
Re: [cobalt-security] Might be off topic. Are computers with 168.192.x.x safe from Internet?



On Sat, 2 Jun 2001, jwk at Zone Alpha wrote:

> Hi,
> 
> Sorry if this is somewhat of an off-topic for this list.  But I just couldn't think of any place else to get a quality answer as this list.
> 
> I have been keeping my office's internal LAN and web servers completely disconnected in order to be absolutely sure that internal LAN segments are safe from hacking or cracking attempts. (The network cables physically do not connect between these two segments.)  This worked great from a security perspective.  
> 
> Due to obvious drawbacks with this setup, I am now attempting to patch a line from the router to the multi-port switch serving the NT 4 based internal LAN.  Of course all internal machines will only be assigned the private network IPs starting with 168.192.  I am hoping that the machines with private network IPs will be completely inaccessible from outside.  My big question is:  Is this that simple?  Or am I missing something?  Can someone access an Internet-connected machine such as web or ftp server THEN somehow reach into internal machines using some type of Windows share?
> 
> Any comments would be greatly appreciated.  Thanks all in advance.  
> 
> James Kim
> 

Good that you're asking. Normally, according to the "Internet Rules" -
your ISP's routers should block ALL the packets arriving to him that are
not within his range of assigned IPs - whether it happens eventually or
not... depends on the ISP.

TO MAKE SURE, you have to set YOUR ROUTER, that is, the one plugged to the
switch, to accept all packets destined to you (or, to even block some of
them, for instance NetBIOS and stuff) - and all the others to be dropped.

That way you can ensure that no packets will arrive at your 192.168 boxes.

HTH,

- shimi.
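
The router policy described in the reply above, modelled as an added example that is not part of the original thread: inbound packets are accepted only when destined to the site's public range, Windows share ports are blocked, and everything else is dropped. The public block (documentation range 203.0.113.0/24), the port list and the source-address anti-spoofing check are assumptions that go slightly beyond what the reply states.

```python
import ipaddress
from typing import NamedTuple

# Assumptions (not from the thread): the site's public block is the
# documentation range 203.0.113.0/24, and "NetBIOS and stuff" is taken to
# mean the NetBIOS ports 137-139 plus direct SMB on 445.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOWS_SHARE_PORTS = {137, 138, 139, 445}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def is_private(addr):
    return any(addr in net for net in RFC1918)


def filter_inbound(pkt):
    """Return (verdict, reason) for a packet arriving on the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # A private or "our own" source cannot legitimately arrive from outside.
    if is_private(src) or src in PUBLIC_BLOCK:
        return "DROP", "spoofed source"
    # Anything not addressed to our public range is dropped, which covers
    # packets aimed directly at the 192.168 boxes.
    if dst not in PUBLIC_BLOCK:
        return "DROP", "not destined to our public range"
    if pkt.proto in ("tcp", "udp") and pkt.dport in WINDOWS_SHARE_PORTS:
        return "DROP", "Windows share port"
    return "ACCEPT", "destined to us"


# Constructed sample traffic, not captured from any real network.
SAMPLES = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),   # web request
    Packet("198.51.100.7", "192.168.1.10", "tcp", 139),  # aimed at LAN host
    Packet("198.51.100.7", "203.0.113.10", "udp", 137),  # NetBIOS name query
    Packet("192.168.1.5", "203.0.113.10", "tcp", 80),    # spoofed LAN source
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", *filter_inbound(p))
```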