Windows XP Router


Patrickm

If I had a Windows XP Pro workstation with 2 network cards in it, each one
on a separate physical network, can I use that workstation to route traffic
between the two networks? This is an existing situation on my network and
I'm trying to prove that it's a security risk. The workstation is connected to
a 172.20.x.x network and a 192.168.1.x network. If I'm at any workstation on
the 172 network I can ping the 192 interface on the workstation in question
but I can't go beyond that workstation. The same holds true if I'm on the
192 network: I can ping the 172 interface of the workstation in question but
not beyond that. What has to happen on the dual-interface PC to route
between the networks? I tried putting in static routes in the route table
using "route add" from DOS but that didn't seem to do it. I've been told
this is very simple.

Thanks
 
What you are experiencing is the expected behavior. You can modify this to
allow routing. On an XP machine this is done by editing the registry:

Click Start/Run, type regedit, press ENTER.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
In the right pane double-click on IPEnableRouter and change its value to 1.

You are correct that machines on the respective networks will either need
static routes, or they could point to the XP machine's respective IPs as a
default gateway, or some other default gateway could be configured with
static routes.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
And I might add that unless you make these changes, having a workstation
multihomed on two networks does not present a security risk other than the
added possibility of being corrupted by a virus or something from one side
and spreading to the other. Even if routing were enabled, computers on both
networks would need routes to the other network via the workstation's IP
address, which constitutes some risk if the networks aren't supposed to be
able to access each other. Multihoming servers is pretty standard practice
when two LANs both need access to a SQL database or something. You can
prevent users from exchanging files by making sure both sides don't have r/w
access to the same shares.

.....kurt
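The two replies above describe the same two conditions from opposite sides: Doug's registry step (IPEnableRouter) is what turns forwarding on, and Kurt's point is that even then nothing crosses unless hosts on both sides have routes via the workstation. The following PowerShell script is an added example, not code from any poster in this thread; it audits a Windows host for exactly those conditions by reading the registry value named above and counting the distinct IPv4 subnets its adapters sit on, and can set the value back to 0. The script name, the -Remediate switch and the console wording are my own assumptions; the registry path and value name come from Doug's reply, and the WMI class and cmdlets are standard Windows ones.

```powershell
# Audit-MultihomedRouting.ps1 (hypothetical name, added example, not from the thread)
# Reports whether this host is multihomed (adapters on more than one IPv4 subnet)
# and whether IP forwarding is enabled through the IPEnableRouter registry value.
# -Remediate (assumed switch name) sets the value back to 0 when it is 1.
param(
    [switch]$Remediate
)

# Registry location given in the thread; an absent value behaves like 0 (routing off).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$routerValue = (Get-ItemProperty -Path $regPath -Name IPEnableRouter `
                -ErrorAction SilentlyContinue).IPEnableRouter
if ($null -eq $routerValue) { $routerValue = 0 }

# Collect the network address of every IPv4 address on adapters that have IP configured.
$subnets = @{}
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
        $ip   = $nic.IPAddress[$i]
        $mask = $nic.IPSubnet[$i]
        if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # skip IPv6 entries
        $ipB   = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        $maskB = [System.Net.IPAddress]::Parse($mask).GetAddressBytes()
        # Network address = IP AND mask, octet by octet.
        $net = (0..3 | ForEach-Object { $ipB[$_] -band $maskB[$_] }) -join '.'
        $subnets["$net/$mask"] = $nic.Description
    }
}

Write-Host "IPEnableRouter = $routerValue"
Write-Host "Distinct IPv4 subnets: $($subnets.Count)"
$subnets.GetEnumerator() | ForEach-Object { Write-Host ("  {0}  ({1})" -f $_.Key, $_.Value) }

$multihomed = $subnets.Count -gt 1
if ($multihomed -and $routerValue -eq 1) {
    Write-Warning 'Multihomed AND forwarding enabled: this host can route between its subnets.'
} elseif ($multihomed) {
    Write-Host 'Multihomed but forwarding is off: a latent bridge, active only if IPEnableRouter becomes 1.'
} else {
    Write-Host 'Single subnet: not a routing concern.'
}

# Optional remediation. The value is read at stack start-up, so a reboot is
# normally needed before the change takes effect (same as when enabling it).
if ($Remediate -and $routerValue -eq 1) {
    Set-ItemProperty -Path $regPath -Name IPEnableRouter -Value 0 -Type DWord
    Write-Host 'IPEnableRouter set to 0; reboot for the change to take effect.'
}
```

Run it locally on the dual-NIC workstation (PowerShell 2.0 is the oldest version that runs on XP SP3). It also explains the original poster's symptom: "route add" on the dual-homed PC changes only that PC's own table, while forwarding of other hosts' packets is governed by IPEnableRouter, and the hosts on each side still need a route (or default gateway) pointing at the workstation's address on their own subnet before any traffic crosses.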
 
I guess I'm looking at worst case scenarios. And this is purely for the sake of
argument with management: "The fact that this PC is PHYSICALLY connected to
both networks, it IS POSSIBLE for someone to hack to the other network."
Here is my ridiculous situation: We have 2 networks, we spend $$,$$$,$$$.00
to make sure they are isolated to the point where each has its own set
of switches in separate wiring closets, each has its own fiber optic runs to
and from the closets and server room, each has its own separate servers, kept
in a separate server room, there is NO physical connectivity at the server
and switch level, YET 500+ of the 1000+ company desktops have dual network
cards in them for connectivity to both networks?!?!?!?!?! They don't see a
desktop PC connected to both networks as a physical connection between the 2
networks. Now I'm trying to prove to them that yes, one of these PCs could
theoretically be turned into a router between the 2 networks. Maybe I'm
wasting my time, but I can find better things to spend my money on, not to
mention time spent supporting the two "separate" networks. Anyway, I still
can't get the PC to actually route between the two networks for some reason;
any help would be greatly appreciated.
 