risoy

asked on

Two separate networks sharing cables

If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate and would that be a security risk?

Say, one configured on 192.168.0.*, and the other on 10.0.0.*. Could viruses or other attacks (eg. Blaster), spread from one network to the other?

And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80. Does this make the net vulnerable?

The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.
Pete Long

Hi risoy,
Mmm, yes and no. If the two networks were on separate VLANs then the broadcast traffic that spreads viruses would be stopped; to do this you would need switching at layer 3 and trunking protocols, or a LOT of routers.

PeteL
risoy

ASKER

Could you elaborate?
I'll do my best :0)

Your best option is to physically separate the two networks and put a firewall in between them.

OR move each connection onto a separate switch and put a firewall/router between the two networks.

OR build VLANs (Virtual LANs). To do this you will need switches that can operate at layer 3 (network layer); usually switches operate at layer 2 (data link layer). If I've just confused you, do a Google search on OSI MODEL.

A VLAN splits a physical LAN up into two or more virtual LANs; this is usually done to cut down broadcast traffic and make the network more efficient.

In a VLAN environment switches are connected together using TRUNKS, which carry the VLAN traffic to other switches and keep the traffic separate.

VLANs were designed to cut down on broadcast traffic, and as such will stop any virus that is propagated in this manner. BUT I would strongly advise going for option 1 or 2 above; in your case option 2 would work out cheaper.

Pete
sheesh my typing is getting worse

PL
It really depends on a lot. For common little hubs, you can have any address you want, and they'll communicate on the same wire. For a sophisticated switch, it may censor a subnet - does it have an address? Does it also route?

Depends. Example: 10.0.0.* is an internal address, not routable, so most attacks on IP addresses will ignore them as unfindable. However, if you connect to the internet and have a proxy that converts or pretends that the address is routable, then yes, the internet IP attack will find you.

> And if you have one computer with two NICs, each configured for each range

That is a little incomplete, but as-is, it fairly looks like a "routing", or router, configuration, which can thus block communication between the two subnets unless it is also configured to route, which is often not a very good thing to do, except when you manage it well.

> only allowing for communication on port 80. Does this make the net vulnerable?

Um, shall we say that port 80 is among the top vulnerabilities? That good enough for you?

> and a software firewall

Using SW firewall on each unit is a very good step, if they are not old and very slow PCs.  Configure them to block everything, then open up only what you have to.

Your best defense for now btw is to get every piece of SW from Microsoft upgraded to each patch level. No matter what. It is cheap except for the excessive personal and connection time required. But essential, very essential.
> If you configure two networks using different IP ranges and let them share cables, hubs and switches - can they communicate

As they're on different subnets, TCP/IP traffic would have to pass through a router.
You see this sometimes where unplanned expansion required quick addition of a non-contiguous subnet, or where admins want to keep SNMP or other network management traffic separate (on the cheap).

> and would that be a security risk?

All one would have to do would be to change their IP address to communicate directly with the other nodes.
Broadcast traffic, IPX, NetBIOS and layer 2 would also be passed.
Short answer - it ain't good.

> Say, one configured on 192.168.0.*, and the other on 10.0.0.*. Could viruses or other attacks (eg. Blaster), spread from one network to the other?

Exploits using TCP/IP would have to pass through the router. Layer 2 exploits would not.

> And if you have one computer with two NICs, each configured for each range and a software firewall only allowing for communication on port 80.

You're describing a router or firewall; if it was properly configured it would mitigate exposure.

> Does this make the net vulnerable?

It depends on whether what's listening on port 80 has vulnerabilities.

> The motivation for this is to use the same cables for a production network and an administration network, saving some money and not lowering security. The networks must be able to communicate to provide web production reports for the administration.

Unless you're using coax, you're in a star or extended star environment.
Recabling (if you're using hubs or low-end switches), routing or VLANs are a more standard and secure method of segregating traffic.
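The two points above (IP traffic between 192.168.0.* and 10.0.0.* needs a router, but the shared wire still carries every host's layer 2 frames) can be shown with a small added example. This is not code from the thread; the ARP observations and the segment name `prod-wire` are constructed, and a /24 mask is assumed for both ranges. The routing function generalises to any single-homed host, and the two checks give a defender a way to spot a foreign-range host or a re-addressed NIC on a segment that should carry only one subnet.

```python
import ipaddress
from collections import defaultdict

# Constructed ARP observations from one shared switch segment: (segment, sender MAC, sender IP).
# Production is assumed to be 192.168.0.0/24, administration 10.0.0.0/24.
ARP_SEEN = [
    ("prod-wire", "00:11:22:33:44:01", "192.168.0.10"),
    ("prod-wire", "00:11:22:33:44:02", "192.168.0.11"),
    ("prod-wire", "00:11:22:33:44:03", "10.0.0.5"),    # admin-range host seen on the production wire
    ("prod-wire", "00:11:22:33:44:02", "10.0.0.12"),   # same MAC later re-addressed into the admin range
]

def next_hop(src_ip, prefix_len, dst_ip, gateway=None):
    """Host-side IP routing decision for a single-homed host.

    Returns 'direct' when dst is inside the sender's own subnet (ARP, then send),
    the gateway address when one is configured, or None when there is no route:
    the packet never leaves the sender even though both hosts share the wire.
    """
    net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    if ipaddress.ip_address(dst_ip) in net:
        return "direct"
    return gateway

def foreign_hosts(arp_seen, expected):
    """Return ARP senders whose IP lies outside the subnet assigned to their segment.

    expected maps segment name -> the one IP network that should appear there.
    ARP is broadcast at layer 2, so every host on the wire can observe this.
    """
    findings = []
    for segment, mac, ip in arp_seen:
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(expected[segment]):
            findings.append((segment, mac, ip))
    return findings

def readdressed_macs(arp_seen, prefix_len=24):
    """Return MACs seen with addresses in more than one /prefix_len subnet."""
    nets = defaultdict(set)
    for _, mac, ip in arp_seen:
        nets[mac].add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    return sorted(mac for mac, seen in nets.items() if len(seen) > 1)

if __name__ == "__main__":
    print(next_hop("192.168.0.10", 24, "10.0.0.5"))  # None: no router, so no IP path
    print(foreign_hosts(ARP_SEEN, {"prod-wire": "192.168.0.0/24"}))
    print(readdressed_macs(ARP_SEEN))
```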
 
risoy

ASKER

In the network setup I described there would be no routers apart from maybe the one (very secure, fully patched :-) webserver connected to both subnets, but it will only allow for port 80 access towards the administration network. So, in reality, there is no need for any other communication between the two subnets.

I understand this is not a secure setup for deliberate attacks, but for most viruses/worms etc. spread across the administration network - I can't really see how it could leap across from one subnet to the other? Remember, there must be at least one computer (database+webserver) connected to both networks even with separate cabling.

Let's say that having them (production and administration) on the same subnet is 0% secure, could we say that separating (two subnets) them is 95% secure? But in order to be completely secure we either must lay separate cables or set up two VLANs?

Thanks for many good replies so far.
> could we say that separating (two subnets) them is 95% secure?
it's still 0% secure as there is direct access at layer 2
It's better in the sense there'd be no casual discovery or TCP/IP access.


> But in order to be completely secure we either must lay separate cables or set up two VLANs?

You already have separate cables; it's just a matter of patching things in the wiring closets to separate hubs.
Nothing is completely secure, but they would be completely separated.

risoy

ASKER

> It's better in the sense there'd be no casual discovery or TCP/IP access.

What if the network only uses TCP/IP?

You see, I still don't understand how, for example, Blaster, if it affects one network (the admin one), can spread over to the production one - even if there is access between them at layer 2. There is no routing between the nets. Never any communication. No domain controllers or the like on the production net.
ASKER CERTIFIED SOLUTION
chicagoan
risoy

ASKER

Could we conclude that viruses and data spread via TCP/IP would stay within one subnet - if there are no routes between them. But, there will be no protection for other protocols and the net will still be prone to Denial of Service attacks?
that about sums it up
risoy

ASKER

Thank you. You have been very helpful.

Can I quote you on this and do you have a company name for reference?
see my profile