maxpi
VPN over a LAN
In my SOHO situation I want to set up a two-computer system, both machines running Win XP Pro. The idea is to have one computer not connected to the internet and completely invisible from the internet, but connected to the second computer via a LAN. The second computer will connect to the internet via a Cisco router. Security of the internet-connected machine is not a high priority; the intellectual property on the other machine is what I need to protect. I am thinking of using a VPN over a wired LAN to ensure that invisibility and make it hard for a hacker to bridge the networks. Maybe the VPN won't help at all with that, but maybe somebody can tell me what I should be doing to make it impossible for somebody on the internet to bridge over to the LAN? Can I run some software on the internet-connected machine to make it impossible for a hacker to bridge the networks, perhaps?
Max
ASKER
I am not sharing drives or printers, just running a little DLL on computer #2 to tell computer #1 what to do occasionally. So you are saying the Windows firewall on computer #1 takes care of the situation?
Yep. I'd recommend ZoneAlarm if you want more control over who or what can or cannot connect to your PC; M$ firewall doesn't allow you to specify an allowed range of IP addresses. You could, for example, leave port 3389 open, but the only IP address that can see it is the one you have at work, for example. Otherwise, if all you need is a simple firewall to deny ALL, XP's is fine. If you have 2 NICs in PC 1, you'll have 2 firewalls on PC 1, and might have to allow something through so that your DLL can run, but the NIC facing the internet will deny any.
-rich
ASKER
If I could allow only the DLL to talk out from computer #2 on the LAN, and only the app that talks to the DLL from computer #1 to talk in to computer #2 on the LAN, it would be perfect. Can ZoneAlarm do that? If so, which computer would I install it on?
Max
ASKER CERTIFIED SOLUTION
ASKER
I have to set up the LAN to have static IP addresses because the DLL has to have the IP address typed in for it to operate. I guess that I could run ZoneAlarm on one or both machines and do the blocking by denying all apps that I don't want to have access over the LAN, rather than anything to do with IP addresses. I have used ZoneAlarm for firewalling the WAN before but never the LAN. Does it automatically apply to the LAN as well, or do I have to tell it the LAN IP addresses or otherwise direct it to watch the LAN?
Max
ASKER
A quick Google answered that last Q. ZoneAlarm looks at the LAN. Thank you all for the help. You helped me formulate the question better and you provided answers. I appreciate the help.
Max
Glad to be of service.
-rich
The easiest thing to do, especially if you've not done much routing or setup of routers, is to use Windows ICS. This will do the masquerading/DNAT you're looking for. You can use the router as a nice firewall, or not use it at all. If you turn on XP's firewall, by default it allows all ports out and no ports in. It's actually a very good software firewall as far as keeping people out, but it's not as configurable as other software firewalls are.

Let's say you set up ICS, and you've got a crossover cable connecting PC2's NIC directly to a second NIC in PC1. The first NIC in PC1 is connected to your cable modem/DSL router, what have you. Even if PC1 was "owned" or rooted by hackers, they couldn't get to PC2 because you have the XP firewall on, and it, like most firewalls, only allows established connections to send data to it. NATing isn't an established connection (i.e. ICS), but if you had a mapped drive from PC1 to PC2, they could see that, and if you had a shared drive, then you had to open port 139 or 445 to allow this to happen, and they can scan and get on PC2 this way.
-rich
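The setup rich describes here (everything inbound denied, no file sharing on 139/445, and one narrow path for the control program, the same thing the ZoneAlarm exchange earlier in the thread is after) can be written down for the firewall that ships with XP SP2 using its `netsh firewall` context, which accepts `scope=CUSTOM addresses=` to restrict an exception to given source addresses. The script below is an added example, not code from the thread or from either poster; the LAN addresses 192.168.10.1 (internet-facing machine, second NIC) and 192.168.10.2 (protected machine), the program path C:\Control\ctlsvc.exe and the script name are placeholders chosen for the example, and the machine roles follow the original question (the protected box receives commands, the internet-facing box sends them).

```batch
@echo off
REM Added example; not from the thread. Assumed placeholders:
REM   protected machine        192.168.10.2  (one NIC, no default gateway)
REM   internet-facing machine  192.168.10.1  (its second NIC, crossover cable)
REM   control program on the protected machine: C:\Control\ctlsvc.exe
REM Run from an administrator command prompt on Windows XP SP2.
REM Usage:  lockdown.cmd protected     (on the protected machine)
REM         lockdown.cmd facing        (on the internet-facing machine)

if "%1"=="protected" goto protected
if "%1"=="facing" goto facing
echo usage: %~nx0 protected ^| facing
exit /b 1

:protected
REM 1. Firewall on. Exceptions stay enabled because exactly one is needed.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Do not expose SMB/NetBIOS (139/445), remote admin or UPnP, even on the LAN.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

REM 3. The single exception: the control program, reachable only from the
REM    internet-facing machine's LAN address. scope=CUSTOM narrows the source;
REM    anything arriving from another address is dropped like everything else.
netsh firewall add allowedprogram program="C:\Control\ctlsvc.exe" name="Control service" mode=ENABLE scope=CUSTOM addresses=192.168.10.1 profile=ALL

REM 4. Log drops and connections so a pivot attempt from the other box shows up.
netsh firewall set logging droppedpackets=ENABLE connections=ENABLE
goto show

:facing
REM This machine only initiates connections to the protected one, so it needs
REM no inbound exception on either NIC; disable exceptions outright. Replies to
REM its own outbound connections are still allowed as established traffic.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set logging droppedpackets=ENABLE connections=ENABLE
goto show

:show
REM Check the result. The protected machine should list one allowed program
REM scoped to 192.168.10.1 and no open ports; the facing machine should report
REM exception mode disabled.
netsh firewall show config
```

Two caveats a practitioner would want alongside this. A program exception opens whatever ports that program listens on, so if the control program should only ever accept one port, `netsh firewall add portopening protocol=TCP port=<n> ... scope=CUSTOM addresses=192.168.10.1` is the tighter form. And scoping by source address only stops other hosts: if the internet-facing machine itself is compromised, the allowed path from 192.168.10.1 to the control program is still open, so the control program's own input handling is the remaining attack surface on the protected box.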