Re: [Hampshire] Networking for Dummies

Author: Paul Tansom
Date:  
To: hampshire
Subject: Re: [Hampshire] Networking for Dummies
** Vic <lug@???> [2011-05-09 16:44]:
> > If you connect the 'internet' side to the ADSL router you effectively put
> > anything connected directly to the ADSL router into a sort of DMZ (sort of
> > since it is still firewalled as normal, so not really a proper DMZ) with a
> > separate IP address range that is firewalled off from the rest of the
> > network by the cable router.
>
> Errr - I'm not so sure about that.


Well it may not be the most technically elegant solution, but it would work
quite happily.

> What is behind the cable router has the usual NAT blackhole, but what is
> hanging off the ADSL router is entirely unprotected from what is behind
> the cable router.
>
> So if the untrusted box is the one behind the cable router, all the
> trusted boxes are still subject to attack from the "problem" box. And that
> box has essentially unfettered Internet access, so it has no protection
> from PEBKAC either.
>
> You could, of course, have it the other way round - but that means
> reconfiguring everything currently on the network, means that those boxes
> will have to deal with double-NAT (which may or may not be a problem), and
> still offers no firewall filtering for the hostile box.


The untrusted box is behind the ADSL router only, so has exactly the same
protection as it currently has [1]. You then treat this internal network as if
it was the internet and put another cable router in between the rest of the
clients and the ADSL router. It is double-NAT, but I've run with that for a few
years in the past when I didn't fully trust the ADSL router I had (and it
lacked some features I needed too) and used a Smoothwall / IPCop box behind it.
I have also worked with customers who have had double-NAT'd networks because
their ISP provides a private network to their ADSL line and then uses its own
firewalls and proxies to give them access to the internet proper. Cable routers
have exactly the same firewall / routing features as their ADSL siblings, so
there is the same protection for this new network from the untrusted box as
there would be from any machine on the internet.

The main issues would be if the untrusted box needed access to one of the other
machines for a network share or printer (which I am assuming not), or if the
problem it had consumed masses of bandwidth (in which case you'd want to get it
sorted quickly anyway!).

As for the hassle of reconfiguring on the current network, I was assuming that
the network re-jig would require that anyway. For a small network it isn't that
much hassle to re-address machines, particularly if you are using DHCP (and
local DNS if needed), but if you use the existing private addresses and give
the new address structure to the untrusted box then there's little or nothing
to change. iirc they were on separate ADSL lines before, so could easily be
using different private addresses anyway.

> So I don't think I agree with you...


Well there are technically better solutions, but it will work. Actually one
solution that would work very nicely is a particular model of USR ADSL modem I
worked with once. That had two separate ethernet interfaces that could run two
totally separate networks off the same ADSL line, with as much or as little
interaction as you configured. You could also create this setup using a custom
PC with twin NICs and a PCI ADSL card.

** end quote [Vic]

[1] I'm making the assumption here that the standard setup is simply to have
clients directly behind the ADSL router as used by the majority of default ISP
configurations these days.

--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
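The twin-NIC box Paul mentions at the end of his reply (one ADSL uplink, two separate private networks, interaction between them only where you choose to allow it) can be built on Linux with iptables. The script below is an added example, not Paul's or the list's own configuration: it assumes the ADSL link comes up as ppp0, the trusted clients sit on eth0 as 192.168.1.0/24 and the untrusted box on eth1 as 192.168.2.0/24, all of which are illustrative names you would change to match your hardware. Both segments are NATed out of the ADSL line, neither can initiate anything into the other, and `allow_from_trusted` punches a single one-way hole (for instance to a printer on the untrusted side) should you need it.

```shell
#!/bin/sh
# Added example: a Linux router with a PCI ADSL card and two NICs serving two
# isolated private networks behind one ADSL line. Interface names and subnets
# below are assumptions for illustration; set them to match your own box.
WAN=${WAN:-ppp0}                       # the ADSL link (assumed name)
TRUSTED_IF=${TRUSTED_IF:-eth0}         # NIC for the trusted clients (assumed)
UNTRUSTED_IF=${UNTRUSTED_IF:-eth1}     # NIC for the untrusted box (assumed)
TRUSTED_NET=${TRUSTED_NET:-192.168.1.0/24}
UNTRUSTED_NET=${UNTRUSTED_NET:-192.168.2.0/24}
IPT=${IPT:-iptables}                   # set IPT=echo to print the rules instead of applying them

# Install the base policy: NAT for both segments, internet access for both,
# and no forwarding between the two segments in either direction.
apply_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Both private networks are masqueraded behind the single ADSL address.
    $IPT -t nat -A POSTROUTING -s "$TRUSTED_NET" -o "$WAN" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$UNTRUSTED_NET" -o "$WAN" -j MASQUERADE

    # Replies to connections either segment opened are allowed back in.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Each segment may open connections to the internet ...
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$UNTRUSTED_IF" -o "$WAN" -j ACCEPT

    # ... but new connections never cross between the segments. The policy
    # already drops them; the explicit rules log the attempts so you can see
    # the untrusted box probing the trusted network.
    $IPT -A FORWARD -i "$UNTRUSTED_IF" -o "$TRUSTED_IF" -j LOG --log-prefix "untrusted->trusted: "
    $IPT -A FORWARD -i "$UNTRUSTED_IF" -o "$TRUSTED_IF" -j DROP
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$UNTRUSTED_IF" -j DROP
}

# Optional one-way hole: let the trusted segment reach one TCP port on one host
# in the untrusted segment (e.g. a printer). Inserted ahead of the DROP rules.
# Usage: allow_from_trusted 192.168.2.10 9100
allow_from_trusted() {
    host=$1
    port=$2
    $IPT -I FORWARD 1 -i "$TRUSTED_IF" -o "$UNTRUSTED_IF" \
        -d "$host" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Enable forwarding and apply the rules when run as "./twin-nic.sh apply".
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_rules
fi
```

Run it with `IPT=echo sh twin-nic.sh apply` first to review the rule set it would load (the `echo 1 > /proc/sys/...` line will need root even then), and note that the reverse direction is never opened: the untrusted box gets exactly the view of the trusted segment that any host on the internet would, which is the property Paul's double-NAT arrangement is aiming for.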