chrwil

asked on

How can I create an extra secure area within a home network?

Hi,

I've got a home/SOHO network which has two parts to it.

The first is a standard LinkSys router/firewall/switch/wireless box attached to my cable modem. Other members of the family are connected to this - mostly using wireless. All their PCs have a full complement of security software (and I've set up adequate wireless security) but the users are not computer savvy and sometimes not very careful about what they click on or what security warnings they choose to ignore..! But frankly those PCs and all that is on them are 'expendable'.

The second is my work area. This is a wired network which is built around a 3Com switch (which connects to the LinkSys). The content here is more valuable and I'm worried that a security breach on one of the family PCs - perhaps through an ill-advised click - could somehow compromise this part of the network.

Firstly, how real is this threat..?

Secondly, if it is a threat what are my options for creating some extra protection for the work area..? Would it be worthwhile putting a hardware firewall between the LinkSys and the 3Com..? What kind of boxes are available to do this..? What else might work..?

Appreciate any guidance here. Thanks.

Chris
Nitin Gupta

Hi,

Use your Firewall. I am not sure what make is your firewall.

See you can setup a different subnet for your Secure Network (like a DMZ) and set rules in your firewall to restrict any incoming access.

Trust this helps you

Thanks
Nitin Gupta
chrwil (ASKER)

Hi,

My main router/firewall is a LinkSys WRT54G which doesn't appear to let me create subnets. It's a pretty basic box. There is a DMZ option (turned off) but that just appears to open one IP address to everything bad out there!

Is there a better box I could use? Or is there a standalone firewall that would give me what I need?

Regards, Chris
OK, but more about the actual threat...

I have a thing about people going overboard on these!

Firstly, how big is your business, and is it really likely to draw the kind of attention that people would directly make an attack on your systems??

By this I mean, if you are Microsoft, the "hackers", people who run Denial of Service attacks and virus/malware authors directly target them. And a directed attack by experts in their field will require a lot of steps to ensure a good defence against it.

But this is very different from a simple malware program that relies on you opening an email to set it running...

I am assuming that you are a small company and so are not going to attract the directed threats, so you are just worrying about trojans and viruses mostly. Now the simplest idea that I would do is get a firewall between yourself and the rest of the PCs (you could use a simple home cable router for this). I would also make sure the main router is set to drop ICMP packets, as this makes it appear invisible to the average "script kiddy" and many worms, so it also reduces the chances of any of the PCs getting infected.


However the fact is that as long as you have good antivirus software that is up to date, and are careful in what you open, you are unlikely to get infected or attacked. I run an open firewall at home, and just virus software, and I have yet to actually be infected with a virus.

Also back up your data to a removable storage device as often as possible.

I think that setting up the basic settings on a firewall, and using some common sense, will protect from 99% of viruses/attacks.

The other 1% are generally the targeted stuff, and if you are getting that kind of attention then you need to think seriously about getting in someone from a security company to look over your set up and suggest what is right for you.

To be fair the risk is there, but it's not that great, and you being aware it is there and being careful on your systems is going to be just as important as any firewalls or network segregation you put in place!
No matter what you do there will always be 'a threat'. But you can make that a very minute one by doing pretty much what you're already doing. Using a firewall like ZoneAlarm is a great way to protect from intrusions and such - it can also be more annoying than Vista's UAC if you want to set it up that way.

If you want, set up the firewall so that the expendable PCs can't communicate with your business PCs. If you want to copy trusted files across in a secure way - use a USB stick or CD-R(W).

And of course make regular backups - pretty much re-affirming the above ideas, but I know as a questioner it's good when multiple experts agree on stuff like this.
Of course the alternative is to buy a separate link to the house, through a company who offer managed security (i.e. they will set up firewalls and scan data for threats at their end).

However this would be very expensive, and is probably a bit of an overkill.

And like I said and Ryan said, what you are already doing will be helping; the fact you are aware and taking precautions will be helping. The only other in-house solution is to place a physical firewall between you and the rest of the PCs. However you will need to know how to set up the firewall, what ports to open and close, etc. etc.

And if you don't set up a firewall correctly, you can end up with things not working and it being very annoying (even if it is 100% secure), or a firewall that doesn't block the things it needs to.

If you want to go the firewall direction you will need to learn about networking and ports. It's not always that straightforward to set up correctly, so expect to put aside a good few hours (days maybe) to look into it, learn about it and work out what you need for your specific network. By all means install a firewall with default settings as this will help, but be prepared to change the configuration over time to meet your needs.

(In my view firewalls are both a great security measure, and a right pain in the backside!)
chrwil (ASKER)

Thanks all for the advice.

If I wanted to go with putting an additional firewall between me and the rest of the PCs do you have any recommendation of a box that would do this... without breaking the bank..?

Thx, Chris
Hi,

In continuation of my previous suggestion, you mentioned your current Firewall has the DMZ option, though it is disabled.

I would still recommend that you use the Firewall option in that, and probably NAT devices in the DMZ that you will put.

It will be a cost effective method with your existing devices. There is no need to spend more money when your current resource itself has the capability.

Thanks
Nitin Gupta
What?

Putting a machine in the DMZ moves it outside the protection of the firewall, to a point where it is completely unprotected.

How will doing this help? A home router generally NATs all devices inside or outside the DMZ. Like I say, all placing a computer in the DMZ does is to remove the firewall protection on it.

You generally use it for an application that you either want external people to be able to access easily (and don't want the hassle of setting up firewall policies), or you have an application (such as lots of games) that all want different ports and settings, and rather than set each one up you just put the PC in the DMZ.

I am not sure how you could possibly use it in this case. If anything you would want to put all the other PCs in the DMZ, but as most routers can only place one PC at a time in it, the only way I can see you doing this is to put the work PC into the DMZ. But this would increase the risk to it??!!


Personally Chrwil, I would just go with a good software firewall on the PC such as you have now.

However some cable (not ADSL) routers can do what you want (if you can set them with an external address and gateway) and you simply set up a subnet of your network. (If you're not sure what I mean, just ask.)

Or else you can get a transparent firewall. This sits inline and is invisible to the workings of the network. However, although I know of ones costing several thousand pounds, I am not sure what is available for the home/small business market. You would be best off going to your local computer store and asking them. I haven't changed my home router in years now, so I'm afraid I'm not so up to date on the home front. Sorry

Aaron
chrwil (ASKER)

Aaron,

That all makes sense. Thanks.

I do need your help with subnets though...

My main router gets its external IP from the cable network but it has an option to set up a static IP address. Its default internal IP address is 192.168.1.1 with subnet 255.255.255.0 as normal.

If I use a second identical router to provide the firewall function, presumably I would set up its external IP to be 192.168.1.50 (or some such number which is outside the DHCP range of the main router) using the static IP address option. I'd have to put in subnet and gateway IPs. Would I use 255.255.255.0 and 192.168.1.1 respectively for these?

Where I get confused is what I should tell the second router about its internal IP (ie facing my work servers and PCs).

Should I change the main router to use only part of the 192.168.1.X range (using a different subnet mask and changing the DHCP settings) and then set up the second router to use a second distinct part? Or should I use another private IP address range altogether (eg 192.168.2.X or 10.X.X.X)? If subnets are the way to go then I'd appreciate some examples!

And if I do all this and then want to connect (for example) from a PC on my second router to a shared print server (appliance) on the main router am I going to have problems?

Really appreciate the help here. Thanks.

Regards, Chris
Aaron - "Putting a machine in the DMZ moves it outside the protection of the fire wall. to a point where it is completly unprotected. "

I am surprised at your comment. Sorry to say but it is absolutely wrong and anyone who would read that statement would say the same.



No more comments !!!
Look at your Scenario..........

You have one Firewall that has 3 Network ports.....

1. For Public Network
2. For Internal LAN
3. For DMZ

- Public Network Port is for your Internet Link after the Router Termination , it is taken care of.
- Internal LAN Port - all your Family Network has been set on that
- Now you can use the DMZ port for you other Network (DeMilitarized Zone) that you can use for your confidential Network

All communication between these 3 networks (public/Internal/DMZ) is monitored and restricted by a Firewall, and you can set rules for what Ports/IP/Apps to allow access between these networks.

Here was the simplest solution........it is up to you now, whether you want to spend extra money for an additional Firewall.

Thanks
Nitin
Read this entire article........

http://articles.techrepublic.com.com/5100-10878_11-1061732.html

Phewww....!!!!
chrwil (ASKER)

Hi Nitin,

Re DMZ I'm not sure if we're talking about the same thing. The help page on my LinkSys router has this to say about DMZ:-

"The DMZ hosting feature allows one local user to be exposed to the Internet for use of a special-purpose service such as Internet gaming or videoconferencing. DMZ hosting forwards all the ports at the same time to one PC. DMZ hosting opens all the ports of one computer, exposing the computer so the Internet can see it."
 
This certainly isn't what I want..! But perhaps DMZ does something more useful on different routers...

Rgds, Chris
If you do want to use subnets to separate your business workgroup from the other PCs, then the IP addresses you use will depend on what subnet mask you choose.

Let's say you choose to use a subnet mask of 255.255.255.248 with a class C (192.168.x.x) address. That'll give you up to 6 subnetworks with up to 30 PCs in each subnetwork.

So one group of computers would use any IP address between 192.168.1.33 to 192.168.1.62. A second group of computers would have an IP address between 192.168.1.65 to 192.168.1.94.

The first and last 32 addresses are unusable (0-31 and 224-255); also the first and last IP in each subnetwork are unusable (they're reserved as a network and broadcast address respectively).

If you do want to subnet - then your router which connects these two networks MUST have 3 different interfaces that can each have different IP addresses. The interface that connects to the 1st group of PCs would have an IP address of 192.168.1.33, the second interface that connects to the other group has an IP of 192.168.1.65 - the third would have an IP address that your ISP gives you and connects to the Internet. Hope this helps a bit.
Hi
Great, I didn't really look at the config of your router. You are right, the DMZ on your Home Router is actually to open up one PC/Device to the Internet.

All said, you can still use the scenario I have mentioned by buying a small Firewall like a Fortinet - http://www.fortinet.com/products/telesoho.html

Thanks
Nitin
http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp

In terms of corporate environments you are correct that a DMZ zone is an entirely separate network. The Linksys WRT54G allows you to place one PC/IP address into a DMZ. But it does not offer any firewall protection to that network.

In a corporate environment a DMZ is often used as a buffer between the internal network and the internet, and where you place public-facing servers. So generally you would have your external router into a firewall, to your public servers, and then a second firewall between them and your internal network.
But a DMZ means a demilitarized zone. It is generally lower security than the main network (although it doesn't have to be the case).
However we are talking about a WRT54G, and with these you can only add one PC/IP to the DMZ, and it allows full access to it from the external network. Because of this fact, at the very least you need a second router (then you can use the IP address for the DMZ to run a subnet).

WRT54G DMZ setting http://www.informatione.gmxhome.de/DDWRT/Standard/V23final/DMZ.html

People say that Linksys use the term DMZ incorrectly for this; however it is a true DMZ, it's just totally exposed (as it is on most home routers). So no, on this home router you can't set up two separate networks with separate firewall settings.

A Linksys 54G has a router with two interfaces: one external and one internal (it is just that the internal one is hardwired to a four port switch and wireless), but you still can't route on more interfaces than this.

So you are incorrect: you don't have 3 firewall ports, you only have two. The ports on the back of the router are layer 2 ports; it can't route between them, can't firewall between them.


[Attachment: DMZ-network.jpg]
The alternative is to purchase a second cable router. These have an ethernet port both sides.

So you can simply set a DMZ on the first router, plug your second router into the first router and give it the IP address you set for the DMZ.

Then set up the inside with a new IP address range for your second network.

Which is basically what we have all been saying all along: 2 separate networks, one for you and one for the family, with firewalls in between.

What equipment you use, or exactly how you lay it out, doesn't actually matter, but you will need a little understanding of networking. Ryan has given a good overview of what you need to end up with, but it might be worth reading a bit about how IP addresses and network routing work, if you are not too sure. It's easy for us to talk about this network or that network address range.

And be aware that it will take a bit of time to set up and get working correctly the first time. So be prepared to spend some time sorting it out if this is the direction you choose to go.

LOL, this is what happens when you get IT geeks in the same room; we all have our own "best" ways to do things. Generally they all work, and in their own ways are right. They just never agree ;)


Now I agree with you Aaron 100% :-) !! Also, I had not seen the Router/Firewall config, hence that lengthy debate...!

We owe Chris a properly documented solution now ... why don't you take the lead :-) !
ASKER CERTIFIED SOLUTION
Aaron Street
chrwil (ASKER)

The transparent firewall certainly sounds like a good way to go. I've done some searching and have found lots of ways to build my own with an old PC and Linux, but I haven't been able to find any "appliances" that do the job. Perhaps I'm looking for the wrong thing. Any suggestions?
Alternatively I'll try the second cable router approach. But let me check that I have the steps right for this:-
<> I designate one IP address on the family (main) router (eg 192.168.1.13) as DMZ.
<> I plug my work (second) router into a LAN port on the family router.
<> I tell the work router that its external IP address is 192.168.1.13 and gateway is 192.168.1.1 (the family router).
<> I plug the switch which connects my work network into the work router.

To make this work do I divide the 192.168.1.x range into two subnets (one for the family network and one for the work network) or do I use a completely different IP range on the work router for the work network? Does it matter?

Also, I'm assuming that since the work router/network is plugged into a DMZ port on the family router there will be no way to communicate back to the family network (say for a PC on the work network to connect to a print server on the family network) as the family router would block everything from the DMZ. Is this correct?

What would happen if I didn't designate 192.168.1.13 as DMZ (ie it looked just like any other address on the family network)? Would that still work? Would that solve my ability to connect to the print server?
Thanks, Chris
 
SOLUTION
Hold on.... ......  nope that's OK, you did put in the subnet mask.. (note to self: read to end before replying ;) )
Remember on the work router you will actually be setting up the 192.168.1.35 address on the WAN interface (assuming it's a standard home broadband router).

The four ports on the back of a router are all on one interface of the router, and there will be a separate port to plug into the cable modem. Of course if you have a "true" router then you can assign different ethernet ports IP addresses.

Ryan, you're not quite right, you need 3 subnets. We are running a DMZ in effect, where the public interface of the work router is actually part of the family network. So the home network is both serving as the family PC subnet, and the router-to-router subnet. So the ethernet port on the main router only has one IP address (that's all you can set) and both the family PCs and the work router have the same default gateway/next hop, 192.168.1.33. (This is in effect what a DMZ is: the area between two routers that normally does not have any clients connected in it. By setting it up like this you in effect are simply placing the machines in this gap.)

So the settigns change to.

Main router
WAN Interface: (whatever your ISP assigns - ie 54.17.234.23)
Eth 0: 192.168.1.33 (subnet 2) - connects to family network / work router net hop address

Family Network PC's
IP Addresses: 192.168.1.36 to 192.168.1.62 (subnet 2)
Default Gateway: 192.168.1.33

Work Router
Eth 0: 192.168.1.35 (subnet 2) - connects to main router
Eth 1: 192.168.1.65 (subnet 3) - connects to work network
Default Gateway/Next Hop - 192.168.1.33

Work PC's
IP Address: 192.168.1.66 to 192.168.1.95 (subnet 3)
Default Gateway: 192.168.1.65

For this to work you have to be careful, as any work PCs will only be seen as a single IP address to the rest of the network. So to talk between them you would need to set up port forwarding on the work router!

You may also be able to set up a static route on the main router that points all traffic to the work subnet towards 192.168.1.35. This would allow all communication between the two networks. So a PC on the home network that sends data to a work PC will first send it to the default gateway (as the destination is a separate subnet), and then the home router/default gateway will direct it back to the work router.........

However I can't be sure this will work. A router should in theory, once it receives data on a specific routing port, send it to the correct port out.. however with home routers they often have limitations that mean it doesn't always work correctly.

As you can see, with a set up like this networking soon becomes quite complex!

But Ryan's ideas are correct, and the addresses and ranges are right. You may just have to play around a bit to get it working correctly.

It might be better, if you have a bit of cash, to invest in a 4+ port router/firewall. This would allow you to much more simply set up the separate networks and ensure you have the correct communication between them.

Question is how important is your work?? And if you have good backups, is the work involved to remove this security risk going to be worth it? That's the question only you can answer :)

Hope we have managed to help a bit :)

Aaron
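A worked model of the three-subnet layout in Aaron's post above, which also covers the /27 arithmetic in Ryan's earlier subnetting post (192.168.1.33-62 and .65-94, with the first and last address of each block reserved). This is an added example, not code from the thread or from any router vendor: it uses Python's standard `ipaddress` module to carve 192.168.1.0/24 into /27 blocks (mask 255.255.255.224, the mask that produces those ranges) and then traces packets through a model of two home NAT routers, so you can see why a family PC only reaches a work PC through a static route plus a port-forward, while a work PC reaches the family print server directly through the work router's NAT. The router behaviour (longest-prefix route lookup, NAT on the WAN side, inbound traffic only through port-forwards) is the assumed behaviour of a typical home router, not the WRT54G's documented logic, and the host addresses (.40, .50, .70) are constructed for the traces.

```python
"""Two-router, three-subnet layout from this thread, modelled with ipaddress.

Added example, not code from the thread or any router vendor. Addresses follow
the plan posted above (192.168.1.0/24 cut into /27 blocks). Router behaviour is
assumed to be that of a typical home NAT router: one LAN and one WAN interface,
NAT on the way out, and no unsolicited inbound traffic without a port-forward.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
# Subnet 2: family PCs plus the work router's WAN side. Subnet 3: the work LAN.
FAMILY_NET = ipaddress.ip_network("192.168.1.32/27")
WORK_NET = ipaddress.ip_network("192.168.1.64/27")
MAIN_ROUTER_LAN = ipaddress.ip_address("192.168.1.33")  # family default gateway
WORK_ROUTER_WAN = ipaddress.ip_address("192.168.1.35")  # work router, outer side
WORK_ROUTER_LAN = ipaddress.ip_address("192.168.1.65")  # work default gateway


def carve(network=LAN, mask="255.255.255.224"):
    """Split a network into the equal-sized blocks the dotted mask defines."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return list(network.subnets(new_prefix=prefix))


def usable_range(subnet):
    """First and last assignable host; network and broadcast are excluded."""
    hosts = list(ipaddress.ip_network(str(subnet)).hosts())
    return str(hosts[0]), str(hosts[-1])


def lookup(routes, dst):
    """Longest-prefix match. routes: (network, next hop) pairs, None = on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def family_to_work(src, dst, dport, static_route=False, port_forwards=None):
    """Trace a packet from a family PC towards a work PC; returns the hop list.

    The last element is the destination when it is delivered, otherwise a
    'dropped: ...' label naming the device that discards it and why.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = [str(src)]
    if dst in FAMILY_NET:                       # same subnet: delivered on-link
        return hops + [str(dst)]
    hops.append(str(MAIN_ROUTER_LAN))           # family PCs' default gateway
    routes = [(FAMILY_NET, None)]
    if static_route:                            # "point the work subnet at .35"
        routes.append((WORK_NET, WORK_ROUTER_WAN))
    match = lookup(routes, dst)
    if match is None:
        return hops + ["dropped: main router has no route to the work subnet "
                       "and sends the packet out of its default (ISP) route"]
    hops.append(str(match[1]))                  # work router, WAN side
    # A NAT router passes unsolicited inbound traffic only via a port-forward.
    target = (port_forwards or {}).get(dport)
    if target is None:
        return hops + ["dropped: work router has no port-forward for port %d" % dport]
    hops.append(str(WORK_ROUTER_LAN))
    return hops + [target]


def work_to_family(src, dst):
    """Trace a packet from a work PC out to a host on the family network."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = [str(src)]
    if dst in WORK_NET:
        return hops + [str(dst)]
    hops.append(str(WORK_ROUTER_LAN))           # work PCs' default gateway
    # Outbound NAT: the family side only ever sees the work router's WAN address.
    hops.append("NAT -> src %s" % WORK_ROUTER_WAN)
    if dst in FAMILY_NET:                       # on-link for the WAN side
        return hops + [str(dst)]
    return hops + [str(MAIN_ROUTER_LAN), "upstream (ISP)"]


if __name__ == "__main__":
    for block in carve():
        print(block, "usable:", usable_range(block))
    print(family_to_work("192.168.1.40", "192.168.1.70", 445))
    print(family_to_work("192.168.1.40", "192.168.1.70", 445, static_route=True))
    print(family_to_work("192.168.1.40", "192.168.1.70", 445, static_route=True,
                         port_forwards={445: "192.168.1.70"}))
    print(work_to_family("192.168.1.70", "192.168.1.50"))  # work PC -> print server
```

Running it prints the eight /27 blocks with their usable host ranges and four traces. Only the combination of a static route on the main router and a port-forward on the work router delivers a family-to-work packet, which is the pair of conditions Aaron's post sets out; the work-to-family trace shows why Chris's print server question has the easier answer, since that direction is ordinary outbound NAT.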
Yay - my old networking teacher would be so proud - hehe

I was thinking you'd need the 3 routers, but decided to err on the side of saving money to buy a third router just in case - I knew one of you would tell me if I slipped up somewhere  :o)


Still, in my opinion I'd settle for good security software, proper router settings and common sense instead of going to all the trouble of subnetting, unless you like that sort of thing.
chrwil (ASKER)

This is great - thanks guys.

Sounds like a job for the weekend to play around with this and see if I can make it work. I'll let you know how I get on. It'll be good for my education if nothing else :)

One final question for now...

"It might be better ... to invest in a 4+ port router/firewall"

Can you give me some examples. I've googled for this but end up only getting routers with an integrated LAN hub/switch which clearly isn't want you mean. Is this the realm of Cisco and the like or do the more "accessible" vendors (LinkSys, D-Link, Netgear, etc) make something like this..?

Thanks, Chris

Well I believe some home routers will do this, but yes you are starting to look towards the corporate environment.

I am not sure of a model as I haven't purchased the kind of thing you would be looking for.

However Linksys is very good (owned by Cisco) and they do have a small business department. Dropping them a mail won't hurt and they generally have good customer service. Tell them you need 4+ routed interfaces and see what they come back with. Telling them you want 3 separate networks might help as well. I will have a look for you but I can't promise much.
For a simple solution you might want to look at IPCop at ipcop.org. It is a single CD distro that is really easy to set up and configure. (By my standards anyway.) You just need a dedicated machine to act as the firewall, router, etc. I have it running at home on a junker of a box (2GHz, 256 MB mem... etc). It can all be run from a web interface, and I have not had any problems thus far.
Just a thought.
One of the biggest threats is when a PC is used with "administrative" account privileges.
Simply creating a "user" account will prevent most of the crap from being installed, as well as accidental screwing up.
Every time you need to install something, you simply "right click" - "run as.." and switch to the administrative account, or do it directly from the administrative account.
Usually people don't like this, but this would be very secure, on top of the router's firewall.
Yep, Dkarpekin has a very good point. And it's the first security measure to take. Don't run by default in an Admin account.
Many viruses and malware depend on being run by a user with admin privileges. Running as a guest user means that you have a big chunk of extra security at no cost and very little setting up.