Solved

Two separate networks sharing cables

Posted on 2003-12-01
14
317 Views
Last Modified: 2010-04-11
If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate and would that be a security risk?

Say, one configured on 192.168.0.*, and the other on 10.0.0.*. Could viruses or other attacks (e.g. Blaster) spread from one network to the other?

And if you have one computer with two NICs, each configured for one of the ranges, and a software firewall only allowing communication on port 80, does this make the net vulnerable?

The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.
Question by:risoy
14 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9850635
Hi risoy,
Mmm, yes and no. If the two networks were on separate VLANs then the broadcast traffic that spreads viruses would be stopped; to do this you would need switching at layer 3 and trunking protocols, or a LOT of routers.

PeteL
0
 

Author Comment

by:risoy
ID: 9850696
Could you elaborate?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851833
I'll do my best :0)

Your best option is to physically separate the two networks and put a firewall in between them

OR move each connection onto a separate switch and put a firewall/router between the two networks.

OR build VLANs (Virtual LANs). To do this you will need switches that can operate at layer 3 (network layer); usually switches operate at layer 2 (data link layer). If I've just confused you, do a Google search on OSI MODEL.

A VLAN splits a physical LAN up into two or more virtual LANs; this is usually done to cut down broadcast traffic and make the network more efficient.

In a VLAN environment switches are connected together using TRUNKS which carry the VLAN traffic to other switches and keep the traffic separate.

VLANs were designed to cut down on broadcast traffic, and as such will stop any virus that is propagated in this manner. BUT I would strongly advise going for option 1 or 2 above; in your case option 2 would work out cheaper

Pete
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851837
sheesh my typing is getting worse

PL
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9854402
It really depends on a lot. For common little hubs, you can have any address you want, and they'll communicate on the same wire. For a sophisticated switch, it may censor a subnet - does it have an address? Does it also route?

Depends. Example: 10.0.0.* is an internal address, not routable, so most attacks for an IP address will ignore them as unfindable. However, if you connect to the internet, and have a proxy that converts or pretends that the address is routable, then yes, the internet IP attack will find you.

> And if you have one computer with two NICs, each configured for each range

That is a little incomplete, but as-is, it fairly looks like a "routing", or router, configuration, which can thus block communication between the two subnets unless it is also configured to route, which is often not a very good thing to do, except when you manage it well.

> only allowing for communication on port 80. Does this make the net vulnerable?

Um, shall we say that port 80 is among the top vulnerabilities? That good enough for you?

> and a software firewall

Using SW firewall on each unit is a very good step, if they are not old and very slow PCs.  Configure them to block everything, then open up only what you have to.

Your best defense for now btw is to get every piece of SW from Microsoft upgraded to each patch level. No matter what. It is cheap except for the excessive personal and connection time required. But essential, very essential.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9855645
>If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate
As they're on different subnets, TCP/IP traffic would have to pass through a router.
You see this sometimes where unplanned expansion required quick addition of a non-contiguous subnet or where admins want to keep SNMP or other network management traffic separate (on the cheap).

>and would that be a security risk?
All one would have to do would be to change their IP address to communicate directly with the other nodes.
Broadcast traffic, IPX, netbios and layer 2 would also be passed.
Short answer - it ain't good.

>Say, one configured on 192.168.0.*, and the other on 10.0.0.*.
>Could viruses or other attacks (eg. Blaster), spread from one network to the other?
Exploits using TCP/IP would have to pass through the router. Layer 2 exploits would not.

>And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80.
You're describing a router or firewall; if it was properly configured it would mitigate exposure.
> Does this make the net vulnerable?
It depends on if what's listening on port 80 has vulnerabilities

>The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.
Unless you're using coax, you're in a star or extended star environment.
Recabling, if you're using hubs or low end switches, routing or VLANs are a more standard and secure method of segregating traffic.
 
0
 

Author Comment

by:risoy
ID: 9856856
In the network setup I described there would be no routers apart from maybe the one (very secure, fully patched :-) webserver connected to both subnets, but it will only allow for port 80 access towards the administration network. So, in reality, there is no need for any other communication between the two subnets.

I understand this is not a secure setup for deliberate attacks, but for most viruses/worms etc. spread across the administration network - I can't really see how it could leap across from one subnet to the other? Remember, there must be at least one computer (database+webserver) connected to both networks even with separate cabling.

Let's say that having them (production and administration) on the same subnet is 0% secure, could we say that separating (two subnets) them is 95% secure? But in order to be completely secure we either must lay separate cables or set up two VLANs?

Thanks for many good replies so far.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9857133
> could we say that separating (two subnets) them is 95% secure?
it's still 0% secure as there is direct access at layer 2
It's better in the sense there'd be no casual discovery or TCP/IP access.


>But in order to be completely secure we either must lay separate cables or set up two VLANs?
You already have separate cables, it's just a matter of patching things in the wiring closets to separate hubs.
Nothing is completely secure, but they would be completely separated

0
 

Author Comment

by:risoy
ID: 9857723
> It's better in the sense there'd be no casual discovery or TCP/IP access.

What if the network only uses TCP/IP?

You see, I still don't understand how, for example, Blaster, if it affects one network (the admin one), can spread over to the production one - even if there is access between them at layer 2. There is no routing between the nets. Never any communication. No domain controllers or the like on the production net.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
ID: 9858012
The network is a composite of
cable - which can carry anything from NetBEUI over ethernet to a lightning strike
hubs - which simply repeat layer 2 traffic
switches - which span capabilities ranging from simple spanning tree port forwarding to layer 3 routing
network interface cards - which can simply be an ethernet transceiver or can incorporate IPsec
protocol stacks - the software operating systems use to communicate with each other

You can focus on Blaster or other malware with TCP/IP specific transport methods and, yes, this scheme will reduce the propagation between the subnets (if intercommunication at the router/firewall level is adequate).
Take another example: let's say one machine (a laptop brought from home) comes in with a worm. While you may not have any vulnerable machines, that laptop can bring down both networks with traffic that, while it is not intended as a denial of service attack, saturates the network.

Yours is not a bad idea per se, and could provide some protection from casual browsing and TCP/IP borne threats. I just don't want you to have any illusions about there being a real separation of traffic on such a network. As a security analyst I'd say put the effort into policy development, education, general patching, server access control and auditing. Those are highly effective industry standard practices demonstrative of due diligence.

My other point is that even in an environment where you're unable to VLAN, you generally have home runs from each machine and could physically separate these networks in the wiring closet without much cost or effort. At that point you've not only divided the traffic but can concentrate your efforts on a zero-based communication model and open routes and ports on a protocol level.


0
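As an added illustration of the layer-2 versus layer-3 point made in the accepted answer and in the earlier remark that a node only has to change its own IP address to talk to the other subnet (example code, not from this thread): a small model of the forwarding decision a host's IP stack makes, and of which frames a hub or an unsegmented switch delivers to a listener on the shared cable. The hosts, MAC addresses and frames are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: an admin-side host and a production-side host on one cable.
ADMIN_MAC = "aa:aa:aa:00:00:01"
PROD_MAC = "bb:bb:bb:00:00:01"


def ip_decision(host_ip: str, dst_ip: str, gateway: Optional[str] = None) -> str:
    """Layer-3 forwarding decision a host makes for a packet to dst_ip.
    host_ip is the interface in CIDR form (e.g. "192.168.0.5/24").
    'direct'  : dst is on-link; the host ARPs for it itself, no router involved
    'gateway' : dst is off-link and a default route exists
    'none'    : dst is off-link and no route is configured; the stack drops it
    """
    iface = ipaddress.ip_interface(host_ip)
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "direct"
    return "gateway" if gateway else "none"


def frames_seen(device: str, frames: List[Dict[str, str]], my_mac: str) -> List[Dict[str, str]]:
    """Layer-2 visibility on a shared segment with no VLANs.
    A hub repeats every frame to every port. A switch forwards unicast only to
    the port where it learned the destination MAC, but still floods broadcast
    frames to every port, whatever IP subnet the sender happens to use."""
    if device == "hub":
        return list(frames)
    if device == "switch":
        return [f for f in frames if f["dst_mac"] in ("ff:ff:ff:ff:ff:ff", my_mac)]
    raise ValueError("device must be 'hub' or 'switch'")


# Constructed frames on the shared cable: an ARP broadcast from the 10.0.0.0/24
# side, a unicast between two production hosts, and a unicast to the admin host.
FRAMES = [
    {"src_mac": PROD_MAC, "dst_mac": "ff:ff:ff:ff:ff:ff", "proto": "ARP", "src_ip": "10.0.0.7"},
    {"src_mac": PROD_MAC, "dst_mac": "bb:bb:bb:00:00:02", "proto": "IP", "src_ip": "10.0.0.7"},
    {"src_mac": "aa:aa:aa:00:00:02", "dst_mac": ADMIN_MAC, "proto": "IP", "src_ip": "192.168.0.9"},
]


def cross_subnet_visible(device: str) -> int:
    """Count frames from the 10.0.0.0/24 side that reach the admin host's NIC."""
    return sum(1 for f in frames_seen(device, FRAMES, ADMIN_MAC) if f["src_ip"].startswith("10."))


if __name__ == "__main__":
    print(ip_decision("192.168.0.5/24", "10.0.0.7"))   # none: no route and no router
    print(ip_decision("10.0.0.99/24", "10.0.0.7"))     # direct: a readdressed host is on-link
    print(cross_subnet_visible("hub"), cross_subnet_visible("switch"))  # 2 1
```

The IP check "fails" only because the sending host chose not to have a route; the layer-2 counts show that the other subnet's broadcasts arrive regardless, which is the separation gap the answer describes.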
 

Author Comment

by:risoy
ID: 9865074
Could we conclude that viruses and data spread via TCP/IP would stay within one subnet - if there are no routes between them. But, there will be no protection for other protocols and the net will still be prone to Denial of Service attacks?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9865939
that about sums it up
0
 

Author Comment

by:risoy
ID: 9866204
Thank you. You have been very helpful.

Can I quote you on this and do you have a company name for reference?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9866477
see my profile
0
