DMZ & Secure zones in home LAN? (The Scream! forum, PC Security)

#1 Odyssey, 18-May-2010, 18:46

I have the following groups of devices on my LAN:

1) WiFi router, TIVO, Aluratek Internet Radio

2) 1 Linux and 2 Windows XP computers

3) Apple Mac Mini (used solely for photos and online banking)

I want Group 1 to be in a DMZ, isolated from Groups 2 & 3, and want to be able to use the Apple as the only device online when doing banking.

I am thinking of this setup:

Switch #1 to the WAN and connected to:

- Router #1 for Group 1 (this is the wireless router)
- Router #2 for Groups 2 & 3 (this router wired only)

Behind Router #2:

- using one port for Switch #2 for all of the Group 2 devices
- using one port for the Apple Mac Mini

The plan is that Group 1 should not have access to Groups 2 & 3 at any time, AND any time banking is to be done:

- Router #1 is unplugged from Switch #1 AND
- Switch #2 is unplugged from Router #2

leaving only the Apple online and only requiring unplugging of two ethernet cables.

This may seem like equipment overkill, but I have all the switches and routers that are needed, most of which are unused at the moment.

I don't understand enough about switches and routers to know whether one port of either device is effectively isolated from the other ports of the same device. So my question is how to improve/simplify the setup without compromising the objectives, or is this perhaps the minimum configuration to meet the objectives?
#2 silver, 19-May-2010, 16:26

not sure what equipment you have, some routers have 'dmz' built in - but it's not always clear what is meant by DMZ or how it is implemented by a router

I will use terms as per ipcop just because..

red: wan side / internet

green: safe zone / normal personal PCs etc

orange: dmz / servers / computers you wish to be accessible from the i'net or they are untrusted in some fashion

if you have 2 NAT based routers (one can be the one which connects to the internet / WAN) then it should be possible to create a DMZ, since the orange network can be inside the first router's network, call this "WAN router" (i.e. connected directly to the WAN router)

the green network can be off the LAN side of the second router connected to the LAN side of the "WAN router" - this can be called "LAN router" - since the subnetwork will be different on the LAN side of this second router anything connected to the LAN side of the first router won't be able to connect in

humm, hope that makes sense. probably easier with a diagram(!)
#3 Odyssey, 19-May-2010, 18:45

Hello Sil,

I may be using terms of art that I really don't understand, and DMZ may be one of them. I only want the Group 1 to be as isolated as possible from Groups 2 and 3. The Tivo and the Aluratek engage constantly in communication over the Internet to update schedules, etc. and I have no idea what their vulnerability to attack and compromise is. So I lumped them along with the Wifi Access Point/Router (Zyxel P-330 v2) into a "less secure" category, which since I have concerns about the security of any and all of them, I want to be isolated as much as is practical from Groups 2 & 3.

BTW, the other (wired only) router is a DLink DL-604

As I reflect further on this, the ideal thing would be to have two IP addresses, but that is pretty pricey compared to what I have now, and so am trying to duplicate, from a functional standpoint, as much as is practical using the single IP address I have.

An ipcop router is something that has been on my "to-do" list for many moons now. Would an ipcop computer/router with two ethernet cards help with the solution to this?

Alternatively, would two different workgroups (or three-one for each group) help at all?

I hope this helps clarify what I am trying to do (and also helps your understanding of how limited my understanding of all of this is) and maybe helps you with a suggestion (or two).

Thanks,
robert
#4 silver, 20-May-2010, 08:31

yep, I wasn't saying you need IPcop, I think similar can be done with the 2 routers you have

so router 1 - this one connects you to the i'net, put the less safe computers / whatever here directly connected to this router

router 2, this is the router for the safe zone PCs - they connect to the LAN side of this, the WAN side (would normally be the i'net) will be connected to the LAN side of 'router 1'

that way, PCs on router 2 can connect out to the PCs and i'net but the unsafe network cannot connect in to PCs behind router 2
#5 Odyssey, 07-January-2011, 21:52

Here's a possible variation on the above. I can get a fixed, second IP address from my ISP for a modest monthly sum. With two IP addresses, I would imagine that even greater separation could be established, but this stretches my mechanical understanding as to how it might be set up.

At present, I have optical fibre to my home. There is a box on the outside that converts the optical signal into a digital signal which runs by copper to my wall jack (one incoming RJ-45 receptacle). If I had a second IP addy, would this also come in on the same wire or would a new copper wire be required?

If on a different copper wire, then separation is pretty much a given.

Assuming on the same wire, can a router (such as my DL-604, or any other, or a switch) securely route each of the two IP addys to separate places. E.g., could it send one to one computer (we'll call it the "secure" computer) which is used only for banking, etc, and everything else to my existing Dell multiport switch, on which the Tivo, Internet Radio, WiFi, and other wired computers reside?

Assuming that this is possible, would the two be isolated at all from each other? For example, if a sniffer was operating on the "everything else" lan, could it sniff traffic on the secure side?

I imagine that I am not stating this well, but hope you get the idea and can comment.

Even assuming that all of the above is possible, even practical, would it offer any advantage over the two router arrangement you outlined?

Another possibility, due to the infrequent nature of "secure" access needs, could I not just unplug the existing router from the wall jack and plug in another router attached to the computer to be used solely for "secure" transactions?

I appreciate your patience and assistance on this. As you can tell, I am, as usual, in over my head.

Thanks,
robert
#6 silver, 08-January-2011, 02:19

well - DMZ has different meanings - I think at least, essentially it seems you are saying you have more than one computer, one of the computers will / is only used for specific 'secure' transactions and that must be kept separate from any of the others

the most simple way is to have nothing connected to the secure computer, it's sat there on its own with no connection to anything. When you need this computer to be online you can just unplug any of the other computers and connect the secure computer to the router - job done

I'll have a guess at the other bits. generally if you have an i'net connection and the ISP says you can have more than one IP address that is sent down the same line / i'net connection as before, so you have the same physical connection, just more than one IP is directed toward it from the ISP

I'm not sure exactly what you are needing and the nature / requirement of the 'secure' computer, perhaps if there was more info it might be clearer / offer more options perhaps
#7 Odyssey, 08-January-2011, 21:55

Hello Sil,

I have a fairly high spec linux (Ubuntu 10.04), two XP Home SP3, and an old Apple Mac Mini (the secure computer).

My D-Link dl-604 router feeds:
1) a ZyXEL Wireless Access Point,
2) a Dell multi port switch, both of these in the office, and,
3) in another room, a 2nd switch with an Aluratek Internet Radio and a Tivo, via CAT 5.

Using the WiFi are a 2nd Tivo and the fairly frequent guest in our home.

The four computers above are currently connected by CAT 5 to the switch.

Hackers are getting more clever and intrusive all the time. I am not technically able to ensure that none of the devices listed above, including the router, will be hacked.

I have no control over what sites the visitors might connect to. And I don't have to tell you about the risk of a trojan, keylogger, rootkit, etc. being downloaded by careless browsing, or even visiting a high profile site that state of the art hackers have poisoned.

So my thought process is just to isolate the apple from everything else. Leave it turned off when not in use, or at least off the network, wired and wireless.

When it is needed and used, it would be the only computer online.

So I take your suggestion about unplugging everything else from the router, then plugging in the Apple. However should the router be compromised, this would be a problem, so the relatively inexpensive solution maybe is to have a second router and literally unplug the entire network (including the D-Link) described above (which would no longer have the Apple attached), and plug in a second router to the gateway with the Apple now connected to it.

If this is a fairly foolproof alternative, is the make and model of the second router important, and if so, any suggestions? I guess some routers are a lot harder to crack than others, so it might be good to trade up from the D-Link dl-604 that I am using now, to more hardened equipment.

At least if the second (new) router is only online while the Apple is in use, there would be a much lower risk of it being compromised simply by virtue of it only being online for short spurts.

BTW, I do realize that I am fairly paranoid, but the financial consequences of being complacent and consequently compromised could be painful. If I can avoid that with something as simple as the above then it seems to me worthwhile to go to the trouble.

Thanks for helping me work through this.
#8 silver, 09-January-2011, 16:25

routers don't really get compromised, or rather if it's setup correctly there is really nothing that you need be worried about, if you have 2 routers setup and wish to switch between them fine but I don't think it's needed

a router is really just a bit of hardware running a very limited OS, it's already locked in such a way that nothing else can be running on it (it's not like a normal computer which can run various type of malware)

security is always a trade off between what's possible, what's likely, unlikely, how much hassle you are willing to go to, the 'cost' of outcome a possible breach of security etc etc

network sniffers etc are possible but unlikely, unless you are working for the CIA and if you are going to consider that you just as well think about using magnetic shielding on the windows to prevent EMFs from screens, how to stop data intercept at the phone exchange etc

most hacking/malware is random, untargeted and crimes of opportunity aimed mostly at careless users - most often the weakest link being the person at the keyboard!

PS, bear in mind also, let's pretend there is a network sniffer installed on your network, any data of interest will generally be sent over https (secure http protocol) like your bank account login etc, the sniffer will not be able to read that data and decode it anyway - unless again they are working at CIA and have a few supercomputers to play with

you don't say what the secure computer is to be used for, think in terms of layers, so let's say the computer is used for accessing your bank account - perhaps switch to an account that uses a one time key generator for login authentication - it is a far more secure method
#9 Odyssey, 11-January-2011, 16:10

Sil, Many thanks. That is most helpful.

While I forgot to mention it earlier, my main concern is from keyloggers or screen capture malware. I would imagine that having a second network with only the one computer to replace the normally used one would be helpful in avoiding this risk.

And, yes, the "secure" computer is only used for banking.

Will look into banks using one time authentication, but may be difficult to change as there are other considerations influencing choice of banks.
#10 Scoobs, 11-January-2011, 20:33

Natwest use Rapport software to protect your info on their site; you can use it on others like PayPal, etc.

small install runs in the browser all the time.

http://www.natwest.com/personal/onli...ILC-T2TrustBnr
#11 Memfis, 11-January-2011, 21:04

Having (skim) read this thread I think what you're wanting is just a basic split lan where one side cannot access the other.

You only need one wan ip.
NAT protects each side of the lan from the other.
uses three routers (routers 2 and 3 can include wireless).
It doesn't matter if routers two and three use the same subnets (it actually makes it harder to access the other router's computers if you do).
Wireless ssid's and passkeys should be different on routers 2 and three.
Port forwarding is easily accomplished for xbox, voip, torrents etc

Routers are generally very secure - the very few that have been compromised so far must be compromised from inside the lan. So if router 2 gets compromised router 3 can't.

popped for dinner - I'll be back to add anything I've missed in a bit
[Attachment: split lan example.png]

#12 Odyssey, 11-January-2011, 21:48

Scoobs, I will look into Rapport.

Memfis, That is very helpful. I think I would avoid WiFi on the "secure" side router as this would just provide an additional means to penetrate.

Would both routers 2 and 3 be able to operate simultaneously without additional risk compared to unplugging the unsecure lan? That would be a lot more convenient.
#13 Memfis, 11-January-2011, 21:52

in my opinion everything you are doing is overkill but if you want to separate two parts of a lan easily without using a custom router OS this is how I'd do it.

yes routers 2 and 3 can operate simultaneously.

WiFi is of course optional.

> Would both routers 2 and 3 be able to operate simultaneously without additional risk compared to unplugging the unsecure lan?

nothing is more secure than unplugging what's not in use but it's overkill. This setup means that one side of the lan cannot access the other side.

#14 Memfis, 11-January-2011, 22:08

Bear in mind that the few routers that have been compromised have only been compromised until they were rebooted. The OS is stored on a read only chip.

For example see the home hub threads on how hard it is to get into these things
#15 silver, 11-January-2011, 22:21

you could do like mem says and use 3 routers, if we presume the 'secure computer' is reasonably trustworthy then you can ditch one of the routers, so untrusted / normal PCs can be connected directly to the router at the top (the one with the i'net connection) then the 'secure computer' can be behind the 2nd router, that prevents any of the untrusted PCs from being able to connect in
#16 Memfis, 11-January-2011, 23:09

I totally agree with Silver, it saves a router.
The secure PC can access the others, but they cannot access it.

As with my other diagram the IP address ranges can be changed.

Another shoddy microsoft paint diagram follows..
[Attachment: two routers.png]
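The layouts discussed in this thread (silver's red/green/orange zones in #2 and #4, the IPcop box with several NICs asked about in #3, and Memfis's split LAN in #11 and #16) all collapse onto one Linux router with three interfaces, with the zone policy written as firewall rules instead of being implied by NAT on chained consumer routers. The nftables ruleset below is an added example written for this page; it is not code from the thread, from IPCop, or from any of the router vendors named. The interface names eth0/eth1/eth2 and the two private subnets are assumptions to be adjusted to the real hardware. The policy it expresses is the one the posters converge on: green (the banking Mac Mini and trusted PCs) may start connections to orange and to the internet, orange (TiVo, internet radio, the WiFi access point and its guests) may only go out to the internet, and red (the ISP side) may reach nothing inside unless a port is deliberately published.

```nftables
#!/usr/sbin/nft -f
# Three-zone home firewall. Added example, not from the thread.
# Zone names follow the IPCop convention used in post #2:
#   red    = eth0  WAN / ISP side (address assigned by the ISP)
#   green  = eth1  192.168.10.0/24  trusted PCs and the banking Mac Mini
#   orange = eth2  192.168.20.0/24  TiVo, internet radio, WiFi access point
# Interface names and subnets are assumptions; adjust to your hardware.

flush ruleset

define RED        = "eth0"
define GREEN      = "eth1"
define ORANGE     = "eth2"
define GREEN_NET  = 192.168.10.0/24
define ORANGE_NET = 192.168.20.0/24

table inet filter {
    # Traffic addressed to the router itself. Default drop means the
    # router's own admin interface is never reachable from red.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Only the green zone may talk to the firewall box (admin, DNS, DHCP).
        iifname $GREEN accept

        # Orange devices get DHCP and DNS from the box and nothing else.
        iifname $ORANGE udp dport { 53, 67 } accept
        iifname $ORANGE tcp dport 53 accept

        # Ping from either inner zone; nothing from red reaches the box.
        iifname { $GREEN, $ORANGE } icmp type echo-request accept
    }

    # Traffic crossing between zones.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # green may initiate to orange and to the internet
        iifname $GREEN oifname { $ORANGE, $RED } accept

        # orange may initiate to the internet only; orange -> green is
        # dropped (and logged so attempts are visible in the kernel log)
        iifname $ORANGE oifname $RED accept
        iifname $ORANGE oifname $GREEN log prefix "orange->green blocked: " drop

        # red -> orange only for ports deliberately published on orange hosts;
        # the set stays empty unless you really expose something
        iifname $RED oifname $ORANGE ip daddr $ORANGE_NET tcp dport @published accept
    }

    set published {
        type inet_service
        # elements = { 8080 }   # example: a web service on an orange host
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # iifname $RED tcp dport 8080 dnat to 192.168.20.10   # pair with @published
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # one public IP shared by both inner zones, as the thread assumes
        oifname $RED ip saddr { $GREEN_NET, $ORANGE_NET } masquerade
    }
}
```

Check the file with `nft -c -f firewall.nft` (parse only), load it with `nft -f firewall.nft` once `net.ipv4.ip_forward=1` is set, and confirm with `nft list ruleset`; a `nc` or `ssh` attempt from an orange host to a green address should then fail and leave an "orange->green blocked" line in the kernel log. Two caveats answer the original question about whether one port is isolated from another: a plain switch does not filter, so everything on the orange switch (both TiVos, the radio and every WiFi guest) can still talk to each other, and only the firewall separates zones; and whichever design is used, an inner router's LAN must be a different subnet from the LAN of the router in front of it, or the double-NAT arrangement will not route at all.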
#17 Odyssey, 12-January-2011, 01:45

Great!

This gives me a setup that is very convenient and gives me comfort that it mitigates risk. I agree that it is overkill, but for very little money, it salves my paranoia.

Thanks to all.

robert