
Secure Network Design


Deathdefyer2002


I was given a Zywall 5 by my boss. He wants me to create a VPN link from my home to the office. He also wants me to give him the password on the Zywall 5. Now a VPN from my house to the office might not be that bad, but it also connects to a bunch of customers' networks. We basically do wireless internet for apartment complexes and hotels. The way the VPN is going to work is connect me to all of those computers. I am VERY worried about someone staying at one of the hotels or apartments trying to hack into my network via the VPN link.

My idea is to design my home network in such a way that there is NO possible way that anyone connected to the VPN will be able to access my home personal network. My idea was to split my network from the RR modem and run two separate networks, one for work and one for my personal use. Any ideas on how I should set this up?

Any help would be greatly appreciated as I am very worried about being hacked into.


If your computer is connected to the VPN (rather than a router) it's not possible to jump from the VPN to your network without compromising the computer connected to the VPN. That is unless you use the computer to bridge the networks or set up some routing between them.


Well the VPN link would be on the Zywall 5 Firewall. Having it there would allow any device behind it to be on the VPN and have access to all the computers connected to it.

I am just concerned that people may be able to compromise my system from their end. If there is a VPN connecting my network to theirs, then isn't it the same as if they were directly plugged into my network?


Sorry, but I'm still not clear on how you are connecting to these remote locations.

If you are connecting to them using a client on a single computer, run a firewall on that computer (Windows Firewall would do with no exceptions allowed) and your home network is pretty safe (just don't bridge the adapters).

If you are using a router or other network attached box to act as the client then route the necessary traffic through that, the best (and probably cheapest) solution would probably be to put it on the WAN port of a NAT router. You could use a proper hardware firewall, but a NAT router will basically do the same thing.


If you are using a router or other network attached box to act as the client then route the necessary traffic through that, the best (and probably cheapest) solution would probably be to put it on the WAN port of a NAT router. You could use a proper hardware firewall, but a NAT router will basically do the same thing.

I now realise this will not work.* You need a proper hardware firewall (how would the VPN connection device connect to the VPN server from the WAN side of a NAT router?) or a NAT router that you can install Linux on and turn into a firewall.

*If your VPN connection client box has physical 'in' and 'out' ports. That is to say the 'in' port gives the VPN client box its internet connection, and the 'out' port is where the VPN'ed traffic goes in and comes out. The NAT router option will work: connect the 'in' port to the internet (normal network) and the 'out' port to the WAN port of a NAT router.


The VPN Connection:

Hotels ----------> VPN SERVER( 2 Ethernet cards bridged) --------> my home network

Apartments--->

Now On my Home network there would be:

ISP ----> ZyWall5 (maintains the VPN connection) ----> my network

Now how can I secure the VPN connection at my home to keep people from hotels/apartments from accessing my personal computers? Like make it impossible......


Now how can I secure the VPN connection at my home to keep people from hotels/apartments from accessing my personal computers? Like make it impossible......

It's fairly impossible to make it impossible, short of using an air gap firewall. The best suggestion I can give you is to use a hardware firewall to only allow the VPN client device to access the internet (so it can connect to the VPN server) and block all incoming connections targeted at your network's subnet.


If the hardware you're running will support it I would make 2 networks with a router between them.

1 with your VPN stuff

2 with your home stuff

put an ACL (access control list) on the VPN network so nothing from the VPN box can get anywhere on your home box.

Honestly though, from the sound of it I would worry about the people in the rooms hopping around between your customers. I would make a separate VLAN for the hotels between rooms and staff stuff. You don't want the guests to be able to mess around with the front desk machines and such with credit card/home address/dates on there.


The most dirt cheap way of doing this would be to put the zytel with its VPN stuff as your main router. This gives you the VPN access you need from any system in your network. Then, take your current router (with everything that's connected to it) and connect its WAN port to a LAN port on the zytel. All your personal stuff will be behind a NAT firewall which is treating everything it can see on the WAN connection as the Internet, and essentially dangerous. As long as you use separate private IP ranges and don't set the Linksys to filter private network addresses on the WAN side of things you should be OK. You will be able to connect to machines on the remote sites and they will have no ability to connect to any of your stuff as it's behind a separate firewall.

Now, there are far better ways of doing this, but having a 2nd firewall between your WAN stuff and your personal LAN should be your first step. Then you can look at more interesting stuff like IDSs, firewalls, ACLs etc.

Internet----> [Zytel] <---> [NAT + Firewall] <---> Personal network
                         |
        Laptop on VPN

But realistically your boss should be willing to set up a cheapo DSL connection for this as it's never going to be used for anything heavy.
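The post above hangs the whole scheme on one condition: the two routers must use separate private IP ranges, and the inner router's WAN port must sit inside the outer router's LAN. The following is an added example (not from the thread, and not ZyWALL or Linksys configuration) that checks an address plan for exactly those conditions before anything is cabled up. The segment names, prefixes and the inner router's WAN address are constructed assumptions.

```python
"""Address-plan check for the two-router (ZyWALL outside, NAT router inside) layout.

Added example, not from the original thread. Segment names, prefixes and the
inner router's WAN address below are constructed assumptions.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed plan. The outer router (ZyWALL) owns "work-lan"; the inner NAT
# router plugs its WAN port into that LAN and owns "home-lan". Customer sites
# reachable over the VPN are listed so they are checked for overlap as well.
PLAN = {
    "work-lan": "192.168.1.0/24",
    "home-lan": "10.10.0.0/24",
    "vpn-hotel-a": "172.16.10.0/24",
    "vpn-apartments-b": "172.16.20.0/24",
}
INNER_ROUTER_WAN_IP = "192.168.1.2"   # assumed address of the home router's WAN port


def parse_plan(plan):
    """Parse CIDRs into networks; reject host bits set and non-private space.

    Returns (networks_by_name, problems)."""
    nets, problems = {}, []
    for name, cidr in plan.items():
        try:
            net = ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.is_private:
            problems.append(f"{name}: {cidr} is not private address space")
        nets[name] = net
    return nets, problems


def find_overlaps(nets):
    """Pairs of segment names whose prefixes overlap.

    Any overlap breaks this design: the inner router cannot tell its own LAN
    from the work side, and the VPN cannot route to an overlapping remote site."""
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def plan_problems(plan, inner_wan_ip, outer="work-lan", inner="home-lan"):
    """All problems found in the plan; an empty list means the layout is sound."""
    nets, problems = parse_plan(plan)
    for a, b in find_overlaps(nets):
        problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    if outer in nets and inner in nets:
        wan = ip_address(inner_wan_ip)
        if wan not in nets[outer]:
            problems.append(f"inner router WAN {wan} is not inside {outer} {nets[outer]}")
        if wan in nets[inner]:
            problems.append(f"inner router WAN {wan} collides with its own LAN {nets[inner]}")
    return problems


if __name__ == "__main__":
    for problem in plan_problems(PLAN, INNER_ROUTER_WAN_IP) or ["plan OK"]:
        print(problem)
```

Run it against the real prefixes before reusing a consumer router's default subnet on the inside: most of those default to 192.168.1.0/24 or 192.168.0.0/24, which is also the most common default on the work side, and the check above reports that collision as an overlap.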


  • 2 weeks later...

Thanks for all the suggestions everyone. I think what I am going to do is create two separate networks; that way all the traffic will be separated from each other. So coming in from the ISP there will be a switch which then separates my work network from my personal network. On the work side, I'm going to have the Zywall then a secure AP. On the personal side, I'm going to have Smoothwall or IPCOP then a gigabit switch.


Just curious, but are you running a Zywall as your work's firewall (that is, do you have one at each end of the VPN)? If you configure the VPN between the firewalls you can create a couple policies to allow all traffic from your side of the VPN out, but not allow traffic to come in.
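Several replies describe the same policy in different words: block everything arriving from the VPN side that targets the home subnet, put an ACL between the two networks so nothing on the VPN side can reach the home side, and (as in the post above) allow traffic out from your side but not in. The following is an added example, not the thread's own configuration and not ZyWALL policy syntax. It models that policy as a default-drop forward chain with a tiny connection table, evaluates some constructed sample flows (including a spoofed one), and emits the equivalent nftables chain for a Linux firewall box. Prefixes and interface names are assumptions.

```python
"""Forward policy between the VPN/work side and the personal LAN.

Added example, not the thread's own configuration and not ZyWALL syntax.
Policy modelled: the personal LAN may open connections toward the work LAN and
the customer sites behind the VPN, replies to those connections come back, and
nothing arriving from the VPN side may start a connection into the personal LAN.
Prefixes and interface names are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME = ip_network("10.10.0.0/24")        # personal LAN (assumed)
WORK = ip_network("192.168.1.0/24")      # ZyWALL LAN, i.e. the VPN side (assumed)
REMOTE = [ip_network("172.16.0.0/16")]   # customer sites reachable over the VPN (assumed)
HOME_IF, WORK_IF = "lan0", "wan0"        # interfaces of the inner firewall (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    iif: str   # interface the packet arrived on


class StatefulFilter:
    """Minimal model of a default-drop forward chain with connection tracking."""

    def __init__(self):
        self.conntrack = set()   # 5-tuples of connections the personal LAN opened

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        # 5-tuple of the connection that this packet would be a reply to.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        # 1. Reply to a connection the personal LAN opened: allowed back in.
        if self._reply_key(p) in self.conntrack:
            return "accept"
        # 2. New connection from the personal LAN toward the work/VPN side.
        #    Matching the ingress interface, not only the source address, is what
        #    stops a VPN-side host from spoofing a personal-LAN source address.
        outward = dst in WORK or any(dst in r for r in REMOTE)
        if p.iif == HOME_IF and src in HOME and outward:
            self.conntrack.add(self._key(p))
            return "accept"
        # 3. Everything else, including any attempt to start a connection into
        #    the personal LAN from the VPN side, hits the default drop.
        return "drop"


def nft_ruleset(home_if=HOME_IF, work_if=WORK_IF):
    """The same policy as an nftables forward chain (interface names assumed)."""
    return "\n".join([
        "table inet homefw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{home_if}" oifname "{work_if}" accept',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    fw = StatefulFilter()
    # Constructed sample flows: a home host opens SMB to a work server, the server
    # replies, a hotel guest tries to reach the home host, and a packet from the
    # VPN side forges a home-LAN source address.
    samples = [
        Packet("10.10.0.5", "192.168.1.20", "tcp", 51000, 445, HOME_IF),
        Packet("192.168.1.20", "10.10.0.5", "tcp", 445, 51000, WORK_IF),
        Packet("172.16.10.7", "10.10.0.5", "tcp", 40000, 445, WORK_IF),
        Packet("10.10.0.99", "10.10.0.5", "tcp", 40000, 445, WORK_IF),
    ]
    for s in samples:
        print(f"{s.iif}: {s.src}:{s.sport} -> {s.dst}:{s.dport} => {fw.decide(s)}")
    print(nft_ruleset())
```

The two points worth carrying over to whatever box ends up enforcing this: the "allow out, deny in" rule has to be stateful, or replies to your own connections get dropped along with the attacks; and the allow rule should key on the interface the packet came in on, because a source address inside your home range is trivially forged from the VPN side.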

