Network segregation and general networking questions

Jibby

Member
Oct 3, 2002
110
0
0
Hi, I've been reading up on "network segregation" at Ezlan. I just have a few questions though... and I don't have that much experience with networks, so please bear with me a little bit. :)

I'm thinking of going with the following configuration: dsl modem > wireless router (front network) > yet-to-buy wired router (shielded network). I'm planning to connect my laptop (wireless), gaming computer and the family computer to the front network and my work computer to the shielded network (I'll be setting the wired router's firewall to block all ports except for port 80, which should be all I need). The most likely "intrusions" are probably going to happen in the form of malware/spyware on the family computer (less computer-savvy family members) or someone getting on the front network via the wireless connection.

If someone gains (unauthorized) access to the front network, is my work computer going to be adequately protected? It will be behind the wired router's firewall (all ports blocked except for 80), a software firewall and with File Sharing and Client for MS Networks disabled. Can that intruder also discover details like my ISP login name and password from the router?

Can the intruder on the front network "see" the existence of the shielded network? I ask this because of how it was mentioned at Ezlan that the relationship between the shielded network and the front network is similar to the relationship between the internet and the front (unsegregated) network, and AFAIK it is common practice to "stealth" the network in the latter's case.

Is it also possible to have a front network followed by two shielded networks?
e.g. modem > router 1 (front network) > router 2 (shielded), router 3 (shielded)
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,474
387
126
As far as the Front Network is concerned, you are in the same situation as millions of people: you have to secure the Wireless with WPA or WPA2, and you would probably be OK.

The segregated Network would be stealth, content-wise, to the front Network if all ports are closed.

I never tried a second level of segregation, but there is no apparent reason to prevent it from working.

As far as most Spyware and other Junk are concerned, the segregation is not a protection, since they come in through volitionally visited pages and email.

Segregation is not so much a way to add total overall security from the Internet or Wireless leechers. It is more a way of protecting part of your system's Resources and File sharing, and from trouble that might spread if someone on the "Front" is infected.

Breaking into a Router and finding ISP info is not a big issue.

Even if someone manages to do so: if you are on DSL, it goes through your Tel. line. If someone else has your ID and PW, he cannot use it through his phone.

Cable authenticates by MAC, and will not allow two connections with the same authentication.

:sun:
 

Jibby
Thanks for the advice, JackMDS. :)

I understand that a shielded network isn't meant to provide "extra protection" to my work computer but, rather, the aim is to separate it from the front network that has the greater potential to be compromised (wireless and less computer-savvy family members). What I am trying to avoid is a malware-infected family computer or wireless leecher dumping things on or browsing my work computer.

Thus far, because we have only one router (the wireless one) at the moment, I unplug my work computer from the router whenever anyone is using the family computer, and I connect my work computer to the router when no one else is going on the net and when I've switched off the wireless connection. This gets a bit annoying after a while, so I'd like the family computer and my work computer to both be able to go on the net at the same time (and maybe with wireless enabled the whole time too) but without the family computer infecting my work computer if the former does get malware on it, or a wireless leecher accessing my work computer.

About whether the shielded/segregated network will be stealthed to the front network... all ports should be closed by the wired router's firewall to prevent inbound connections by default, shouldn't they? And traffic can be completely blocked (i.e. including outbound) by blocking ports (or "blocked services" as listed on my Netgear wireless router) when configuring the router? I'm intending to block all ports on the wired router except for port 80 for internet access. An inbound connection through port 80 should not be possible unless I've forwarded the port to the work computer's network address, right?

Oh, and I do have WPA, btw. And by the two-shielded-networks config, I meant that both shielded networks are connected to the front network, rather than the first shielded network connected to the front network and a second shielded network connected to the first shielded network. :) It seems like having two shielded networks like that should be possible if wanted...
 

Jibby
Just thought I'd post my planned configuration and thoughts about how each network communicates with one another... please check that I got things right. :)

Planned config:
DSL modem > Netgear WGT624 router (front network, with wireless) > Netgear FR114P router (shielded network, yet to buy)
All computers/laptop will have a software firewall installed.

Reason for network segregation:
- Wireless desired.
- "Unsafe" net-surfing on the family computer.
- Desire the ability to provide net access to the family computer or laptop and my work computer at the same time without fearing that my work computer can be compromised as a direct result of either the family computer or the wireless connection being compromised.

Front network:
- Laptop on wireless, gaming and family computers on wired connections. Crossover cable to connect to shielded network.
- Router firewall set to block (i.e. inbound and outbound) all ports except for those required for net access (inbound connections will be blocked by default, if I understand correctly) and appropriate ports forwarded to the gaming computer for online games (seldom play games online though, so probably won't worry about this for the time being).
- Cannot access the shielded network due to the FR114P router's firewall.
- Will not use my laptop when a family member is using the family computer and will disable wireless connection when not used, to "protect" the laptop and family computer from each other.

