Solved

Two separate networks sharing cables

Posted on 2003-12-01
309 Views
Last Modified: 2010-04-11
If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate and would that be a security risk?

Say, one configured on 192.168.0.*, and the other on 10.0.0.*. Could viruses or other attacks (eg. Blaster), spread from one network to the other?

And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80. Does this make the net vulnerable?

The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.
0
Question by:risoy
14 Comments
 
LVL 57

Expert Comment

by:Pete Long
Hi risoy,
Mmm, yes and no. If the two networks were on separate VLANs then the broadcast traffic that spreads viruses would be stopped; to do this you would need switching at layer 3 and trunking protocols, or a LOT of routers.

PeteL
0
 

Author Comment

by:risoy
Could you elaborate?
0
 
LVL 57

Expert Comment

by:Pete Long
I'll do my best :0)

Your best option is to physically separate the two networks and put a firewall in between them.

OR move each connection onto a separate switch and put a firewall/router between the two networks.

OR build VLANs (Virtual LANs). To do this you will need switches that can operate at layer 3 (network layer); usually switches operate at layer 2 (data link layer). If I've just confused you, do a Google search on OSI MODEL.

A VLAN splits a physical LAN up into two or more virtual LANs; this is usually done to cut down broadcast traffic and make the network more efficient.

In a VLAN environment switches are connected together using TRUNKS, which carry the VLAN traffic to other switches and keep the traffic separate.

VLANs were designed to cut down on broadcast traffic, and as such will stop any virus that is propagated in this manner. BUT I would strongly advise going for option 1 or 2 above; in your case option 2 would work out cheaper.

Pete
0
 
LVL 57

Expert Comment

by:Pete Long
sheesh my typing is getting worse

PL
0
 
LVL 24

Expert Comment

by:SunBow
It really depends on a lot. For common little hubs, you can have any address you want, and they'll communicate on the same wire. For a sophisticated switch, it may censor a subnet - does it have an address? Does it also route?

Depends. Example: 10.0.0.* is an internal address, not routable, so most attacks for IP addresses will ignore them as unfindable. However, if you connect to the internet, and have a proxy that converts or pretends that the address is routable, then yes, the internet IP attack will find you.

> And if you have one computer with two NICs, each configured for each range

That is a little incomplete, but as-is, it fairly looks like a "routing", or router configuration, which can thus block communication between the two subnets unless it is also configured to route, which is often not a very good thing to do, except when you manage it well.

> only allowing for communication on port 80. Does this make the net vulnerable?

Um, shall we say that port 80 is among the top vulnerabilities? That good enough for you?

> and a software firewall

Using SW firewall on each unit is a very good step, if they are not old and very slow PCs.  Configure them to block everything, then open up only what you have to.

Your best defense for now btw is to get every piece of SW from Microsoft upgraded to each patch level. No matter what. It is cheap except for the excessive personal and connection time required. But essential, very essential.
0
 
LVL 18

Expert Comment

by:chicagoan
> If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate

As they're on different subnets, TCP/IP traffic would have to pass through a router.
You see this sometimes where unplanned expansion required quick addition of a non-contiguous subnet, or where admins want to keep SNMP or other network management traffic separate (on the cheap).

> and would that be a security risk?

All one would have to do would be to change their IP address to communicate directly with the other nodes.
Broadcast traffic, IPX, NetBIOS and layer 2 would also be passed.
Short answer - it ain't good.

> Say, one configured on 192.168.0.*, and the other on 10.0.0.*. Could viruses or other attacks (eg. Blaster), spread from one network to the other?

Exploits using TCP/IP would have to pass through the router. Layer 2 exploits would not.

> And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80.

You're describing a router or firewall; if it was properly configured it would mitigate exposure.

> Does this make the net vulnerable?

It depends on if what's listening on port 80 has vulnerabilities.

> The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.

Unless you're using coax, you're in a star or extended star environment.
Recabling (if you're using hubs or low end switches), routing or VLANs are a more standard and secure method of segregating traffic.
0
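To make the answer above concrete, here is a small added model (not code from the thread or from any of the posters) of the exact setup in the question: an admin subnet and a production subnet on one hub, no router, and one dual-homed web server whose host firewall accepts only TCP port 80. Host names, addresses and the frame log are constructed for the example. It shows why an off-subnet IP packet simply never leaves the sending host when there is no route, why the port-80 web server is the only IP path, and why a broadcast frame (or a host that just adds an address in the other range) ignores the subnet boundary entirely.

```python
"""Toy model of two IP subnets sharing one hub with no router.

Added example, not code from the thread. Addresses and host names are
constructed; the only policy modelled is the one the question describes
(a dual-homed web server accepting TCP port 80 only).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    addrs: list[str]                      # interface addresses, CIDR form
    allow_ports: set[int] | None = None   # None = no host firewall
    default_gw: str | None = None         # None = no route off the local subnets
    seen: list[str] = field(default_factory=list)  # frames this NIC received

    def on_link(self, dst: str) -> bool:
        """Is dst inside one of this host's directly connected subnets?"""
        d = ipaddress.ip_address(dst)
        return any(d in ipaddress.ip_interface(a).network for a in self.addrs)

    def owns(self, dst: str) -> bool:
        d = ipaddress.ip_address(dst)
        return any(ipaddress.ip_interface(a).ip == d for a in self.addrs)


class Hub:
    """Layer-2 repeater: every frame reaches every attached NIC, whatever
    IP subnet that NIC happens to be configured for."""

    def __init__(self) -> None:
        self.hosts: list[Host] = []

    def attach(self, *hosts: Host) -> None:
        self.hosts.extend(hosts)

    def broadcast(self, src: Host, payload: str) -> int:
        """Deliver a broadcast frame to every other host; return the count."""
        receivers = [h for h in self.hosts if h is not src]
        for h in receivers:
            h.seen.append(f"bcast from {src.name}: {payload}")
        return len(receivers)


def ip_unicast(hub: Hub, src: Host, dst_ip: str, dport: int) -> str:
    """Outcome of src sending a TCP segment to dst_ip:dport.

    'no-route'  : dst is off-link and src has no gateway, so the stack never
                  puts a frame on the wire (a shared cable does not help IP
                  find an off-subnet destination)
    'filtered'  : the receiving host's firewall drops that port
    'delivered' : the segment reached the destination
    """
    if not src.on_link(dst_ip) and src.default_gw is None:
        return "no-route"
    for h in hub.hosts:
        if h.owns(dst_ip):
            if h.allow_ports is not None and dport not in h.allow_ports:
                return "filtered"
            h.seen.append(f"tcp/{dport} from {src.name}")
            return "delivered"
    return "no-route"


def scenario() -> dict[str, object]:
    """The setup from the question: admin and production subnets on one hub,
    a dual-homed web server allowing port 80 only, no routers."""
    hub = Hub()
    admin_pc = Host("admin-pc", ["192.168.0.10/24"])
    prod_pc = Host("prod-pc", ["10.0.0.10/24"])
    web = Host("web", ["192.168.0.1/24", "10.0.0.1/24"], allow_ports={80})
    hub.attach(admin_pc, prod_pc, web)

    results: dict[str, object] = {
        # IP unicast across subnets fails: nothing routes, so no frame is sent
        "admin_to_prod_445": ip_unicast(hub, admin_pc, "10.0.0.10", 445),
        # the one intended path: the admin side fetches reports on port 80
        "admin_to_web_80": ip_unicast(hub, admin_pc, "192.168.0.1", 80),
        # anything else aimed at the dual-homed host is dropped by its firewall
        "admin_to_web_445": ip_unicast(hub, admin_pc, "192.168.0.1", 445),
    }
    # A broadcast (ARP, a NetBIOS name query, a worm's scan noise) is repeated
    # to every NIC on the hub regardless of subnet: this is the layer-2 exposure.
    results["bcast_receivers"] = hub.broadcast(prod_pc, "ARP who-has 10.0.0.1")
    results["admin_saw_prod_bcast"] = any("prod-pc" in s for s in admin_pc.seen)

    # Why the separation is only a convention (the point made in the answer):
    # a host that adds an address in the other range is on-link at once.
    admin_pc.addrs.append("10.0.0.99/24")
    results["after_readdress_445"] = ip_unicast(hub, admin_pc, "10.0.0.10", 445)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>24}: {value}")
```

The model deliberately has no gateway on either host, matching the "no routers" condition later in the thread; giving `admin_pc` a `default_gw` would be the moment the IP-level separation starts depending on whatever that gateway permits.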
 

Author Comment

by:risoy
In the network setup I described there would be no routers apart from maybe the one (very secure, fully patched :-) webserver connected to both subnets, but it will only allow for port 80 access towards the administration network. So, in reality, there is no need for any other communication between the two subnets.

I understand this is not a secure setup for deliberate attacks, but for most viruses/worms etc. spread across the administration network - I can't really see how it could leap across from one subnet to the other? Remember, there must be at least one computer (database+webserver) connected to both networks even with separate cabling.

Let's say that having them (production and administration) on the same subnet is 0% secure, could we say that separating (two subnets) them is 95% secure? But in order to be completely secure we either must lay separate cables or set up two VLANs?

Thanks for many good replies so far.
0
 
LVL 18

Expert Comment

by:chicagoan
> could we say that separating (two subnets) them is 95% secure?

It's still 0% secure as there is direct access at layer 2.
It's better in the sense there'd be no casual discovery or TCP/IP access.

> But in order to be completely secure we either must lay separate cables or set up two VLANs?

You already have separate cables; it's just a matter of patching things in the wiring closets to separate hubs.
Nothing is completely secure, but they would be completely separated.
0
 

Author Comment

by:risoy
> It's better in the sense there'd be no casual discovery or TCP/IP access.

What if the network only uses TCP/IP?

You see, I still don't understand how, for example Blaster, if it affects one network (the admin one) can spread over to the production one - even if there is access between them at layer 2. There is no routing between the nets. Never any communication. No domain controllers or the like on the production net.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
The network is a composite of:
cable - which can carry anything from NetBEUI over ethernet to a lightning strike
hubs - which simply repeat layer 2 traffic
switches - which span capabilities ranging from simple spanning tree port forwarding to layer 3 routing
network interface cards - which can simply be an ethernet transceiver or can incorporate IPsec
protocol stacks - the software operating systems use to communicate with each other

You can focus on Blaster or other malware with TCP/IP-specific transport methods and, yes, this scheme will reduce the propagation between the subnets (if intercommunication at the router/firewall level is adequate).
Take another example: let's say one machine (a laptop brought from home) comes in with a worm. While you may not have any vulnerable machines, that laptop can bring down both networks with traffic that, while it is not intended as a denial of service attack, saturates the network.

Yours is not a bad idea per se, and could provide some protection from casual browsing and TCP/IP-borne threats. I just don't want you to have any illusions about there being a real separation of traffic on such a network. As a security analyst I'd say put the effort into policy development, education, general patching, server access control and auditing. Those are highly effective industry standard practices demonstrative of due diligence.

My other point is that even in an environment where you're unable to VLAN, you generally have home runs from each machine and could physically separate these networks in the wiring closet without much cost or effort. At that point you've not only divided the traffic but can concentrate your efforts on a zero-based communication model and open routes and ports on a protocol level.


0
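The accepted answer's saturation point, and the earlier VLAN suggestion, both come down to what the device in the middle does with a frame. The added model below (not code from the thread or from any poster) compares three forwarding behaviours for the same five hosts: a hub, a plain learning switch, and a VLAN-capable switch with the admin ports in one VLAN and the production ports in another. Host names, MAC addresses, VLAN ids and the 1000-frame storm are constructed for the illustration; the dual-homed web server is simplified to a single admin-side port.

```python
"""Hub vs switch vs VLAN switch: where a broadcast storm and an unknown-unicast
frame end up. Added example, not code from the thread; all values constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    host: str   # host plugged into this port
    mac: str    # that host's MAC address (constructed)
    vlan: int   # VLAN the port is assigned to (only used in "vlan" mode)


# Constructed patch panel: admin side in VLAN 10, production side in VLAN 20.
PORTS = [
    Port("admin-pc", "02:00:00:00:00:01", 10),
    Port("laptop", "02:00:00:00:00:02", 10),   # the visitor's laptop
    Port("web", "02:00:00:00:00:03", 10),      # dual-homed server, admin port only
    Port("prod-pc", "02:00:00:00:00:04", 20),
    Port("prod-server", "02:00:00:00:00:05", 20),
]


class Device:
    """Forwarding model in three modes:
      hub    - repeat every frame out of every other port
      switch - learn source MACs; known unicast goes to one port, the rest floods
      vlan   - as switch, but learning and flooding stay inside the port's VLAN
    """

    def __init__(self, mode: str, ports: list[Port]) -> None:
        assert mode in ("hub", "switch", "vlan")
        self.mode = mode
        self.ports = {p.host: p for p in ports}
        self.fdb: dict[tuple[int, str], Port] = {}  # (domain, mac) -> port
        self.rx: Counter[str] = Counter()            # frames received per host

    def _domain(self, p: Port) -> int:
        # Without VLANs the whole device is one broadcast domain.
        return p.vlan if self.mode == "vlan" else 0

    def send(self, src_host: str, dst_mac: str) -> list[str]:
        """Forward one frame; return the hosts whose NIC had to receive it."""
        src = self.ports[src_host]
        dom = self._domain(src)
        known = None
        if self.mode != "hub":
            self.fdb[(dom, src.mac)] = src          # learn the sender
            known = self.fdb.get((dom, dst_mac))
        if known is not None and dst_mac != BROADCAST:
            targets = [known]
        else:                                        # broadcast or unknown unicast
            targets = [p for p in self.ports.values()
                       if p is not src and self._domain(p) == dom]
        for p in targets:
            self.rx[p.host] += 1
        return [p.host for p in targets]


def storm(mode: str, src_host: str, frames: int) -> Counter[str]:
    """A host blasting broadcasts (a worm's scan noise, an ARP storm):
    how many frames each NIC on the wire has to process."""
    dev = Device(mode, PORTS)
    for _ in range(frames):
        dev.send(src_host, BROADCAST)
    return dev.rx


def reach(mode: str, src_host: str, dst_host: str) -> list[str]:
    """dst announces itself once (so a switch can learn it), then src sends
    one unicast frame to dst's MAC; returns who actually received that frame."""
    dev = Device(mode, PORTS)
    dev.send(dst_host, BROADCAST)
    return dev.send(src_host, dev.ports[dst_host].mac)


if __name__ == "__main__":
    for mode in ("hub", "switch", "vlan"):
        print(mode, dict(storm(mode, "laptop", 1000)))
        print(mode, "admin-pc -> prod-pc received by", reach(mode, "admin-pc", "prod-pc"))
```

Read the storm counters against the answer: on the hub and on the plain switch the production hosts absorb every one of the laptop's 1000 frames even though they share no IP subnet with it, which is the "saturates the network" case; only the VLAN mode leaves them at zero. The `reach` check shows the other half of the thread: on a hub the unicast frame reaches every NIC, on a switch it reaches only the learned port, and in VLAN mode the admin host cannot get a frame to the production host at all because the lookup and the flood are confined to its own VLAN.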
 

Author Comment

by:risoy
Could we conclude that viruses and data spread via TCP/IP would stay within one subnet - if there are no routes between them. But, there will be no protection for other protocols and the net will still be prone to Denial of Service attacks?
0
 
LVL 18

Expert Comment

by:chicagoan
that about sums it up
0
 

Author Comment

by:risoy
Thank you. You have been very helpful.

Can I quote you on this and do you have a company name for reference?
0
 
LVL 18

Expert Comment

by:chicagoan
see my profile
0