Jump to content

Connecting 'internet' And 'non-Internet' Networks


Recommended Posts

I'm setting up a network for a small business. Since there is extremely sensitive data on the network, and I want to go the extra mile, I'm dividing the network into two totally separate networks. One will be connected to the Internet. On here will be secretary's computers, computers with non-essential data, and the web server. The private network will have No connection whatsoever to the Internet. I don't wish to incriminate myself, but lets just say the only way I'll feel comfortable saying the private network can't be hacked is if it's physically disconnected from the Internet. My problem is, I need to share files between the networks. I'd like it to be automated, not a sneakernet. At first, I was thinking of a serial connection, running something like ZModem on both ends. I suppose this is still Plan B, but I was hoping for something faster, more modern, and something simpler to deal with (No separate ZModem program). Then, I was thinking of a small NAS that had both a USB and Ethernet connection. However, I've heard you can't use both at the same time. On the one I found where you can, the USB connection is actually a network connection. Now I know I could probably come up with something like this using a managed switch, or maybe a computer with certain protocols disabled, or maybe just a firewall. What I want is something I couldn't hack into, assuming I knew the entire network acrhitecture, and all passwords. If I can configure something to disable access, I can configure it to enable access, right? I can't be the first person who thought of this. How does everyone else share files securely between networks like this?

Link to comment
Share on other sites

You need a DMZ between the two with authentication mechanisms between them, and if possible, VPN access to the inner network fro the outside network. VLANS are one way to help, but they can be hacked and bypassed, but if the two networks need to be able to share data of any kind, you need to setup an inbetween DMZ for bridging the two with heavily controlled firewalls on either side of the DMZ or even more than one DMZ depending on what has to be shared from the back office to the front, you could segment the network even further. One of the machines might need multiple NIC's and setup on more than one subnet, so that it can be seen between the DMZ, and work the rest out from there, because two separate subnets can't see each other without a router or bridge between them. I wish I still had all my cisco stuff and was on top of it, cause I could outline a setup and draw a diagram for you on what I would try, but sadly I haven't touched any of that stuff in YEARS now, and most of its all forgotten for the most part, but basics is:

cloud > firewall > DMZ (secretary, etc) > firewall >DMZ >File server >Firewall >Mail Server and backend storage, shares, etc and have to work all that out, create separate subnets for each part that doesn't need to speak with the others, and map it all out accordingly. If you are using any kind of wireless, I would say go Radius, and that could in some ways help bridge the front Internet capable machines, through a DMZ to the back office, but would need to be heavily monitored and secured properly.

Bottom line, two machines can't talk, if they have no path between them, whether wired or wireless, and personally would avoid wireless unless using radius and certificates with VPN setups for everything that is a necessity. You could even have one file server on the outside that has access to the backside between the DMZ that is the only point of contact between the front and back offices, but that machine would be your single point of failure and you most heavily guarded device since its the middle man between the two sides of the office. If someone breached say a secretaries machine, there is no reason an attacker couldn't just pivot off it to the back office, so how you setup authentication is crucial, and I would not let them have access to the backoffice, but maybe just a single file server on their side that speaks to the back office through a DMZ with firewall and IDS on either side of them.

Edited by digip
Link to comment
Share on other sites

I was thinking of a small NAS that had both a USB and Ethernet connection. However, I've heard you can't use both at the same time.

Correct, you wouldn't be able to use both USB and Ethernet connection at the same time, but if the NAS had two Ethernet ports you could have two separate networks and still share data between them. I would check out that Qnap units, if I were you.

Link to comment
Share on other sites

The hardest part with this sort of setup is that it has to be very easy for people to use. If it isn't then they will just start storing the confidential information on their machines, USB memory sticks, etc. not because they are trying to be insecure but because it is a pain to have to get it moved into a holding location between two networks and then get it from their. In the long run you end up with everything important being stored in the holding area.

