Solved

VPN over a LAN

Posted on 2005-03-15
1,186 Views
Last Modified: 2013-12-04
In my SOHO situation I want to set up a two-computer system, both machines running Win XP Pro. The idea is to have one computer not connected to the internet and completely invisible from the internet, but connected to the second computer via a LAN. The second computer will connect to the internet via a Cisco router. Security of the internet-connected machine is not a high priority; the intellectual property on the other machine is what I need to protect. I am thinking of using a VPN over a wired LAN to ensure that invisibility and make it hard for a hacker to bridge the networks. Maybe the VPN won't help at all in that, but maybe somebody can tell me what I should be doing to make it impossible for somebody on the internet to bridge over to the LAN? Can I run some software on the internet-connected machine to make it impossible for a hacker to bridge the networks, perhaps?

Max
Question by:maxpi
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13555051
It's called dynamic NAT. With dynamic NAT (aka masquerading), you tell the router that an IP of x.x.x.x wanting to go to the public internet (meaning a subnet not in RFC 1918) should be given the public address. With dynamic NAT, you're going to be making "established" connections, meaning that the router will be keeping track of where you're wanting to go, and allowing those places to send you data back. However, if there is data that is not from an established connection wanting in, it will not go to the second PC, because you did not request data from that source. A static NAT is different: you're hard-coding a public IP to a private IP, so that all data that is permitted through the access list will always go to the private IP computer you specified. There is also PAT, where you can tell the firewall that sources trying to connect to port 25 of the public IP will go to the second PC; this is static PAT.

The easiest thing to do, especially if you've not done much routing or setup of routers, is to use Windows ICS. This will do the masquerading/DNAT you're looking for. You can use the router as a nice firewall, or not use it at all. If you turn on XP's firewall, by default it allows all ports out and no ports in. It's actually a very good software firewall as far as keeping people out, but it's not as configurable as other software firewalls are. Let's say you set up ICS, and you've got a cross-over cable connecting pc2's NIC directly to a second NIC in pc1. The first NIC in pc1 is connected to your cable modem/DSL router, what have you... Even if pc1 was "owned" or rooted by hackers, they couldn't get to pc2, because you have the XP firewall on, and it, like most firewalls, only allows established connections to send data to it. NAT'ing isn't an established connection (i.e. ICS), but if you had a mapped drive from pc1 to pc2 they could see that, and if you had a shared drive then you had to open port 139 or 445 to allow this to happen, and they can scan and get on pc2 this way.
-rich
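The dynamic NAT versus static PAT distinction in the comment above, as an added toy model in Python (not code from the thread or from any product named in it): pc2 sits behind an ICS/NAT box, the addresses and port numbers are constructed, and the "router" is reduced to a translation table with no timeouts or TCP state.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed: public side of the ICS/NAT box (pc1)
PC2 = "192.168.0.2"         # constructed: the isolated LAN machine behind it

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Dynamic NAT with an 'established' table, plus optional static PAT entries."""
    def __init__(self, public_ip=PUBLIC_IP, static_pat=None, first_port=40000):
        self.public_ip = public_ip
        self.static_pat = static_pat or {}  # public port -> (private ip, private port)
        self.next_port = first_port
        self.established = {}  # public port -> (priv_ip, priv_port, peer_ip, peer_port)
    def outbound(self, pkt):
        """LAN host initiates a connection: remember the flow and rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = next((p for p, f in self.established.items() if f == flow), None)
        if pub_port is None:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.established[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
    def inbound(self, pkt):
        """Internet side: deliver a reply to an established flow or a static PAT target; drop the rest."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.static_pat:  # static PAT: forwarded whether or not anyone asked
            priv_ip, priv_port = self.static_pat[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        flow = self.established.get(pkt.dst_port)
        if flow is None or (pkt.src_ip, pkt.src_port) != flow[2:]:
            return None  # unsolicited, or the right port from the wrong peer
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])

def demo():
    """Dynamic NAT only: just the reply to pc2's own request gets through to pc2."""
    nat = Nat()
    out = nat.outbound(Packet(PC2, 1025, "198.51.100.5", 80))  # pc2 fetches a web page
    reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out.src_port))
    stranger = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 445))  # nobody asked
    wrong_peer = nat.inbound(Packet("198.51.100.99", 80, PUBLIC_IP, out.src_port))
    return out, reply, stranger, wrong_peer

def demo_static_pat():
    """Same box with port 25 statically mapped to pc2: unsolicited traffic does reach pc2."""
    return Nat(static_pat={25: (PC2, 25)}).inbound(Packet("198.51.100.99", 50000, PUBLIC_IP, 25))
```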

Author Comment

by:maxpi
ID: 13562453
I am not sharing drives or printers, just running a little dll on computer #2 to tell computer #1 what to do occasionally. So you are saying the windows firewall on computer #1 takes care of the situation?
LVL 38

Expert Comment

by:Rich Rumble
ID: 13564478
Yep. I'd recommend ZoneAlarm if you want more control over who or what can or cannot connect to your PC; M$ firewall doesn't allow you to specify an allowed range of IP addresses. You could, for example, leave port 3389 open, but the only IP address that can see that is the one you have at work, for example. Otherwise, if all you need is a simple firewall to deny ALL, XP's is fine. If you have 2 NICs in pc1, you'll have 2 firewalls on pc1, and might have to allow something through so that your DLL can run, but the NIC facing the internet will deny any.
-rich

Author Comment

by:maxpi
ID: 13568058
If I could allow only the dll to talk out from computer #2 on the LAN and only the app that talks to the dll from computer #1 to talk in to computer #2 on the LAN it would be perfect. Can Zone Alarm do that? If so, which computer would I install it on?

Max
LVL 38

Accepted Solution

by:Rich Rumble (earned 1000 total points)
ID: 13568154
ZoneAlarm PRO can; it's the pay version. You can allow x.x.x.x to x.x.x.x and deny everything else. There are free firewalls out there also that might do this, but I am not familiar with them.
http://www.tinysoftware.com/home/tiny2?la=EN (oops... they used to be free)
http://smb.sygate.com/products/spf_standard.htm lots of people like this one
-rich

Author Comment

by:maxpi
ID: 13568935
I have to set up the LAN to have static IP addresses because the DLL has to have the IP address typed in for it to operate. I guess that I could run Zone Alarm on one or both machines and do the blocking by denying all apps that I don't want to have access over the LAN, rather than anything to do with IP addresses. I have used Zone Alarm for firewalling the WAN before but never the LAN. Does it automatically apply to the LAN as well, or do I have to tell it the LAN IP addresses or otherwise direct it to watch the LAN?

Max


Author Comment

by:maxpi
ID: 13570006
A quick google answered that last Q. Zone Alarm looks at the LAN. Thank you all for the help. You helped me to formulate the question better and you provided answers. I appreciate the help.

Max
LVL 38

Expert Comment

by:Rich Rumble
ID: 13570934
Glad to be of service.
-rich