Solved

Security with office sharing internet

Posted on 2004-09-22
16
443 Views
Last Modified: 2010-04-10
I am located in a large building.  My company owns one side of the building while other small companies own the other side.  My CEO wanted to sell some of the smaller companies our internet service since we have a full T-1 coming into our side and only about 50 users using it.  

To set them up, I basically had them purchase a router and I plugged the router into my switch.  They ended up purchasing a Linksys router since it was the cheapest one.  The Linksys external IP address matches my IP scheme (10.10.20.X), the internal IP address is 192.168.1.X.  The router releases DHCP for their computers.  I also enabled NAT translation on my firewall so that they could have an external IP address.  I just pointed the external IP address to the internal one that I gave the Linksys router.

My question is how secure is this set up?
What can I do to make it more secure?

Thanks for the help.
0
Question by:mmedici1
16 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12122752
You are going to be extremely limited on what you can do with a Linksys router.  Your other tenants have full access to your LAN!  This is not a good thing.  With a Linksys router there is only a limited capability to develop a security policy that would restrict/prevent any access to your LAN.

You may want to look at using Cisco PIX low-end firewalls to provide the security.  PIX 501 (10-user) can be had for around $350US and 50-user for around $550US.
0
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12122972
##WARNING
##This post has been edited at the request of RHenningsgard to point out
##that it is incorrect.  Please read the entire thread carefully.
##majorwoo, EE Page Editor

<<You other tenants have full access to your LAN!>>

Uh... no.  That's true only if: a) the Linksys router improperly routes packets in the non-routable address range of 10.x.x.x, or b) the small company's Ethernet is interconnected to the large one with a hub or some other type of bridge, allowing packets from the small company's LAN to circulate directly on to the large company's LAN.

So long as the WAN port on the Linksys router is the only one that connects to your large company's LAN, you're in pretty good shape, security-wise, IMO.

In my opinion, the worst security risk posed by the Linksys router is the fact that its internal OS is Linux.  Depending on its firmware revision, there has been at least one demonstrated buffer overflow exploit which allowed the execution of arbitrary code inside the router's CPU.  I think it's only a matter of time before more overflow exploits are discovered there, which is a very scary prospect indeed, given the number of such routers currently connected to the internet.

As to the Cisco PIX 501, I'm sure netspec01 knows 100x more about that solution than I do.  If you're truly worried about the security of your setup, I recommend you take his advice.

Rob---
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12123040
My question is: does the Linksys have a built-in firewall? If yes, then you can configure it to basically protect your site.

Now for the big question: how important is your data? Is it classified? If yes, then a Linksys is not the proper solution and netspec01 answered that question properly. In order to build good security schematics you will need to take into account a few things:
1. Foremost, your budget.
2. How important is your data?
3. How important is it to the decision-making personnel?
4. Your current architecture?
5. Do you have mobile users?
6. What are your future plans?

If you can answer part of those questions I may be able to assemble you a nice security plan. Either way, keep the points here in mind.
The PIX 501 is a great firewall, but does it accommodate your site? You may also consider ISA Server 2004 (which is a great firewall compared to its previous versions)... there are so many possibilities...

Cyber
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12123060
Didn't refresh, so sorry if there are any already covered issues...

:)

Cyber
0
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12123126
I forgot to mention that my comment about security applies if and only if the Linksys is one of the models which does NAT, like their wireless cable/DSL routers, and which by default does no port mapping.  My comments would apply to models BEFW1154, WRT54G, and the like.

Rob---
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12123169
The 10.10.20.0 network which is on the WAN side is treated as the public network.  The Linksys doesn't know the concept of non-routable addresses, and the 10.0.0.0 network is considered just like any other network.

To secure this network from the tenants' network, a policy such as "deny any <tenant network> <10.10.20.0 network>" must be in place, as well as allowing all other traffic.
0
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12123296
<<The 10.10.20.0 network which is on the WAN side is treated as the public network.>>

Yikes!  I'm going to go test that right now!  I was under precisely the opposite impression.  Will test that today and report results back to this thread, lest I perpetrate a dangerous, uncorrected falsehood here on EE.  netspec, thanks for that one!

Rob---
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12123348
Agree with netspec01. The 192.168.1.x network has full access to your 10.10.20.x network to do anything they want, yet you have no access to theirs. Not the best scenario. Some Linksys products give you the option to set up access restrictions, but it is not granular enough to restrict by IP subnet to not permit access to your subnet, yet still permit Internet access.
I'm also a big fan of the Cisco PIX, and the 501 is an excellent choice for this application. It will easily do exactly what you need it to do.
0
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12123472
Netspec01 and lrmoore, you are, as you know, absolutely correct.  I am flabbergasted by this obvious misbehavior of those routers, routing packets from one designated LAN subnet to another.  I'm going to touch base with customer service to either strike my errant comment, or edit it to put a warning of some kind on it so it doesn't misinform anyone.  How embarrassing (but I guess getting educated sometimes is).

0
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12124520
Thanks majorwoo for editing my post to warn about its inaccuracy on the non-routing issue.

(On the other hand, I discovered _another_ overflow crash in the older of my Linksys routers this morning, so my comment about Linux on consumer-market routers stands).
0
 
LVL 8

Accepted Solution

by:
holger12345 earned 500 total points
ID: 12128780
There is a solution for your task with a third router:

LAN1 ---Router1
                |
             LAN3 --- Router3 --- Internet
                |
LAN2 ---Router2

Create an intermediate LAN (LAN3) and NAT both of your LANs to it... route that LAN3 to the internet... is that too simple?

i.e. use 192.168.1.0/24 for LAN1 ("/24" means "subnet is 255.255.255.0")
use 192.168.2.0/24 for LAN2
use 192.168.3.0/24 for LAN3

Hope that helps
Holger
0
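To make the two designs in this thread concrete, here is an added example (not code from any poster) that models netspec01's "deny tenant to 10.10.20.0/24, permit everything else" access list and holger12345's three-router layout with Python's ipaddress module, and evaluates a few constructed flows against each. The reachability function assumes, as holger's design does, that the NAT routers carry no inbound port mappings.

```python
from ipaddress import ip_address, ip_network

# Address plan from the thread: the questioner's LAN sits on the Linksys WAN side.
HOST_LAN   = ip_network("10.10.20.0/24")
TENANT_LAN = ip_network("192.168.1.0/24")
ANY        = ip_network("0.0.0.0/0")

# netspec01's policy as an ordered access list: first match wins, implicit deny at the end.
ACL = [
    ("deny",   TENANT_LAN, HOST_LAN),  # tenants must not reach the host LAN...
    ("permit", TENANT_LAN, ANY),       # ...but may still reach the Internet
]

def acl_decision(src, dst, acl=ACL):
    """Return 'permit' or 'deny' for a flow from src to dst under the access list."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # nothing matched: implicit deny (covers host LAN -> tenant too)

# holger12345's design: LAN1 and LAN2 each NAT onto LAN3, and LAN3 routes to the Internet.
LANS = {"LAN1": ip_network("192.168.1.0/24"),
        "LAN2": ip_network("192.168.2.0/24"),
        "LAN3": ip_network("192.168.3.0/24")}

def lan_of(addr):
    """Name of the LAN containing addr, or 'Internet' if it lies in none of them."""
    a = ip_address(addr)
    return next((name for name, net in LANS.items() if a in net), "Internet")

def three_router_reachable(src, dst):
    """True if src can initiate a connection to dst. Assumption (as in the thread): the NAT
    routers have no inbound port mappings, so nothing on LAN3 has a route to hosts on LAN1
    or LAN2; a host can only reach its own LAN, LAN3 itself, and the Internet."""
    s, d = lan_of(src), lan_of(dst)
    return d in (s, "LAN3", "Internet")

# Constructed sample flows (198.51.100.7 is a documentation address standing in for the Internet).
FLOWS = [("192.168.1.25", "10.10.20.10"),   # tenant -> host LAN
         ("192.168.1.25", "198.51.100.7"),  # tenant -> Internet
         ("192.168.1.25", "192.168.2.40"),  # LAN1 -> LAN2 in the three-router design
         ("192.168.2.40", "192.168.3.1")]   # LAN2 -> Router3's address on LAN3

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src} -> {dst}: ACL={acl_decision(src, dst)}, "
              f"three-router reachable={three_router_reachable(src, dst)}")
```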
 
LVL 5

Expert Comment

by:netspec01
ID: 12129748
I would advise not to mess around with a limited capability NAT device like Linksys for this application.  In fact at the low price that Cisco is charging for the PIX and all of its capabilities I would never put in a Linksys for a firewall for a business.   My 2 cents!
0
 
LVL 8

Expert Comment

by:holger12345
ID: 12138063
netspec: even though you're right... advice to buy more professional equipment is often and quickly given... but my solution is to point out how it works with less professional equipment... perhaps that's what he/she wanted?!
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12139542
Well we've given you a few options here and pointed out some security precautions along the way.  Take a look at some of the design considerations that Cyber-Dude and other have put forth and make your choice.  Hope all of us have helped you!
0
 
LVL 8

Expert Comment

by:holger12345
ID: 12220982
Thx for the A (though I don't even know what it's worth in this community) ;-))
0
