Best way to connect to another LAN without the current LAN suffering security flaws

Posted on 2011-02-18
Last Modified: 2012-05-11
We have 2 LANs, one with segmentation of 198.168.55.xxx and the other LAN with 198.165.44.xxx.

The 198.168.55.xxx (referred to as 55) has no Internet and is a small LAN with 5 computers wired together. The 198.165.44.xxx (referred to as 44) is a larger LAN, a Domain, has Internet access and around 25 computers.

We want the small 55 LAN only to access a shared folder in the large 44 LAN; let's call it the SHARED folder.

We are thinking of adding a router in the 55 LAN and connecting it to the large 44 LAN. Then make the share of the single folder on one of the computers in the large 44 LAN.

When setting up the access to the large 44 LAN, we want to make sure that all PCs within the small 55 LAN can't access the Internet in the large 44 LAN or anything else in that large LAN.

To our understanding, when we share a folder, only that folder is being accessed. However, we would like the advice of the EE group to recommend how to limit the access to the folder in the large 44 LAN. We don't want other PCs from the small 55 LAN to hack that opening and jump out to the Internet or other areas in the large LAN.

Our main concern is security.
Question by: rayluvs

15 Comments
Accepted Solution by rimmena (LVL 6, earned 500 total points), ID: 34929776
You need to look at a firewall and leave only the ports open for file sharing, i.e. 445, and block everything else.

Depending on what you purchase, you should be able to view anyone attempting breaches of the firewall, etc.

Assisted Solution by Rick_at_ptscinti (LVL 3, earned 500 total points), ID: 34929831
Any decent router will allow you to build rules to limit or allow traffic, and since you are trying to do it by IP network range it's very easy to do.

The specifics on how would depend on the make and model, but the concept is always the same. If it were larger I would say use VLANs, but for the scale you are talking about I would just get a cheap 8-port switch for the 55 network and assign a port on your firewall specific to that network.

For the shared drive you would simply build an allow exception for traffic from anybody at 55 to a specific IP on 44 but only using the file sharing port number. You just need to make sure you deny other protocols so they can't get onto the file server via telnet or RDP and then relay on from there. Restricting access to fixed TCP port(s) will accomplish this.

Expert Comment by hitsotntd (LVL 2), ID: 34930142
This is one of the first questions I am answering on EE and it is amazing that people answer with so little information. Maybe I am looking into this in the wrong way or too deeply? LOL. I seem to need more information to go off of to give what I think is the best answer. I do apologize if I am off base.

1. Are these LANs directly connected or over the Internet? You stated that one network does not have Internet. How do you plan to, or how do you currently, have them physically connected to each other?
2. Are all the computers in both LANs a part of the same Windows DOMAIN? If so, you can just use Active Directory to regulate access.
3. To restrict access to the folder, you will need some type of credentials once you have traversed to it.

Can you provide more information on how they are currently configured?

Author Comment by rayluvs, ID: 34930317
Thanx all!

hitsotntd:

Here are the answers:
1. Only LAN 44 is connected to the Internet, 55 is not. As to "How do you plan or have them physically connected to each other", that's why I placed the question.
2. Different Domains.
3. LAN 55 is connected via wire and has no Internet. LAN 55 is connected via wire and wireless and it has Internet.

I hope I have provided additional information so you can help us.

Expert Comment by hitsotntd (LVL 2), ID: 34930899
I should have been more specific: are LANs 44 and 55 at the same location and/or site?
Is what you are wanting to know how to connect a branch office to your main office? The reason I ask is because the way you get to your end result depends a lot on how you are going to connect the 2 LANs.

These are Windows domains? You have domain controllers at each LAN?

Author Comment by rayluvs, ID: 34943971
hitsotntd:

Both LANs 44 & 55 are in the same site/location. The small LAN (55) has no Domain, the large LAN (44) has a Domain.

Expert Comment by Rick_at_ptscinti (LVL 3), ID: 34944804
So what kind of router do you have now?  If it's something decent we should be able to walk you through setting it up.

Author Comment by rayluvs, ID: 34985122
I don't have the router's model at this time and it can change, so if you can maybe theoretically indicate how we can limit the access to the shared folder we would greatly appreciate your input (we don't want other PCs from the small 55 LAN to hack that opening and jump out to the Internet or other areas in the large LAN).

Expert Comment by pgm554 (LVL 30), ID: 35063264
What type of server OS?

If you have a later version of Windows Server, you can set up a SharePoint portal and share files through a web browser format.

Assisted Solution by bgoering (LVL 28, earned 1000 total points), ID: 35063274
Obtain pretty much any router or firewall (firewall recommended).

For a firewall, connect large LAN 44 as inside, small LAN 55 as outside, then create firewall rules to allow access from outside to inside for the file share.

For a router, connect one interface to 44, another interface to 55, then create access list entries to:
open the required TCP and UDP ports from 55 to your fileserver host on 44 (UDP and TCP 135-139, 445)
deny everything else

Good Luck

Assisted Solution by bgoering (LVL 28, earned 1000 total points), ID: 35063284
Note you can also do this with a cheap home internet router - that will work kind of like a firewall and forward the required ports to the file server.

Connect WAN to 55
Connect a LAN port to 44
Create NAT rules to forward tcp and udp 135-139 and 445 to your fileserver, everything else will be denied by default.
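The allow-list that Rick_at_ptscinti and bgoering describe (hosts on 55 may reach one file server on 44 on the file-sharing ports only, everything else denied) modelled as a default-deny policy checker, with the same policy rendered as Linux iptables FORWARD rules. This is an added example, not code from the thread; the /24 prefixes derived from the question's 198.168.55.xxx and 198.165.44.xxx, the file-server address 198.165.44.10 and the interface names eth55/eth44 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the question's "55" and "44" networks; the /24 masks and the
# file-server address are assumptions, not values given in the thread.
SMALL_LAN = ipaddress.ip_network("198.168.55.0/24")   # "55": outside/WAN side
LARGE_LAN = ipaddress.ip_network("198.165.44.0/24")   # "44": inside, holds the share
FILE_SERVER = ipaddress.ip_address("198.165.44.10")   # assumed host carrying SHARED
FILE_SHARING_PORTS = set(range(135, 140)) | {445}     # TCP/UDP 135-139 and 445 (per bgoering)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    dport: int

def allowed(flow: Flow) -> bool:
    """Default-deny: only 55 -> file server on the file-sharing ports is forwarded."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in SMALL_LAN:
        return False          # the device only forwards traffic originating on the 55 side
    if dst not in LARGE_LAN:
        return False          # the Internet and any other network are never reachable
    if dst != FILE_SERVER:
        return False          # every other 44 host stays unreachable from 55
    if flow.proto not in ("tcp", "udp"):
        return False          # nothing but TCP/UDP file sharing is on the allow list
    return flow.dport in FILE_SHARING_PORTS   # blocks telnet/RDP pivots via the server

def iptables_rules() -> list[str]:
    """Render the same policy as Linux FORWARD-chain rules (interface names assumed)."""
    rules = ["iptables -P FORWARD DROP",    # default deny in both directions
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto in ("tcp", "udp"):
        rules.append(f"iptables -A FORWARD -i eth55 -o eth44 -s {SMALL_LAN} -d {FILE_SERVER} "
                     f"-p {proto} -m multiport --dports 135:139,445 -j ACCEPT")
    return rules

if __name__ == "__main__":
    for f in (Flow("198.168.55.20", str(FILE_SERVER), "tcp", 445),   # SMB: allowed
              Flow("198.168.55.20", str(FILE_SERVER), "tcp", 3389),  # RDP to server: denied
              Flow("198.168.55.20", "198.165.44.11", "tcp", 445),    # other 44 host: denied
              Flow("198.168.55.20", "203.0.113.5", "tcp", 80)):      # Internet: denied
        print(f, "ALLOW" if allowed(f) else "DENY")
    print("\n".join(iptables_rules()))
```

The reply-direction ESTABLISHED,RELATED rule is what lets the file server answer; without it the default DROP policy would also discard the server's responses.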

Expert Comment by pwindell (LVL 29), ID: 35069459
Wow! Why isn't the obvious being stated here? Subnets do not "access shares", users do. If you have a share then you set permissions on the Share and the File System and that controls the access, end of story.

Subnets and networks and routers are irrelevant. If it is all one Domain then the permissions are obvious how to do it; if it is two different Forests/Domains then a Trust must be set up first, then set the permissions the same way.

With there being a total of only 30 machines here there really is no point in having two segments to start with; I would eliminate one of them. For every 200 Hosts then create a new segment.

Author Comment by rayluvs, ID: 35069750
Thanx for the info!
Author Closing Comment by rayluvs, ID: 35069798
thanx