Isolating server from wide area network

mxh

I have a small network in my office. It connects to the internet via a
Linksys BEFSR411 router (with a cable modem on the WAN port). Given the
faster speeds of Gigabit for transferring files, I have a Netgear Gigabit
switch connected to the uplink port on the Linksys router and have 3
machines connected to the Gigabit switch.

All is well with the network and internet connections.

I wish to add a machine that will contain digital images, mp3s and videos.
This machine will act as a server only and will use XP as its OS. It will
have a video card for set up and a Gigabit NIC. I do not wish to allow this
machine to be accessed from or have access to the internet.

What is the best way to set this up? I thought I would just add an
additional NIC in the machines I will allow to have access to this new
'server', but googling tells me that this can be problematic (and I have yet
to come across a success story).

I know I could filter internet access from the server by filtering, but
that's not the real issue. I really need to prevent access *from* the
internet to this machine, which will have read only shares.

I doubt that I'll really have any trouble, given that I am behind the
router's firewall, but would like to take every precaution, since I will be
'serving' copyrighted content, and also to protect my network.

Any ideas on how I would best accomplish this?

I've cross-posted to relevant NGs because my last post regarding this issue
went unanswered after a few weeks.

Thanks,
mxh
 

Michael W. Ryder

mxh said:
I have a small network in my office. It connects to the internet via a
Linksys BEFSR411 router (with a cable modem on the WAN port). Given the
faster speeds of Gigabit for transferring files, I have a Netgear
Gigabit switch connected to the uplink port on the Linksys router and
have 3 machines connected to the Gigabit switch.

All is well with the network and internet connections.

I wish to add a machine that will contain digital images, mp3s and
videos. This machine will act as a server only and will use XP as its
OS. It will have a video card for set up and a Gigabit NIC. I do not
wish to allow this machine to be accessed from or have access to the
internet.

What is the best way to set this up? I thought I would just add an
additional NIC in the machines I will allow to have access to this new
'server', but googling tells me that this can be problematic (and I have
yet to come across a success story).

I know I could filter internet access from the server by filtering, but
that's not the real issue. I really need to prevent access *from* the
internet to this machine, which will have read only shares.

I doubt that I'll really have any trouble, given that I am behind the
router's firewall, but would like to take every precaution, since I will
be 'serving' copyrighted content, and also to protect my network.

Any ideas on how I would best accomplish this?

Two ideas come to mind, both of which I am currently using in our
office. The first is to assign the server a fixed IP address and
restrict that address in the router. The second is to put the server on
a separate subnet.
 

mxh

Michael W. Ryder said:
Two ideas come to mind, both of which I am currently using in our office.
The first is to assign the server a fixed IP address and restrict that
address in the router. The second is to put the server on a separate
subnet.

Hi Michael,
Thanks for the response. By restricting the address in the router, I assume
you mean filtering that address in the router security tab so that it cannot
access the internet. Is that correct?

Also, I'm not quite sure how I would set up a separate subnet. Could I
impose on you for a brief explanation or a link?

Thanks again,
mxh
 

Michael W. Ryder

mxh said:
Hi Michael,
Thanks for the response. By restricting the address in the router, I
assume you mean filtering that address in the router security tab so
that it cannot access the internet. Is that correct?

Yes.


Also, I'm not quite sure how I would set up a separate subnet. Could I
impose on you for a brief explanation or a link?

You would assign it a fixed address on a different subnet than the
router. If the router was 192.196.0.1, for example, you could set the
server up as 192.196.1.1. You would then have to give the machines you
want access to that computer an entry in the gateway entry for those
computers.
I think the first option is probably better for your circumstances. I
used the second option for one server because of software requirements.
 

mxh

Michael W. Ryder said:
You would assign it a fixed address on a different subnet than the router.
If the router was 192.196.0.1, for example, you could set the server up as
192.196.1.1. You would then have to give the machines you want access to
that computer an entry in the gateway entry for those computers.

So, to be sure I understand, the 'server' (XP) would get (to use your
example) an IP address of 192.196.1.1 in the TCP/IP properties of the server
(disabling 'obtain address automatically'...would I need to disable DHCP?)
and for each machine that I wish to allow access, place that same address
(192.196.1.1) in the default gateways section of the Advanced TCP/IP
properties (Vista) of each 'access desired' machine?

I think the first option is probably better for your circumstances. I used
the second option for one server because of software requirements.

OK, I'm with you so far, and I prefer to keep it as simple as possible, but
a question: I thought that the filter on the security tab of the router only
prevented the machine from accessing the internet. Does it also provide
security from those who might try to access it from outside my network
(i.e., bad guys)?

Thanks again for your time and patience,
mxh
 

Michael W. Ryder

mxh said:
So, to be sure I understand, the 'server' (XP) would get (to use your
example) an IP address of 192.196.1.1 in the TCP/IP properties of the
server (disabling 'obtain address automatically'...would I need to
disable DHCP?) and for each machine that I wish to allow access, place
that same address (192.196.1.1) in the default gateways section of the
Advanced TCP/IP properties (Vista) of each 'access desired' machine?

OK, I'm with you so far, and I prefer to keep it as simple as possible,
but a question: I thought that the filter on the security tab of the
router only prevented the machine from accessing the internet. Does it
also provide security from those who might try to access it from outside
my network (i.e., bad guys)?

Thanks again for your time and patience,
mxh

After looking at the manual for the router, we used to use one of those,
it appears that the default address for the router is 192.168.1.1 and it
uses 100 to 150 for automatically assigning addresses.
For the first option setting the servers address to say 192.168.1.99 and
entering that address in the filtering should stop all traffic between
the server and the Internet.
For the second option where the server is on a second subnet you will
probably just need to change the subnet mask from 255.255.255.0 to
255.255.0.0. This should allow the computers to talk to each other.
 

Jason Popp [MS]

You could also implement a basic IPsec policy on the box as follows:
Me < - > Any, SrcPort=Any, DstPort=TCP/80, Block
Me < - > Any, SrcPort=TCP/80, DstPort=Any, Block

This will block all HTTP traffic to/from the system at the local box,
regardless of the external firewall or subnet configuration.

General IPsec Capabilities Overviews
http://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx

General Guide for Using IPsec UI to Lock Down a Server:
https://www.microsoft.com/technet/network/security/ipsecld.mspx

Scripted Port Block Examples (ipseccmd and netsh)
http://support.microsoft.com/kb/813878


Jason
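The two on-box controls discussed in this thread, a fixed LAN address with no default gateway (Michael's first option) and a local IPsec policy that takes effect regardless of the router's configuration (Jason's suggestion), combined into one script for the XP server. This is an added example, not code from any of the posts above or from Microsoft's articles. It assumes the router's default 192.168.1.1 / 255.255.255.0 network quoted above, the server address 192.168.1.99 suggested above, an adapter named "Local Area Connection", and policy, filter list and rule names of my choosing. Where the post's two rules block only TCP/80 (HTTP), this policy blocks every protocol, including the SMB and NetBIOS ports the read-only shares listen on, permits only the office subnet, and then adds a more specific single-host block for the router, so that even a port forwarded in from the cable modem side cannot reach the server. The IPsec policy agent applies the most specific matching filter, which is what makes the subnet permit override the catch-all block and the router block override the subnet permit.

```batch
@echo off
rem Added example: isolate an XP file server from the Internet while keeping it
rem reachable from the office LAN. Run from the server's own console as an
rem administrator on XP SP2 or later (the "netsh ipsec" context is not present
rem before SP2; the ipseccmd equivalents are covered in KB 813878).

rem ---- Assumed values; change to match the office network ---------------------
set NIC=Local Area Connection
set SERVER_IP=192.168.1.99
set LAN=192.168.1.0
set LAN_MASK=255.255.255.0
set ROUTER=192.168.1.1
set POLICY=Isolate Media Server

rem ---- 1. Fixed address, no default gateway ------------------------------------
rem With no gateway configured the server has no route to anything outside
rem 192.168.1.0/24, so it cannot initiate Internet traffic even if the router's
rem Internet-access filter is later removed. (DHCP is simply not used.)
netsh interface ip set address "%NIC%" static %SERVER_IP% %LAN_MASK%

rem ---- 2. Local IPsec policy: block all, permit LAN, block the router ---------
rem "Me" and "Any" are netsh keywords for this host's own addresses and any
rem address. mirrored=yes creates the matching rule in the opposite direction.
netsh ipsec static add policy name="%POLICY%" description="Permit office LAN only, block everything else" assign=no
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem Catch-all: every protocol, every address (least specific, lowest precedence)
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

rem Office subnet: more specific than Any, so its Permit wins over the Block above
netsh ipsec static add filterlist name="Office LAN"
netsh ipsec static add filter filterlist="Office LAN" srcaddr=Me dstaddr=%LAN% dstmask=%LAN_MASK% protocol=ANY mirrored=yes

rem Router as a single host: more specific than the subnet, so this Block wins.
rem Any port the router forwards from the WAN now arrives from %ROUTER% and is dropped.
netsh ipsec static add filterlist name="Router"
netsh ipsec static add filter filterlist="Router" srcaddr=Me dstaddr=%ROUTER% protocol=ANY mirrored=yes

netsh ipsec static add rule name="Block everything" policy="%POLICY%" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="Permit office LAN" policy="%POLICY%" filterlist="Office LAN" filteraction="Permit"
netsh ipsec static add rule name="Block router" policy="%POLICY%" filterlist="Router" filteraction="Block"

rem ---- 3. Assign the policy (takes effect immediately) and show it -------------
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%"
```

Run it at the server's keyboard rather than over a remote session: `assign=yes` applies the policy at once, and a mistake in the LAN permit rule would cut off every remote connection. Afterwards, from one of the office machines, confirm that `\\192.168.1.99` still opens and that the server cannot reach anything beyond the switch (a `tracert` from the server should fail at the first hop, since the router is now blocked as a peer). IPsec block filters drop silently, so a client on the wrong subnet will see timeouts rather than refusals. Because the router block is a host filter on the server, it also stops the server from talking to the router's own web interface; if that is ever needed, unassign the policy with `assign=no`, do the work, and reassign it.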
 
