[plug] SOHO security and multiple LANs

Chris Caston caston at arach.net.au
Mon Nov 21 19:11:07 WST 2005


On Mon, 2005-11-21 at 15:10, Adam Hewitt wrote:
>  
> > -----Original Message-----
> > From: plug-bounces at plug.org.au 
> > [mailto:plug-bounces at plug.org.au] On Behalf Of Chris Caston
> > Sent: Monday, 21 November 2005 2:50 PM
> > To: plug at plug.org.au
> > Subject: [plug] SOHO security and multiple LANs
> > 
> > Hello,
> > 
> > I'm interested in comments on the following scheme for a SOHO setup.
> > There is an ADSL modem/router dishing out IPs on 192.168.1.x 
> > and each machine is plugged into this via cat5.
> >  
> > Each machine also has a second nic with the IP statically 
> > assigned in the range of 10.1.1.x. This is for the local LAN 
> > and internal (unexposed to the internet) servers (eg file 
> > servers and local VOIP PABX) and are all connected via a 16 
> > port switch.
> > 
> > Each machine also has a software firewall. I won't go into 
> > details right now but the 192.168.1.x LAN is treated with 
> > much more suspicion than the 10.1.1.x LAN. 
> > 
> > If an interface on the 10.1.1.x LAN starts sending out strange 
> > traffic it may be blocked.
> > 
> > Comments?
> > 
> > It's not a real implementation so if you ask me for more 
> > details I will imagine them up for you ;)
> > 
> > regards,
> > 
> > Chris
> > 
> 
> Personally I think this is mostly useless.
> 
> Firstly you have the PCs nat'ed, which means that unless you do port
> forwarding, these machines are mostly protected from attacks from the
> internet side. Then you have the fact that most attacks will occur from
> clueless users who download a new flash game, inadvertently installing a
> backdoor to the PC, and click "allow traffic" on the software firewall
> because they think that the traffic is related to the flash game
> install. Once that backdoor has been installed, your entire internal LAN
> network has been compromised...
> 
> You can't expect your 'secure' internal LAN to be protected by a bunch
> of client computers, regardless of software firewalls.
> 
> Therefore I think you should bail the second ethernet card idea, as it
> provides a false sense of security, and put the internal LAN equipment
> behind another hardware firewall/linux firewall, and make this firewall
> suspicious of everything (even if it is the same ADSL router / Firewall
> used to connect to the internet, and design the firewall rules
> properly). At least this way you are leaving the security up to a
> trusted, and separate, firewall, as opposed to a users machine.
> 
> Adam.
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au


Thank you and everyone for their responses.

Any internal network can be compromised by a trojan but I do understand
your point about the separate networks giving a false sense of security.
I avoided the firewall because the adsl modem/router/firewall is very
common these days. There are still uses like UPnP exploits and loose
source address routing but *hopefully* stateful packet inspection
addresses this. Also on certain modems the web configuration page can be
accessed from the DSLAM.

I think Sentectus is correct in that it will create too much overhead to
manage.

I would also like you to consider a similar setup except that the LAN with
net access is wireless and thus an attacker that manages to break the
WPA key cannot directly access (without hacking another machine) the
internal LAN resources on the other network.

regards,

Chris
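As an added illustration of Adam's suggestion (a separate Linux firewall that is "suspicious of everything" between the ADSL-side LAN and the internal LAN), and not something posted in this thread, here is an nftables ruleset generator for such a box. The interface names, the file server and PABX addresses, the allowed ports, and the assumption that the ADSL router (or each client PC) has a static route for 10.1.1.0/24 via the firewall are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset for a dedicated Linux
# firewall box that sits between the ADSL-side LAN (192.168.1.0/24, treated as
# untrusted) and the internal LAN (10.1.1.0/24) holding the file server and the
# VoIP PABX. Interface names, server addresses and the allowed ports are
# assumptions for the example.
#
# Routing assumption: the ADSL router (or each client PC) has a static route for
# 10.1.1.0/24 via this box's 192.168.1.x address, so no NAT is done here and
# every client-to-server connection has to pass the forward chain below.

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"   # towards the ADSL modem/router, 192.168.1.x
INSIDE_IF="${INSIDE_IF:-eth1}"     # towards the 16-port switch, 10.1.1.x
OUTSIDE_NET="192.168.1.0/24"
INSIDE_NET="10.1.1.0/24"
FILE_SERVER="10.1.1.10"            # assumed address of the file server
PABX="10.1.1.20"                   # assumed address of the VoIP PABX

# Emit the ruleset as text so it can be reviewed (or tested) without root.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # the firewall itself is managed only from the internal LAN
    iifname "$INSIDE_IF" ip saddr $INSIDE_NET tcp dport 22 accept
    iifname "$INSIDE_IF" ip saddr $INSIDE_NET icmp type echo-request accept
    log prefix "fw-input-drop: " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # client PCs on the ADSL-side LAN reach exactly two services, nothing else
    iifname "$OUTSIDE_IF" oifname "$INSIDE_IF" ip saddr $OUTSIDE_NET ip daddr $FILE_SERVER tcp dport 445 accept
    iifname "$OUTSIDE_IF" oifname "$INSIDE_IF" ip saddr $OUTSIDE_NET ip daddr $PABX udp dport 5060 accept
    # internal servers may only fetch updates, DNS and time; they never initiate SMB/SIP outward
    iifname "$INSIDE_IF" oifname "$OUTSIDE_IF" ip saddr $INSIDE_NET tcp dport { 80, 443 } accept
    iifname "$INSIDE_IF" oifname "$OUTSIDE_IF" ip saddr $INSIDE_NET udp dport { 53, 123 } accept
    # everything else (including any new connection from the ADSL side) is logged and dropped
    log prefix "fw-forward-drop: " drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Syntax-check the ruleset with nft, then load it. Needs root and nft installed.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  gen_ruleset > "$tmp"
  nft -c -f "$tmp" && nft -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Only touch the kernel when explicitly asked (./fw.sh apply), so the file can be
# run for inspection on any machine.
if [ "${1:-}" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  apply_ruleset
fi
```

The point of the two default-drop chains is that a compromised client PC on the 192.168.1.x side can still talk to the file server and the PABX on their advertised ports, but cannot reach anything else on 10.1.1.x, and every other attempt shows up in the kernel log with the "fw-forward-drop" prefix for the firewall's own logs to catch. The PABX rule only covers SIP signalling; RTP media would need its own port-range rule (or the SIP conntrack helper), which this example leaves out.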
