Thread: Evaluate my Network Security

  1. #1 Advanced Member (Join Date: Dec 2001, Location: NY, Posts: 688)

    Evaluate my Network Security

    I have been working on securing up my home network as tightly as possible for a while now, and would like some outside opinions on it. First off I will say that I have been working around having two types of PC connect to the network, secure and insecure. Secure would be anything I can and do control 100%, and have AV and Windows Updates etc. all current. Insecure will be anything I am not certain about, for example a PC I am repairing for a client. The secure part of the network needs file sharing, telnet access, and remote desktop capabilities in addition to internet. The insecure PCs will only require internet access.

    I will start with the hardware I am running. I have a PC setup as a Smoothwall for routing and NAT. That is connected to a Cisco 2924 switch for VLANs and VLAN trunking capabilities. I also have a Cisco 1721 router using sub-interfaces to route between the VLANs as needed and to allow fine control through ACLs. I also have a Linksys WAP54G to allow wireless access. DHCP and DNS are provided by my Windows 2003 SBS machine.

    I used the switch and router to create a secure and insecure VLAN. I also have an ACL that allows only internet bound traffic to cross over from the insecure VLAN. So basically if I am on an insecure PC I can connect to the internet no problem. I try to RDC to a secure PC or ping a secure PC, and it is denied, blocked at layer 3 by the router before ever leaving the VLAN.

    Currently I have my WAP on the secure VLAN and use WPA-PSK and MAC filtering. My original intention was to use this as a part of the insecure VLAN, but I changed my mind as I wanted to be able to connect my laptop to the domain so I would work away from my desk when I feel like it. I changed all of the defaults on the WAP, and don't broadcast the SSID. Currently this is my biggest question as far as security goes.

    On the secure VLAN I use the Windows 2003 server capabilities to set access and such to files and shared resources. Only users with valid accounts are able to access any shared resources. No simple file sharing or guest accounts, everything is done with NTFS permissions. All accounts are locked down with passwords.

    On the insecure VLAN I am using a Linux based PDC server for DHCP and DNS. I also have some shares set up for more permanent PCs in that VLAN to store some files. Mostly just for machines I am messing around with and need to have some files easy at hand and don't want to download all the time. Most of the PCs connecting to this part of the network won't be joining that domain or anything, they will be independent PCs.

    The few things I can do to make things more secure off the top of my head are adding port security on the switch so that nobody can switch around cables and get on different VLANs. I suppose I could also go and put the WiFi on the insecure VLAN as it is a bit of a vulnerability. I could also upgrade to a Cisco Aironet WAP and RADIUS authentication, but I think that would be expensive. Any other things that come to mind I would love to hear any opinions.

    Thanks in advance, and sorry for the long post.
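    What the router-on-a-stick design above looks like as an actual Cisco IOS configuration. This is an added example, not the original poster's own config, and it assumes a few things the post does not state: VLAN 10 is the secure side (192.168.1.0/24, router at .1), VLAN 20 is the insecure side (192.168.2.0/24, router at .1), the Smoothwall's LAN interface sits on VLAN 10 at 192.168.1.254 and is the internet gateway, and the 1721's single LAN port is FastEthernet0 trunked to the 2924. The ACL names and addresses are illustrative.

```cisco
! Added example (not the poster's configuration). Assumptions, as in the lead-in:
!   VLAN 10 = secure   192.168.1.0/24  router sub-interface 192.168.1.1
!   VLAN 20 = insecure 192.168.2.0/24  router sub-interface 192.168.2.1
!   Smoothwall LAN side = 192.168.1.254 on VLAN 10 (the internet gateway)
!   FastEthernet0 is the 1721's LAN port, 802.1Q-trunked to the Catalyst 2924.
!   DHCP/DNS for each VLAN live inside that VLAN, so no ip helper-address is needed.
!
interface FastEthernet0
 description 802.1Q trunk to Catalyst 2924
 no ip address
 no shutdown
!
interface FastEthernet0.10
 description Secure VLAN
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet0.20
 description Insecure VLAN (repair bench)
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 no ip proxy-arp
 ip access-group INSECURE-IN in
!
! Everything the insecure VLAN sends *through* the router is checked here.
! Traffic that stays inside VLAN 20 (bench PC to the Linux DHCP/DNS box) is
! switched at layer 2 and never reaches the router, so it is unaffected.
! First match wins, so the denies must come before the final permit.
ip access-list extended INSECURE-IN
 remark Let bench PCs ping their own gateway for troubleshooting
 permit icmp 192.168.2.0 0.0.0.255 host 192.168.2.1 echo
 remark Block every RFC 1918 destination: secure VLAN, the router itself, Smoothwall LAN side
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Only packets sourced from the insecure subnet itself may leave (anti-spoofing)
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip any any log
!
! Internet-bound traffic is handed to the Smoothwall. The Smoothwall needs a
! return route for 192.168.2.0/24 via 192.168.1.1, or replies never come back.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! Defence in depth: only the secure VLAN may open a management session to the router.
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT in
```

    To check it behaves as described, ping a secure-VLAN host and then a public address from a bench PC: the first should fail and show up as a hit on the `deny ip any 192.168.0.0 0.0.255.255` line in `show access-lists INSECURE-IN`, the second should succeed. Note that the RFC 1918 deny also stops the insecure VLAN from reaching the Smoothwall's admin interface, which is what you want; if you would rather keep insecure traffic off the secure VLAN's wire entirely, move the Smoothwall onto its own transit VLAN and point the default route there instead.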

  2. #2 Advanced Member (Join Date: Dec 2001, Location: NY, Posts: 688)
    No takers? Is it just too much to read?

  3. #3 Moderator YeOldeStonecat (Join Date: Jan 2001, Location: Somewhere along the shoreline in New England, Posts: 50,955)
    It's fairly similar to what I have.....

    Currently (subject to change every few months as I get bored...)
    RV082 router for my cable. Since it's a managed switch...I created 2x VLANs...VLAN1 for my SBS2K3 network, and another, VLAN2 for working on machines that I might suspect as being infected..non-trusted. For those machines that I plug into VLAN2...I manually set an IP for them, since I'm not passing DHCP from VLAN1.

    I have a Linksys wrt54g v1 running DD-WRT..uplinked to VLAN1..running in AP mode. WPA PSK security.

    If you work on other people's machines a lot...and don't want to infect your network when you plug them in...if you don't have the luxury of a switch that supports VLANs...if you can snag a second router...just make that LAN IP a different range than your primary router...and link the WAN of this second router to the LAN of your first one. Plug your infected PCs in behind that second router..since it's a different IP range...stuff won't spread.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  4. #4 Advanced Member (Join Date: Dec 2001, Location: NY, Posts: 688)
    My network is 192.168.1.x
    Untrusted is 192.168.2.x

    Done through VLANs on the managed switch. Router passes internet bound traffic off to the gateway. Anything destined for any other private address range is cut off at the router on the second VLAN.

    I have a DHCP server and PDC on the secondary VLAN based in Linux. It exists mostly for DHCP, but also because I was bored and wanted to see what I could really do with a non Windows server. So nothing passes from my infected VLAN to the safe VLAN as far as I can tell.

  5. #5 Moderator YeOldeStonecat (Join Date: Jan 2001, Location: Somewhere along the shoreline in New England, Posts: 50,955)
    Quote Originally Posted by ErikD
    My network is 192.168.1.x
    Untrusted is 192.168.2.x
    So that's two separate networks already..which is certainly fine...I'm running port based VLANs, all are 192.168.69.XXX.

  6. #6 SG Enthusiast koldchillah (Join Date: Apr 2002, Location: Orlando, FL, Posts: 4,615)
    Nice setup! I want VLANs at home. I WILL have this switch eventually: Linksys SRW2016 - http://www.linksys.com/servlet/Satel...VisitorWrapper

    I could do as Stonecat mentioned and bust out my old Netgear RT314 and plug it into my RV042, but naaahh... I'll wait. I want 3 VLANs anyway. One for my main stuff, one for working on boxes, and another for my Vonage phone traffic.
    "Nobody's invincible, no plan is foolproof, We all must meet our moment of truth." - Guru

  7. #7 Moderator YeOldeStonecat (Join Date: Jan 2001, Location: Somewhere along the shoreline in New England, Posts: 50,955)
    Doesn't the 042 do VLANs?

    BTW, the most recent firmware for the 042 now supports PPTP VPN server.

    (I'm not sure..haven't actually worked on an 042...just a whole buncha 082 and 016 models.)

    Did a Webinar with Linksys/Cisco Wednesday, what a VAR bundle they have this month...on some SRW switches..purchase a certain amount (or with some mini GBICs) and get a free SRW.
    Man..just a few months ago I did a nursing home..some fiber runs..I wish I knew back then...I'd have held off the job til this promo..and gotten myself a nice spiff to take home!

  8. #8 SG Enthusiast koldchillah (Join Date: Apr 2002, Location: Orlando, FL, Posts: 4,615)
    Quote Originally Posted by YeOldeStonecat
    Doesn't the 042 do VLANs?

    Did a Webinar with Linksys/Cisco Wednesday, what a VAR bundle they have this month...on some SRW switches..purchase a certain amount (or with some mini GBICs) and get a free SRW.

    If it does, I didn't see it anywhere in the web management console. I'll go double-check the user guide when I get home, but I think I would have seen it somewhere.

    I work too much downtown at my main job to get enough side projects going for me to make quota in order to score the VAR bundle. Another reason I can't wait to be the captain of my own ship.