Hiding two PCs on same LAN from each other

Thread starter: Paul H

I have two home PCs (WinXP and WinME) sharing a broadband internet
connection via a NAT router. I want to make each machine completely invisible
to the other. The thinking behind this is, if one machine gets a worm/trojan
etc. the other machine will not get infected because there will be no TCP/IP
communication between them even though they share the same router.

Is there a way to do this without wrestling with IPSec/local security policy
or installing a personal firewall on each machine? I do not want the users
making decisions on what to block/allow etc.

Basically my network will be:

Router 192.168.0.1

Computer_01 192.168.0.2

Computer_02 192.168.0.3

(the IP addresses above are not set in stone, they're just to illustrate a
possible config)

I just want to set it up so Computer_01 has no possible way of receiving a
single packet from Computer_02 and vice versa, but they both must access the
web.

What is the "easiest" way of doing this?


Thanks,

Paul
 

In the dialog for the Ethernet adaptor, turn off "NetBios over TCP/IP"
(or words to that effect).

In the dialog for Windows services, turn off daemons for http, ftp, etc.

Not only easy but cheap!
 
That doesn't accomplish what he wants.
 

I hear what you say, but:-

1) Let him decide if my suggestion is useful.
2) Explain the weakness in my suggestion.
3) Suggest a better way.
 

Thanks for your help folks, a few questions...

If I disable NetBIOS over TCP/IP will I only be disabling file/printer
sharing and *some* network access but lots of other TCP/IP nasties could
still go from machine to machine?

I have looked in the services.msc of my WinXP machine and see no http, ftp
stuff. What do you mean by "Windows services"? Besides, I am not sure why
you suggest disabling these services because I need internet access.

Please unconfuse me ;O)

Thanks again

Paul
 
> I hear what you say, but:-
>
> 1) Let him decide if my suggestion is useful.

Sure, but he (or somebody else reading the thread) might not realize
it's not.

> 2) Explain the weakness in my suggestion.

It's easily circumvented by the user; he said he wanted "no possible
way" for a packet to cross the boundary.

> 3) Suggest a better way.

I already did in one of the other forums to which he crossposted.
 
CJT said:
> I already did in one of the other forums to which he crossposted.

Well I am following the thread in this forum and would like to know the
answer.

Chris
 
> Sure, but he (or somebody else reading the thread) might not realize
> it's not.
>
> It's easily circumvented by the user; he said he wanted "no possible
> way" for a packet to cross the boundary.

I am making assumptions about the sophistication of his users. Given
the level of his experience, it seems unlikely that his users will know
enough to find and change his settings.

I am also assuming that he is overestimating the hazard and making an
unnecessarily stringent demand.

> I already did in one of the other forums to which he crossposted.

He suggested that he did not want to mess with firewalls, and I suggest
that is smart thinking. It is too easy for an inexperienced programmer
to inadvertently let malware through.
 
> Thanks for your help folks, a few questions...
>
> If I disable NetBIOS over TCP/IP will I only be disabling file/printer
> sharing

That and remote IPC (Inter Process Communication).

> and *some* network access but lots of other TCP/IP nasties could
> still go from machine to machine?

I think it is fair to say that all popular malware relies on the help
provided by the standard features of Windows. Remove the standard
features and you reduce the hazard.

Better still, remove Windows.

> I have looked in the services.msc of my WinXP machine and see no http, ftp
> stuff. What do you mean by "Windows services"? Besides, I am not sure why
> you suggest disabling these services because I need internet access.
>
> Please unconfuse me ;O)

You overlooked the significance of the word daemon (Direct Access Error
Monitor - that's a blast from the past, they do a lot more these days).
Microsoft puts them there so they can remotely control your box. The
Dell boxes I work with have secret user logons to make that even easier.

If you are just surfing the web, then you don't need server software
(daemons) in the background.

Control Panel/administrative tools/Services. I don't have experience of
using these and I don't know which ones are on your system so I cannot
be more specific.

Test your security by pointing your browser to http://grc.com and going
to Shields Up. This will find unlocked windows, but will not help
people who bring the mail (or a cake big enough to conceal a girl, or an
abandoned wooden horse) inside and open it on the kitchen table.
 
> I am making assumptions about the sophistication of his users. Given
> the level of his experience, it seems unlikely that his users will know
> enough to find and change his settings.
>
> I am also assuming that he is overestimating the hazard and making an
> unnecessarily stringent demand.
>
> He suggested that he did not want to mess with firewalls, and I suggest
> that is smart thinking. It is too easy for an inexperienced programmer
> to inadvertently let malware through.

I would still recommend a simple IPSec Block policy. It really is
very simple and very effective. You can even set the operation mode
of the IPSec driver so that at boot time it will go into a block mode,
so that even before the Policy Agent is running the IPSec driver will
block all traffic. A very effective poor man's stateless firewall.

If you are still interested shoot me a mail and I can elaborate.


Nate
EPS - Networking TL
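As an added illustration of the IPSec block policy Nate describes (these are not his commands and not part of the thread), here is how such a policy could be built on the WinXP box with the `netsh ipsec static` context that ships with XP SP2, using the thread's example addresses. The policy, filter list and action names are made up here, and the boot-mode property name on the last step is given as I recall it and should be checked against the local netsh help. The WinME machine has no IPSec policy agent, so it would need a different mechanism.

```batch
@echo off
REM Added example (not from the thread): drop every packet between this
REM XP box (192.168.0.2 in Paul's layout) and its peer (192.168.0.3),
REM while leaving all other traffic, the router and the web included,
REM untouched. Run from an administrative command prompt on XP SP2+.

set PEER=192.168.0.3

REM 1. An empty policy that will hold the blocking rule.
netsh ipsec static add policy name="BlockPeer" description="Isolate from peer PC"

REM 2. A filter list matching any protocol from this host to the peer.
REM    mirrored=yes makes the same filter match the reverse direction too.
netsh ipsec static add filterlist name="PeerTraffic"
netsh ipsec static add filter filterlist="PeerTraffic" srcaddr=Me dstaddr=%PEER% protocol=ANY mirrored=yes

REM 3. A filter action that simply discards matching packets.
netsh ipsec static add filteraction name="DropPeer" action=block

REM 4. Tie list and action together in a rule, then assign the policy.
REM    Traffic that matches no filter (router, DNS, web) is not touched.
netsh ipsec static add rule name="DropPeerRule" policy="BlockPeer" filterlist="PeerTraffic" filteraction="DropPeer"
netsh ipsec static set policy name="BlockPeer" assign=y

REM 5. Optional, and the part Nate calls boot-time block mode: until the
REM    Policy Agent has loaded the policy, the driver drops all traffic.
REM    (property name as recalled; confirm with "netsh ipsec dynamic set config ?")
netsh ipsec dynamic set config property=bootmode value=block

REM Verify that the policy is assigned and the filter is in place.
netsh ipsec static show policy name="BlockPeer" level=verbose
netsh ipsec static show filterlist name="PeerTraffic" level=verbose
```

The same script with PEER set to 192.168.0.2 goes on the other XP-class machine; after a reboot a ping between the two should time out while browsing still works.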
 