Is it unsecure to have other computers on the same IP as a server?


Imagine the following setup:
- A Windows server with a lot of security
- 1 or more Windows computers at the same static IP address as the server.
- All behind the same router/firewall.

Is or could that be a security breach?
E.g. if a hacker gets access via an unsecure PC on the same static IP and then from that place could get access to the server?

IF unsecure..:
1) How can it be unsecure/attacked?
2) What is the solution?


Sounds like you are referring to local IP addresses?  It is not possible to have 2 machines with the same IP in the same network.

If the server and workstations are behind the same router/firewall (is it a decent one?), always kept up to date in terms of Windows patches, and locked down so some spud can't install any malicious software, you shouldn't have much to worry about.

I agree with Brettkm...

If you have servers and workstations, laptops, etc. on the same local subnet behind a router/firewall - it's not a big deal. However - make sure this "router/firewall" is maintained, and that it is set to a default deny posture for both incoming and outgoing traffic - open only what you need.

You should also make sure the Windows OSes are kept up to date with Service Packs and patches. They should also have antivirus software on them. Can never be too safe. Something I like to do is make sure that the local firewall is always turned on on each host as well... Windows Server 2003, 2008 each have a built-in firewall that can be enabled. As do XP, Vista and 7. Turn it on.... open ports on the servers only for required application / data serving...

Oh - and rule # 1... make sure nobody except required personnel has physical access to the server. Logical and network security mean very little if someone can walk up to a system, power it off, throw it in the back of their car and drive home with it (and then pull the drives, drop them into a USB enclosure and mount it on their home computer... you know... boom! steak dinner!)....

Have fun...

loopstudio (Author) commented:
Thanks, both of you.

1) Could you recommend a good antivirus for Win 2003?
2) A thought: What if there already is malicious software / spyware / a virus on one of the other machines? Can it then spy on or in some other way harm the server?

There are some good AV solutions for Win 2003 Server... You can always use Clam AV, or BitDefender... We use TrendMicro OfficeScan Corporate Edition here... but there are myriad good solutions... Symantec, McAfee, Nod32, Sophos, etc.

If one computer on a network is infected by a virus it certainly is possible that the virus will make its way to the server somehow... so it is always a good idea to run AV on all computers, keep firewalls enabled on all endpoints and only allow traffic that is explicitly required.

The solution I usually provide to my friends and family consists of Avast! antivirus (free for home use) and Blue Coat's K9 web filter (free for home use). The combination usually keeps systems clean for the most part, of course nothing is perfect. For business use, again, we use Trend Micro.

loopstudio (Author) commented:
Hi Dhlevine,

Thanks for the info..

1) Yes, I also use Avast for private use. Of course, when it comes to a server, there are 2 important things also: a) it should be able to operate without slowing the server down too much and b) normally AV is very expensive when it's made for a server. So a good one at the cheap end would be nice.

2) This is exactly what I was afraid of.. and the reason for my original question.
A server normally has very little access from different people and purposes, while laptops & desktops are normally open to a lot of things; there is a lot of browsing and emailing done.
And my experience is that EVEN if you have antivirus and vice versa on a normal computer, there ALWAYS happens to come some mal/spy/virus sometimes.

So with that in mind..
Couldn't / wouldn't you say then that it's definitely NOT recommended to have both server and desktops / laptops behind the same IP / hardware firewall / router?
They need to have different IPs in order to be secure.. or?

You haven't stated the type of environment this question refers to, so I'm assuming it's only a small setup, 1 server + a handful of workstations.

With this in mind, my original answer is still the case.

If you've got a massive corporate network to look after (which by the sounds of it you haven't), it's a different story, but as long as you keep your server up to date with patches/updates, your workstations up to date with patches/updates, and lock down the workstations so users don't have the required access to install malicious software, you're fine.

Obviously anti-virus/malware software is needed as well; if the server is a mail server, then software that scans mail before it hits the mailboxes is also a good idea.

I agree with brettkm again.

Just follow best practice for security on the workstations and servers.

Make sure unauthorized people do not have access to the server console - physically or through remote desktop, vnc, etc.

Make sure users are not setup as administrators on their workstations. Least privilege is key. Make sure antivirus / antimalware software is on all server and workstations. Make sure local firewalls are running on servers and workstations. Only allow traffic to the servers on required ports.

If you have a file server, make sure that share and NTFS permissions are appropriate and not excessive.

If you have a local mail server (Exchange or whatever) make sure you have an AV / antispam solution for that, and make sure you don't allow open relaying.

Make sure all systems are automatically updating themselves with security patches. For a small network, that can be done individually. Or you can use WSUS if you want to have more control. It's free and pretty good for small environments.

There is no problem with servers and workstations being on the same network segment / subnet / VLAN. Just follow these basic principles and you should be ok.

loopstudio (Author) commented:
All right, thanks again.. both of you

Do I hear you say that: Even if 1 of the desktops has spyware & a virus, it cannot come to the server, if the server's Windows firewall only allows port 80?

If you have a desktop that is infected with a virus or spyware, it is possible for it to propagate across the network - it depends on the type of virus or spyware it is.

There are viruses (worms) that can propagate through windows file sharing, etc. But - if you have the servers' firewall enabled and you are only allowing port 80 to the server then your attack surface is greatly reduced and you should be safe.

Aside from some worms, most malware can only do stuff if you execute it. Point being... don't do stuff on the server... don't surf the web from it, etc.

You should be safe. (as safe as any networked computer can be)
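
An added example, not part of the original thread or any poster's own code: once the server's firewall allows only port 80, its dropped-packet log shows which workstation on the same subnet is trying other server ports, which is what a worm spreading over file sharing looks like from the server side. It assumes dropped-packet logging is enabled in Windows Firewall and the log uses the `pfirewall.log` column layout; the addresses, subnet and log lines are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-05-12 10:15:01 ALLOW TCP 192.168.1.23 192.168.1.10 49210 80 0 - 0 0 0 - - - RECEIVE
2010-05-12 10:15:32 DROP TCP 192.168.1.23 192.168.1.10 49213 445 52 S 1234 0 8192 - - - RECEIVE
2010-05-12 10:15:33 DROP TCP 192.168.1.23 192.168.1.10 49214 139 52 S 1235 0 8192 - - - RECEIVE
2010-05-12 10:15:34 DROP TCP 192.168.1.23 192.168.1.10 49215 3389 52 S 1236 0 8192 - - - RECEIVE
2010-05-12 10:16:02 DROP UDP 192.168.1.40 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2010-05-12 10:17:45 DROP TCP 203.0.113.9 192.168.1.10 51000 445 52 S 99 0 8192 - - - RECEIVE
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed local subnet
SERVER = "192.168.1.10"                        # assumed server address
ALLOWED_PORTS = {80}                           # the only port opened on the server


def blocked_lan_probes(log_text, min_ports=2):
    """Return {workstation_ip: sorted ports} for LAN hosts whose connections to
    non-allowed server ports were dropped on at least `min_ports` distinct ports."""
    fields, hits = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("action") != "DROP" or row.get("dst-ip") != SERVER:
            continue
        try:
            src = ipaddress.ip_address(row["src-ip"])
            port = int(row["dst-port"])
        except (KeyError, ValueError):
            continue                           # ICMP rows use "-" for ports
        if src in LAN and port not in ALLOWED_PORTS:
            hits[str(src)].add(port)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, ports in blocked_lan_probes(SAMPLE_LOG).items():
        print(f"{ip}: dropped attempts on server ports {ports}")
```

A workstation that shows up here is the one to pull off the network and scan; the broadcast and Internet-sourced rows in the sample are ignored because they are not LAN hosts targeting the server.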

loopstudio (Author) commented:
Thanks, both of you :)