[plug] SOHO security and multiple LANs

Adam Hewitt adam.h at staff.iinet.net.au
Mon Nov 21 15:10:01 WST 2005



> -----Original Message-----
> From: plug-bounces at plug.org.au 
> [mailto:plug-bounces at plug.org.au] On Behalf Of Chris Caston
> Sent: Monday, 21 November 2005 2:50 PM
> To: plug at plug.org.au
> Subject: [plug] SOHO security and multiple LANs
> 
> Hello,
> 
> I'm interested in comments on the following scheme for a SOHO setup.
> There is an ADSL modem/router dishing out IPs on 192.168.1.x 
> and each machine is plugged into this via cat5.
>  
> Each machine also has a second nic with the IP statically 
> assigned in the range of 10.1.1.x. This is for the local LAN 
> and internal (unexposed to the internet) servers (eg file 
> servers and local VOIP PABX) and are all connected via a 16 
> port switch.
> 
> Each machine also has a software firewall. I won't go into 
> details right now but the 192.168.1.x LAN is treated with 
> much more suspicion than the 10.1.1.x LAN. 
> 
> If an interface on the 10.1.1.x LAN starts sending out strange 
> traffic it may be blocked.
> 
> Comments?
> 
> It's not a real implementation so if you ask me for more 
> details I will imagine them up for you ;)
> 
> regards,
> 
> Chris
> 

Personally I think this is mostly useless.

Firstly you have the PCs NATed, which means that unless you do port
forwarding, these machines are mostly protected from attacks from the
internet side. Then you have the fact that most attacks will occur from
clueless users who download a new flash game, inadvertently installing a
backdoor to the PC, and click "allow traffic" on the software firewall
because they think that the traffic is related to the flash game
install. Once that backdoor has been installed, your entire internal LAN
network has been compromised...

You can't expect your 'secure' internal LAN to be protected by a bunch
of client computers, regardless of software firewalls.

Therefore I think you should bail on the second ethernet card idea, as it
provides a false sense of security, and put the internal LAN equipment
behind another hardware firewall/linux firewall, and make this firewall
suspicious of everything (even if it is the same ADSL router / firewall
used to connect to the internet, and design the firewall rules
properly). At least this way you are leaving the security up to a
trusted, and separate, firewall, as opposed to a user's machine.

Adam.
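As an added illustration of the "separate firewall, suspicious of everything" design Adam describes (this is example code, not part of the thread), here is a minimal iptables policy for a Linux box placed between the 192.168.1.x router LAN and the 10.1.1.x internal LAN. The interface names, the file server address and the single permitted service (SMB on TCP 445) are assumptions chosen for the example; the thread names none of them.

```shell
#!/bin/sh
# Added example: a default-deny iptables policy for the separate Linux
# firewall suggested in the reply above. Assumed layout (not from the page):
#   eth0 = towards the ADSL router, 192.168.1.x (treated as untrusted)
#   eth1 = towards the 16-port switch, 10.1.1.x (internal servers)
# Run as root to apply; set IPT=echo to preview the rules without applying.
IPT="${IPT:-iptables}"
UNTRUSTED_IF=eth0
UNTRUSTED_NET=192.168.1.0/24
INTERNAL_IF=eth1
INTERNAL_NET=10.1.1.0/24
FILESERVER=10.1.1.10   # placeholder address of the internal file server

apply_rules() {
    # Start from a known state.
    $IPT -F
    $IPT -X
    # Default deny in every direction, including traffic to the firewall itself.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback, and replies to connections that were already approved.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Anti-spoofing: each interface may only carry its own subnet.
    $IPT -A FORWARD -i "$UNTRUSTED_IF" ! -s "$UNTRUSTED_NET" -j DROP
    $IPT -A FORWARD -i "$INTERNAL_IF" ! -s "$INTERNAL_NET" -j DROP
    # The only flow the router-side PCs may start: SMB to the file server.
    $IPT -A FORWARD -i "$UNTRUSTED_IF" -o "$INTERNAL_IF" \
        -s "$UNTRUSTED_NET" -d "$FILESERVER" -p tcp --dport 445 -j ACCEPT
    # Admin access to the firewall itself only from the internal side.
    $IPT -A INPUT -i "$INTERNAL_IF" -s "$INTERNAL_NET" -p tcp --dport 22 -j ACCEPT
    # Nothing is accepted from the internal side towards the router LAN, so a
    # compromised internal host cannot open new connections outward.
    # Log what the policy drops (rate-limited) so "strange traffic" is visible.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
}
```

Run `IPT=echo sh firewall.sh` (after adding a call to `apply_rules`) to review the generated rule list before applying it on the real box.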