Like all security it comes down to finding the best compromise for the situation. If your confidential information is life threatening (nuclear launch codes, medical records, witness protection database, etc.) then yes you would be wanting to have the hardest security to break. Of course in these situations you also have a lot of training time to drill the procedures into each user and new users will have to go through the training as well.

On the other hand if your security is financially confidential (bank account details, credit card details, etc) then your procedures and setup is fixed as you should be following the security guidelines set up by the banking association or credit card processor you are dealing with.

If it is confidential because if another company got their hands on it then they would be able to undercut your bids and win customers. Well it is less likely that they would hack your network to get that information when they could simply give a bag of cash to an employee to get them copies of any information they want.

Link to comment
Share on other sites

  • 3 months later...

In regards to Cisco, I'm actually somewhat current on it. No, I don't have a CCNA, but I use it daily. Here's my idea in a nutshell. You use a router that allows for a primary and secondary gateway, restrict access using ACL, advertise one network, do not advertise the other, and the computers that need public access get 2 IPs.

I know that you can put a secondary gateway on a Cisco router and Layer 3 switch. One network is a public network that is advertised through OSPF, EIGRP, RIPv2, etc. The other network is the "secure" network (say, a 192.168.x.x network just for ease) is the secondary gateway. The idea is that the router has a leg in each network, with only one being seen on the outside (the unsecure network). The server or NAS goes on the secure network. The few computers that need to get to both networks get 2 statically assigned IP addresses, primary is unsecured, the additional is an address on the "secure" network. Using ACL, restrict access incoming to the secure network. I cannot speak for the security of this setup, but I'm sure it would work.

Router(config)#interface fa0/0

Router(config-if)#ip address 10.0.0.1 255.255.255.0

Router(config-if)#ip address 192.168.10.1 255.255.255.0 secondary

Router(config-if)#exit

Router(config)#router ospf 21

Router(config-router)#network 10.0.0.0 0.0.0.255 area 0

Router(config-router)#exit

Could I please get some feedback on this idea. I'm sure it's full of security holes and I would love to learn them. Thank you.

Edited by Random_N00b
Link to comment
Share on other sites

Only way I see one nic getting two IP addresses is virtualized or VPN, or you'd need two nics in one machine to have more than one IP on the same NIC. Otherwise the OS would need a virtual NIC like Vmware sharing it, or a VPN interface that uses the same nic, I don't see how each PC can have two IP's without 2 physical nics. I could be wrong though. Someone chime in and school us.

Link to comment
Share on other sites

Only way I see one nic getting two IP addresses is virtualized or VPN, or you'd need two nics in one machine to have more than one IP on the same NIC. Otherwise the OS would need a virtual NIC like Vmware sharing it, or a VPN interface that uses the same nic, I don't see how each PC can have two IP's without 2 physical nics. I could be wrong though. Someone chime in and school us.

I know a few versions of Windows (Windows 7 and Server 2008, maybe more), allow you to add multiple addresses to one interface. If you go to the interface properties -> IPv4 Settings -> Advanced there is an option to add more addresses. I'm kind of making an assumption that in this particular business environment they are running some version of Windows.

Link to comment
Share on other sites

I know a few versions of Windows (Windows 7 and Server 2008, maybe more), allow you to add multiple addresses to one interface. If you go to the interface properties -> IPv4 Settings -> Advanced there is an option to add more addresses. I'm kind of making an assumption that in this particular business environment they are running some version of Windows.

Good point. Have not tried that before. I've setup manual static routes through the command line before, but never through the GUI to add a second IP, just subnet routing via command line, but only when the router in question, had dual IP's set on one interface reaching the workstation and we wanted to route to other subnets via a single gateway that had access to both subnets. Every other setup we did without static routing, we used dual nics, so I'll keep that in mine next time I have more than one subnet and router to play with and see how it works out.
Link to comment
Share on other sites

if the NAS has vlan tagging you could trunk a port and have two VLAN IDs with two network addresses.

