Solved

Security with office sharing internet

Posted on 2004-09-22
Last Modified: 2010-04-10
I am located in a large building.  My company owns one side of the building while other small companies own the other side.  My CEO wanted to sell some of the smaller companies our internet service since we have a full T-1 coming into our side and only about 50 users using it.  

To set them up, I basically had them purchase a router and I plugged the router into my switch. They ended up purchasing a Linksys router since it was the cheapest one. The Linksys external IP address matches my IP scheme (10.10.20.X), the internal IP address is 192.168.1.X. The router serves DHCP for their computers. I also enabled NAT translation on my firewall so that they could have an external IP address. I just pointed the external IP address to the internal one that I gave the Linksys router.

My question is how secure is this set up?
What can I do to make it more secure?

Thanks for the help.
Question by:mmedici1
16 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12122752
You are going to be extremely limited on what you can do with a Linksys router. Your other tenants have full access to your LAN! This is not a good thing. With a Linksys router there is only a limited capability to develop a security policy that would restrict/prevent any access to your LAN.

You may want to look at using Cisco PIX low-end firewalls to provide the security.  PIX 501 (10-user) can be had for around $350US and 50-user for around $550US.
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12122972
##WARNING
##This post has been edited at the request of RHenningsgard to point out
##that it is incorrect.  Please read the entire thread carefully.
##majorwoo, EE Page Editor

<<You other tenants have full access to your LAN!>>

Uh... no. That's true only if: a) the Linksys router improperly routes packets in the non-routable address range of 10.x.x.x, or b) the small company's Ethernet is interconnected to the large one with a hub or some other type of bridge, allowing packets from the small company's LAN to circulate directly onto the large company's LAN.

So long as the WAN port on the Linksys router is the only one that connects to your large company's LAN, you're in pretty good shape, security-wise, IMO.

In my opinion, the worst security risk posed by the Linksys router is the fact that its internal OS is Linux.  Depending on its firmware revision, there has been at least one demonstrated buffer overflow exploit which allowed the execution of arbitrary code inside the router's CPU.  I think it's only a matter of time before more overflow exploits are discovered there, which is a very scary prospect indeed, given the number of such routers currently connected to the internet.

As to the Cisco PIX 501, I'm sure netspec01 knows 100x more about that solution than I do.  If you're truly worried about the security of your setup, I recommend you take his advice.

Rob---
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12123040
My question is: does the LinkSYS have a built-in firewall? If yes, then you can configure it to basically protect your site.

Now for the big question: how important is your data? Is it classified? If yes, then a LinkSYS is not the proper solution and netspec01 answered that question properly. In order to build a good security design you will need to keep a few things in mind:
1. Foremost is your budget.
2. How important is your data?
3. How important is it to the decision-making personnel?
4. Your current architecture?
5. Do you have mobile users?
6. What are your future plans?

If you can answer some of those questions I may be able to assemble you a nice security plan. Either way, keep the points here in mind.
The PIX 501 is a great firewall but does it accommodate your site? You may also consider ISA Server 2004 (which is a great firewall compared to its previous versions)... there are so many possibilities...

Cyber
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12123060
Didn't refresh, so sorry if there are any already covered issues...

:)

Cyber
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12123126
I forgot to mention that my comment about security applies if and only if the Linksys is one of the models which does NAT, like their wireless cable/DSL routers, and which by default does no port mapping.  My comments would apply to models BEFW1154, WRT54G, and the like.

Rob---
 
LVL 5

Expert Comment

by:netspec01
ID: 12123169
The 10.10.20.0 network which is on the WAN side is treated as the public network. The Linksys doesn't know the concept of non-routable addresses, and the 10.0.0.0 network is considered just like any other network.

To secure this network from the tenants' network, a policy such as "deny any <tenant network> <10.10.20.0 network>" must be in place, as well as allowing all other traffic.
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12123296
<<The 10.10.20.0 network which is on the WAN side is treated as the public network.>>

Yikes!  I'm going to go test that right now!  I was under precisely the opposite impression.  Will test that today and report results back to this thread, lest I perpetrate a dangerous, uncorrected falsehood here on EE.  netspec, thanks for that one!

Rob---
 
LVL 79

Expert Comment

by:lrmoore
ID: 12123348
Agree with netspec01. The 192.168.1.x network has full access to your 10.10.20.x network to do anything they want, yet you have no access to theirs. Not the best scenario. Some Linksys products give you the option to set up access restrictions, but it is not granular enough to restrict by IP subnet to not permit access to your subnet, yet still permit Internet access.
I'm also a big fan of the Cisco PIX, and the 501 is an excellent choice for this application. It will easily do exactly what you need it to do.
 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12123472
Netspec01 and lrmoore, you are, as you know, absolutely correct.  I am flabbergasted by this obvious misbehavior of those routers, routing packets from one designated LAN subnet to another.  I'm going to touch base with customer service to either strike my errant comment, or edit it to put a warning of some kind on it so it doesn't misinform anyone.  How embarrassing (but I guess getting educated sometimes is).

 
LVL 2

Expert Comment

by:RHenningsgard
ID: 12124520
Thanks majorwoo for editing my post to warn about its inaccuracy on the non-routing issue.

(On the other hand, I discovered _another_ overflow crash in the older of my Linksys routers this morning, so my comment about Linux on consumer-market routers stands).
 
LVL 8

Accepted Solution

by:
holger12345 earned 500 total points
ID: 12128780
There is solution for your task with a third router

LAN1 ---Router1
                |
             LAN3 --- Router3 --- Internet
                |
LAN2 ---Router2

Create an intermediate LAN (LAN3) and NAT both of your LANs to it... route that LAN3 to the internet... is that too simple?

i.e. use 192.168.1.0/24 for LAN1 ("/24" means "subnet is 255.255.255.0")
use 192.168.2.0/24 for LAN2
use 192.168.3.0/24 for LAN3

Hope that helps
Holger
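The two designs in this thread, as an added example that is not part of any poster's answer: a small stand-alone Python model (standard library only) of the setup as posted, of netspec01's "deny tenant to 10.10.20.0, permit everything else" rule, and of holger12345's three-router layout. The addresses are the ones used in the thread; 198.51.100.7 is a made-up Internet host, and the router WAN addresses 10.10.20.2, 192.168.3.1 and 192.168.3.2 are assumed, since the thread does not give them.

```python
# Added example (not from the thread): a toy forwarding model of the designs
# discussed above, using only the standard library. Addresses are the ones the
# posters used; 198.51.100.7 stands in for an arbitrary Internet host and the
# router WAN addresses are assumed (constructed for this example).
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def pkt(src: str, dst: str) -> Packet:
    return Packet(ip_address(src), ip_address(dst))


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_allows(rules, p: Packet, default: str = "permit") -> bool:
    """First-match access list. A consumer NAT router with no policy behaves
    like an empty list with default 'permit': everything from the LAN is
    forwarded, private destinations included (netspec01's point)."""
    for r in rules:
        if p.src in r.src and p.dst in r.dst:
            return r.action == "permit"
    return default == "permit"


@dataclass
class NatRouter:
    name: str
    lan: IPv4Network           # hosts behind the router
    wan_addr: IPv4Address      # the router's own address on the shared segment
    acl: list = field(default_factory=list)   # applied to LAN -> WAN traffic

    def forward_out(self, p: Packet):
        """Source-NAT a LAN packet onto the WAN side, or None if the ACL drops it."""
        if p.src not in self.lan or not acl_allows(self.acl, p):
            return None
        return Packet(self.wan_addr, p.dst)   # destination is left untouched


def trace(routers, shared: IPv4Network, p: Packet) -> str:
    """Where does a packet end up? 'shared' is the segment the routers' WAN
    ports sit on (the company LAN in the thread's setup, LAN3 in holger's)."""
    origin = next((r for r in routers if p.src in r.lan), None)
    if origin is not None:
        p = origin.forward_out(p)
        if p is None:
            return "dropped-by-acl"
    elif p.src not in shared:
        raise ValueError("source is not on a modelled segment")
    if p.dst in shared:
        return "delivered-to-shared-segment"   # a host, or a router's WAN port, there
    if any(p.dst in r.lan for r in routers):
        # Nothing routes to a NATed LAN from outside, and the router drops
        # unsolicited inbound traffic unless a port mapping was configured.
        return "unreachable-behind-nat"
    return "forwarded-to-internet"


def thread_setup(tenant_acl=()):
    """Linksys WAN port on the company's 10.10.20.0/24, tenants on 192.168.1.0/24."""
    linksys = NatRouter("Linksys", ip_network("192.168.1.0/24"),
                        ip_address("10.10.20.2"), list(tenant_acl))
    return [linksys], ip_network("10.10.20.0/24")


# netspec01's policy: deny tenant -> company, permit everything else. If the
# company uses more internal prefixes than 10.10.20.0/24, each one needs a deny.
NETSPEC_ACL = [Rule("deny", ip_network("192.168.1.0/24"), ip_network("10.10.20.0/24"))]


def holger_setup():
    """Two NAT routers with WAN ports on an intermediate LAN3; Router3 (LAN3's
    default gateway to the Internet) is not modelled beyond the final hop."""
    r1 = NatRouter("Router1", ip_network("192.168.1.0/24"), ip_address("192.168.3.1"))
    r2 = NatRouter("Router2", ip_network("192.168.2.0/24"), ip_address("192.168.3.2"))
    return [r1, r2], ip_network("192.168.3.0/24")


if __name__ == "__main__":
    cases = [
        ("as posted, tenant -> company server", thread_setup(), pkt("192.168.1.50", "10.10.20.10")),
        ("as posted, company -> tenant host", thread_setup(), pkt("10.10.20.10", "192.168.1.50")),
        ("with deny rule, tenant -> company server", thread_setup(NETSPEC_ACL), pkt("192.168.1.50", "10.10.20.10")),
        ("with deny rule, tenant -> Internet", thread_setup(NETSPEC_ACL), pkt("192.168.1.50", "198.51.100.7")),
        ("three routers, LAN1 -> LAN2 host", holger_setup(), pkt("192.168.1.50", "192.168.2.20")),
        ("three routers, LAN1 -> Router2 WAN port", holger_setup(), pkt("192.168.1.50", "192.168.3.2")),
    ]
    for label, (routers, shared), p in cases:
        print(f"{label:45} {trace(routers, shared, p)}")
```

Run it and the table shows the three facts the thread settles on: with the Linksys as posted, a tenant host reaches a company server on 10.10.20.0/24 while the company cannot reach the tenant hosts; the single deny rule closes that path without touching Internet traffic; and with the intermediate LAN3 neither tenant LAN can reach the other's hosts, although each tenant can still reach the other router's WAN port on LAN3, so those routers' administration interfaces should not listen on the WAN side.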
 
LVL 5

Expert Comment

by:netspec01
ID: 12129748
I would advise not to mess around with a limited capability NAT device like Linksys for this application.  In fact at the low price that Cisco is charging for the PIX and all of its capabilities I would never put in a Linksys for a firewall for a business.   My 2 cents!
 
LVL 8

Expert Comment

by:holger12345
ID: 12138063
netspec: even though you're right... advice to buy more professional equipment is often and quickly given... but my solution is to point out how it works with a bit of unprofessional equipment... perhaps that's what he/she wanted?!
 
LVL 5

Expert Comment

by:netspec01
ID: 12139542
Well, we've given you a few options here and pointed out some security precautions along the way. Take a look at some of the design considerations that Cyber-Dude and others have put forth and make your choice. Hope all of us have helped you!
 
LVL 8

Expert Comment

by:holger12345
ID: 12220982
Thx for the A (though I don't even know what it's worth in this community) ;-))
