Solved

How to create a one way network link between 2 computers?

Posted on 2003-11-02
Last Modified: 2012-08-30
How can I create a one-way (unidirectional) network link between 2 computers, A and B? I want computer A to be able to transmit to computer B and computer B to receive only, but I don't want computer B to transmit to computer A.
So to speak, computer A transmits only, computer B receives only. Please advise and thanks in advance.
It would greatly help me if someone could advise me with a hardware solution.

Thanks guys...
Question by: rave80
 
Assisted Solution by svenkarlsen (LVL 9, earned 20 points):
It would be rather hard to make a hardware solution, because the principle of networking includes some bi-directional communication regardless of which way the traffic goes.

What do you need it for? Perhaps there is an alternative...

Author Comment by rave80:
I need this kind of setup because I need to implement some sort of a data diode, where information flows from an internal network to an external network without the external network being able to access the internal network.

Expert Comment by svenkarlsen (LVL 9):
You should probably look at some firewall solution, - your specification is to week for me to give any further advice.

Author Comment by rave80:
Sorry svenkarlsen, what do you mean by my specification is "to week" for you?

Expert Comment by svenkarlsen (LVL 9):
Pardon my British, I meant to write 'vague'.

Expert Comment by ShineOn (LVL 35):
What OS are these computers running?

The most "generic" solution I would be able to recommend is FTP.  Computer B runs an FTP server, with authentication and user rights.  The user on computer A logs on to computer B's FTP server, and is only granted "write" rights to a specific folder/directory.

There is still some 2-way communication related to the connection, but that is all.  If you give nobody rights to anything except the specific user that Computer A uses, and that user has only write permissions, it is relatively secure.

Expert Comment by ShineOn (LVL 35):
What you say about a "data diode" that only allows internal network traffic to flow to external, and vice-versa, means you are talking about a firewall.  There are firewall appliances that are purchased as a piece of hardware, but there is still software involved.

Author Comment by rave80:
ShineOn,
I understand that using a hardware firewall will work, but it's too expensive. I tried a solution myself. Please advise me on whether it is feasible.

The 2 computers are using the W2K OS and have one NIC each, so I thought I could use a special RJ45 cable with its TX+ and TX- connected to computer B's NIC RX+ and RX-, but with computer B's NIC TX+ and TX- not connected. In order to keep the transmitting comp A's NIC alive, I tap comp A's NIC TX+ and TX- to its own RX+ and RX-. Therefore, to W2K, it appears as a valid network connection. Then I use UDP to send some packets from comp A to B. Will it work?

Please advise. Thanks a million.
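The UDP idea in the post above has a catch that the thread does not spell out: on a true one-way link the receiver can never ask for a resend, so the sender has to make every datagram self-describing and the receiver has to decide on its own whether a file is complete and intact. The block below is an added example, not code from the thread or from any product named here; the header layout, the DIOD magic value, the CHUNK size and the CRC32-plus-SHA-256 scheme are my own assumptions.

```python
# Added example, not code from the original thread: framing a file for a
# one-way UDP link. The receiver can never ACK, so each datagram must be
# self-describing (transfer id, sequence number, total count, CRC32 of its
# payload) and the last datagram carries a SHA-256 of the whole file.
# Pure functions so it runs offline; a sender would hand each datagram to
# socket.sendto() in order on the transmit-only interface.
import hashlib
import struct
import zlib

HDR = struct.Struct("!4sIIII")  # magic, transfer id, seq, total, crc32
MAGIC = b"DIOD"                 # assumed marker, not a real protocol
CHUNK = 1024                    # payload bytes per datagram (assumed < MTU)


def frame(transfer_id, data, chunk=CHUNK):
    """Split data into datagrams; the final one holds the file hash."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    chunks.append(hashlib.sha256(data).digest())  # trailer datagram
    total = len(chunks)
    return [HDR.pack(MAGIC, transfer_id, seq, total, zlib.crc32(p)) + p
            for seq, p in enumerate(chunks)]


def reassemble(datagrams):
    """Return (data, problems): data is None unless every datagram arrived
    intact and the trailer hash matches; problems is what the receiver logs."""
    parts, problems, total = {}, [], None
    for dg in datagrams:
        if len(dg) < HDR.size or dg[:4] != MAGIC:
            problems.append("malformed datagram ignored")
            continue
        _, _tid, seq, tot, crc = HDR.unpack_from(dg)
        payload = dg[HDR.size:]
        if zlib.crc32(payload) != crc:
            problems.append(f"seq {seq}: payload checksum mismatch")
            continue
        total = tot
        parts[seq] = payload  # out-of-order or repeated datagrams are fine
    if total is None:
        return None, problems + ["no usable datagrams"]
    missing = [s for s in range(total) if s not in parts]
    if missing:
        return None, problems + [f"missing seq {missing}"]
    data = b"".join(parts[s] for s in range(total - 1))
    if hashlib.sha256(data).digest() != parts[total - 1]:
        return None, problems + ["file hash mismatch"]
    return data, problems
```

Because nothing can be sent back, the only way to recover a lost datagram is for the sender to repeat the whole transfer on a schedule; the receiver then treats a clean reassembly as the trigger to move the file onward.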

Assisted Solution by MaxQ (LVL 3, earned 20 points):
You really don't want to do a layer 1 (physical layer) solution here.  Put a personal firewall package on the sending machine to protect it from the receiving one.  Some of them are even free for personal use.  Links:

http://www.kerio.com/kpf_home.html
http://www.zonelabs.com
http://blackice.iss.net/product_pc_protection.php


Expert Comment by ShineOn (LVL 35):
Is there more than one PC involved in this link?

If not, if it's just a one-to-one connection, then you should be able to use the Windows file system security and user authentication to block access.

Give the user for Computer A write rights only to a specific location on Computer B.  Disable file sharing on Computer A.

Author Comment by rave80:
Thanks MaxQ, but I have to do a layer 1 solution because if I put firewall s/w on the sending machine, it can be easily disabled to allow information to flow back.

My application involves someone transferring files to comp A; comp A will transfer those files to comp B, and comp B will forward them to another network.

I don't want those people who are transferring files to comp A to be able to retrieve anything from the network connected to comp B, therefore I do not want comp B to be able to send back anything. As the users have access to comp A, they can easily disable the firewall.

ShineOn, you are talking about read/write access to a specific location, but I am searching for solutions that forbid comp B from even pinging comp A.

Expert Comment by ShineOn (LVL 35):
What you want, then, is to install a ZIP drive on both PCs and have the person from PC A put the data to a ZIP disk and carry it over to the person on PC B and hand it to them.

Networks flow both ways.  If you don't grant admin or power-user rights to any users on computer A they shouldn't be able to stop services or alter permissions.

Expert Comment by ShineOn (LVL 35):
You're asking for an easy-out, hackproof, layer-1 firewall that will pass certain protocols in one direction (which automatically takes it to Layer 3), and want it installed so a multi-user, unsecured PC is secured from a downstream PC.  Interesting thought, and if you can figure it out you can make a fortune, but I don't think it's doable within the parameters you have provided.

If you want to do what you say you want to do, you need to install either a separate firewall between the two, or a software firewall on the multi-user unsecured PC.  If you can't afford the separate firewall, then your best option will be the software firewall.  That means you will have to figure out a way to make that PC secure from its users, which is *very* possible with Win2K.

Expert Comment by ShineOn (LVL 35):
Oh, another thought -

You mentioned that each PC has one NIC.  If that is the case, how will "computer X" connect to "computer A" to send data to "computer A" if the only NIC is connecting "computer A" to "computer B," and how will "computer B" send data elsewhere if its only NIC is connected to "computer A?"  Do they each have modems for the other transactions, or mainframe emulation cards, or something?

Seems to me that you left something out.   What is the REAL connectivity for both comp A and comp B?  It may be a matter of NICs and networks rather than firewalls.

If you aren't routing through comp A to comp B and they are on separate networks, then comp x shouldn't be able to see comp B, much less access any network data beyond comp B - all comp x should be able to see is comp A.

Maybe if you told us exactly what your configuration is, we can help even more.  It may be easier than you think.

Expert Comment by bubz0r:
Depending on how you want to send the data from A to B, you could use TCP/IP filtering on computer A and just permit the port that you want to send data through to computer B; also do the same on computer B.

Expert Comment by ShineOn (LVL 35):
bubz0r - that depends on other connectivity.  The Win2K filtering is not strong enough to discern specific ports from specific interfaces/addresses.

We still need to know the details of rave80's current setup and exactly what is envisioned within that framework.

Author Comment by rave80:
Thanks ShineOn and bubz0r. OK, I indeed left out something. Here is my actual setup.

 ______________                                                    _____________
|              |                                                  |             |
|  Network A   |------comp A(x.x.x.x)------comp B(x.x.x.y)------|  Network B  |
|______________|                                                  |_____________|

In comp A, there are supposed to be 2 NICs, one connecting to Network A, the other to comp B.
In comp B, there are also 2 NICs, one connecting to comp A, the other to Network B.

Client PCs are in Network A, so they will dump files to comp A. Then in comp A, there is supposed to be software responsible for grabbing the files and transferring them to comp B.
In comp B, there is supposed to be another program responsible for receiving the files and putting them in a local directory. So the clients in Network B will TCP to comp B to retrieve the saved files.

So now, clients in Network A are able to see comp A through Network Neighbourhood and they can physically access comp A. So if comp A and B are networked using TCP/IP, then a user accessing comp A will be able to PING comp B, right? So they can access comp B even though none of its folders are shared. That's the thing I wish to prevent. I do not want them to be able to PING comp B, but at the same time, files need to be transferred to comp B.

Please advise.

Accepted Solution by ShineOn (LVL 35, earned 60 points):
Boy do I ever have a solution for you!

1)  Folx in Network A have access to Computer A on Nic A1.  They can write all they want to a specific location (and only that location) on Computer A. Call it folder A1.

2)  Computer A has a nifty set of software tools, from WilsonWindowWare.com, called WinBatch.  WinBatch, based on a scheduled execution, checks the location for files on Computer A.  If files exist, they get copied to a SEPARATE, SECURE FROM ANY NETWORK folder (call it A2) and deleted from A1.

3) Also on a schedule, after performing the file move in step 2, computer A connects to computer B using a secure FTP connection.  It sends whatever file(s) are in A2 to computer B, in location B1.

4)  Computer B has a secure FTP server running on the A/B connection.  It *only* allows incoming data from Computer A, from a specific user ID.

5)  Computer B, on a timed schedule, using WinBatch, checks for data in B1.  When it sees data there, it copies it to B2, which is a folder not accessible to the FTP client on Computer A.  On a regular basis, whenever data is in B2, another process running WinBatch on B will send the data in B2 to wherever it needs to go on Network B, using another secure login.

This way, the ONLY connection between comp A and comp B is a write-only FTP connection, plus the whole shot is automated. Would that work for you?

Assisted Solution by bubz0r (earned 30 points):
Looks good ShineOn, but what about Comp A pinging Comp B?  Sounds like a firewall still needs to be used on Comp B to block all traffic except ports 20 and 21.  But you'd need a firewall to either set specific open ports per NIC or set filters to only allow NIC A2's address to access NIC B1 on ports 20 and 21.

Unless you use TCP/IP filtering on NIC B1 and just permit 20 and 21.  Comp A will still be able to ping Comp B1, but as far as I know they can't do much else?

Expert Comment by ShineOn (LVL 35):
What is the risk involved in pinging?  Is computer B in the hands of a gang of hackers?  I don't mean to minimize your security concerns, but in a networked environment, you must have limits, especially if you want to spend a minimum of money on the solution.  A software firewall on Computer A, with no rights to it or any other services granted to anyone that logs onto Computer A, would serve your purpose.  It could block all traffic except outgoing FTP, and nobody but the Administrator would be able to stop the firewall service.

What else could your organization possibly want, beyond forcing people to walk back and forth with ZIP disks?

Expert Comment by bubz0r:
... just delete ping.exe :)

Expert Comment by ShineOn (LVL 35):
There are other things that can be done to further secure the environment.  Things like disabling unnecessary protocols, and disabling services that are not needed for the process.  Every service you disable is another potential exploit removed.

Author Comment by rave80:
Sorry ShineOn and bubz0r, thanks for offering me solutions.
Anyway, I've designed a hardware and software solution which does exactly what I wanted to do initially. It's a foolproof solution and nothing can be done to compromise it. There's absolutely only a one-way connection to comp B. If any of you guys are interested, maybe we can get together and package it into a marketable solution. My email is ZeuX80@gmail.com
I've given points to those who have helped me regarding this question. Thanks everybody.

Author Comment by rave80:
Not to forget MaxQ and svenkarlsen, thanks guys. Hope you are satisfied with the points I gave. Thanks!