You bring up a good point about VLANs and 802.1q trunking. However, with the equipment I use you can only assign one "acess" vlan to a port. Now, with what I was saying about assigning two IPs to a single NIC on a computer running certain versions of Windows, you could put the NAS on the same data network but give it an IP in it's own unique network and not have to do anything with the router. For example, let's say that your data network is running 192.168.10.x /24. You could give the NAS an ip of 10.10.10.10 /24, put it on the same network, and give those computers you wanted to access the NAS two IP addresses. In the case of VLANs, the NAS would be on the same VLAN as your data network. If you wanted the NAS to be on its own VLAN, say VLAN 20, you would have to configure the port on the switch for VLAN 20, and then make that VLAN routable in your router with a subinterface. However, I feel that step may be unnecessary.

Edited by Random_N00b
Link to comment
Share on other sites

You bring up a good point about VLANs and 802.1q trunking. However, with the equipment I use you can only assign one "acess" vlan to a port. Now, with what I was saying about assigning two IPs to a single NIC on a computer running certain versions of Windows, you could put the NAS on the same data network but give it an IP in it's own unique network and not have to do anything with the router. For example, let's say that your data network is running 192.168.10.x /24. You could give the NAS an ip of 10.10.10.10 /24, put it on the same network, and give those computers you wanted to access the NAS two IP addresses. In the case of VLANs, the NAS would be on the same VLAN as your data network. If you wanted the NAS to be on its own VLAN, say VLAN 20, you would have to configure the port on the switch for VLAN 20, and then make that VLAN routable in your router with a subinterface. However, I feel that step may be unnecessary.

The only thing I see with this is that the main gateway you connect to would need to have a subnet interface connected to both of the networks you want to reach via both IP's you are setting. Switches don't do routing unless they are layer 3 switches, so even adding the second gateway and second IP manually, still only works if your main gateway has route to the second network or an interface and routing table to reach it, or like you mentioned above, OSPF, etc, exchanging routing tables to know where the other lan is.

Link to comment
Share on other sites

I don't think so. I have a piece of eqipment on my network right now that has an IP different than any other IP on my network sitting on my management VLAN. Let's just say my management range is 192.168.2.0 /24. Now, this device's management IP is, say, 10.10.10.1 /24. My management computer is running Windows Server 2008. The management computer has two IPs for it's one NIC, one for both networks. Now, that random odd management IP I can still get to despite not having a gateway for it on my router. In fact, none of my devices even make a hint to the 10.10.10.0 /24 netowrk. There's no need to make that network routable.

Now, I don't want to sound like a dick. That's not my intent. I understand I'm still new here. However, I'm speaking from what I know from active networks.

Link to comment
Share on other sites

I don't think so. I have a piece of eqipment on my network right now that has an IP different than any other IP on my network sitting on my management VLAN. Let's just say my management range is 192.168.2.0 /24. Now, this device's management IP is, say, 10.10.10.1 /24. My management computer is running Windows Server 2008. The management computer has two IPs for it's one NIC, one for both networks. Now, that random odd management IP I can still get to despite not having a gateway for it on my router. In fact, none of my devices even make a hint to the 10.10.10.0 /24 netowrk. There's no need to make that network routable.

Now, I don't want to sound like a dick. That's not my intent. I understand I'm still new here. However, I'm speaking from what I know from active networks.

No worries, I didn't take any offense or anything. Just trying to picture your topology for the network and how they see each other over what device.

What device connects the two separate subnets that is in common with each end device on the separate subnets? Is it just a switch connected to both subnets and no router? I assume a router is in the mix somewhere, or at a minimum, a layer 3 switch that is aware of both subnets and how to reach each (which most home consumer brand routers are all in one sort of switch/router combo) which knows both networks and how to reach them. Can you describe for me how your two subnets see each other and what is between them? in my head, I'm only seeing it possible if they each share a common gateway with an interface on both the subnets, or a switch that also has layer 3 capabilities.

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...