jahboite (United Kingdom) asked:

Routing between two networks

We have a network on 192.168.x.0/24 and we have recently set up a separate standalone network.

Whilst the standalone network was being set up it was permissible and indeed necessary to connect to the web and our other network and we connected a switch on each network to one another.  In order to get routing between the networks we manually configured all machines on what would become the standalone network to use 192.168.x... and this worked fine.

We have now completed the set up, the network is in use and it is no longer permissible to connect the standalone network beyond itself. It must remain completely isolated.  We're now using DHCP 192.168.y.0/24 for this network.

If in the future, it is necessary (although I'd be breaking the rules!) to get a connection to our main network I would again connect a switch on each network.  But I would have no routing between them - is this a correct assumption?

1) How would I go about setting up a temporary route that would allow the standalone network to reach outside itself, but not for the outside to reach in?

2) How would I demonstrate that no-one on our main network could detect the presence of the standalone network whilst this routing was in place?

Both networks are domains using W2K3 as DCs.

I'm sure that this is an easy question for somebody, but I think it warrants top points!
jahboite (asker) replied:

Thank you Alan and jaysonfranklin,

This is a good idea I'd not considered and some kind of hardware firewall could I'm sure be configured to be completely undetectable from one side of it whilst letting certain traffic be initiated from the other.

The thing is, I cannot put a box between the two networks because on a day-to-day basis, they'll be physically separate.  Only on very rare occasions might they need to be connected, but as I said, the rules disallow this.  Therefore I cannot be seen to be putting something in place that makes it secure.

I'm looking for a temporary solution that would not draw attention to itself, but that I could also demonstrate, if necessary, is 100% secure.

Am I perhaps asking for too much? (I usually am!)
jahboite (asker) replied:

dlangr - this looks like just the ticket and I've been playing around with this command at home with the aim of simulating two nets:

I've got a router with a pc and a laptop on wired lan. The router is 192.168.1.1 and PC 192.168.1.11.
When all three boxes are on the same subnet I can ping each machine from each other.

I've then configured the laptop to 192.168.2.1 and added a route to 192.168.1.0.
I can't then ping across the subnets from any of the three machines.
I've added routes to 192.168.2.0 on the other two boxes and I can now ping from laptop to PC and the other way round, but the router still won't ping across the subnets. (doesn't matter because I'm pretending it's just a switch, but I cannot explain this - can you?)
And I can browse by IP address from laptop to PC and vice versa.  Good.

Now then, I've proved to my satisfaction that having only a route on the PC to the laptop means I can't get an echo back from the laptop, which is nice and safe. Good.
But at the same time neither machine will talk to each other because only one of them knows a route to the other!

So I have to ask - is this expected and if so, what bloody use is that? (I'm giggling to myself because I think I should have seen this coming, no?)

But I would be right in saying, would I not, that by adding a route from a specific machine to another specific machine in both directions will allow them to talk to each other?

Would this traffic manage to pass between the two switches in question?

I really have a lot to learn about networking!

Jaysonfranklin - Without going into any detail, there's nothing shady about this at all and I'm not trying to cover any tracks. There is a very real restriction on connecting this network beyond itself and I must be absolutely certain that I wouldn't expose it to any risk of intrusion, which is why the main network must not know of the connection - for instance the standalone domain name showing up in Microsoft Windows Network!!!
A firewall would have to be documented and I can't document something that isn't supposed to be needed!

Just to note that I am the admin for the networks - god help them!

prashax - thanks for that, I could use the RRAS and I'll look into the possibility.  I do have 2 NICs but they're teamed so this may be a bit of a farce, but investigate it I will!
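As an added illustration of the home test described in the post above (this is a constructed model, not code from the thread or from any product): each box gets a tiny static routing table with longest-prefix matching, and a ping is counted as successful only when the request and the reply both find a route. It also shows why a box whose only other entry is a default route towards a WAN side cannot reach the second subnet; that the home router holds such a route is an assumption, and the WAN gateway address used is made up.

```python
import ipaddress

class Host:
    def __init__(self, name, addr):
        self.name = name
        self.addr = ipaddress.ip_address(addr)
        self.routes = []          # [(network, gateway)]; gateway None means on-link
        # The connected /24 is always on-link, as Windows installs it automatically.
        self.add_route(ipaddress.ip_network(f"{addr}/24", strict=False))

    def add_route(self, prefix, gateway=None):
        self.routes.append((ipaddress.ip_network(prefix),
                            ipaddress.ip_address(gateway) if gateway else None))

    def next_hop(self, dst):
        """Longest-prefix match: None if nothing matches, the destination itself
        for an on-link route, otherwise the route's gateway."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        _net, gw = max(matches, key=lambda r: r[0].prefixlen)
        return gw if gw is not None else dst

SWITCH = {}                       # one flat segment: IP address -> Host
def attach(host):
    SWITCH[host.addr] = host
    return host

def deliver(src, dst):
    """One packet, one hop: it arrives only if the chosen next hop is on the switch."""
    nh = src.next_hop(dst)
    if nh is None:
        return "no route"
    return "ok" if nh in SWITCH else f"next hop {nh} not on segment"

def ping(a, b):
    """An echo succeeds only if the request a->b AND the reply b->a both deliver."""
    return deliver(a, b.addr) == "ok" and deliver(b, a.addr) == "ok"

pc     = attach(Host("pc", "192.168.1.11"))
laptop = attach(Host("laptop", "192.168.2.1"))
router = attach(Host("router", "192.168.1.1"))
router.add_route("0.0.0.0/0", "203.0.113.1")   # assumed WAN default route; address is constructed
pc.add_route("192.168.2.0/24")        # only the PC knows the way across
ONE_WAY = ping(pc, laptop)            # False: request arrives, but the reply has no route
laptop.add_route("192.168.1.0/24")    # now both ends hold a route
BOTH_WAYS = ping(pc, laptop)          # True
ROUTER_PING = ping(router, laptop)    # False: the default route pushes it out the WAN side
```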
jahboite (asker) replied:

That's true Alan, I hadn't thought of the IP change from that angle.
It's a good job we've based our security on total isolation!
I had wanted to demonstrate a readiness to cope with the possible requirement of connecting the networks - even if only briefly (it's not like our main network is insecure because it most certainly is not), but having read the collective input here I'm coming to the conclusion that I should refuse the temptation and, should it be necessary, find another way to deal with any issue that could be solved by a connection.

We have one issue right now and it's a good example of why I might have been tempted:
We have an Enterprise AV product installed (on both networks actually) and I've already demonstrated that we can perform application, engine and signature updates using the main network and then transfer the same packages to the standalone network using a removable device.
That's all lovely except that we've discovered that the AV calls a webserver to check its license periodically and after a number of days of being unable to do so, it reports its license as expired and will not allow any signature updates! Can you effing believe it?

Anyway I'm going to split the points 4 ways.  Thank you all for your wise words.