Re: Isolating a System on a Home Network
Wow... thanks for the great advice so far, guys.
downtown, I'm using NIS2004 Pro. I haven't had too many problems with it, so I've just decided to keep it because I like its integration with NAV.
I'm not sure if I really want to get new hardware, and probably not a dedicated 'nix box either, although I do realize that to be completely safe I will need to do something like that.
I was maybe going to get a copy of the Sygate Personal Firewall to install on his system because of its ability to thwart network attacks (or so I've been told). Think that will be enough protection?
gt7697c - good idea; that had occurred to me before, but how exactly are you getting it to work? Are you splitting the line from your modem and feeding each one into a router?
Also, just to throw one more question into the mix since you guys are such good help...
Will forwarding the ports on that machine be safe? Let's say I forward a range of about 15 ports and run NIS2004. Is the machine likely to be compromised?
Thanks again
Sygate seems to be a good choice for a software firewall. But there are lots of posts on this forum regarding software firewalls. Again, it comes back to what you're comfortable with.
Gt has a pretty slick setup. I think this is what he's referring to:
(WAN) - router - (DMZ - your computer) - router - (LAN - your buddy's computer). You connect the LAN router to the DMZ router. That way he can connect to you (if he wants), but you can't connect to him. I'll leave this part for GT to explain because he's familiar with the setup.
Now for your port-forwarding question. Obviously it would be more secure if you didn't, but that wouldn't be any fun. It depends on what services you plan to expose. If it's for a game, I can't see it being a problem.
If you end up forwarding ports, keep a close eye on your logs. You could also configure your router to only forward ports when you need to run the service (i.e. not 24/7).
Good luck
downtown
gt7697c (Premium, join date 2001-02-16, The Hive), replying to krygen:
No I am not splitting the line at this time.
In the setup that I have, Router 1 receives the WAN connection and then shares the WAN connection with Router 2. This allows me to manage the servers from the LAN side, and it allows protection should the server side get infected.
While I don't have a true DMZ for the servers or my LAN systems... I do still have a DMZ. (Or really I have something that marketing for these routers calls a DMZ.) I have never had to use the DMZ on the routers; I just simply forward the necessary ports. This allows for added protection, as a DMZ means everything is open to that one machine or system, while port forwarding means only a limited number of ports are open to the system or machine and the rest are still blocked.
So in essence, Router 2 is assigned an IP address from Router 1's subnet for Router 2's WAN connection. Router 2's LAN IP is different from Router 1's LAN IP.
HTH. :) -- Just my 2 bits.
One more thing, if you have any tinfoil hats lying around the house.
You could try forwarding the ports you want, but instead of running the services you want, you could pick up portpeeker, a slick program by LinkLogger (www.linklogger.com/portpeeker.htm). Bind portpeeker to those forwarded ports and see what activity it picks up. This will give you an idea of possible nasties trying to connect to you.
gt7697c (Premium, join date 2001-02-16, The Hive), 1 edit:
You did a good job of explaining my setup. I'd better go break out the tin foil hat now and hide under my server... or better yet, hide my servers. :)
__________
Speaking of tin foil hats, if you don't want your buddy to be able to connect to you, set up the software firewall to block him from connecting and learning how to hack/exploit your system. Please read my comments below. Thanks. :) -- Just my 2 bits.
skelet0r (Premium, join date 2004-04-26, Florence, AL):
Doesn't sound like much of a buddy if he is trying to hack your system.
gt7697c (Premium, join date 2001-02-16, The Hive):
It was not intended to sound as if I have a buddy trying to hack a system, or that I was trying to hack a system.
What I was saying is that Router 2 is above Router 1 in the configuration. Therefore Router 2 can access systems on Router 1 and can also access the modem. Router 1 can access the modem, but cannot access Router 2's systems. Since I do not know krygen's buddy, I thought I would try to point that out. From the looks of how I worded it, I didn't get my point across.
To stop that activity/behavior, you would configure a software firewall to block any connection attempts from Router 2's IP subnet, and it would stop any malicious activity, whether by a person (from Router 2 accessing the system on Router 1), a virus, a trojan, or spam.
This only affects systems on Router 1, not Router 2, if anyone uses my configuration. However, it is not a problem for me, as I am the only one who 1. knows about the setup and is bright enough to go looking around the network to find anything at my house, and 2. manages it.
HTH. :) -- Just my 2 bits.
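The two-router layout gt7697c and downtown describe (Router 2's WAN port plugged into Router 1's LAN, each router with its own LAN subnet) and the software-firewall rule from gt7697c's last post, modelled as an added example that is not code from the thread. The addresses (203.0.113.7 for Router 1's WAN, 192.168.1.0/24 and 192.168.2.0/24 for the two LANs, 192.168.1.2 for Router 2's WAN, 192.168.1.50 and 192.168.2.10 for the two PCs), the function names, and the 198.51.100.9 outside host are assumptions. The model also assumes what consumer routers normally do but the thread does not spell out: each router source-NATs traffic leaving its LAN and drops a new connection arriving on its WAN unless a port forward exists. Only the first packet of a new TCP connection is traced, so return traffic is not modelled.

```python
"""Added model of the thread's two-router layout (assumed addresses):

  internet -- [WAN 203.0.113.7] Router 1 [LAN 192.168.1.0/24] -- krygen 192.168.1.50
                                               |
                    [WAN 192.168.1.2] Router 2 [LAN 192.168.2.0/24] -- buddy 192.168.2.10
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    wan_ip: str
    lan: ipaddress.IPv4Network
    forwards: dict = field(default_factory=dict)   # dst port -> LAN host that receives it


def build_topology():
    r1 = Router("Router 1", "203.0.113.7", ipaddress.ip_network("192.168.1.0/24"))
    r2 = Router("Router 2", "192.168.1.2", ipaddress.ip_network("192.168.2.0/24"))
    return [r1, r2]


def segment_of(routers, ip):
    """The router whose LAN contains ip, or None for the public side."""
    addr = ipaddress.ip_address(ip)
    return next((r for r in routers if addr in r.lan), None)


def trace(routers, src_ip, dst_ip, dport, host_blocklists=None):
    """Follow a new TCP SYN from src_ip to dst_ip:dport hop by hop.

    host_blocklists maps a host IP to the CIDR strings its software firewall
    rejects.  Returns (verdict, hops)."""
    host_blocklists = host_blocklists or {}
    cur_src, cur_dst, seg = src_ip, dst_ip, segment_of(routers, src_ip)
    hops = []
    for _ in range(2 * len(routers) + 1):           # bounded walk, no infinite loop
        # (1) addressed to a router's WAN interface that sits on this segment
        inbound = next((r for r in routers if r.wan_ip == cur_dst
                        and segment_of(routers, r.wan_ip) is seg), None)
        if inbound is not None:
            target = inbound.forwards.get(dport)
            if target is None:
                hops.append(f"{inbound.name}: unsolicited port {dport} on WAN, dropped")
                return "DROPPED", hops
            hops.append(f"{inbound.name}: port {dport} forwarded to {target}")
            cur_dst, seg = target, inbound          # now travelling on that router's LAN
            continue
        if seg is None:
            # (2) on the public side and not aimed at any router: either it leaves the
            # home network or it is a private LAN address nothing outside can route to
            private = any(ipaddress.ip_address(cur_dst) in r.lan for r in routers)
            hops.append(f"{cur_dst}: " + ("no route from outside" if private
                                          else "left toward the internet"))
            return ("UNROUTABLE" if private else "EGRESS"), hops
        # (3) destination lives on this LAN: only the host's own firewall is left
        if ipaddress.ip_address(cur_dst) in seg.lan:
            for cidr in host_blocklists.get(cur_dst, []):
                if ipaddress.ip_address(cur_src) in ipaddress.ip_network(cidr):
                    hops.append(f"{cur_dst}: software firewall blocks source {cur_src}")
                    return "BLOCKED_BY_HOST", hops
            hops.append(f"{cur_dst}: accepted connection from {cur_src}")
            return "DELIVERED", hops
        # (4) leaving this LAN: the router source-NATs to its WAN address
        hops.append(f"{seg.name}: SNAT {cur_src} -> {seg.wan_ip}, out the WAN port")
        cur_src, seg = seg.wan_ip, segment_of(routers, seg.wan_ip)
    return "LOOP", hops


def demo():
    """The thread's claims, each reduced to a verdict."""
    routers = build_topology()
    r1, r2 = routers
    results = {
        # "he can connect to you": buddy behind Router 2 reaches krygen on Router 1's LAN
        "buddy_to_krygen": trace(routers, "192.168.2.10", "192.168.1.50", 445)[0],
        # "you can't connect to him": Router 1's side has no route into Router 2's LAN
        "krygen_to_buddy": trace(routers, "192.168.1.50", "192.168.2.10", 445)[0],
        # nothing forwarded on Router 1: outside connections die at the WAN
        "internet_to_krygen_no_forward": trace(routers, "198.51.100.9", "203.0.113.7", 3389)[0],
    }
    r1.forwards[3389] = "192.168.1.50"              # the "forward a port" case
    results["internet_to_krygen_forwarded"] = trace(routers, "198.51.100.9", "203.0.113.7", 3389)[0]
    # gt7697c's rule: krygen's software firewall rejects Router 2's WAN address
    blocklist = {"192.168.1.50": [r2.wan_ip + "/32"]}
    results["buddy_blocked_by_host_fw"] = trace(routers, "192.168.2.10", "192.168.1.50", 445, blocklist)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

Two things the trace makes visible that the prose only implies: the asymmetry comes entirely from Router 2's NAT, so the moment a port is forwarded on Router 2 the buddy's machine becomes reachable from krygen's side too; and the host firewall rule has to match Router 2's WAN address (the NATed source), not the buddy's 192.168.2.x address, because that is what krygen's PC actually sees.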