> I wonder if anyone can help me. I have a little network at home with 4
> computers connected to a router (Netgear) and I have an ADSL connection.
> What I want is to make the network as secure as possible. I want one of the
> computers to be the maincomputer.
I will assume "maincomputer" means to act as a file/web/mail server for the
other computers in your network as well as for public Internet access into
your network.
> I plan to have an HTTP server, an FTP server and maybe an SMTP server in my
> network. I am using no-ip.
I know that "no-ip" (http://www.no-ip.com) is an organization that
essentially circumvents the problems with having only a dynamically assigned
public IP on your home system (rather than static) but still wanting to
access it from the public sector. Therefore, I will assume that you are
looking to have all the server processes (web/mail) available to both your
home network and from public access.
> I also wonder if anyone knows what I need to do to make the other computers
> in the network connect to the HTTP server with the external IP?
Here, I think you mean other computers from the outside (public Internet).
But even if you mean from inside your LAN, the solution is the same; proper
DNS configuration (Domain Name Service). Thus far it seems you've been
limited to getting name resolution from the hosts file.
> Now I need to use the internal IP. I have changed it so I can use
> the external IP on the computer where I have the HTTP server.
> I did that in the hosts file, where I wrote 127.0.0.1 and the domain name.
Although I'm not sure exactly what you mean here, I assume it is a form of
workaround you have developed due to not having a properly configured public
DNS entry pointing to your dynamically assigned public IP with the proper
port forwarding through your router.
> I hope you understand what I mean since English isn't my native language.
Well, more explanation would help. But, working from the above assumptions,
I will offer the following comments/advice.
I see from no-ip's web page that they offer DNS services as well as mail
services. You need to take advantage of at least the DNS services.
DNS is most likely your main problem. You need to have a domain name
associated with your dynamically assigned IP address. This is so outsiders
(from the public Internet) can type your domain name into their browser and
find your "maincomputer" web server (and mail server if applicable). Mail
and web can be the same IP, no problem.
So, make sure no-ip has set up DNS to point your registered domain name to
your dynamic public IP (this is probably the WAN IP (outside interface) of
your adsl modem and/or Netgear router, depending on how you have them
configured). Once this is done, you need to configure your adsl modem (or
Netgear router, again depending on your current config) to forward the
appropriate ports to your maincomputer/server.
That said, here are a few more comments. If you are using a workstation class
OS on your server (XP for example), you will be limited on the number of
connections. I'm not sure of the number of connections possible from the
outside; it is 10 from the inside. Public access to your web server might
be limited to either 1 connection or 10 connections at a time. I'm not sure
which. I'm sure others on this newsgroup will know (I'd like to know that
answer too).
Now, I haven't even mentioned security yet, your original question. All I
can say is that as soon as you allow public access to your system over the
Internet (web and mail servers) you are sacrificing security for
functionality. This is the classic dilemma. Security and access have an
inversely proportional relationship. If one goes up the other goes down.
Your NAT router is a huge benefit here since none of your internal machines
will be visible to the outside with the sole exception of the one serving as
your web/email server. And that one will be limited to only ports 80 for
web and 25 for email (maybe 110 for POP email). That's not too bad. I would
recommend installing at least a personal firewall on the computer you use as
a server. A network firewall would be better, but expensive (I paid about
400USD for mine to support 10 client licenses).
Hmm, with all these assumptions, perhaps you can think about all this and
re-post any clarification and questions.
-Frank
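As an added illustration (not part of Frank's reply or the original poster's setup), the following Python model shows why the 127.0.0.1 hosts-file entry only helps the server itself, why LAN machines resolving the public name to the router's WAN address get nowhere when the router does not hairpin NAT, and how giving each LAN machine a hosts entry that maps the public name to the server's private address (a poor man's split-horizon DNS) fixes it while outsiders keep using public DNS plus port forwarding. All addresses, the domain name and the forwarding rules are constructed placeholders.

```python
# Added example: models name resolution and NAT reachability for a home LAN
# with one server behind a port-forwarding router. All values are constructed.
import ipaddress

PUBLIC_NAME = "myserver.example"            # placeholder for the dynamic-DNS name
WAN_IP = "203.0.113.10"                     # router's outside address (documentation range)
SERVER_LAN_IP = "192.168.1.10"              # the "maincomputer" on the LAN
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_DNS = {PUBLIC_NAME: WAN_IP}          # what the dynamic-DNS provider publishes
PORT_FORWARDS = {80: SERVER_LAN_IP, 25: SERVER_LAN_IP}  # router rules: web and SMTP only


def parse_hosts(text):
    """Parse hosts-file text into {name: ip}; comments and blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def resolve(name, hosts_text):
    """Hosts file takes precedence over public DNS, as on a typical workstation."""
    key = name.lower()
    return parse_hosts(hosts_text).get(key, PUBLIC_DNS.get(key))


def reaches_server(client_ip, name, hosts_text, port=80):
    """Return the address the client actually ends up talking to, or None.

    The router is modelled WITHOUT hairpin NAT: a LAN client that sends to
    the WAN IP hits the router's own outside interface and is not forwarded
    back in, which is the situation described in the thread.
    """
    target = resolve(name, hosts_text)
    if target is None:
        return None
    if target == "127.0.0.1":                       # loopback only helps the server itself
        return SERVER_LAN_IP if client_ip == SERVER_LAN_IP else None
    if ipaddress.ip_address(target) in LAN:         # split-horizon style hosts entry
        return target if target == SERVER_LAN_IP else None
    if target == WAN_IP:
        if ipaddress.ip_address(client_ip) in LAN:  # no hairpin: dead end from inside
            return None
        return PORT_FORWARDS.get(port)              # outsiders reach only forwarded ports
    return None
```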