security question

If I am using 4 LAN computers with an ADSL connection and all 4 of them connect to the internet through a router (a router you recommend :), how can I best protect one LAN computer, which is very important to me security-wise, from the other 3 LAN computers, which I would not watch a lot to keep clean from viruses, Trojans etc.? Is the threat that comes from my 3 LAN computers bigger than the internet threat?

sinisa

Install a second router, connect its WAN connection to the LAN connection on the first router, then connect the important computer to the second router's LAN. This will allow the important computer to get internet access and to reach the other computers, but it won't allow the first three computers to reach the important one because NAT would block it.

Leythos

Waste of money. You can properly configure your computer's firewall to block internal machines, even most routers now have firewall functionality built in.

sil

Sorry, but you're wrong. The Windows firewall can be changed by programs running under an admin account, and the Windows firewall opens file/printer sharing by default in some setups.

A NAT Router is not going to expose those OS flaws.

$50 to protect a machine without the user having to constantly check the Windows Firewall Exceptions.... Well, it's painless and works.

Leythos

Very nice idea. Maybe I should point out that the important LAN comp would not need any file sharing with the other 3. The question now is: should I do what you told me, or would what sil proposes about a soft firewall be enough?

sinisa

So what about the time at boot and login, when the personal FW cannot be started first before anything else? It can be that the TCP stack is started and other machines on the LAN with malware can access the machine, because the FW was not made available before TCP was started on the machine and was available.

Routers do segregation of networks even in a home environment. The router doesn't have to be booted and started, unlike a host based solution running on a computer; it's never down or booting like what would happen on a host based solution, so a machine behind a router cannot be attacked during that window.

If I want total separations of machines in a LAN situation, I would be doing it with a two router solution.

You can get a second good router on sale for about $20.

Duane :)

Duane Arnold

Ok, great, so another router is the way to go. BTW I don't care about spending $20-200 if that is the best solution. What second router should I use? What is best known for good firewall and security performance?

sinisa

----- Original Message ----- From: "sinisa" Newsgroups: comp.security.firewalls Sent: Saturday, October 07, 2006 9:41 AM Subject: Re: security question

I'll put it to you this way. A standalone device solution, in your case, such as a second router, if you want absolute protection from the other machines on the LAN, is the best solution.

The security is in the separation of the two networks, in your case, whereas the machine you're trying to protect will not receive any unsolicited inbound traffic, not only from the Internet but from other machines on your LAN. The second router is going to flat-out stop that from happening.

The second router is only going to allow inbound traffic back to the machine that the machine has sent outbound traffic to, whether that outbound traffic is to a remote IP on the Internet or to another machine on the LAN. You put that second router in play and the machine will not be able to talk to other machines in a LAN situation connected to the other router. Nor will the other machines connected to the other router be able to talk to the machine that has been segregated.

The router you need to make sure has all the bells and whistles you want is the gateway router that's connected to the modem and is the Internet facing router. The router that's doing network segregation behind the gateway router can be an el-cheap-o of anything you want. It doesn't make a difference.

I saw a guy in another NG post that he got a Linksys for $10 at Best Buy.

Duane :)

Duane Arnold

Ok, so the first gateway router that is connected to the modem should be the good one. Can you recommend which one with all the bells and whistles I should buy then, because I think I have an el-cheap-o right now. My old D-Link 604 is maybe best to use for network segregation (second router).

sinisa

There are two things to consider in the two solutions:

1) A hardware solution provides a fixed means of protection that can't be screwed up if you screw up your OS or soft firewall.

2) A soft firewall will work, but if you screw up the firewall, or if there is an exploit, or if any number of unknown applications punch an exception in the Windows firewall, well, you're not really protected or isolated.

So, if you want something that works, but it does cost about $50, then you use hardware to isolate the important machine from the others and then it doesn't matter about exploits in the OS/Apps.

I have customers that have labs (where they hold classes) and each lab is separated by a NAT appliance that is connected to a DMZ network - this means that all of the labs can reach the internet, some can route traffic back to the labs from the public side (we won't go into that here), but none of the labs can reach into the other labs. While you could TRY and do that with native Windows XP, it would be a mess and could easily be compromised.

Leythos

----- Original Message ----- From: "sinisa" Newsgroups: comp.security.firewalls Sent: Saturday, October 07, 2006 10:39 AM Subject: Re: security question

I think any router that's ICSA certified will do the job for you. Netgear makes one and I am sure there are other FW routers.

You should get a network FW solution that meets the specs in the link for *what does a FW do*.

You should get one that uses Wallwatcher.

Leythos makes mention of a D-link model that may meet your needs.

Duane :)

Duane Arnold

I am definitely picking this choice. Glad to see there are smart people willing to help.

sinisa

I design secure networks and infrastructure for a living; it's what I based my company on and how I keep making a living.

Just about any NAT Router (often called a firewall by the misinformed) will do what you want. Key thing to remember, both routers MUST HAVE DIFFERENT PRIVATE NETWORK RANGES.

Router 1 (your internet router): 192.168.3.1/24
Router 2 (your protected one): 192.168.4.1/24

It would also be best if you can assign the WAN address for router 2 with a fixed IP in Router 1's LAN (like 192.168.3.2) - but this also means that you need to know your ISP's DNS numbers and such.
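As an added illustration (not part of the thread and not any vendor's code), the following Python model shows the two points Duane and Leythos make above: a second NAT router forwards inbound traffic only for flows a protected host initiated, so a sibling PC on the first LAN gets nothing through, and the two routers' private ranges must not overlap. It uses the thread's addresses (192.168.3.1/24, 192.168.4.1/24, router 2's WAN fixed at 192.168.3.2); the host addresses, the ISP address 198.51.100.7 and the web server 203.0.113.5 are assumed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    sport: int  # source port
    dst: str    # destination IPv4 address
    dport: int  # destination port


@dataclass
class NatRouter:
    """Minimal stateful NAT: an outbound flow from the LAN creates a mapping on
    the WAN side; an inbound packet is forwarded only if it matches one."""
    lan: ipaddress.IPv4Network
    wan_ip: str
    next_port: int = 40000
    # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN-originated packet to the WAN side, recording state."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            raise ValueError(f"{pkt.src} is not on this router's LAN")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for wport, existing in self.table.items():
            if existing == key:                      # reuse an existing mapping
                return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)
        wport, self.next_port = self.next_port, self.next_port + 1
        self.table[wport] = key
        return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate a WAN-side packet back to the LAN host, or return None
        (dropped) when no LAN host solicited it."""
        entry = self.table.get(pkt.dport)
        if entry is None:
            return None                              # unsolicited: no state, dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                              # wrong peer for this mapping
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


def ranges_are_distinct(router1_lan: str, router2_lan: str) -> bool:
    """Leythos's rule: the two routers' private ranges must not overlap."""
    n1, n2 = ipaddress.ip_network(router1_lan), ipaddress.ip_network(router2_lan)
    if not (n1.is_private and n2.is_private):
        raise ValueError("both LAN ranges should be RFC 1918 private space")
    return not n1.overlaps(n2)


def simulate() -> dict:
    """Constructed scenario: router 1 on 192.168.3.0/24 (gateway), router 2 on
    192.168.4.0/24 with its WAN port fixed at 192.168.3.2 on router 1's LAN.
    The protected PC, the sibling PC, the ISP address and the web server are
    assumed values, not from the thread."""
    r1 = NatRouter(ipaddress.ip_network("192.168.3.0/24"), wan_ip="198.51.100.7")
    r2 = NatRouter(ipaddress.ip_network("192.168.4.0/24"), wan_ip="192.168.3.2")
    protected, sibling, web = "192.168.4.10", "192.168.3.50", "203.0.113.5"
    out = {}

    # A sibling PC on LAN 1 trying to reach the protected PC can only address
    # router 2's WAN side; with no mapping, router 2 drops it (e.g. SMB on 445).
    out["sibling_cannot_reach_protected"] = r2.inbound(Packet(sibling, 51000, r2.wan_ip, 445)) is None

    # The protected PC may still initiate to the sibling, and the reply comes back.
    o = r2.outbound(Packet(protected, 50000, sibling, 80))
    reply = r2.inbound(Packet(sibling, 80, o.src, o.sport))
    out["protected_reaches_sibling"] = reply is not None and reply.dst == protected

    # Another LAN 1 host cannot piggyback on that mapping.
    out["other_host_cannot_piggyback"] = r2.inbound(Packet("192.168.3.51", 80, o.src, o.sport)) is None

    # Internet access still works through both NATs (double NAT).
    hop1 = r2.outbound(Packet(protected, 50001, web, 443))
    hop2 = r1.outbound(hop1)
    back1 = r1.inbound(Packet(web, 443, hop2.src, hop2.sport))
    back2 = r2.inbound(back1) if back1 else None
    out["internet_round_trip"] = back2 is not None and back2.dst == protected
    return out


if __name__ == "__main__":
    print("ranges distinct:", ranges_are_distinct("192.168.3.0/24", "192.168.4.0/24"))
    for check, ok in simulate().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The model deliberately has no port forwards on router 2: the moment one is added, the corresponding service on the protected PC becomes reachable from LAN 1 again, which is exactly the "exception" problem Leythos raises about host firewalls.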

Leythos

For now I am going to copy-paste what you wrote so I can read it later (a few months later, because I didn't even buy my secure PC yet, but I will, don't worry, I didn't waste your time for nothing ;-). I know my ISP's DNS numbers, but where and how to configure what you just told me I hope to figure out myself, or expect me coming back later on this group to bother you again :-)

sinisa

I, as well as many of the others, will still be here when you need help. Most NAT Appliances have a web interface that is easy to understand and simple to use.

I like the D-Link and Netgear lines, and have mostly given up on Linksys and NEVER buy Belkin (for residential NAT appliances).

Leythos

I decided to buy for Router 1 (internet router): NETGEAR ProSafe Firewall Router w/parallel-port Print Server, 4 x 10/100Mbps Switch, FR114PGE, $100

Router 2 (protected one): my old D-Link 604

I think these two should work together fine; if you agree I am going to order the Netgear FR114PGE on Monday.

sinisa

It will work as you've selected, and if you set up the printers correctly you can print to them from the protected network also - by IP.

Leythos

Why have you given up on Linksys?

Later....

David S>

David Smith

I've found their quality and features lacking over the last couple years and that as other vendors increase quality and features, Linksys has dropped it in areas that make a difference to me.

Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.