Solved

Two separate networks sharing cables

Posted on 2003-12-01
Last Modified: 2010-04-11
If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate and would that be a security risk?

Say, one configured on 192.168.0.*, and the other on 10.0.0.*. Could viruses or other attacks (e.g. Blaster) spread from one network to the other?

And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80. Does this make the net vulnerable?

The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.
Question by:risoy
14 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9850635
Hi risoy,
Mmm, yes and no. If the two networks were on separate VLANs then the broadcast traffic that spreads viruses would be stopped. To do this you would need switching at layer 3 and trunking protocols, or a LOT of routers.

PeteL
 

Author Comment

by:risoy
ID: 9850696
Could you elaborate?
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851833
I'll do my best :0)

Your best option is to physically separate the two networks and put a firewall in between them,

OR move each connection onto a separate switch and put a firewall/router between the two networks,

OR build VLANs (Virtual LANs). To do this you will need switches that can operate at layer 3 (network layer); usually switches operate at layer 2 (data link layer). If I've just confused you, do a Google search on OSI MODEL.

A VLAN splits a physical LAN up into two or more virtual LANs; this is usually done to cut down broadcast traffic and make the network more efficient.

In a VLAN environment switches are connected together using TRUNKS, which carry the VLAN traffic to other switches and keep the traffic separate.

VLANs were designed to cut down on broadcast traffic, and as such will stop any virus that is propagated in this manner. BUT I would strongly advise going for option 1 or 2 above; in your case option 2 would work out cheaper.

Pete
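What Pete's VLAN option looks like on a switch, as an added example that is not part of the original thread: an access-layer configuration in Cisco IOS syntax. The VLAN numbers, names and interface numbers are assumptions. Each edge port is pinned to one VLAN, and the uplink to the next switch carries both VLANs tagged (802.1Q) so the two broadcast domains stay apart across switches.

```text
! assumed: VLAN 10 = production (10.0.0.0/24), VLAN 20 = administration (192.168.0.0/24)
vlan 10
 name production
vlan 20
 name administration
!
! a production host plugs in here; it sees only VLAN 10 broadcasts
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! an administration host plugs in here; it sees only VLAN 20 broadcasts
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
! uplink to the next switch: both VLANs, tagged, nothing else
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

Some older Catalyst models need `switchport trunk encapsulation dot1q` before `switchport mode trunk` is accepted. Port-to-VLAN assignment and trunking are layer-2 functions; what needs a layer-3 switch or a router is getting the two VLANs to talk to each other at all, which in this design would be the one path the report traffic takes.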
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851837
sheesh my typing is getting worse

PL
 
LVL 24

Expert Comment

by:SunBow
ID: 9854402
It really depends on a lot. For common little hubs, you can have any address you want, and they'll communicate on the same wire. For a sophisticated switch, it may censor a subnet - does it have an address? Does it also route?

Depends. Example, 10.0.0.* is an internal address, not routable, so most attacks for IP addresses will ignore them as unfindable. However, if you connect to the internet, and have a proxy that converts or pretends that the address is routable, then yes, the internet IP attack will find you.

> And if you have one computer with two NICs, each configured for each range

That is a little incomplete, but as-is, it fairly looks like a "routing", or router, configuration, which can thus block communication between the two subnets unless it is also configured to route, which is often not a very good thing to do, except when you manage it well.

> only allowing for communication on port 80. Does this make the net vulnerable?

Um, shall we say that port 80 is among the top vulnerabilities? That good enough for you?

> and a software firewall

Using a SW firewall on each unit is a very good step, if they are not old and very slow PCs. Configure them to block everything, then open up only what you have to.

Your best defense for now, btw, is to get every piece of SW from Microsoft upgraded to each patch level. No matter what. It is cheap except for the excessive personal and connection time required. But essential, very essential.
 
LVL 18

Expert Comment

by:chicagoan
ID: 9855645
>If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate
As they're on different subnets, TCP/IP traffic would have to pass through a router.
You see this sometimes where unplanned expansion required quick addition of a non-contiguous subnet or where admins want to keep SNMP or other network management traffic separate (on the cheap).

>and would that be a security risk?
All one would have to do would be to change their IP address to communicate directly with the other nodes.
Broadcast traffic, IPX, NetBIOS and layer 2 would also be passed.
Short answer - it ain't good.

>Say, one configured on 192.168.0.*, and the other on 10.0.0.*.
>Could viruses or other attacks (eg. Blaster), spread from one network to the other?
Exploits using TCP/IP would have to pass through the router. Layer 2 exploits would not.

>And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80.
You're describing a router or firewall; if it was properly configured it would mitigate exposure.
> Does this make the net vulnerable?
It depends on whether what's listening on port 80 has vulnerabilities.

>The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.
Unless you're using coax, you're in a star or extended star environment.
Recabling, if you're using hubs or low end switches, routing or VLANs are a more standard and secure method of segregating traffic.
 
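How much "casual discovery" the shared wire allows, as an added example that is not part of the original thread. ARP requests are layer-2 broadcasts, so every host on the segment sees them whatever IP subnet they come from; a 192.168.0.x host can list the 10.0.0.x machines and their MAC addresses without any router in the picture. The script below parses constructed lines in the shape of `tcpdump -nn -e arp` output (not a real capture) and reports the senders that fall outside the local subnet. The same logic, run from a host on the administration side, is a cheap check for which foreign machines are on your wire.

```python
"""Flag ARP traffic from hosts outside the local subnet on a shared segment.

Added example, not from the original thread. The sample capture below is
constructed to look like `tcpdump -nn -e arp` output; it is not real data.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed sample: what a 192.168.0.x host sees on the shared segment.
SAMPLE_ARP = """\
00:11:22:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.10 tell 192.168.0.1, length 46
00:50:56:ab:cd:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.5, length 46
00:50:56:ab:cd:07 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.5 tell 10.0.0.7, length 46
00:11:22:aa:bb:0a > 00:11:22:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.10 is-at 00:11:22:aa:bb:0a, length 28
00:50:56:ab:cd:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.9 tell 10.0.0.5, length 46
"""

# Only broadcast ARP requests: source MAC, then "who-has <target> tell <sender>".
REQUEST = re.compile(
    r"^(?P<mac>[0-9a-f:]{17}) > ff:ff:ff:ff:ff:ff, .*?"
    r"Request who-has (?P<target>[0-9.]+) tell (?P<sender>[0-9.]+)"
)


def arp_senders(capture: str) -> dict[str, set[str]]:
    """Map each IP that sent an ARP request to the MAC(s) it was seen with."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in capture.splitlines():
        m = REQUEST.match(line)
        if m:
            seen[m["sender"]].add(m["mac"])
    return dict(seen)


def foreign_hosts(capture: str, local_net: str) -> dict[str, set[str]]:
    """Senders whose IP lies outside local_net: machines of the 'other'
    subnet that share the wire and were discoverable without IP routing."""
    net = ipaddress.ip_network(local_net, strict=False)
    return {
        ip: macs
        for ip, macs in arp_senders(capture).items()
        if ipaddress.ip_address(ip) not in net
    }


if __name__ == "__main__":
    # Viewed from the administration subnet, the production hosts show up.
    for ip, macs in sorted(foreign_hosts(SAMPLE_ARP, "192.168.0.0/24").items()):
        print(f"foreign host {ip} at {', '.join(sorted(macs))}")
```

To feed it real traffic, pipe `tcpdump -nn -e -l arp` into the script on a host attached to the shared segment. Note that a host that sees these requests can also answer them; adding a second address from the other range to its own NIC is all it takes to talk to those machines directly, which is chicagoan's point about changing the IP address.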
 

Author Comment

by:risoy
ID: 9856856
In the network setup I described there would be no routers apart from maybe the one (very secure, fully patched :-) webserver connected to both subnets, but it will only allow for port 80 access towards the administration network. So, in reality, there is no need for any other communication between the two subnets.

I understand this is not a secure setup for deliberate attacks, but for most viruses/worms etc. spread across the administration network - I can't really see how it could leap across from one subnet to the other? Remember, there must be at least one computer (database+webserver) connected to both networks even with separate cabling.

Let's say that having them (production and administration) on the same subnet is 0% secure, could we say that separating (two subnets) them is 95% secure? But in order to be completely secure we either must lay separate cables or set up two VLANs?

Thanks for many good replies so far.
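What "only port 80 towards the administration network" has to mean on the dual-homed report server, as an added example that is not part of the original thread, written for a current Linux host with nftables. Interface names and subnets are assumptions (eth0 = administration 192.168.0.0/24, eth1 = production 10.0.0.0/24). Two things matter: the kernel must not forward between the NICs (`net.ipv4.ip_forward = 0` in sysctl), and the input filter must default to drop and admit the one service.

```text
# /etc/nftables.conf on the report server (added example; names are assumptions)
table inet report_host {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # administration side: the web reports, and nothing else
        iif "eth0" ip saddr 192.168.0.0/24 tcp dport 80 ct state new accept

        # production side: list only what the database/web server really
        # needs from 10.0.0.0/24 here (none assumed in this example)
    }

    chain forward {
        # the host must never relay packets between the two NICs; this backs
        # up net.ipv4.ip_forward = 0 if someone turns forwarding on later
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm with `nft list ruleset` and `sysctl net.ipv4.ip_forward`. The caveat chicagoan raises applies directly: because both NICs hang off the same wire, `iif "eth0"` plus a 192.168.0.0/24 source address proves nothing about which machine sent the packet; a production host that gives itself a 192.168.0.x address reaches port 80 just the same. What the ruleset does buy is that only the HTTP listener is exposed from either side, so its patch level is what the exposure comes down to.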
 
LVL 18

Expert Comment

by:chicagoan
ID: 9857133
> could we say that separating (two subnets) them is 95% secure?
It's still 0% secure as there is direct access at layer 2.
It's better in the sense there'd be no casual discovery or TCP/IP access.

>But in order to be completely secure we either must lay separate cables or set up two VLANs?
You already have separate cables; it's just a matter of patching things in the wiring closets to separate hubs.
Nothing is completely secure, but they would be completely separated.
 

Author Comment

by:risoy
ID: 9857723
> It's better in the sense there'd be no casual discovery or TCP/IP access.

What if the network only uses TCP/IP?

You see, I still don't understand how, for example, Blaster, if it affects one network (the admin one), can spread over to the production one - even if there is access between them at layer 2. There is no routing between the nets. Never any communication. No domain controllers or the like on the production net.
 
LVL 18

Accepted Solution

by: chicagoan (earned 250 total points)
ID: 9858012
The network is a composite of:
cable - which can carry anything from NetBEUI over ethernet to a lightning strike
hubs - which simply repeat layer 2 traffic
switches - which span capabilities ranging from simple spanning tree port forwarding to layer 3 routing
network interface cards - which can simply be an ethernet transceiver or can incorporate IPsec
protocol stacks - the software operating systems use to communicate with each other

You can focus on Blaster or other malware with TCP/IP-specific transport methods and, yes, this scheme will reduce the propagation between the subnets (if intercommunication at the router/firewall level is adequate).
Take another example: let's say one machine (a laptop brought from home) comes in with a worm. While you may not have any vulnerable machines, that laptop can bring down both networks with traffic that, while it is not intended as a denial of service attack, saturates the network.

Yours is not a bad idea per se, and could provide some protection from casual browsing and TCP/IP-borne threats. I just don't want you to have any illusions about there being a real separation of traffic on such a network. As a security analyst I'd say put the effort into policy development, education, general patching, server access control and auditing. Those are highly effective industry standard practices demonstrative of due diligence.

My other point is that even in an environment where you're unable to VLAN, you generally have home runs from each machine and could physically separate these networks in the wiring closet without much cost or effort. At that point you've not only divided the traffic but can concentrate your efforts on a zero-based communication model and open routes and ports on a protocol level.


 

Author Comment

by:risoy
ID: 9865074
Could we conclude that viruses and data spread via TCP/IP would stay within one subnet - if there are no routes between them. But, there will be no protection for other protocols and the net will still be prone to Denial of Service attacks?
 
LVL 18

Expert Comment

by:chicagoan
ID: 9865939
that about sums it up
 

Author Comment

by:risoy
ID: 9866204
Thank you. You have been very helpful.

Can I quote you on this and do you have a company name for reference?
 
LVL 18

Expert Comment

by:chicagoan
ID: 9866477
see my profile