Seperate 2 network segments (on a sheo string)

[PMC1]

Hi,

I have 2 network segments connected hub to hub and both in the same
subnet (192.168.1.0 255.255.255.0). All PC's are Win2k/XP. A PC
(192.168.1.1) in segment 1 provides internet access to all other
systems via ICS. There are 5 other machines in segment 1 (S1) and 5 in
segment 2 (S2)

I want to separate / protect S1 from S2 while still allowing internet
access to S2.

I have 2 ideas:

1. Add a second network adapter to a pc (call the pc PC5) in S1. Remove
the connection between the 2 segments (i.e. between the 2 hubs) and
instead connect the hub in S2 to the second adapter in PC5. Bridge the
network adapters in PC5 then using TCP/IP filtering only allow TCP/UDP
80 inbound on the bridge.

2. I understand there is a registry hack that will allow a WinXP
workstation act as a router. This way I could create 2 seperate subnets
and again restrict inbound connections to Subnet 1 to only allow
inbound connections to port 80.

I like the idea of option 1 but if somebody could tell any reason why
this would not work or if there is something else I might need to do in
this scenario I would appreciate it.

If option 1 is not a runner could somebody give me details or point me
to a site that could explain how option 2 could be done.


Thanks in advance


Paul

 

[Richard G. Harper]

The easiest and cheapest way to do what you want is to add a second router
to your network and then put all the PCs to be segregated on it. This will
allow these PCs to access the Internet but not to access the other network
segment.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[PMC1]

Hi Richard,

Thanks for the reply. I agree a router would be the best solution but
any thoughts on the options mentioned as these would not cost anything
at all?

Paul

The easiest and cheapest way to do what you want is to add a second router
to your network and then put all the PCs to be segregated on it. This will
allow these PCs to access the Internet but not to access the other network
segment.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Hi,

I have 2 network segments connected hub to hub and both in the same
subnet (192.168.1.0 255.255.255.0). All PC's are Win2k/XP. A PC
(192.168.1.1) in segment 1 provides internet access to all other
systems via ICS. There are 5 other machines in segment 1 (S1) and 5 in
segment 2 (S2)

I want to separate / protect S1 from S2 while still allowing internet
access to S2.

I have 2 ideas:

1. Add a second network adapter to a pc (call the pc PC5) in S1. Remove
the connection between the 2 segments (i.e. between the 2 hubs) and
instead connect the hub in S2 to the second adapter in PC5. Bridge the
network adapters in PC5 then using TCP/IP filtering only allow TCP/UDP
80 inbound on the bridge.

2. I understand there is a registry hack that will allow a WinXP
workstation act as a router. This way I could create 2 seperate subnets
and again restrict inbound connections to Subnet 1 to only allow
inbound connections to port 80.

I like the idea of option 1 but if somebody could tell any reason why
this would not work or if there is something else I might need to do in
this scenario I would appreciate it.

If option 1 is not a runner could somebody give me details or point me
to a site that could explain how option 2 could be done.


Thanks in advance


Paul

 

[Doug Sherman [MVP]]

Separating the segments and then reconnecting them by bridging or routing is
kind of self defeating. You can achieve pretty much the same result with
the existing configuration. Use static IP addresses; enable the XP2
firewall; and configure the scope of any exceptions as desired.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

Hi Richard,

Thanks for the reply. I agree a router would be the best solution but
any thoughts on the options mentioned as these would not cost anything
at all?

Paul

The easiest and cheapest way to do what you want is to add a second router
to your network and then put all the PCs to be segregated on it. This will
allow these PCs to access the Internet but not to access the other network
segment.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Hi,

I have 2 network segments connected hub to hub and both in the same
subnet (192.168.1.0 255.255.255.0). All PC's are Win2k/XP. A PC
(192.168.1.1) in segment 1 provides internet access to all other
systems via ICS. There are 5 other machines in segment 1 (S1) and 5 in
segment 2 (S2)

I want to separate / protect S1 from S2 while still allowing internet
access to S2.

I have 2 ideas:

1. Add a second network adapter to a pc (call the pc PC5) in S1. Remove
the connection between the 2 segments (i.e. between the 2 hubs) and
instead connect the hub in S2 to the second adapter in PC5. Bridge the
network adapters in PC5 then using TCP/IP filtering only allow TCP/UDP
80 inbound on the bridge.

2. I understand there is a registry hack that will allow a WinXP
workstation act as a router. This way I could create 2 seperate subnets
and again restrict inbound connections to Subnet 1 to only allow
inbound connections to port 80.

I like the idea of option 1 but if somebody could tell any reason why
this would not work or if there is something else I might need to do in
this scenario I would appreciate it.

If option 1 is not a runner could somebody give me details or point me
to a site that could explain how option 2 could be done.


