Separate 2 network segments (on a shoe string)


PMC1

Hi,

I have 2 network segments connected hub to hub and both in the same
subnet (192.168.1.0 255.255.255.0). All PCs are Win2k/XP. A PC
(192.168.1.1) in segment 1 provides internet access to all other
systems via ICS. There are 5 other machines in segment 1 (S1) and 5 in
segment 2 (S2).

I want to separate / protect S1 from S2 while still allowing internet
access to S2.

I have 2 ideas:

1. Add a second network adapter to a pc (call the pc PC5) in S1. Remove
the connection between the 2 segments (i.e. between the 2 hubs) and
instead connect the hub in S2 to the second adapter in PC5. Bridge the
network adapters in PC5 then using TCP/IP filtering only allow TCP/UDP
80 inbound on the bridge.

2. I understand there is a registry hack that will allow a WinXP
workstation to act as a router. This way I could create 2 separate subnets
and again restrict inbound connections to Subnet 1 to only allow
inbound connections to port 80.

I like the idea of option 1, but if somebody could tell me any reason why
this would not work, or if there is something else I might need to do in
this scenario, I would appreciate it.

If option 1 is not a runner, could somebody give me details or point me
to a site that could explain how option 2 could be done.


Thanks in advance


Paul
 
The easiest and cheapest way to do what you want is to add a second router
to your network and then put all the PCs to be segregated on it. This will
allow these PCs to access the Internet but not to access the other network
segment.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Hi Richard,

Thanks for the reply. I agree a router would be the best solution, but
any thoughts on the options mentioned, as these would not cost anything
at all?

Paul
 
Separating the segments and then reconnecting them by bridging or routing is
kind of self-defeating. You can achieve pretty much the same result with
the existing configuration. Use static IP addresses; enable the XP2
firewall; and configure the scope of any exceptions as desired.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
Oops - sorry I didn't notice that some of your machines are Win2k - you
would need a third party firewall for those.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
The first time it breaks it will cost you more than the price of a cheap
router to fix it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
One easy way to prevent group 2 from being able to see group 1 in Network
Neighborhood (and vice versa) is to use a different subnet mask. This
doesn't really separate the networks, but the computers in each group are
the only ones that will appear in "My Network Places". So group 1 gets
255.255.255.0 and group 2 gets 255.255.254.0.

....kurt
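The post above is candid that the mask trick changes browsing, not reachability. The following Python is an added example, not code from kurt or anyone else in the thread, that makes the distinction concrete: it uses constructed addresses (group 1 at 192.168.1.10-14 with 255.255.255.0, group 2 at 192.168.1.20-24 with 255.255.254.0, all on one shared hub as in the original question) and counts how many cross-group pairs can still exchange traffic directly versus how many land in the same local network that a browse list would group together.

```python
"""Added example (not from the thread): does giving two groups of hosts
different subnet masks isolate them from each other?

All hosts, addresses and masks below are constructed for the example.
"""
import ipaddress

# Constructed sample hosts: (name, address, mask). Everything shares one hub.
GROUP1 = [(f"g1-pc{i}", f"192.168.1.{10 + i}", "255.255.255.0") for i in range(5)]
GROUP2 = [(f"g2-pc{i}", f"192.168.1.{20 + i}", "255.255.254.0") for i in range(5)]


def local_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """The prefix a host believes it is directly attached to (its on-link range)."""
    return ipaddress.IPv4Interface(f"{address}/{mask}").network


def considers_on_link(src, dst) -> bool:
    """True if src would ARP for dst directly instead of handing the packet to
    its default gateway. Only the *source's* mask matters for this decision."""
    _, src_addr, src_mask = src
    _, dst_addr, _ = dst
    return ipaddress.IPv4Address(dst_addr) in local_network(src_addr, src_mask)


def can_talk_directly(a, b) -> bool:
    """Both directions on-link means a TCP/UDP exchange completes on the hub
    with no router, and therefore no filtering point, in the path."""
    return considers_on_link(a, b) and considers_on_link(b, a)


def same_browse_domain(a, b) -> bool:
    """Rough model of what groups machines together in 'My Network Places':
    hosts whose configured local networks are identical. This is the only
    thing the mask trick changes."""
    return local_network(a[1], a[2]) == local_network(b[1], b[2])


def cross_group_summary(group_a, group_b) -> dict:
    """Count cross-group pairs that can still reach each other directly, and
    cross-group pairs that would appear in the same browse list."""
    reachable = [(a[0], b[0]) for a in group_a for b in group_b if can_talk_directly(a, b)]
    browse = [(a[0], b[0]) for a in group_a for b in group_b if same_browse_domain(a, b)]
    return {"reachable_cross_pairs": len(reachable), "shared_browse_cross_pairs": len(browse)}


if __name__ == "__main__":
    print("group 1 local network:", local_network(*GROUP1[0][1:]))
    print("group 2 local network:", local_network(*GROUP2[0][1:]))
    print(cross_group_summary(GROUP1, GROUP2))
```

With these inputs every group 2 host still treats 192.168.1.0/24 as on-link (it sits inside 192.168.0.0/23) and every group 1 host treats 192.168.1.2x as on-link, so all 25 cross-group pairs remain directly reachable while zero pairs share a browse domain. That is the whole effect of the trick: hidden from the browse list, unchanged on the wire, which is why it is a convenience rather than a security control.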
 
This would be the perfect situation for a VLAN-capable switch. You put seg1
on vlan1. You put seg2 on vlan2. The port to the router would have both VLANs.
They could get to the internet but never to each other's segments.

You could do the bridging with ICS on a workstation, but you could accomplish
the same thing by loading ZoneAlarm on segment 2's PCs and denying access to
segment 2's PCs by host name or IP address.

I hope this is only part of your plan for keeping your network secure.
Understand that routing alone doesn't protect your workstations from
spyware/viruses/hackers etc., but it's the combination of many approaches that
reduces [never eliminates] the risk.
 
I agree. First off, my personal experience leads me to feel that all network
infrastructure (routing, firewall, etc...) should always be hardware based
and in a corporate environment all client / daemon services (dhcp, dns,
etc...) should be software (server) based. This philosophy has provided me
with rock solid networking in the past.

Throughout the branches of this thread, I have heard various configuration
solutions for the various network clients / nodes which are intended to
provide your solution. If the network security is to be achieved through the
network workstation configurations, then can you really feel sure that the
users can't modify these settings? In addition, what if some user were to
bring in his personal laptop and connect it to the network? This would
bypass most of your efforts right off the bat.

Just my two cents...
James
 
I would just like to add another comment. I understand your original query
was for a cost-effective solution. Now, cost-effective is kind of relative to
the context of the situation. Adding a router involves the cost of the router
and the configuration and installation time, vs. configuring x number of
machines today. Now, is your time worth more than the cost of a router?

What about future problems? Router fails: replace with a new unit and
configure, vs. repairing the ICS machine, etc.

James
 