Solved

Routing between two networks

Posted on 2006-11-13
11
6,245 Views
Last Modified: 2013-12-07
We have a network on 192.168.x.0/24 and we have recently set up a separate standalone network.

Whilst the standalone network was being set up it was permissible and indeed necessary to connect to the web and our other network and we connected a switch on each network to one another.  In order to get routing between the networks we manually configured all machines on what would become the standalone network to use 192.168.x... and this worked fine.

We have now completed the set up, the network is in use and it is no longer permissible to connect the standalone network beyond itself. It must remain completely isolated.  We're now using DHCP 192.168.y.0/24 for this network.

If in the future, it is necessary (although I'd be breaking the rules!) to get a connection to our main network I would again connect a switch on each network.  But I would have no routing between them - is this a correct assumption?

1) How would I go about setting up a temporary route that would allow the standalone network to reach outside itself, but not for the outside to reach in?

2) How would I demonstrate that no-one on our main network could detect the presence of the standalone network whilst this routing was in place?

Both networks are domains using W2K3 as DC's.

I'm sure that this is an easy question for somebody, but I think it warrants top points!
Question by:jahboite
11 Comments
 
LVL 8

Assisted Solution

by:saw830
saw830 earned 175 total points
ID: 17932692
Hi jahboite,
If I were doing this, I would use a small firewall (appliance or PC with OS and firewall software) to route between the two networks, but shield the special network from the main network.

An appliance that I have done this with is:
http://www.securecomputing.com/index.cfm?skey=1485

But I am currently designing a very similar network setup and expect to use an ordinary PC and this free product:
http://m0n0.ch/wall/  

Hope this helps,
Alan
0
 
LVL 1

Assisted Solution

by:jaysonfranklin
jaysonfranklin earned 75 total points
ID: 17932891
Smoothwall all the way.
0
 
LVL 12

Author Comment

by:jahboite
ID: 17933053
Thank you Alan and jaysonfranklin,

This is a good idea I'd not considered and some kind of hardware firewall could I'm sure be configured to be completely undetectable from one side of it whilst letting certain traffic be initiated from the other.

The thing is, I cannot put a box between the two networks because on a day-to-day basis, they'll be physically separate.  Only on very rare occasions might they need to be connected, but as I said, the rules disallow this.  Therefore I cannot be seen to be putting something in place that makes it secure.

I'm looking for a temporary solution that would not draw attention to itself, but that I could also demonstrate, if necessary, is 100% secure.

Am I perhaps asking for too much? (I usually am!)
0
 
LVL 7

Assisted Solution

by:dlangr
dlangr earned 175 total points
ID: 17933054
connect the networks by the switch, then do the following on the pc you want to have access to the other network:

route add 192.168.y.0 mask 255.255.255.0 192.168.x.z

where z is the last number of the IP address of the local network interface which is connected to the 192.168.x.0/24 network.

Unless the computers on the 192.168.y.0 network are configured with similar routes, they will not know how to reach the 192.168.x.0 network.

You should not leave this in place though, and using a router with a firewall like stated above is a better solution.
0
 
LVL 7

Assisted Solution

by:dlangr
dlangr earned 175 total points
ID: 17933113
you can delete the route by either rebooting or typing:

route del 192.168.y.0 mask 255.255.255.0 192.168.x.z

To prove the other network does not see your route, run ping on a machine in the other network to the ip address of the machine you made the route on. It should tell you: network unreachable.
0
 
LVL 1

Assisted Solution

by:jaysonfranklin
jaysonfranklin earned 75 total points
ID: 17933149
Well, first of all, it seems that when merging two networks, it is because attention has been drawn to the point where it has become a need to have the networks linked. Your last comment almost sounds shady. Why wouldn't you want anybody to know you connected these two networks? Also, I'll go ahead and tell you, if you do this, whoever is managing the network will more than likely notice the change. I know I would. If you want to connect two remote offices together, use a VPN. It's probably the most secure, and a lot less expensive than leased lines. You would use access-lists to permit exactly what traffic you want going in and out of each network. Let me know if this helps...


and to add something else...most of the time when you want to merge networks, it's because one network needs to use network resources (servers, etc.) on a different network. Are you trying to access the servers on another network? or do you just need access to a specific host on another network? If so, a vpn tunnel to the host would probably be less of a hassle.

There's some good freeware vpn that's pretty good. I use it on my home pc. Get it here....logmein.com
0
 
LVL 7

Assisted Solution

by:dlangr
dlangr earned 175 total points
ID: 17933806
You can also put a second network card in your PC and plug in a cable from the other network when you need to access it. Either rely on DHCP for getting an IP address or configure the network card(s) with a static IP which is outside the IP range. You could then disconnect the default network card while accessing the other network. Both networks won't be able to see each other, 100% guaranteed (because you unplugged it). It would however allow things like viruses present on your PC at the time you switch networks to infect the other network.

You can also do this with 1 network card, but if you do not use dhcp on one of the networks you would have to reconfigure the interface every time.

Disclaimer: none of my posts should be used to circumvent security policies on networks you are not the admin of. Note that tinkering with a secured network is almost always noticed by the admins responsible for securing them.
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 75 total points
ID: 17934072
If you need only a temporary solution then you can use the Windows RRAS service.

With this only the second network can reach the main network and not vice versa.

The reason that the main network cannot reach the second network is that you will be using NAT for the second network.

Here is how you configure it.

Take any machine with Windows 2003 installed on it. It should also have two NIC cards as well.

First NIC would be connected to second network and other to main network.

Now, configure RRAS as a NAT server (same option with which Internet access is given).
The only difference is that you are giving access to the main network and not the internet.
Here is the link to configure it.
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Server-2003-act-NAT-router.html

Let me know if you have any confusion.



0
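To make the "second network can reach the main network and not vice versa" claim concrete, here is a small stateful NAT model written for this thread (it is not RRAS code and not from any poster). The addresses are constructed: 192.168.20.0/24 stands in for the isolated 192.168.y.0/24 and 192.168.10.254 for the RRAS box's address on the main 192.168.x.0/24. It shows why a main-network host sees only the NAT box's address, and why packets that no inside host asked for are dropped at the NAT.

```python
import ipaddress
import itertools


class Nat:
    """Minimal stateful NAPT standing in for the RRAS NAT role (constructed model, not RRAS code).

    Private side: the isolated 192.168.y.0/24 (here 192.168.20.0/24).
    Public side: one address on the main 192.168.x.0/24 (here 192.168.10.254).
    Only flows initiated from the private side get a translation entry; anything arriving
    on the main-network NIC without a matching entry is dropped.
    """

    def __init__(self, private_net, public_ip, first_port=40000):
        self.private_net = ipaddress.ip_network(private_net)
        self.public_ip = str(ipaddress.ip_address(public_ip))
        self.ports = itertools.count(first_port)
        self.table = {}    # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.reverse = {}  # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.dropped = []

    def outbound(self, pkt):
        """Packet from the private-side NIC; returns the packet as the main network sees it."""
        if ipaddress.ip_address(pkt["src"]) not in self.private_net:
            self.dropped.append(pkt)
            return None
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.reverse.get(key)
        if port is None:  # first packet of a new flow: allocate a public port and remember the peer
            port = next(self.ports)
            self.reverse[key] = port
            self.table[(pkt["proto"], port)] = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Packet from the main-network NIC; returns the de-translated packet, or None if dropped."""
        entry = self.table.get((pkt["proto"], pkt["dport"]))
        if pkt["dst"] != self.public_ip or entry is None or entry[2:] != (pkt["src"], pkt["sport"]):
            self.dropped.append(pkt)  # unsolicited, or from a peer the inside host never talked to
            return None
        inside_ip, inside_port, _, _ = entry
        return dict(pkt, dst=inside_ip, dport=inside_port)


def tcp(src, sport, dst, dport):
    """Constructed packet header; only the fields the NAT looks at."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


def demo():
    """Walk one SMB session out through the NAT and two unsolicited packets in; returns what happened."""
    nat = Nat("192.168.20.0/24", "192.168.10.254")

    # 1. A host on the isolated network opens a connection to a file server on the main network.
    out = nat.outbound(tcp("192.168.20.5", 51000, "192.168.10.10", 445))
    # 2. The server's reply is addressed to the NAT's main-network address and is mapped back.
    back = nat.inbound(tcp("192.168.10.10", 445, out["src"], out["sport"]))
    # 3. A main-network host probes the NAT box on a port no inside host has opened: no entry.
    probe = nat.inbound(tcp("192.168.10.33", 52000, "192.168.10.254", 445))
    # 4. A different main-network host aims at the live mapped port: entry exists, peer mismatches.
    stranger = nat.inbound(tcp("192.168.10.33", 52000, "192.168.10.254", out["sport"]))

    return {
        "server_saw_src": out["src"],               # the 192.168.20.x address never appears
        "reply_delivered_to": back["dst"],
        "probe_delivered": probe is not None,
        "stranger_delivered": stranger is not None,
        "dropped": len(nat.dropped),
    }
```

What the model does not buy you: the RRAS machine's main-side interface is an ordinary host on the main network, so the box itself is visible there even though the 192.168.y.0 addresses are not. That is the distinction Alan draws further down between address translation and an actual firewall policy.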
 
LVL 12

Author Comment

by:jahboite
ID: 17934419
dlangr - this looks like just the ticket and I've been playing around with this command at home with the aim of simulating two nets:

I've got a router with a pc and a laptop on wired lan. The router is 192.168.1.1 and PC 192.168.1.11.
When all three boxes are on the same subnet I can ping each machine from each other.

I've then configured the laptop to 192.168.2.1 and added a route to 192.168.1.0.
I can't then ping across the subnets from any of the three machines.
I've added routes to 192.168.2.0 on the other two boxes and I can now ping from laptop to PC and the other way round, but the router still won't ping across the subnets. (doesn't matter because I'm pretending it's just a switch, but I cannot explain this - can you?)
And I can browse by IP address from laptop to PC and vice versa.  Good.

Now then I've proved to my satisfaction that having only a route on the PC to the Laptop means I can't get an echo back from the laptop which is nice and safe. Good.
But at the same time neither machine will talk to each other because only one of them knows a route to the other!

So I have to ask - is this expected and if so, what bloody use is that? (I'm giggling to myself because I think I should have seen this coming, no?)

But I would be right in saying, would I not, that by adding a route from a specific machine to another specific machine in both directions will allow them to talk to each other?

Would this traffic manage to pass between the two switches in question?

I really have a lot to learn about networking!

Jaysonfranklin - Without going in to any detail, there's nothing shady about this at all and I'm not trying to cover any tracks. There is a very real restriction on connecting this network beyond itself and I must be absolutely certain that I wouldn't expose it to any risk of intrusion which is why the main network must not know of the connection - for instance the standalone domain name showing up in Microsoft Windows Network!!!
A firewall would have to be documented and I can't document something that isn't supposed to be needed!


Just to note that I am the admin for the networks - god help them!


prashsax - thanks for that, I could use the RRAS and I'll look into the possibility.  I do have 2 NICs but they're teamed so this may be a bit of a farce, but investigate it I will!
0
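The behaviour jahboite saw at home (a route on the PC only, no echo back) is exactly what the routing rules predict, and it is worth seeing the reason laid out rather than guessed at. The following is an added model, not code from any poster: each host has a routing table of networks it can reach, and a ping only "works" if the request can leave the sender and the reply can leave the receiver. It uses the same 192.168.1.0/24 and 192.168.2.0/24 addresses as the experiment in the comment above, and finishes with the point Alan makes below, that a host on either side which simply configures an extra address in the other subnet is on-link for it with no route entry at all.

```python
import ipaddress


class Host:
    """A host with one or more addresses and a routing table of networks it knows how to reach."""

    def __init__(self, name, address):
        self.name = name
        self.addresses = []
        self.routes = []
        self.add_address(address)

    def add_address(self, cidr):
        """Configure an address; like a real stack, this installs the on-link route for its subnet."""
        iface = ipaddress.ip_interface(cidr)
        self.addresses.append(iface.ip)
        self.add_route(str(iface.network))

    def add_route(self, cidr):
        """Equivalent of 'route add <net> mask <mask> <own-ip>' on the Windows hosts in the thread."""
        self.routes.append(ipaddress.ip_network(cidr))

    def delete_route(self, cidr):
        """Equivalent of 'route delete <net> mask <mask> <own-ip>'."""
        self.routes.remove(ipaddress.ip_network(cidr))

    def has_route_to(self, ip):
        return any(ip in net for net in self.routes)


def one_way(src, dst):
    """src can emit a packet to some address of dst (the jumpered switches make every address on-link)."""
    return any(src.has_route_to(ip) for ip in dst.addresses)


def ping(src, dst):
    """ICMP echo succeeds only if the request can go out AND the reply can come back."""
    return one_way(src, dst) and one_way(dst, src)


def experiment():
    """Re-run the home experiment step by step; returns the outcome of each step (constructed hosts)."""
    pc = Host("PC", "192.168.1.11/24")
    laptop = Host("laptop", "192.168.2.1/24")
    results = {}

    # Step 1: laptop moved to 192.168.2.1, nothing else changed.
    results["no_routes"] = ping(pc, laptop)

    # Step 2: route added on the PC only (route add 192.168.2.0 mask 255.255.255.0 192.168.1.11).
    pc.add_route("192.168.2.0/24")
    results["pc_route_only_send"] = one_way(pc, laptop)   # request leaves the PC
    results["pc_route_only_ping"] = ping(pc, laptop)      # laptop has no route for its reply

    # Step 3: matching route on the laptop as well.
    laptop.add_route("192.168.1.0/24")
    results["both_routes_ping"] = ping(pc, laptop)

    # Alan's point: routes are a convenience, not a boundary. Remove them again, then let some
    # other main-network host configure a second address inside the "isolated" subnet.
    pc.delete_route("192.168.2.0/24")
    laptop.delete_route("192.168.1.0/24")
    other = Host("other-main-host", "192.168.1.50/24")
    results["extra_address_before"] = ping(other, laptop)
    other.add_address("192.168.2.77/24")   # no route entry needed on the laptop
    results["extra_address_after"] = ping(other, laptop)
    return results
```

So yes, a one-way route is expected to give one-way silence: the laptop receives the request but has no idea where 192.168.1.11 lives, so the reply is never sent. Adding the reverse route makes the pair talk, and the traffic does cross the two jumpered switches because they form a single broadcast domain, which is also why the last step works and why the missing route is not something you can demonstrate as "secure".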
 
LVL 8

Accepted Solution

by:saw830
saw830 earned 175 total points
ID: 17934670
Keep in mind that any connection between the networks that doesn't have some type of firewall in place could not be demonstrated as secure.  Simply connecting two networks together with a jumper will effectively supernet your networks.  By defining an alternate IP address, or simply changing the IP address, on a machine in one network I will gain access to the machines in the other network.

To keep it secure one, or both, networks must consider the other network hostile and put protection in place.  The ultimate firewall is a disconnected cable, hence the no-connect rule.

Just something to think about...
Alan
0
 
LVL 12

Author Comment

by:jahboite
ID: 17934822
That's true Alan, I hadn't thought of the IP change from that angle.
It's a good job we've based our security on total isolation!
I had wanted to demonstrate a readiness to cope with the possible requirement of connecting the networks - even if only briefly (it's not like our main network is insecure because it most certainly is not), but having read the collective input here I'm coming to the conclusion that I should refuse the temptation and, should it be necessary, find another way to deal with any issue that could be solved by a connection.

We have one issue right now and it's a good example of why I might have been tempted:
We have an Enterprise AV product installed (on both networks actually) and I've already demonstrated that we can perform application, engine and signature updates using the main network and then transfer the same packages to the standalone network using a removable device.
That's all lovely except that we've discovered that the AV calls a webserver to check its license periodically and after a number of days of being unable to do so, it reports its license as expired and will not allow any signature updates! Can you effing believe it?

Anyway I'm going to split the points 4 ways.  Thank you all for your wise words.
0