Thanks in advance


Paul

 

[Doug Sherman [MVP]]

Oops - sorry I didn't notice that some of your machines are Win2k - you
would need a third party firewall for those.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

Separating the segments and then reconnecting them by bridging or routing is
kind of self defeating. You can achieve pretty much the same result with
the existing configuration. Use static IP addresses; enable the XP2
firewall; and configure the scope of any exceptions as desired.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

Hi Richard,

Thanks for the reply. I agree a router would be the best solution but
any thoughts on the options mentioned as these would not cost anything
at all?

Paul

The easiest and cheapest way to do what you want is to add a second router
to your network and then put all the PCs to be segregated on it. This will
allow these PCs to access the Internet but not to access the other network
segment.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Hi,

I have 2 network segments connected hub to hub and both in the same
subnet (192.168.1.0 255.255.255.0). All PC's are Win2k/XP. A PC
(192.168.1.1) in segment 1 provides internet access to all other
systems via ICS. There are 5 other machines in segment 1 (S1) and 5 in
segment 2 (S2)

I want to separate / protect S1 from S2 while still allowing internet
access to S2.

I have 2 ideas:

1. Add a second network adapter to a pc (call the pc PC5) in S1. Remove
the connection between the 2 segments (i.e. between the 2 hubs) and
instead connect the hub in S2 to the second adapter in PC5. Bridge the
network adapters in PC5 then using TCP/IP filtering only allow TCP/UDP
80 inbound on the bridge.

2. I understand there is a registry hack that will allow a WinXP
workstation act as a router. This way I could create 2 seperate subnets
and again restrict inbound connections to Subnet 1 to only allow
inbound connections to port 80.

I like the idea of option 1 but if somebody could tell any reason why
this would not work or if there is something else I might need to do in
this scenario I would appreciate it.

If option 1 is not a runner could somebody give me details or point me
to a site that could explain how option 2 could be done.


Thanks in advance


Paul

 

[Richard G. Harper]

The first time it breaks it will cost you more than the price of a cheap
router to fix it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Kurt]

One easy way to prevent group2 from being able to see group1 in network
neighborhood (and vice versa) is to use a different subnet mask. This
doesn't really separate the networks, but the computers in each group are
the only ones that will appear in "My Network Places". So group1 gets
255.255.255.0 and group 2 gets 255.255.254.0.

....kurt

 

[Guest]

This would be the perfect situation for a vlan capable switch. You put seg1
on vlan1. You put seg2 on vlan2. Port to the router would have both vlans.
They could get to the internet but never to each others segments.

You could do the bridging with ICS on a workstation but you could accomplish
the same thing by loading ZoneAlarm on segment2s pcs and deny access to
segments2's pcs by host name or ipaddress.

I hope this is only part of your plan for keeping your network secure.
Understand that routing alone doesn't protect your workstations from
spyware/virus's/hackers etc. but its the combination of many approaches that
reduce [never eliminate] the risk.

 

[PMC1]

Thanks for all the replies. There's plenty of food for tthought there.

Regards

...pc

 

[Someuser]

I agree. First off, my personal experience leads me to feel that all network
infrastructure (routing, firewall, etc...) should always be hardware based
and in a corporate environment all client / daemon services (dhcp, dns,
etc...) should be software (server) based. This philosophy has provided me
with rock solid networking in the past.

Throughout the branches of this thread, I have heard various configuration
solutions for the various network clients / nodes which is intended to
provide your solution. If the network security is be achieved through the
network worstation configurations then can you really feel sure that the
users can't modify these settings? In addition, what if some user were to
bring in his personal laptop and connect it to the network, this would
bypass most of your efforts right off the bat.

Just my two cents...
James

The first time it breaks it will cost you more than the price of a cheap
router to fix it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Hi Richard,

Thanks for the reply. I agree a router would be the best solution but
any thoughts on the options mentioned as these would not cost anything
at all?

 

[Someuser]

I would just like to add another comment. I understand your original querry
was for a cost effective solution. Now cost effective is kinda relative to
the context of the situaion. Adding a router involves the cost of the router
and the configuration and installation time vs configuring x number of
machines today. Now is your time worth more than the cost of a router?

What about future problems? Router fails, replace with new unit and
configure vs repairing ICS machine etc.

James

I agree. First off, my personal experience leads me to feel that all
network infrastructure (routing, firewall, etc...) should always be
hardware based and in a corporate environment all client / daemon services
(dhcp, dns, etc...) should be software (server) based. This philosophy has
provided me with rock solid networking in the past.

Throughout the branches of this thread, I have heard various configuration
solutions for the various network clients / nodes which is intended to
provide your solution. If the network security is be achieved through the
network worstation configurations then can you really feel sure that the
users can't modify these settings? In addition, what if some user were to
bring in his personal laptop and connect it to the network, this would
bypass most of your efforts right off the bat.

Just my two cents...
James

The first time it breaks it will cost you more than the price of a cheap
router to fix it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Hi Richard,

Thanks for the reply. I agree a router would be the best solution but
any thoughts on the options mentioned as these would not cost anything
at all?