Disjoint Networks

b@nD

This is the scenario ( something for the security and routing guys )

I have a management VLAN and on this subnet I have one host ( XP machine ) that I use for management.

This VLAN is not connected to the internet for security reasons but can access all the other VLANs on their private IPs via inter-VLAN routing.

This is fine but because the host is not connected to the internet there is no automatic updates to the OS or anti-virus.

It is possible to set up two ( or perhaps more ) gateways in XP BUT they must all be on the same subnet as the host
( It is possible to allocate different routes to these different gateways via the ROUTE command )

SO -- if I want to have two gateways with a disjoint network on ONE host the only way to do this is with two NICs
eg say 10.10.10.1 and 10.10.1.1 ( one subnet is connected to the "Intranet" and one to the Internet )
( NAT is setup for the subnets that go to the Internet )

A kind of "multi-homing" / DMZ setup.

Am I correct so far ?

Is there any better way to do this ?
( have a management VLAN used only for accessing switches and routers with one or two hosts on this VLAN used only for management purposes and not connected to the internet )

I was thinking possibly about time-based ACLs to only provide a window for updates ? ( on the router )

Maybe setting something up on the router rather than worrying about the host / s ?

What does CCNP security say ?
 
What does CCNP security say ?

I would create an ACL ( you allocate a time base to it if you really want to ) to allow your host to connect to the MS update server range on port 80/443 and do the same for the AV. But to be honest, if you really want to be an@l about it you can always manually do updates once every 6 months. As long as your XP has SP3 you're in good shape. Also limit the inter-VLAN comms. Only allow the required ports needed between the VLANs, e.g. SSH, RDP, HTTP, HTTPS, SNMP, and make sure to block 135. You should be more than fine. Also load Nessus on your management system and scan your "internet" VLAN for exploits.

HTH
 
Never multi home a device and bridge it to your internal network. If you are security conscious, this is a big no.

I don't quite understand your setup I think, but I don't really see the problem.
You have a server in a vlan that is used only for management.

At the moment, it routes to a L3 device (what device is this?)
Why not just allow that server access out to just AV and MS updates with no incoming access?

I assume you default route to the L3 device (either a router or firewall), so just leave it like that.
Add an ACL and nat rule allowing your management host out to specific locations and you are done
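One way to put the ACL-plus-NAT advice from the two replies above into a Cisco IOS configuration, as an added example that is not from any poster in this thread. The VLAN number, addresses, interface names and ACL names are assumptions, and 203.0.113.0/24 is a documentation-range placeholder for the real update-server and resolver addresses.

```cisco
! Added example config (not from the thread). Assumed: the management
! VLAN is interface Vlan10 = 10.10.10.0/24, the management host is
! 10.10.10.5, the other VLANs sit in 10.10.0.0/16, the Internet-facing
! interface is Dialer0 with NAT overload, and CBAC (ip inspect) already
! handles return traffic. 203.0.113.0/24 is a documentation-range
! placeholder for the real update/AV server addresses and resolver.
!
! 1. Time window in which updates are permitted (time-based ACL)
time-range UPDATE-WINDOW
 periodic weekdays 02:00 to 04:00
!
! 2. Egress policy for the management VLAN: only the management host,
!    only to the update servers (plus its resolver), only on 80/443,
!    only during the window. Inter-VLAN management traffic is limited
!    to SSH/HTTPS/SNMP, 135 is denied explicitly, and everything else
!    leaving the VLAN is dropped and logged.
ip access-list extended MGMT-VLAN-OUT
 permit udp host 10.10.10.5 host 203.0.113.53 eq 53 time-range UPDATE-WINDOW
 permit tcp host 10.10.10.5 203.0.113.0 0.0.0.255 eq 80 time-range UPDATE-WINDOW
 permit tcp host 10.10.10.5 203.0.113.0 0.0.0.255 eq 443 time-range UPDATE-WINDOW
 deny   tcp 10.10.10.0 0.0.0.255 any eq 135
 permit tcp 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255 eq 22
 permit tcp 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255 eq snmp
 deny   ip any any log
!
! 3. NAT: extend the ACL already used by the overload statement so that
!    only the management host's update traffic is ever translated; no
!    other management VLAN address gets a path to the outside.
ip access-list extended NAT-INSIDE
 permit udp host 10.10.10.5 host 203.0.113.53 eq 53
 permit tcp host 10.10.10.5 203.0.113.0 0.0.0.255 eq 80
 permit tcp host 10.10.10.5 203.0.113.0 0.0.0.255 eq 443
!
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
interface Vlan10
 ip access-group MGMT-VLAN-OUT in
 ip nat inside
!
interface Dialer0
 ip nat outside
```

`show access-lists MGMT-VLAN-OUT` shows per-line hit counters, which is the quickest way to confirm that only the expected lines match while the host updates and that the final deny catches everything else.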
 
Update

Never multi home a device and bridge it to your internal network. If you are security conscious, this is a big no.
OK
Hhhmmmm

In the host .........

One NIC and one gateway on one subnet to the Internet
and
One NIC and one gateway and a different subnet going internal

With the applicable ROUTE statements ( can specify a SINGLE IP , more than one IP or a /24 )
( Surely that is already some form of security ? )

Is configuring connectivity between the two counted as routing or bridging ?

[ I have always wanted to fiddle around with multiple NICs and multiple port NICs :) ]

I don't quite understand your setup I think, but I don't really see the problem.
You have a server in a vlan that is used only for management.
At the moment, it routes to a L3 device (what device is this?)
Why not just allow that server access out to just AV and MS updates with no incoming access?
L3 = Cisco 877
What ports and IPs would I have to allow for updates of the OS as well as MSE ?
I assume these would have to have an egress as well as an ingress ?
(Blocking other traffic is fine )

NAT could be used to port forward only what is needed ?

I assume you default route to the L3 device (either a router or firewall), so just leave it like that.
Add an ACL and nat rule allowing your management host out to specific locations and you are done
Yes -- but the management VLAN is not associated with any dialer -- ( i.e. no outside access )
I would have to associate that VLAN with a VLAN that does have internet access and put an ACL on that ?
[ Is this more intervlan routing or really just bridging ( of subnets ) ? ]

Am running a CBAC firewall
Also forwarding NetBIOS traffic to allow browsing and name resolution but with an ACL to block it outside
( Do not have AD or DNS setup , do have a WINS server so perhaps the forwarding is not really necessary ?)

Thanks for all your suggestions so far.
Fortunately I have all the bits and pieces ( many years of scrimping and "junk" hunting ) so once I have a better idea of how this is done I can go and physically test it out.
:D
 
Busy BEEEE

You ALL have been busy .......
So have I :)
Scratched out a NIC dusted it off and installed it
Scratched out some UTP made up a cable and connected it up

Here is a little quiz first

IF you cannot ping an interface can you still connect to it ?

:D
 
Here is a little quiz first

IF you cannot ping an interface can you still connect to it ?

:D

Depends on where you are trying to connect from. If it's on the same segment then it should be possible, if it's via another routed interface then maybe not depending on your configs.
 
ICMP vs SSH ( and scanning )

Depends on where you are trying to connect from.
If it's on the same segment then it should be possible, if it's via another routed interface then maybe not depending on your configs.
ICMP is meant to denote connectivity
However
You do not need ICMP to connect via SSH ( even on a disjoint network )
i.e. A simple ping is not going to show you anything.
but
I suppose if you did a multi port , multi protocol scan this would show up ?
Have not got around to playing with that stuff yet :)
Still
ACLs -- wonderful things.


Here are some links about multi-homing -- very interesting

This is Windows stuff but seeing as most host machines are Windows -- still applicable to routing and switching

Strong and Weak Host Models

Tip: Setting a gateway preference on a multihomed XP workstation

Source IP address selection on a Multi-Homed Windows Computer

Eccentricities of Windows networking

I have done some prelim configuration and testing which seem to indicate that multi-homing does not necessarily have to mean bridging.
From within the intranet I cannot ping, telnet or otherwise connect to the isolated VLAN
but
If someone could give me an idea of how to test from a security perspective then that would be great.
In the meantime I will go and look for diagrams and examples of secure network topologies.
 