rave80

How to create a one way network link between 2 computers?

How can I create a one-way (unidirectional) network link between 2 computers A and B? I want to allow computer A to be able to transmit to computer B and computer B to receive only, but I don't want computer B to transmit to computer A.
So to speak, computer A transmits only, computer B receives only. Please advise and thanks in advance.
It would greatly help me if someone could advise me with a hardware solution.

Thanks guys...
SOLUTION
svenkarlsen

This solution is only available to members.
rave80

ASKER

I need this kind of setup because I need to implement some sort of a data diode where information flows from an internal network to an external network without the external network being able to access the internal network.
You should probably look at some firewall solution, - your specification is to week for me to give any further advice.
rave80

ASKER

Sorry svenkarlsen, what do you mean by my specification is "to week" for you?
pardon my british, - I meant to write 'vague'
ShineOn
What OS are these computers running?

The most "generic" solution I would be able to recommend is FTP.  Computer B runs an FTP server, with authentication and user rights.  The user on computer A logs on to computer B's FTP server, and is only granted "write" rights to a specific folder/directory.

There is still some 2-way communication related to the connection, but that is all.  If you give nobody rights to anything except the specific user that Computer A uses, and that user has only write permissions, it is relatively secure.
What you say about a "data diode" that only allows internal network traffic to flow to external and vice-versa, then you are talking about a firewall.  There are firewall appliances where they are purchased as a piece of hardware, but there is still software involved.
rave80

ASKER

ShineOn,
I understand that using a hardware firewall will work but it's too expensive. I tried a solution myself. Please advise me on whether it is feasible?

The 2 comp are using w2k OS and consist of one NIC each. So I thought I can use a special RJ45 cable with its tx+ and tx- connected to computer B's NIC rx+ and rx- but computer B's NIC tx+ and tx- is not connected. In order to keep the transmitting comp A NIC alive, I tap comp A's NIC tx+ and tx- to its rx+ and rx-. Therefore to w2k, it appears as a valid network connection. Then I use UDP to send some packets from comp A to B. Will it work?

Please advise. Thanks a million.
SOLUTION
This solution is only available to members.
Is there more than one PC involved in this link?

If not, if it's just a one-to-one connection, then you should be able to use the Windows file system security and user authentication to block access.

Give the user for Computer A write rights only to a specific location on Computer B.  Disable file sharing on Computer A.
rave80

ASKER

Thanks MAXQ but I have to do a layer 1 solution because if I put a firewall s/w on the sending machine, it can be easily disabled to allow information to flow back.

My application involves someone transferring files to comp A and comp A will transfer those files to comp B and comp B will forward to another network.

I don't want those people that are transferring files to comp A to be able to retrieve anything from the network connected to comp B, therefore I do not want comp B to be able to send back anything. As the users have access to comp A, they can easily disable the firewall.

ShineOn, you are talking about read write access to specific location but I am searching for solutions that forbid comp B to even ping comp A.
What you want, then, is to install a ZIP drive on both PCs and have the person from PC A put the data to a ZIP disk and carry it over to the person on PC B and hand it to them.

Networks flow both ways.  If you don't grant admin or power-user rights to any users on computer A they shouldn't be able to stop services or alter permissions.
You're asking for an easy-out, hackproof, layer-1 firewall that will pass certain protocols in one direction (which automatically takes it to Layer 3), and want it installed so a multi-user, unsecured PC is secured from a downstream PC.  Interesting thought, and if you can figure it out you can make a fortune, but I don't think it's doable within the parameters you have provided.

If you want to do what you say you want to do, you need to install either a separate firewall between the two, or a software firewall on the multi-user unsecured PC.  If you can't afford the separate firewall, then your best option will be the software firewall.  That means you will have to figure out a way to make that PC secure from its users, which is *very* possible with Win2K.
Oh, another thought -

You mentioned that each PC has one NIC.  If that is the case, how will "computer X" connect to "computer A" to send data to "computer A" if the only NIC is connecting "computer A" to "computer B," and how will "computer B" send data elsewhere if its only NIC is connected to "computer A?"  Do they each have modems for the other transactions, or mainframe emulation cards, or something?

Seems to me that you left something out.   What is the REAL connectivity for both comp A and comp B?  It may be a matter of NICs and networks rather than firewalls.

If you aren't routing through comp A to comp B and they are on separate networks, then comp x shouldn't be able to see comp B, much less access any network data beyond comp B - all comp x should be able to see is comp A.

Maybe if you told us exactly what your configuration is, we can help even more.  It may be easier than you think.
Depending on how you want to send the data from A to B - You could use TCP/IP filtering on computer A, then just permit the port that you want to send data through to computer B - also do the same on computer B.
bubz0r - that depends on other connectivity.  The Win2K filtering is not that strong as to discern specific ports from specific interfaces/addresses.

We still need to know the details of rave80's current setup and exactly what is envisioned within that framework.
rave80

ASKER

Thanks ShineOn and bubz0r. OK, I indeed left out something. Here is my actual setup.
 _____________                                                   _____________
|             |                                                 |             |
|  Network A  |------comp A(x.x.x.x)------comp B(x.x.x.y)------|  Network B  |
|_____________|                                                 |_____________|

In comp A, there's supposed to be 2 NICs, one connecting to Network A, the other to comp B.
In comp B, there's also 2 NICs, one connecting to comp A, the other to Network B.

Client PCs are in Network A, so they will dump files to comp A. Then in comp A, there's supposed to be a software responsible to grab the files and transfer them to comp B.
In comp B, there's supposed to be another program responsible to receive the files and put them in a local directory. So the clients in Network B will tcp to comp B to retrieve the saved files.

So now, clients in network A are able to see comp A thru network neighbourhood and they can physically access comp A. So if comp A and B are networked using tcp/ip then a user accessing comp A will be able to PING comp B, right? So they can access comp B even though none of its folders are shared. There's the thing I wish to prevent. I do not want them to be able to PING comp B but at the same time, files are needed to transfer to comp B.

Please advise.
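
The one-way UDP transfer rave80 describes (a sender program on comp A, a receive-only program on comp B) cannot use acknowledgements or retransmission requests, so the sender has to number and repeat its datagrams and the receiver has to verify the file on its own. A sketch of that framing, added here as an example and not taken from any poster's solution; the header layout, `CHUNK` size, repeat count and all function names are assumptions:

```python
import hashlib
import socket
import struct

HEADER = struct.Struct("!II32s")  # sequence no., total chunks, SHA-256 of whole file
CHUNK = 1024                      # payload bytes per datagram (assumed value)

def make_datagrams(data, repeats=3):
    """Sender (comp A): frame the file, then repeat every datagram."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    frames = [HEADER.pack(n, len(chunks), digest) + c for n, c in enumerate(chunks)]
    return frames * repeats  # no ACK can return, so loss is covered by repetition

def send(frames, addr):
    """Fire-and-forget UDP. On a true one-way link ARP replies cannot return,
    so comp A needs a static ARP entry for comp B's address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for frame in frames:
            s.sendto(frame, addr)

class Receiver:
    """Receiver (comp B): never transmits, only collects and verifies."""
    def __init__(self):
        self.chunks, self.total, self.digest = {}, None, None

    def feed(self, datagram):
        if len(datagram) < HEADER.size:
            return  # runt datagram
        seq, total, digest = HEADER.unpack_from(datagram)
        if self.total is None:
            self.total, self.digest = total, digest
        if (total, digest) != (self.total, self.digest) or seq >= total:
            return  # different transfer or malformed header
        self.chunks.setdefault(seq, datagram[HEADER.size:])  # duplicates ignored

    def result(self):
        """File bytes, or None if a chunk is missing or the hash does not match."""
        if self.total is None or len(self.chunks) != self.total:
            return None
        data = b"".join(self.chunks[i] for i in range(self.total))
        return data if hashlib.sha256(data).digest() == self.digest else None

if __name__ == "__main__":
    sample = b"constructed sample file contents\n" * 100  # constructed input
    rx = Receiver()
    for i, frame in enumerate(make_datagrams(sample)):
        if i % 5:  # simulate the link dropping every fifth datagram
            rx.feed(frame)
    print(rx.result() == sample)
```

The hash only detects loss and corruption; it does not authenticate the sender.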
ASKER CERTIFIED SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
What is the risk involved in pinging?  Is computer B in the hands of a gang of hackers?  I don't mean to minimize your security concerns, but in a networked environment, you must have limits, especially if you want to spend a minimum of money on the solution.  A software firewall on Computer A, with no rights to it or any other services granted to anyone that logs onto Computer A, would serve your purpose.  It could block all traffic except outgoing FTP, and nobody but the Administrator would be able to stop the firewall service.

What else could your organization possibly want, beyond forcing people to walk back and forth with ZIP disks?
... just delete ping.exe :)
There are other things that can be done to further secure the environment.  Things like disabling unnecessary protocols, and disabling services that are not needed for the process.  Every service you disable is another potential exploit removed.
rave80

ASKER

Sorry ShineOn and bubz0r, thanks for offering me solutions.
Anyway I've designed a hardware and software solution which does exactly what I wanted to do initially. It's a foolproof solution and nothing can be done to compromise it. There's absolutely only a one way connection to comp B. If any of you guys are interested, maybe we can get together and package it into a marketable solution. My email is ZeuX80@gmail.com
I've given points to those who have helped me regarding this question. Thanks everybody.
rave80

ASKER

Not to forget maxQ and svenkarlsen, Thanks guys. Hope you guys are satisfied with the points I give. Thanks!