Solved

multiple IP switching

Posted on 2011-02-17
Last Modified: 2013-11-16
Hello Experts, we have a customer that has a need, for security reasons, to mask their IP addresses; they wish to instigate automatic multiple IP aliases, European based. They are familiar with the traditional proxy software out there, but would like to know if there is a better solution to enable automatic flow and changeover, i.e. an IP address is automatically changed and so on for multiple machines, perhaps centrally controlled. They have an ADSL line and would like up to several machines at a time to have access with some sort of automatic masking of their IP addresses. The constraints of the current proxy software are that these types of services pull the same type of IP addresses, and these proxy services sometimes use international IP addresses. There is currently an SBS server domain controller and the workstations are XP Pro. They are getting in a second ADSL line, but would already have a dedicated use for this. However if there is a way of spreading the IP range.
Is there a hardware device / service that can handle this?
0
Question by:unrealone1
7 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 34922193
Most firewall appliances have an option to alternate the recorded IP on the outgoing packet.

http://blog.khax.net/2009/12/01/multi-gateway-balancing-with-iptables/

Note VPN and SSL type of connection might have issues with such a setup.
0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34928005
If you are trying to "advertise" an address that is not present at your premise you will have to use some sort of off-site proxy.  

You can "spoof" your source address, but that results in a one-way communication path.

I think there may be legality issues with what you are describing as well... at least in the US.
0
 
LVL 1

Author Comment

by:unrealone1
ID: 34932405
Hi, even from a theoretical angle it would be interesting to know how my question could be achieved. I understand the offsite proxy solution, but is there something more automated that can handle multiple IP masking? If so, how could that be done? Thanks in advance.
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 34933593
Let's say you have four IPs. Part of the NAT to the outside mapping deals with directing the conversion to choose one of the four IPs for marking the source of the packet, i.e.
you try to access http://www.experts-exchange.com; your router on the way out picks IP1 to stamp as the source for the packet it sends to the web server. When the response arrives, the next request goes out and is now stamped with IP2, etc.
This is not an issue for non-SSL/VPN type traffic. For an SSL/VPN this will force a renegotiation of the connection on every request for the SSL; for a VPN the connection will spend more time down and renegotiating than it will being connected. The additional complexity in VPNs is that all the IPs have to be configured on the other side as a valid peer.


0
 
LVL 1

Author Comment

by:unrealone1
ID: 35068824
Are there not any hardware boxes that can do this?
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35068941
The only box I can think of that may do what you want is a Load Balancer.
One of the best is F5's Big-IP appliances.
http://www.f5.com/products/big-ip/link-controller.html
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 35071078
While F5 are very good and I have not looked at their products recently, the issue the user is looking for is to load balance outgoing traffic not maximize bandwidth for inbound requests.

The IP is the identifying information. Whether they have one or twenty, with proper documents, the service from whom the client is getting their connection to the internet will have to disclose the information.

An SSL/VPN connection is established first based on source IP and destination IP. If either side changes, the connection drops and has to be reestablished.
You can have a load balanced VPN, i.e. multiple site to site VPNs are up and running, and the connection from LAN1 to remoteLAN2 is routed through VPN1, VPN2, VPN3, VPN4 etc.
In many cases there is an idle timeout on VPN connections such that if the VPN traffic is not load balanced across the established VPN connections, those that are inactive will drop and will function as a failover configuration, i.e. the existing VPN drops, and the router on the next access attempt will trigger the negotiation of the VPNs that match the packet destination. You could have the configuration that when a VPN drops, it auto-negotiates/reestablishes the connection.
0
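An added example, not part of the thread or any poster's code: a small model of the behaviour described in the two answers by arnold, where a NAT pool rotates the stamped source IP and the remote SSL/VPN peer ties its session to that source IP. All class and function names are hypothetical, and the addresses are constructed from a documentation range.

```python
# Added illustration; names are hypothetical and addresses are constructed.
from itertools import cycle

POOL = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]


class RotatingNat:
    """Stamps the next pool address on every outgoing request."""

    def __init__(self, pool):
        self._next = cycle(pool)

    def source_for(self, flow):
        return next(self._next)


class StickyNat(RotatingNat):
    """Rotates per new flow only; an established flow keeps its address."""

    def __init__(self, pool):
        super().__init__(pool)
        self._table = {}

    def source_for(self, flow):
        if flow not in self._table:
            self._table[flow] = next(self._next)
        return self._table[flow]


class Peer:
    """Remote SSL/VPN endpoint that ties each session to the source IP."""

    def __init__(self, valid_peers):
        self.valid_peers = set(valid_peers)
        self.session_ip = {}
        self.negotiations = 0
        self.rejected = 0

    def receive(self, flow, src_ip):
        if src_ip not in self.valid_peers:
            self.rejected += 1          # address not configured as a valid peer
        elif self.session_ip.get(flow) != src_ip:
            self.session_ip[flow] = src_ip
            self.negotiations += 1      # new or changed source: negotiate again


def simulate(nat, valid_peers, requests=8, flow="lan1->remote-lan2"):
    """Send one flow's requests through `nat`; return (negotiations, rejected)."""
    peer = Peer(valid_peers)
    for _ in range(requests):
        peer.receive(flow, nat.source_for(flow))
    return peer.negotiations, peer.rejected
```

With per-request rotation every request of the flow costs a negotiation, and any pool address missing from the peer's list is rejected outright; pinning the flow to one pool address brings it back to a single negotiation.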
