Solved

Block subnet in windows XP

Posted on 2010-09-06
658 Views
Last Modified: 2012-05-10
Overall we have three datacenters in our country. We are in the process of bringing down one datacenter for power maintenance.
One of the BCP requirements is to ensure critical people are moving to the other two offices on that day and are able to work with the alternative arrangement made.
To simulate the shutdown day scenario we have to block the routing to the subnet (of the datacenter which is going down) at the test users' desktops and laptops and ask the users to test their applications. In this scenario we are ensuring that any servers hosted in the targeted datacenter cannot be contacted by the user.
We did that with Symantec firewall rules on laptops, but unfortunately we now have SEP (Symantec Endpoint Protection on laptops), which is locked globally for any configuration changes. Even Windows Firewall is disabled through policy.
In a nutshell, we won't be able to do anything with the firewall due to global restrictions, not even install freeware to block the subnet. With the minimum restrictions, we have to set the subnet restriction. Is there anything possible through "netsh" or "route add" to block the subnet of the targeted datacenter for the BCP test?
Appreciate your help in advance.
Question by: moorthy_kulumani

13 Comments
 
Expert Comment by: Hisham_Elkouha (LVL 6)
why don't you disable the restriction of Symantec
 
Expert Comment by: woolnoir (LVL 20)
route add datacentre_network mask whatever_the_mask_is 127.0.0.1 ( which should route the traffic at the loopback interface, thus dropping it) <- that should work in theory.
 
Expert Comment by: Fred Marshall (LVL 25)
Isn't there a router?
Normally the router (which may also be the gateway) is the place to do something like this, rather than on all individual PCs.

Route the "blocked" subnet back to the local LAN so the packets will be dropped.  Something like that.....
 
Expert Comment by: woolnoir (LVL 20)
I suggested the local PC as the original poster mentioned 'test users'. Assuming that's not a whole subnet, it would be easier to make the changes on a few machines; changing it on a router would be a lot less granular in the users it affects.
 
Expert Comment by: Fred Marshall (LVL 25)
Yes.  If there are only "test users" and not a "test site" then the only reasonable way to do what I suggested would be to put the "test users" in a sub-subnet that would be a subnet of the existing one and then route their traffic at the router.   At least that generally makes the router entries compact and in one place.
 
Expert Comment by: acl-puzz (LVL 12)
Hi

XP is equipped with IPSEC, and you know how capable it is.
Simply go to Run, type mmc, add the snap-in for IPSEC policy management and then save it. To see how to work on it, use this video.

http://www.youtube.com/watch?v=amHaBmOlfgE&feature=related
 
Assisted Solution by: Fred Marshall (LVL 25, earned 100 total points)
I'm sorry if I missed it but I don't see where you plan to reroute the testers to a new server IP.  That would have to be part of the approach of course- so rather than "blocking" I'd say "rerouting" - because rerouting not only blocks but redirects so to speak.....

But then, it's not very clear what the "alternative arrangement made" is.  

If you have only a few testers and the "alternative arrangement made" is to provide service from another site then I'll just make a wild assumption that it too is on another subnet.  How you get there is unclear but I'll try a scenario or two:

Let's say that the connection is via VPN.  So, you must have an IP address that each application tries to reach.  Your situation is that you want to switch from one site to another for the same service.  That means that you have to point the application to a new IP address.

For example, I have two remote sites connected by VPN.  My local subnet is 10.1.0.0, and the two remote site subnets are 10.2.0.0 and 10.3.0.0, all /16.
And I have a local gateway/router with IP 10.1.0.1, and the VPN device is 10.1.0.199.

If I send a packet to 10.2.0.xxx, it goes to the gateway.
The gateway has a route for 10.2.0.0 /16 pointing to 10.1.0.199 where the packets are put in the tunnel destined for 10.2.zzz.yyy.
Similarly, if I send a packet to 10.3.0.xxx, it goes to the gateway.
The gateway has a route for 10.3.0.0 /16 pointing to 10.1.0.199 where the packets are put in the tunnel destined for 10.3.zzz.yyy.
The packets emerge from the VPN device at the intended site on the LAN.

So, to switch from one site to another means having the packet destinations changed on the client.  And that depends on how you have things set up on the clients is all.

If there's not a VPN but perhaps an interconnecting VLAN then much the same thing applies - the packets have to be addressed to the right place.  Then, "blocking" isn't an issue because the addressing has changed.
 
Expert Comment by: Fred Marshall (LVL 25)
It occurs to me that you might also do something like this (I still don't know your "alternative arrangement made").  I do something like this with a fallback system arrangement.

Set up a backup system using the same IP address(es) or subnet as the system to be replaced.
Route from the test client to the backup system like this:

1) Set up a backup system router/VPN device on a *new or different* local IP.

2) Set up a route on the local test computer that points to this device when packets are destined for the server/application.  (This in lieu of being directed to the "normal" route be it direct to a VPN device or to the LAN gateway).

3) Have the backup system set up with the same IP addresses as the normally targeted system.  

This way only the test machines will access only the backup system and there will be no confusion with the "normal" systems still running.
 
Author Comment by: moorthy_kulumani (LVL 3)
Hi Hisham_Elkouha:
This is possible, but there are lengthy approvals I have to follow, and I don't have time to do that….

Hi woolnoir:
Unable to route add to loopback ip.
route add 110.15.128.0 mask 255.255.128.0 127.0.0.1
The route addition failed: The parameter is incorrect.


Hi fmarshall:
On putting in a specific test subnet: I thought about it earlier. Putting a special subnet for test users needs to be done with a lot of cabling rework etc., and I have more than 80 test users sitting across two buildings…
"Alternative arrangement made" means that for some of the systems/applications going down, DR will be invoked from another site. There will not be any VPN or another subnet available on the site which is going down.

acl-puzz:
I will check IP sec and come back..
 
Expert Comment by: Fred Marshall (LVL 25)
Depending on the network topology, you should be able to run multiple subnets on the same wires - not even VLANs are necessary.  As long as the switches are Layer 2 then all should be fine.  It's more the routers/firewalls that I'd be more concerned about.

If there is going to be application service from another site, isn't the subnet there different?

The situation is still pretty unclear to me.
 
Accepted Solution by: RobArdill (LVL 6, earned 400 total points)
Windows XP/Vista does not support reject or blackhole arguments via route. An unused IP address (e.g. 192.168.32.254) must be used as the target gateway:

route add 110.15.128.0 mask 255.255.128.0 <unused address on local segment>

 
Expert Comment by: RobArdill (LVL 6)
Use -p to make the route permanent.
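The accepted answer points the datacenter route at an unused address on the PC's own segment so the packets are dropped, and the follow-up adds -p to persist it. The script below is an added example (not code from any poster in the thread) that checks the inputs the way `route add` will, builds the add and rollback commands, and lists which servers the BCP test would cut off; the test PC address 192.168.32.17/24 and the server addresses are constructed sample values.

```python
"""Plan the Windows XP black-hole route from the accepted answer.

Added example, not code from any poster. All addresses are constructed
sample values; 110.15.128.0/255.255.128.0 is the subnet from the thread.
"""
import ipaddress


def plan_blackhole_route(blocked_net, blocked_mask, local_ip_prefix, dead_gw, servers):
    """Return the route commands and the servers that become unreachable.

    dead_gw must be an unused address on the PC's own segment: the PC will
    ARP for it, nobody answers, and packets for the blocked range are dropped.
    """
    # Raises ValueError for a non-contiguous mask or host bits set in the address.
    blocked = ipaddress.IPv4Network(f"{blocked_net}/{blocked_mask}")
    local = ipaddress.IPv4Interface(local_ip_prefix)
    gw = ipaddress.IPv4Address(dead_gw)

    # XP only accepts a gateway that is directly reachable on the LAN; this is
    # why "route add ... 127.0.0.1" failed with "The parameter is incorrect".
    if gw not in local.network:
        raise ValueError(f"gateway {gw} is not on the local segment {local.network}")
    if gw in (local.ip, local.network.network_address, local.network.broadcast_address):
        raise ValueError(f"gateway {gw} is this host, the network or the broadcast address")
    # A blocked range that covers the local subnet would cut the test PC off entirely.
    if blocked.overlaps(local.network):
        raise ValueError(f"{blocked} overlaps the local subnet {local.network}")

    unreachable = [s for s in servers if ipaddress.IPv4Address(s) in blocked]
    return {
        # -p persists the route across reboots, as in the follow-up comment.
        "add": f"route add -p {blocked.network_address} mask {blocked.netmask} {gw}",
        # Rollback command for after the test day.
        "delete": f"route delete {blocked.network_address}",
        "unreachable": unreachable,
    }


if __name__ == "__main__":
    plan = plan_blackhole_route(
        "110.15.128.0", "255.255.128.0", "192.168.32.17/24", "192.168.32.254",
        ["110.15.129.10", "110.15.200.5", "110.15.10.3"])
    print(plan["add"])
    print(plan["delete"])
    print("would become unreachable:", plan["unreachable"])
```

Run it once per test PC with that PC's own address; the gateway check reproduces the loopback failure from the thread before anything is typed into `route`.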
 
Author Closing Comment by: moorthy_kulumani (LVL 3)
Thanks a lot everyone
