Office network security w/ remote access

dxkj

Lifer
Feb 17, 2001
Now I'm sure this has been covered somewhere, so if I just need referred to another thread, that's fine.

Here's the situation:
Small office wireless LAN - we have ADSL -> Modem -> Linksys wireless AP (model BEFW11S4) -> (via XP Pro ICS) our PCs.
This of course is fairly secure for file sharing and such, as none of us have direct IP connections to the internet. However, we also cannot run remote login programs such as VNC.

Before today, we had a dynamic IP that pissed everyone off because we had to keep updating tables for our secure servers with our new IP range every time it reset itself. That is now fixed and we have a static IP for our router. In addition to that, we have permission to use the wireless AP as a hub instead of a router and all individually have static IPs.

My question is this: if we go the way of a hub instead of a router, is our internal traffic/file sharing going to be open to the public as well? And if so, is there an easy way around it? Or does the remote desktop with WinXP Pro handle our current situation?

I'm sorry that I am so shamefully ignorant - I've just never had the need before now.

Thanks in advance for the input.
 

mboy

Diamond Member
Jul 29, 2001
The 1st thing I would do is try and figure out why you think this is remotely secure in the 1st place. No offense, but in no way is that ANYWHERE near secure (let me count the ways) for a business environment.
What is your budget? 1st thing I would do is get yourself a good firewall appliance. You can get a mid range Snap Gear or Zywall in the $200-300 range. Put that behind your DSL modem and you have a REAL firewall with which you can create in/out ACLs, content filter AND create endpoint VPN tunnels (which is what you want to use if you are remotely controlling PCs over the WAN connection).
Are you saying your PCs are ALL wifi connected? If so, then you are EXTREMELY insecure right now.
Read Soybomb's thread about IPsec encrypting wifi in the office.

I would drop the hub idea as all your PCs will have (or need) publicly accessible IPs if nothing is used to at least NAT them (provided you are thinking of dropping ICS altogether, which is a good idea in itself as ICS BLOWS).
 

Boscoh

Senior member
Jan 23, 2002
Get a good firewall like a SonicWall or a Netscreen (I can't recommend any of the previously mentioned products above, never used them) or a Cisco PIX if you have the know-how and can afford it. Don't use a hub and give up NAT; NAT does provide some security against the outside world in itself. In any good firewall you should be able to create one-to-one static NAT mappings which map your static external IP to a static internal IP; you can then open up whatever ports you need for remote control. You shouldn't think of getting a range of static external IPs as a replacement for NAT; you should think of it in terms of now you can just use static one-to-one mappings where each PC has its own static internal address which is mapped to its own external address, instead of just pumping all your users through one global external IP that changes all the time.
 

mboy

Diamond Member
Jul 29, 2001
Having used Netscreen, SonicWall, etc. I HIGHLY reco a Snapgear for your needs. If you have the budget, by all means go for a PIX, but you will have to spend 3x as much on it as you would on this:
SME 550

If anyone is NOT familiar with this product, give it a good look over. Can't tell you how happy I am with mine. Even have a NICE 3DES IPsec tunnel to my SonicWall Pro 200 @ work.
 

Boscoh

Senior member
Jan 23, 2002
Doh.

Now that I re-read my post, I have to say that I wouldn't open any ports to any PCs on the firewall or create static one-to-one mappings. Just assign all your external IPs into one pool and let the firewall dynamically assign them. If you need to do any remote control stuff, configure VPN on the firewall and VPN in; once you are in with VPN you can do anything as if you were sitting up at the office.

Is your wireless access point a router as well? I don't use any Linksys crap anymore, but I suspect it probably is. If so and you can turn off the router portion of the box and just leave the wireless AP active, that would be the best thing to do. Let your firewall handle all the routing and DHCP stuff.


mboy: that snapgear box looks really nice. But I like my PIX 501 better :evil:
 

mboy

Diamond Member
Jul 29, 2001
Not that I don't like the PIX myself, but I like paying $375 delivered for 500 VPN tunnels, unlimited users, free lifetime firmware upgrades, SSH v2, DNS proxy and NTP serving vs $1000 for a comparably equipped PIX :)

Throwing that wireless in there without securing it properly totally craps out any security you might have for the LAN. Hence the Smoothwall box I am setting up for 3DES IPsec for wireless I am going to add to my LAN at work (still deciding best way for home as in previous post).

Take a look at the snapgear if you ever get the chance, might just convert you from the PIX if you ever have a tighter budget :)

Oh yeah, almost forgot the traffic shaping, content filtering and serial connection for modem failover (or modem dial-in access to enter the LAN or configure the Snap Gear) :)
 

mboy

Diamond Member
Jul 29, 2001
Oh, if the original poster just has to use public IPs for all his LAN PCs, then I would run whatever firewall I was using in bridged mode with a router in front.
Although there is no reason you couldn't assign static public IPs to all of your LAN boxes and lock them down with the bridged firewall. But why go to all that trouble?
I still say buy a real firewall and NAT your LAN boxes behind it; if serving anything to the public, then make sure to get a firewall with a 3rd interface for the DMZ and host them there. And still use VPN tunnels to connect LANs to remote control PCs/servers.
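A constructed toy model, added here and not code from any poster or product, of the designs the thread compares (Boscoh's explanation of NAT versus public IPs behind a hub, and mboy's closing advice to NAT the LAN and only open the DMZ): it sends the same unsolicited VNC probe at each design and shows which ones let it reach a PC. Addresses and ports are made up from the RFC 5737 documentation ranges.

```python
# Constructed toy model (not any vendor's code) of the designs in this thread: PCs on
# public IPs behind a hub, PCs NATed behind a firewall, and a one-to-one static mapping.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatFirewall:
    wan_ip: str
    conns: dict = field(default_factory=dict)   # wan port -> (lan ip, lan port), from outbound
    static: dict = field(default_factory=dict)  # (wan ip, port) -> (lan ip, port), opened on purpose
    next_port: int = 40000

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the WAN address and remember the mapping."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.conns[wan_port] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: only a reply to a known connection or a static mapping gets in."""
        if pkt.dst == self.wan_ip and pkt.dport in self.conns:
            lan_ip, lan_port = self.conns[pkt.dport]
            return "deliver", Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if (pkt.dst, pkt.dport) in self.static:
            lan_ip, lan_port = self.static[(pkt.dst, pkt.dport)]
            return "deliver", Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return "drop", None

def hub_inbound(pkt, lan_hosts):
    """Hub with public IPs: no translation, so every host is reachable on every port."""
    return ("deliver", pkt) if pkt.dst in lan_hosts else ("drop", None)

def demo():
    """Send one unsolicited VNC probe (port 5900) at each design; RFC 5737 addresses."""
    outsider = "198.51.100.7"
    hub = hub_inbound(Packet(outsider, 5555, "203.0.113.10", 5900), {"203.0.113.10"})
    fw = NatFirewall(wan_ip="203.0.113.5")
    nat = fw.inbound(Packet(outsider, 5555, "203.0.113.5", 5900))
    out = fw.outbound(Packet("192.168.1.10", 3000, outsider, 443))  # LAN-initiated
    reply = fw.inbound(Packet(outsider, 443, out.src, out.sport))   # its reply gets back in
    fw.static[("203.0.113.6", 5900)] = ("192.168.1.11", 5900)      # the mapping Boscoh withdrew
    mapped = fw.inbound(Packet(outsider, 5555, "203.0.113.6", 5900))
    return {"hub": hub[0], "nat": nat[0], "reply": reply, "static": mapped}
```

The probe lands on the PC behind the hub and through the static mapping, but is dropped by plain NAT while a reply to LAN-initiated traffic still gets through, which is the behaviour the VPN-only recommendation relies on.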