Security Basics mailing list archives

Re: tcp/ip routing question / router design


From: JGrimshaw () ASAP com
Date: Fri, 14 May 2004 11:31:50 -0500

Hello,

It looks like you are trying to route without an additional router to do 
what you want.

The first answer is to get an additional $50 cheapo router.  But you said 
this was too expensive.

The second answer would be another PC running the OS of your choice with 
two NICs with routing enabled on it--but as you said, you already thought 
of this and rejected it as being too expensive, not having an unused PC 
lying around somewhere.  Even an old 486 laptop with two NICs can do this.

Since you want a DMZ, I see that you DO have additional computers to hook 
up, so I am having difficulty seeing why one of your current machines 
can't support the additional network cards and the minimal routing that 
would need to be done.  Cheap ethernet cards are $10.  They are not the 
best, but they don't have to be much faster than the DSL connection's 
uplink speed...

If your DSL router supports trunking, which I am doubting, you can 
configure the interface to support the DMZ and the private VLAN, and then 
also configure your switch for multiple VLANs and trunk the traffic to the 
router.  But since cost is an issue, you probably do not possess a switch 
that supports the 802.1Q standard.

Failing all of that, run IPX on one of the networks and use Microsoft's 
Gateway for NetWare service to provide file and print capability for your 
mininetwork.  No one on the outside would likely be able to get to it... 
and only allow the machines that need to get on the internet to have an IP 
address.  You can have multiple protocols running over the same physical 
medium.  The gateway service will provide the needed capability to share 
files, and only one network card is provided.  But the IPX devices will 
not have internet access.  There may be a way to translate IPX to IP, but 
I am not aware of it.

Finally, you confuse me as to how to do this securely.  You've already 
stated you don't have an extra PC and you don't have any money and you 
don't want to share the capability on an existing PC that could just as 
easily share files or a printer with little overhead.  What is it you are 
trying to secure?  How did you get the extra PC for use as a software 
firewall?  That machine could be the router, too, since you only need a 
default route and two statics for the DMZ and private. 

In the event that someone is more helpful than myself, you may have 
additional questions to ask, such as:

Now that your PCs are in the DMZ, what is their purpose?  To be less 
secure than the private network, so that they may share services with The 
Internet?  If that is the case, unless your 1-port DSL modem supports PAT 
with static port redirection and that you have the capability to configure 
this, none of your services are going to be shared, or unless you get a 
number of static addresses from the DSL network, and assign them 
statically to your DMZ devices.  In the event you have a decent amount of 
public addresses available for your disposal, you can set up two tiny 
VLANs (perhaps two /29s [255.255.255.248] allowing for I think six 
assignable addresses out of the 8 available in each VLAN).  You also need 
to tell the router how to get to your DMZ and private network, since the 
only things it knows about when powered on are its external interface and 
internal interface addresses and how to get data back and forth from each. 
Something has to be running routing to make the decision on how to get to 
each subnet. 

In the event you run out of public addresses and need to use private ones, 
you need to find out how to have NAT overload (PAT) running on at least 
one public address from the DSL network.  For the private network, a good 
example is a PC with two NICs running Windows Internet Connection Sharing. 
But you already struck that down as being costly and resource intensive. 
If the DSL router is functional enough, you can set up the PAT on that, 
but with only one exit port, the router would have to support trunking to 
carry both the DMZ VLAN and the private VLAN.  And your switch would have 
to be configured to support trunking on the port connected to the DSL 
router, and the switch would also have to be configured to have the two 
different VLANs logically segregated.

There is a saying--you can't make a silk purse out of a sow's ear.

Your best bet is to have the DMZ be the public addresses, assigned, I 
assume, either statically or by DHCP when connected to the switch 
connecting to the cable modem.  If you expect to use a software firewall 
in its traditional sense, then it has to sit in front of everybody and 
have different subnets and addresses for its internal and external NICs. I 
don't know how you'd plan to do this if you expect to use public addresses 
for the DMZ unless you make a /30 between the router and the firewall, and 
then have another subnet of public addresses on the inside of the 
firewall.  Hopefully, your little DSL router can support this, but I am 
thinking it is blindly assigning addresses via passing along DHCP 
requests, or performing NAT on its own.

Getting back to the task at hand, one of those DMZ machines will have to 
support ICS or NAT, with an additional network card.

Your private network will be the ICS/NAT assigned network.  In order for 
that to do any good, you will need to scrounge up a switch or a hub to 
hook into that ICS interface, and then hook the private network into that. 
In the event that you cannot afford a switch or hub, then you may use a 
crossover cable to connect one host device to the ICS.  Crossover cables 
cost around $10 on ebay plus shipping.

I can't think of a way you can do this without compromising your decision 
to not buy additional equipment or using a computer as a multihomed 
router.
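The address plan the reply keeps circling back to (a /30 between the DSL router and the firewall PC, a public /29 for the DMZ with six assignable hosts, a private LAN hidden behind PAT, and the static routes the DSL router and the multihomed PC each need) is worked through below in Python. This is an added example, not code from the thread. The ISP block (203.0.113.0/28), the private range (192.168.10.0/24) and the specific address assignments are constructed assumptions; it also assumes the DSL router accepts a static route, which the reply itself doubts.

```python
"""Address plan for the layout sketched in the reply: DSL router -> /30 link ->
multihomed PC acting as firewall/router -> public /29 DMZ + a PAT'd private LAN.

Added example, not from the thread.  The ISP block, the private range and the
address assignments are constructed assumptions (RFC 5737 / RFC 1918 space).
"""
from ipaddress import ip_network

ISP_BLOCK = "203.0.113.0/28"      # constructed: 16 public addresses from the ISP
PRIVATE_LAN = "192.168.10.0/24"   # constructed: RFC 1918 space hidden behind PAT


def usable_hosts(subnet: str) -> int:
    """Assignable addresses in a subnet.

    For /30 and shorter prefixes the network and broadcast addresses are reserved,
    which is why a /29 (8 addresses) yields the 6 assignable ones cited in the reply.
    /31 (RFC 3021 point-to-point) and /32 have no reserved addresses.
    """
    net = ip_network(subnet)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def plan(isp_block: str = ISP_BLOCK, private_lan: str = PRIVATE_LAN) -> dict:
    """Carve the ISP block and list the routes each box needs.

    Layout (addresses are the constructed defaults):
      DSL router (.1) <--/30 link--> (.2) firewall PC (.9) <--/29 DMZ--> public hosts
                                          firewall PC (192.168.10.1) <-- private LAN, PAT'd to .2
    """
    block = ip_network(isp_block)
    private = ip_network(private_lan)

    # First /30 of the block is the point-to-point link between DSL router and firewall.
    link = next(block.subnets(new_prefix=30))
    # The DMZ is the first /29 that does not overlap that link.
    dmz = next(s for s in block.subnets(new_prefix=29) if not s.overlaps(link))
    # Leftover public space, reported at /30 granularity.
    spare = [s for s in block.subnets(new_prefix=30)
             if not (s.overlaps(link) or s.overlaps(dmz))]

    dsl_router = link[1]      # first usable address on the link
    fw_outside = link[2]      # second usable address on the link
    fw_dmz = dmz[1]           # default gateway for DMZ hosts
    fw_inside = private[1]    # default gateway for the private LAN

    routes = {
        # The DSL router only knows its own two interfaces when powered on; it has to
        # be told the DMZ lives behind the firewall's outside address.  The private LAN
        # is hidden by PAT, so it needs no route there.
        "dsl_router": [(str(dmz), str(fw_outside))],
        # Firewall PC: default route toward the DSL router.  DMZ and private LAN are
        # directly connected interfaces, so they need no static entries.
        "firewall_pc": [("0.0.0.0/0", str(dsl_router))],
        # Hosts on each side simply point at their firewall-side gateway.
        "dmz_hosts": [("0.0.0.0/0", str(fw_dmz))],
        "private_hosts": [("0.0.0.0/0", str(fw_inside))],
    }
    return {
        "link": str(link), "dmz": str(dmz), "private": str(private),
        "spare": [str(s) for s in spare],
        "dsl_router": str(dsl_router), "firewall_outside": str(fw_outside),
        "firewall_dmz": str(fw_dmz), "firewall_inside": str(fw_inside),
        "dmz_usable": usable_hosts(str(dmz)),
        # PAT: all private-LAN traffic leaves with the firewall's outside address.
        "pat": {"inside": str(private), "outside_addr": str(fw_outside)},
        "routes": routes,
    }


if __name__ == "__main__":
    p = plan()
    print(f"link {p['link']}: DSL router {p['dsl_router']}, firewall {p['firewall_outside']}")
    print(f"DMZ  {p['dmz']}: gateway {p['firewall_dmz']}, {p['dmz_usable']} assignable hosts")
    print(f"LAN  {p['private']}: gateway {p['firewall_inside']}, PAT via {p['pat']['outside_addr']}")
    print(f"spare public space: {', '.join(p['spare'])}")
    for box, entries in p["routes"].items():
        for dest, via in entries:
            print(f"  {box:14s} route {dest:18s} via {via}")
```

Running it shows why the reply insists that "something has to be running routing": the only non-connected route on the whole layout is the DSL router's static for the DMZ /29, and if that box cannot hold it, the public DMZ never becomes reachable no matter how the switch is wired. Swapping in a /27 for the ISP block (two /29s plus the link) reproduces the two-VLAN variant the reply mentions.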

 



"first last" <in5ecure24 () hotmail com> 
05/12/2004 11:39 PM

To: security-basics () securityfocus com, firewalls () securityfocus com
Subject: tcp/ip routing question / router design

Hello everyone,

I have a question about which way is a better implementation for a router; 
here's my situation.

I have a DSL "modem" that is a router, but it only has 1 ethernet port. I'm 
supposed to plug the DSL straight into my PC but I'm not; I have both 
connected via a switch and everything worked instantly, so I'm assuming I 
can plug my servers into the switch and run my network.

What I am trying to do is set up a DMZ, and my LAN to the internet. The 
first way I was going to do this was via a software router/multihomed PC 
(3 NICs, 1 for each network) and set up a firewall and routing etc. etc. on 
that PC to securely route my networks.

1 problem is if I use only the DSL as a router (ISP -> DSL -> switch -> 
PCs) then what do I do about having separate networks for my LAN and DMZ 
and internet connectivity? On the other hand...

If I use a PC as a router, separating my DMZ and LAN is very easy since I 
have a NIC for each and 1 for my DSL. I don't see why I can't do this, but 
this will consume a PC, and I don't really have an extra one.

So my main question is which way do I go with, or are there other good 
options? Mind you, money funds are low, so simply buying a hardware router 
isn't really an option. My DSL has options for setting up a public and 
private LAN, but it's not like I can physically distinguish between the two.

So I'm pretty much just looking for the best way to set this up (from a 
security standpoint) and recommendations, help, feedback is GREATLY 
appreciated - thank you



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



