maxpi
VPN over a LAN

In my SOHO situation I want to set up a two computer system, both machines running Win XP Pro. The idea is to have one computer not connected to the internet and completely invisible from the internet but connected to the second computer via a LAN. The second computer will connect to the internet via a Cisco Router. Security of the Internet connected machine is not a high priority, the intellectual property on the other machine is what I need to protect. I am thinking of using a VPN over a wired LAN to ensure that invisibility and make it hard for a hacker to bridge the networks. Maybe the VPN won't help at all in that but maybe somebody can tell me what I should be doing to make it impossible for somebody on the internet to bridge over to the LAN? Can I run some software on the internet connected machine to make it impossible for a hacker to bridge the networks perhaps?

Max
Rich Rumble

It's called dynamic NAT. With dynamic NAT (aka masquerading) you tell the router that an IP of x.x.x.x wanting to go to the public internet (meaning a subnet not in RFC 1918) should be given the public address. With dynamic NAT, you're going to be making "established" connections, meaning that the router will be keeping track of where you're wanting to go, and allowing those places to send you data back. However, if there is data that is not from an established connection wanting in, it will not go to the second PC, because you did not request data from that source. A static NAT is different: you're hard coding a public IP to a private IP, so that all data that is permitted through the access list will always go to the private IP computer you specified. There is also PAT, where you can tell the firewall that sources trying to connect to port 25 of the public IP will go to the second PC; this is static PAT.

The easiest thing to do, especially if you've not done much routing or setup of routers, is to use Windows ICS. This will do the masquerading/DNAT you're looking for. You can use the router as a nice firewall, or not use it at all. If you turn on XP's firewall, by default it allows all ports out, and no ports in. It's actually a very good software firewall as far as keeping people out, but it's not as configurable as other software firewalls are. Let's say you set up ICS, and you've got a cross-over cable connecting PC2's NIC directly to a second NIC in PC1. The first NIC in PC1 is connected to your cable modem/DSL router, what have you... Even if PC1 was "owned" or root'd by hackers, they couldn't get to PC2 because you have the XP firewall on, and it, like most firewalls, only allows established connections to send data to it. NAT'ing isn't an established connection (i.e. ICS), but if you had a mapped drive from PC1 to PC2, they could see that, and if you had a shared drive, then you had to open port 139 or 445 to allow this to happen, and they can scan and get on PC2 this way.
-rich
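A constructed model of the behaviour the answer above describes (dynamic masquerading that only lets replies to established flows back in, plus a static PAT rule that always forwards one port to the inside host). This is an added example, not code from the thread or from any router; the `NatRouter` class is hypothetical and the IPs are from the documentation ranges.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    """Hypothetical stateful NAT box: dynamic masquerading plus optional static PAT rules."""
    public_ip: str                                  # constructed: 198.51.100.1 (documentation range)
    lan_prefix: str = "192.168.1."                  # RFC 1918 space behind the router
    static_pat: dict = field(default_factory=dict)  # {public_port: (private_ip, private_port)}
    table: dict = field(default_factory=dict)       # pub_port -> (priv_ip, priv_port, remote_ip, remote_port)
    next_port: int = 40000

    def outbound(self, pkt):
        """LAN host starts a flow: remember it as 'established' and rewrite the source to the public IP."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, known in self.table.items():  # reuse an existing translation
            if known == flow:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet side: forward a reply to an established flow or a static PAT hit; drop everything else."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):    # reply from the peer we contacted
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.static_pat:                       # hard-coded mapping, e.g. port 25 -> pc2
            priv_ip, priv_port = self.static_pat[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return None                                               # unsolicited: nobody inside asked for it

def demo():
    """Walk the cases from the answer above; returns what reaches the LAN (None = dropped)."""
    r = NatRouter("198.51.100.1", static_pat={25: ("192.168.1.2", 25)})
    out = r.outbound(Packet("192.168.1.2", 51000, "203.0.113.10", 80))   # inside host browses a web server
    reply = r.inbound(Packet("203.0.113.10", 80, "198.51.100.1", out.src_port))
    scan = r.inbound(Packet("203.0.113.66", 4444, "198.51.100.1", 445))  # unsolicited probe of port 445
    spoof = r.inbound(Packet("203.0.113.66", 4444, "198.51.100.1", out.src_port))  # wrong peer for flow
    mail = r.inbound(Packet("203.0.113.20", 2525, "198.51.100.1", 25))    # static PAT forwards this
    return out, reply, scan, spoof, mail
```

The point of the model is the `table` lookup in `inbound`: only a packet whose source matches the peer of a flow the inside host opened is translated back; the static PAT entry is the one deliberate exception.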
maxpi

ASKER

I am not sharing drives or printers, just running a little dll on computer #2 to tell computer #1 what to do occasionally. So you are saying the windows firewall on computer #1 takes care of the situation?
Yep. I'd recommend ZoneAlarm if you want more control over who or what can or cannot connect to your PC; the M$ firewall doesn't allow you to specify an allowed range of IP addresses. You could, for example, leave port 3389 open, but the only IP address that can see that is the one you have at work, for example. Otherwise, if all you need is a simple firewall to deny ALL, XP's is fine. If you have 2 NICs in PC1, you'll have 2 firewalls on PC1, and might have to allow something through so that your DLL can run, but the NIC facing the internet will deny any.
-rich
maxpi

ASKER

If I could allow only the dll to talk out from computer #2 on the LAN and only the app that talks to the dll from computer #1 to talk in to computer #2 on the LAN it would be perfect. Can Zone Alarm do that? If so, which computer would I install it on?

Max
ASKER CERTIFIED SOLUTION
Rich Rumble
maxpi

ASKER

I have to set up the LAN to have static IP addresses because the DLL has to have the IP address typed in for it to operate. I guess that I could run Zone Alarm on one or both machines and do the blocking by denying all apps that I don't want to have access over the LAN rather than anything to do with IP addresses. I have used Zone Alarm for firewalling the WAN before but never the LAN. Does it automatically apply to the LANs as well or do I have to tell it the LAN IP address or otherwise direct it to watch the LAN?

Max

maxpi

ASKER

A quick Google search answered that last Q. Zone Alarm looks at the LAN. Thank you all for the help. You helped me to formulate the question better and you provided answers. I appreciate the help.

Max
Glad to be of service.
-rich