Solved

Best way to connect to another LAN without the current LAN suffering security flaws

Posted on 2011-02-18
Last Modified: 2012-05-11
We have 2 LANs, one with segmentation of 198.168.55.xxx and the other LAN with 198.165.44.xxx.

The 198.168.55.xxx (referred to as 55) has no Internet and is a small LAN with 5 computers wired together.  The 198.165.44.xxx (referred to as 44) is a larger LAN, a Domain, has Internet access and around 25 computers.

We want the small 55 LAN only to access a shared folder in the large 44 LAN; let's call it the SHARED folder.

We are thinking of adding a router in the 55 LAN and connecting it to the 44 Large LAN.  Then make the share of the single folder in one of the computers in the large 44 LAN.

When setting up the access to the large 44 LAN, we want to make sure that all PCs within the small 55 LAN can't access the Internet in the large 44 LAN or anything else in that large LAN.

To our understanding, when we share a folder, only that folder is being accessed.  However, we would like the advice of the EE group to recommend how to limit the access to the folder in the large 44 LAN.  We don't want other PCs from the small 55 LAN to hack that opening and jump out to the Internet or other areas in the large LAN.

Our main concern is security.
Question by:rayluvs
17 Comments
 
LVL 6

Accepted Solution

by:
rimmena earned 125 total points
ID: 34929776
You need to look at a firewall and leave only the ports open for file sharing, i.e. 445 and block everything else.

Depending on what you purchase you should be able to view anyone attempting breaches of the firewall etc.
 
LVL 3

Assisted Solution

by:Rick_at_ptscinti
Rick_at_ptscinti earned 125 total points
ID: 34929831
Any decent router will allow you to build rules to limit or allow traffic, and since you are trying to do it by IP network range it's very easy to do.

The specifics on how would depend on the make and model, but the concept is always the same.  If it were larger I would say use VLANs, but for the scale you are talking about I would just get a cheap 8 port switch for the 55 network and assign a port on your firewall specific to that network.

For the shared drive you would simply build an allow exception for traffic from anybody at 55 to a specific IP on 44 but only using the file sharing port number.  You just need to make sure you deny other protocols so they can't get onto the file server via telnet or RDP and then relay on from there.  Restricting access to a fixed TCP port(s) will accomplish this.
 
LVL 2

Expert Comment

by:hitsotntd
ID: 34930142
This is some of the first questions I am answering on EE and it is amazing that people answer with so little information. Maybe I am looking into this in the wrong way or too deeply? LOL I seem to need more information to go off of to give what I think is the best answer. I do apologize if I am off base.

1. Are these LANs directly connected or over the Internet? You stated that one network does not have Internet. How do you plan or have them physically connected to each other?
2. Are all the computers in both LANs a part of the same Windows DOMAIN? If so, you can just use Active Directory to regulate access.
3. To restrict access to a folder, you will need some type of credentials once you have traversed to it.

Can you provide more information on how they are currently configured?
 

Author Comment

by:rayluvs
ID: 34930317
Thanx all!

hitsotntd:

here are the answers:
1. Only LAN 44 is connected to the Internet, 55 is not.  As to "How do you plan or have them physically connected to each other", that's why I placed the question.
2. Different Domains
3. LAN 55 is connected via wire and no Internet.  LAN 55 is connected via wire and wireless and it has Internet.

I hope I have provided additional information so you can help us.
 
LVL 2

Expert Comment

by:hitsotntd
ID: 34930899
I should have been more specific: are LANs 44 and 55 at the same location and/or site?
Is what you are wanting to know how to connect a branch office to your main office? The reason I ask is because the way you get to your end result depends a lot on how you are going to connect the 2 LANs.

These are windows domains? You have domain controllers at each LAN?
 

Author Comment

by:rayluvs
ID: 34943971
hitsotntd:

Both LANs 44 & 55 are in the same site/location.  The small LAN (55) has no Domain, the large LAN (44) has a Domain.
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34944804
So what kind of router do you have now?  If it's something decent we should be able to walk you through setting it up.
 

Author Comment

by:rayluvs
ID: 34985122
I don't have the router's model at this time and it can change, so if you can maybe theoretically indicate how we can limit the access to the shared folder we would greatly appreciate your input (we don't want other PCs from the small 55 LAN to hack that opening and jump out to the Internet or other areas in the large LAN).
 
LVL 30

Expert Comment

by:pgm554
ID: 35063264
What type of server OS?

If you have a later version of Windows Server, you can set up a SharePoint portal and share files through a web browser format.
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 250 total points
ID: 35063274
Obtain pretty much any router or firewall (firewall recommended).

For a firewall, connect large LAN 44 as inside, small LAN 55 as outside, then create firewall rules to allow access from outside to inside for the file share.

For a router, connect one interface to 44, another interface to 55, then create access list entries to:
open required TCP and UDP ports from 55 to your fileserver host on 44 (UDP and TCP 135-139, 445)
deny everything else

Good Luck
 
LVL 30

Expert Comment

by:pgm554
ID: 35063280
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 250 total points
ID: 35063284
Note you can also do this with a cheap home Internet router - that will work kind of like a firewall and forward the required ports to the file server.

Connect WAN to 55
Connect a LAN port to 44
Create NAT rules to forward TCP and UDP 135-139 and 445 to your fileserver; everything else will be denied by default.
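The allow-list that rimmena's and bgoering's answers describe (55 may reach only the file server, only on the file-sharing ports; everything else, including the Internet behind 44 and RDP/telnet to the file server itself, is denied) is modelled below as an added example, not code from any post in the thread. The LAN prefixes are the ones written in the question; the file server address 198.165.44.10 is an assumption, and the rules are rendered in iptables syntax for a Linux box routing between the two LANs.

```python
from ipaddress import ip_address, ip_network

# Prefixes as written in the question; the file server address is assumed.
LAN_55 = ip_network("198.168.55.0/24")        # small LAN, treated as "outside"
FILESERVER = ip_network("198.165.44.10/32")   # assumed: host on 44 holding SHARED
FILE_PORTS = "135:139,445"                    # per bgoering: TCP/UDP 135-139, 445

def _port_set(spec):
    """Expand an iptables-style spec like '135:139,445' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

# Ordered policy for new connections crossing the boundary; first match wins.
# The catch-all is the default deny that keeps 55 off the Internet and away
# from every other host and service on 44 (RDP, telnet, other shares, ...).
POLICY = [
    {"name": "share-access", "src": LAN_55, "dst": FILESERVER,
     "protos": ("tcp", "udp"), "ports": _port_set(FILE_PORTS), "action": "ACCEPT"},
    {"name": "default-deny", "src": None, "dst": None,
     "protos": None, "ports": None, "action": "DROP"},
]

def decide(src, dst, proto, dport):
    """Return (action, rule name) for a connection initiated src -> dst:dport."""
    src, dst = ip_address(src), ip_address(dst)
    for r in POLICY:
        if r["src"] is None:                                  # catch-all rule
            return r["action"], r["name"]
        if (src in r["src"] and dst in r["dst"]
                and proto in r["protos"] and dport in r["ports"]):
            return r["action"], r["name"]
    raise AssertionError("policy has no catch-all rule")

def to_iptables(chain="FORWARD"):
    """Render POLICY as iptables rules; replies to allowed flows pass via conntrack."""
    lines = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in POLICY:
        if r["src"] is None:
            lines.append(f"iptables -A {chain} -j {r['action']}")
            continue
        for proto in r["protos"]:
            lines.append(f"iptables -A {chain} -s {r['src']} -d {r['dst']} -p {proto} "
                         f"-m multiport --dports {FILE_PORTS} -j {r['action']}")
    return lines

if __name__ == "__main__":
    print("\n".join(to_iptables()))
```

Because the conntrack rule only admits replies, hosts on 44 cannot open connections into 55 either; `decide()` lets you check a proposed flow against the same policy the rendered rules enforce.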
 
LVL 29

Expert Comment

by:pwindell
ID: 35069459
Wow!  Why isn't the obvious being stated here?  Subnets do not "access shares",...users do.  If you have a share then you set permissions on the Share and the File System and that controls the access,..end of story.

Subnets and networks and routers are irrelevant.  If it is all one Domain then the permissions are obvious how to do it,...if it is two different Forests/Domains then a Trust must be set up first,...then set the permissions the same way.

With there being a total of only 30 machines here there really is no point in having two segments to start with,...I would eliminate one of them.  For every 200 Hosts then create a new segment.
 

Author Comment

by:rayluvs
ID: 35069750
Thanx for the info!
 

Author Closing Comment

by:rayluvs
ID: 35069798
thanx