Isolating a System on a Home Network

krygen:
On my home network (ADSL line, Linksys router) I'm planning on setting up a machine with several ports forwarded by the router.
How can I lock down that machine so that it can still connect to the internet, but has no contact with other machines on the network? I'll be running a software firewall on it, but my friend runs another machine on the network and he's scared shitless of the idea of a system with forwarded ports on his network, so I'm looking for a way to tell him that if anything happens to it, no worms/viruses will be able to spread to his system.
The machines are all running WinXP Home.
I've looked through the network settings, and I discovered that by going to the Local Area Connection Properties and disabling the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks, the machine can see the internet, but cannot see other systems on the network, and other systems cannot access it.
Is that a safe way to isolate the machine? If not, are there any other ways?
I would really appreciate any responses.
Thanks so much

downtown:
To what extent are you willing to go to secure your network? If you want true isolation, you really should have three network segments (i.e. WAN, LAN, and a DMZ). From what I understand your router (a brand might help) will only provide a WAN and a LAN interface. What type of services are you exposing to the outside?
By "disabling the client for microsoft networks and the file and printer sharing for microsoft networks" you're cutting off NetBIOS and file & print sharing. A great start if you do not require them. But this does not stop other services from contacting one another. This is where your software firewalls will come into play. What firewall software are you currently using?
If you want true isolation it will require additional hardware: either a router that has three network interfaces, or a computer running *nix (3 NICs) dedicated to the job. There are many distros that are up for the job.
If you don't want to make a hardware change and would rather stick with the setup you have now, properly configured software firewalls, AV, AT and all the junk removers are definitely advised.
Last but not least, patch patch patch patch patch patch.
It comes back to what you're comfortable with.

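What the three-segment box in the reply above looks like in practice, as an added example that is not code from the thread or any of its posters: iptables rules for a dedicated Linux router with three NICs. The LAN may open connections to the Internet and to the DMZ host (to manage it), the DMZ host may only open connections to the Internet, and the Internet may only reach the DMZ host on the forwarded ports. Interface names, subnets, the DMZ host address, the port list and the "FWD-DMZ: " log prefix are assumptions; only the FORWARD and nat chains are configured, the box's own INPUT policy is a separate job.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a three-NIC Linux box
# acting as WAN / LAN / DMZ router. Interface names, subnets, the DMZ host address
# and the forwarded port list are assumptions; change them to match your network.

IPT="${IPT:-iptables}"        # point IPT at a logging function for a dry run
WAN_IF="${WAN_IF:-eth0}"      # to the DSL modem
LAN_IF="${LAN_IF:-eth1}"      # trusted machines (your friend's box)
DMZ_IF="${DMZ_IF:-eth2}"      # the machine with forwarded ports lives here
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_HOST="${DMZ_HOST:-192.168.2.10}"
FWD_TCP_PORTS="${FWD_TCP_PORTS:-27015 27016 27017}"   # example ports to expose

build_rules() {
    # Default deny for everything routed through the box; each allow below is explicit.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F

    # Replies to connections allowed below may flow back in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN may start connections anywhere: the Internet, and the DMZ host (to manage it).
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # DMZ may NOT start connections into the LAN. This rule sits before the DMZ allow,
    # so a compromised DMZ host only ever sees replies to what the LAN initiated.
    $IPT -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -j DROP
    # DMZ may reach the Internet.
    $IPT -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -j ACCEPT

    # Internet may reach the DMZ host only on the forwarded ports: DNAT plus a matching
    # FORWARD allow. New inbound connections are logged so they can be reviewed later.
    for p in $FWD_TCP_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$DMZ_HOST"
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" --dport "$p" \
            -m conntrack --ctstate NEW -j LOG --log-prefix "FWD-DMZ: "
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Hide both inside networks behind the WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Run as root on the firewall box:  sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

The order of the two DMZ rules is the whole point: the drop for DMZ-to-LAN traffic is evaluated before the DMZ-to-Internet accept, and the only DMZ-to-LAN packets that pass are replies matched by the ESTABLISHED,RELATED rule. Set IPT to a shell function that echoes its arguments to review the generated rules without touching a live box.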
reply to krygen:
If you're willing to fork out $ for a REAL firewall, a Netscreen 5GT will do exactly what you want in the Home/Office configuration. 1 WAN port, 2 HOME ports, and 2 OFFICE ports. Machines in the HOME zone can connect to the 'net, but not to any machines in the OFFICE zone. OFFICE zone machines can, however, connect to HOME zone machines.

I guess I'm taking exception to your term "REAL" firewall. Are you trying to imply something? I believe the poster is more interested in the concepts behind isolating a HOME network. The Netscreen may be a great router, but I believe it's overkill.

gt7697c, reply to krygen:
A simple solution that I have implemented for quite some time now is running 2 routers. This allows me to have one network segment for my servers and a second network segment for my LAN systems.
Basically the setup is WAN to Router 1, Router 1 to servers (game, web, etc.), Router 2 to LAN-based systems. Should the servers become compromised, the LAN systems are very well protected. The servers cannot talk to the LAN systems at all, which is how I like it. In fact I have 3 segments thanks to my new modem which has a built-in router in it... all I have to do is hook a spare switch up and... bam!!!... another segment. :)
-- Just my 2 bits.

krygen:
wow... thanks for the great advice so far guys.
downtown, I'm using NIS2004 Pro. Haven't had too many problems with it so I've just decided to keep it because I like its integration with NAV.
I'm not sure if I really want to get new hardware, probably not a dedicated 'nix box either. Although I do realize that to be completely safe I will need to do something like that.
I was going to maybe get a copy of the Sygate personal firewall to install on his system because of its ability to thwart network attacks (or so I've been told). Think that will be enough protection?
gt7697c - good idea, that had occurred to me before, but how exactly are you getting it to work? Are you splitting the line from your modem and feeding each one into a router?
Also, just to throw one more question into the mix since you guys are such good help...
Will forwarding the ports on that machine be safe? Let's say I forward a range of about 15 ports, and run NIS2004. Is the machine likely to be compromised?
thanks again

Sygate seems to be a good choice for a software firewall. But there are lots of posts on this forum regarding software firewalls. Again it comes back to what you're comfortable with.
GT has a pretty slick setup. I think what he's referring to:
(WAN) - router - (DMZ - your computer) - router - (LAN - your buddy's computer). You connect the LAN router to the DMZ router. That way he can connect to you (if he wants), but you can't connect to him. I'll leave this part for GT to explain because he's familiar with the setup.
Now for your port forwarding question. Obviously it would be more secure if you didn't, but that wouldn't be any fun. It depends what services you plan to expose. If it's for a game, I can't see it being a problem.
If you end up forwarding ports, keep a close eye on your logs. You could also configure your router to only forward ports when you need to run the service (i.e. not 24/7).
Good luck
downtown

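"Keep a close eye on your logs" is easier with a little tooling, so here is an added example (not code from the thread or any of its posters) that summarizes who is hitting the forwarded ports. It assumes the forwarding firewall writes an iptables LOG line with the prefix "FWD-DMZ: " for every new inbound connection (an assumption about the setup, not something the thread states); the log lines embedded below are constructed for the example, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the thread): summarize hits on forwarded ports from
# iptables LOG lines. Assumes a LOG rule with prefix "FWD-DMZ: " on inbound forwards.
# SAMPLE_LOG is constructed test data in syslog/iptables format, not a real capture.

SAMPLE_LOG='Mar  3 01:12:07 fw kernel: FWD-DMZ: IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=192.168.2.10 PROTO=TCP SPT=51234 DPT=27015 SYN
Mar  3 01:12:09 fw kernel: FWD-DMZ: IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=192.168.2.10 PROTO=TCP SPT=51235 DPT=27016 SYN
Mar  3 01:13:44 fw kernel: FWD-DMZ: IN=eth0 OUT=eth2 SRC=198.51.100.77 DST=192.168.2.10 PROTO=TCP SPT=40000 DPT=27015 SYN
Mar  3 01:13:45 fw kernel: FWD-DMZ: IN=eth0 OUT=eth2 SRC=198.51.100.77 DST=192.168.2.10 PROTO=TCP SPT=40001 DPT=27015 SYN
Mar  3 01:13:46 fw kernel: FWD-DMZ: IN=eth0 OUT=eth2 SRC=198.51.100.77 DST=192.168.2.10 PROTO=TCP SPT=40002 DPT=27015 SYN
Mar  3 01:14:00 fw kernel: OTHER: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 PROTO=TCP SPT=1 DPT=22 SYN'

# Read log lines on stdin; print "count source dport" for every (SRC, DPT) pair
# seen on FWD-DMZ lines, busiest first. Lines with other prefixes are ignored.
# Usage: summarize_forward_hits < /var/log/messages
summarize_forward_hits() {
    awk '
        /FWD-DMZ: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Print the source addresses that hit a single forwarded port at least N times
# (default 3) within the log read on stdin: repeated connects to one port from one
# address is the pattern of a scanner or brute-forcer rather than a player joining.
noisy_sources() {
    threshold="${1:-3}"
    summarize_forward_hits | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demo over the constructed sample:  sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_forward_hits
    printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
fi
```

Pipe the real log in place of the sample (e.g. `grep FWD-DMZ /var/log/messages | noisy_sources 5`) and feed the addresses it prints into the router's block list; the threshold is a judgement call that depends on how busy the exposed service normally is.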
gt7697c, reply to krygen:
No, I am not splitting the line at this time.
In the setup that I have, Router 1 receives the WAN connection and then shares the WAN connection with Router 2. This allows me to manage the servers from the LAN side, and it allows protection should the server side get infected. While I don't have a true DMZ for the servers or my LAN systems... I do still have a DMZ. (Or really I have something that marketing for these routers calls a DMZ.) I have never had to use the DMZ for the routers, I just simply forward the necessary ports. This allows for added protection, as a DMZ means everything is open to that 1 machine or system, while port forwarding means only a limited number of ports are open to the system or machine; the rest are still blocked.
So in essence Router 2 is assigned an IP on Router 1's subnet for Router 2's WAN connection. Router 2's LAN IP is different than Router 1's LAN IP.
HTH. :)
-- Just my 2 bits.

krygen:
ah.. didn't know you could connect 2 routers like that. I really should give it a try

reply to gt7697c:
One more thing; if you have any tinfoil hats lying around the house:
You could try forwarding the ports you want. But instead of running the services you want, you could pick up PortPeeker, a slick program by LinkLogger: www.linklogger.com/portpeeker.htm. Bind PortPeeker to those forwarded ports and see what activity it picks up. This will give you an idea of possible nasties trying to connect to you.

gt7697c:
You did a good job of explaining my setup, I better go break out the tin foil hat now and hide under my server... or better yet hide my servers. :)
__________
Speaking of tin foil hats, if you don't want your buddy to be able to connect to you, set up the software firewall to block him from connecting and learning how to hack/exploit your system. Please read my comments below. Thanks. :)
-- Just my 2 bits.

haloJ, reply to krygen:
Does anyone know of port watchers that can watch a range of ports?

reply to krygen:
You could forward a range of ports to a specific port which PortPeeker is bound to.

skelet0r, reply to gt7697c:
Doesn't sound like much of a buddy if he is trying to hack your system

skelet0r, reply to krygen:
You can connect two routers to two hubs to two switches to two bridges, if you want to.

gt7697c, reply to skelet0r:
It was not intended to sound as if I have a buddy trying to hack a system, or that I was trying to hack a system.
What I was saying is that Router 2 is above Router 1 in the configuration. Therefore Router 2 can access systems in Router 1 and can also access the modem. Router 1 can access the modem, but cannot access Router 2's systems. Since I do not know Krygen's buddy, I thought I would try to point that out. From the looks of how I worded it I didn't get my point across.
To stop that activity/behavior you would configure a software firewall to block any connection attempts from Router 2's IP subnet, and it would stop any malicious activities either by: person (from Router 2 accessing the system in Router 1), virus, trojan, or spam.
This only affects systems in Router 1, not Router 2, if anyone uses my configuration. However it is not a problem for me as I am the only one that 1. knows about the setup and is bright enough to go looking around the network to find anything at my house, and 2. is the only one who manages it.
HTH. :)
-- Just my 2 bits.