Shielded network
- Only my work computer on wired connection.
- Router firewall set to block all ports except for 80 (http) and 443 (https). Inbound connections should be blocked by default if I understand correctly.
- Can access the front network (don't need to however in my case).
- Regardless of whether the front network is compromised, this network is as "safe" as if the FR114P router is connected directly into the modem.
 

JackMDS
Sounds Good.

A few comments. The FR114P is much more expensive than most wired Routers. It is not that safe. They call it VPN, but I do not think it is a VPN End Point.

The reason that it is expensive has to do with the included Printer Server. In any case, when it comes to a Printer Server you are much better off buying a Network-ready Printer. If you do not need this feature, a much cheaper Wired Router will do too.

Look for an inexpensive Wireless Cable/DSL Router that lets you switch the Wireless Off and has WPA-AES. If you use it as the second Router, you can use it as your personal Wireless and not be dependent on what is going on in the front.

I think that the Netgear might have these features. If I recall well, the Netgear lets you assign a Fixed IP within the range of the DHCP, which means that you can leave the computer's IP on auto and the same IP would be assigned to each computer, using the MAC as the filter. It adds more security, since you can enter all your computers' MACs into the table, which would make it harder for an intruder to obtain an IP.

Having the same Routers would also make it easy on you to change settings.

:sun:
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I think smoothwall can do this, you can have 2 networks behind one live IP. You could also set it up so all connections from "Home" to "Work" are blocked, but "Work" to "Home" are not, so you could still grab files, as long as you initiate the connection from "work"
 

Zap

Elite Member
Oct 13, 1999
22,377
2
81
Originally posted by: JackMDS
I never tried a second level of segregation, but there is no apparent reason to prevent it from working.

It works... mostly. If you use any applications that use UPnP to open ports, the request won't make it past your second router to the first one. I've noticed that some sites no longer work with cascaded broadband routers (one behind another). Two examples that I've personally witnessed are logging into Hotmail and Windows Update. In both cases, I kept getting "timed out" errors while most other sites worked. Don't know if it was just the two specific routers causing it (they each worked fine on their own), but that's just my experience.

For the OP, why don't you just get a good software firewall and forget about the second router? Use something good like Zonealarm - should keep out everything.
 

JackMDS
Originally posted by: Zap
Originally posted by: JackMDS
I never tried a second level of segregation, but there is no apparent reason to prevent it from working.
Actually, by second level of Segregation we meant a third router daisy chained to a second one, but I do not see any real reason to do so.

I am using segregation settings (two Routers) in few places, and it works like a charm.

However I use it for professional settings and thus there is No "Kinky" thingies at the segregation level.

:sun:
 

Jibby
Originally posted by: JackMDS
I think that the Netgear might have these features. If I recall well, the Netgear lets you assign a Fixed IP within the range of the DHCP, which means that you can leave the computer's IP on auto and the same IP would be assigned to each computer, using the MAC as the filter. It adds more security, since you can enter all your computers' MACs into the table, which would make it harder for an intruder to obtain an IP.

Yeah, I think that is the case with the WGT624 from my experiences. I also don't need a printer server, so I think I'll just go with getting another WGT624 then (despite some complaints I've read, it's been working like a charm for me...), and disable the wireless on the shielded router. Thanks again. :)

Originally posted by: nweaver
I think smoothwall can do this, you can have 2 networks behind one live IP. You could also set it up so all connections from "Home" to "Work" are blocked, but "Work" to "Home" are not, so you could still grab files, as long as you initiate the connection from "work"

Smoothwall has crossed my mind... a friend of mine uses it (or something similar) and has recommended it in passing. I'll be catching up with him again in the not-too-distant future anyway, so I'll ask him about it. At this stage, I'm still leaning towards using two routers since it should be very easy and quick for me to set that up. If I do decide to move to smoothwall in the future, I'll probably just sell one of the WGT624s or give it to my sis. ;) Thanks for the suggestion though!

Originally posted by: Zap
For the OP, why don't you just get a good software firewall and forget about the second router? Use something good like Zonealarm - should keep out everything.

I have been using Norton and ZA firewalls for my computers, and will soon likely make the switch to Outpost Pro (have been trialling it). Having the second router is like a safeguard more than anything, in case I haven't tightened the rules in the software firewall sufficiently or forgot about something, although I test out inbound connections from various online firewall tests like GRC, PC Flank, Sygate etc with the computer plugged straight into the modem. I'm a paranoid freak though. ;)