Guest
First of all let me say that I'm no expert in networking so please forgive my ignorance on some matters. I have an issue concerning routing to which I have found a solution but I don't know how good it is security-wise.
Here is the situation. I have a Windows 2000 Pro PC used as internet proxy/firewall. On it, I have installed a proxy server and Symantec NIS 2003. I've set up a dialup connection to my provider. I've also installed 2 network cards. The first card (NIC1) has a non-public IP (172.x.x.x) and the second card (NIC2) has a public IP address that has been reserved for my company (i.e. 212.x.x.x). The reason for that is simple: I want local users to have internet access from my local network (172.x.x.x through the proxy server only) and at the same time, I want internet users to have access to some public servers (placed in the 212 subnet). I have also enabled IP routing (HKLM\...\IPEnableRouter setting in registry). I have done some tests with this setup and it seems to work fine.
NIS2003 has offered a fair level of protection on my local network so far but I have the following security concerns with the new setup (enabling IP routing and the second NIC with the 212 subnet):
1. Will enabling IP routing somehow make my local net accessible from the internet? Will it open any hidden ports?
2. Will NIS provide adequate protection to all of the 212 subnet PCs? Please note that NIS will exist only on the proxy/firewall PC, not on each 212-subnet PC.
3. Is there a chance (since the 212 net will be accessible from the internet) some inet user takes advantage of a security hole on a PC in the 212 subnet and gains access to my localnet (172.x)? Please note that with the current setup, when I try from a 212-subnet PC to ping a 172-subnet PC, I get a timeout which probably means that the 212-subnet has no access to the 172-subnet (which seems logical, 172 is reserved for localnets only).
4. I intend to set the IP of NIC2 as a gateway on all PCs of the 212-subnet because I want them to be directly accessible from the internet. However, the PCs on the 172 subnet must have internet access only through the proxy, not directly. Will enabling IP routing allow them to bypass the proxy and access the internet directly by setting NIC1 as gateway? If yes, is there a way to disable IPRouting for NIC1 only?
5. We will be upgrading our connection to DSL in the near future. This means that a router will be introduced after the upgrade. It will (probably) be inserted between the provider and the proxy/firewall PC. If the router contains a firewall, will it be safer to connect the 212 network directly to the router or leave it connected to NIC2 of the PC?
Thanks in advance for any answers on the matter. If anyone has a better solution to what I'm trying to accomplish (not too expensive though) or can provide links to any related documentation, it will be greatly appreciated.
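The following is an added illustration, not code from the poster or from Windows: a simplified model of the dual-homed box's forwarding decision (questions 3 and 4). It assumes constructed prefixes (172.16.0.0/16 for NIC1, the documentation block 203.0.113.0/24 standing in for the 212 subnet, dialup as default route), treats IPEnableRouter as the single host-wide switch it is, and models NIS only as an optional hypothetical filter list, so it shows where the proxy-only policy has to be enforced rather than what NIS itself does.

```python
import ipaddress

# Constructed route table for the box in the post: private LAN on NIC1,
# the public block (203.0.113.0/24 as a stand-in for 212.x) on NIC2,
# and the dialup link as the default route.
ROUTES = [
    (ipaddress.ip_network("172.16.0.0/16"), "NIC1"),
    (ipaddress.ip_network("203.0.113.0/24"), "NIC2"),
    (ipaddress.ip_network("0.0.0.0/0"), "dialup"),
]


def lookup(dst):
    """Longest-prefix match, as the host's own route table does it."""
    best = None
    for net, iface in ROUTES:
        if ipaddress.ip_address(dst) in net and (
            best is None or net.prefixlen > best[0].prefixlen
        ):
            best = (net, iface)
    return best[1]


def forward(src, dst, in_iface, ip_enable_router, filters=()):
    """What the box does with a transit packet (not addressed to itself).

    Returns the egress interface, or a string starting with 'dropped'.
    ip_enable_router is global: it cannot be switched off for one NIC only.
    filters: (src_net, in_iface, out_iface) triples to drop (hypothetical
    stand-in for a host firewall rule set)."""
    if not ip_enable_router:
        return "dropped: IPEnableRouter=0, host does not forward"
    out = lookup(dst)
    for net, fin, fout in filters:
        if ipaddress.ip_address(src) in net and fin == in_iface and fout == out:
            return f"dropped by filter: {in_iface}->{out}"
    return out


# Hypothetical proxy-only policy: private clients are never forwarded to the
# internet link, and public servers are never forwarded into the private LAN.
PROXY_ONLY = [
    (ipaddress.ip_network("172.16.0.0/16"), "NIC1", "dialup"),
    (ipaddress.ip_network("203.0.113.0/24"), "NIC2", "NIC1"),
]

if __name__ == "__main__":
    print(forward("172.16.0.10", "198.51.100.1", "NIC1", True))
    print(forward("172.16.0.10", "198.51.100.1", "NIC1", True, PROXY_ONLY))
    print(forward("203.0.113.5", "172.16.0.10", "NIC2", True, PROXY_ONLY))
```

With routing on and no filter, a 172 client that points at NIC1 as its gateway is forwarded straight to the dialup link, which is the bypass asked about in question 4; the filter list is what turns the single global switch back into a per-direction policy.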