
Re: [cobalt-security] Might be off topic. Are computers with 168.192.x.x safe from Internet?



jwk at Zone Alpha wrote:
> 
> Hi,
> 
> Sorry if this is somewhat off-topic for this list.  But I just
> couldn't think of any place else to get a quality answer as this list.
> 
> I have been keeping my office's internal LAN and web servers
> completely disconnected in order to be absolutely sure that internal
> LAN segments are safe from hacking or cracking attempts. (The network
> cables physically do not connect between these two segments.)  This
> worked great from security perspective.
> 
> Due to obvious drawbacks with this setup, I am now attempting to
> patch a line between the router to the multi-port switch serving the
> NT 4 based internal LAN.  Of course all internal machines will only be
> assigned the private network IPs starting with 168.192.  I am hoping
> that the machines with private network IPs will be completely
> inaccessible from outside.  My big question is:  Is this that simple?
> Or am I missing something?  Can someone access an Internet-connected
> machine such as web or ftp server THEN somehow reach into internal
> machines using some type of Windows share?
> 
> Any comments would be greatly appreciated.  Thanks all in advance.
> 
> James Kim


James,

You should set up a firewall for your network, then "DMZ" your web, ftp,
and email services on the firewall. Provide Internet services by using
NAT at a single source on your network. This is also known as Internet
Sharing, or IP Masquerading where you use a single IP that is connected to
your Internet Service Provider. This single point then shares the
internet connection by NAT (Network Address Translation). This will
allow internet access to your public servers and your LAN will also be
able to access these servers, while they can also access the internet. 


-- 
Bill Irwin
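
Added example, not part of either message: a small model of the firewall/DMZ layout described in the reply. It checks whether a planned address is in RFC 1918 private space and whether a default-deny zone policy lets a DMZ server open a Windows share connection (tcp/139) into the LAN. The subnets, host addresses and rule list are constructed for illustration, and addresses are the hosts' own (as seen behind the NAT).

```python
import ipaddress

# The only IPv4 blocks RFC 1918 reserves for private use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr lies inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# Constructed layout (assumption): two subnets behind one NAT firewall.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}

# New TCP connections the firewall forwards: (from zone, to zone, dest port).
# Everything else is dropped, including anything that starts in the DMZ
# and is aimed at the LAN.
ALLOW = {
    ("internet", "dmz", 80), ("internet", "dmz", 21), ("internet", "dmz", 25),
    ("lan", "dmz", 80), ("lan", "dmz", 21), ("lan", "dmz", 25),
    ("lan", "internet", 80), ("lan", "internet", 443),
}

def zone_of(addr):
    """Map an address to its zone; anything not behind the firewall is internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def permitted(src, dst, port):
    """Default deny: a new connection passes only if explicitly listed."""
    return (zone_of(src), zone_of(dst), port) in ALLOW

def rules_into(zone):
    """Audit helper: every rule that lets another zone connect into zone."""
    return sorted(r for r in ALLOW if r[1] == zone and r[0] != zone)

if __name__ == "__main__":
    for a in ("168.192.1.10", "192.168.1.10"):
        print(a, "RFC 1918" if is_rfc1918(a) else "not RFC 1918")
    print("DMZ server -> LAN host, tcp/139:",
          permitted("192.168.2.10", "192.168.1.10", 139))
    print("rules into lan:", rules_into("lan"))
```

Of the two address forms, only 192.168.x.x falls inside an RFC 1918 block; 168.192.x.x does not.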