often, and with a little training your users should be good to know what warning/screen means what. We do this with our VPN clients.

2) To use RRAS on the server, and have the server route all the public IPs through it first, and then run some sort of firewall on the server.

Why? Use private IPs on the clients then use RRAS to route through the public interface; this adds a level of security to the network itself. To properly route the traffic on the public IP addresses you would have to have your ISP route the subnet through your RRAS server, otherwise those workstations won't be reachable if they are 'truly' behind the server. In that case you would just use private IP addresses anyways.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338