Network Topology

To talk on Icrontic, just register!

It only takes 30 seconds.

Have an account? Sign in:

Reply to Discussion

Options

a2jfreak

madasiemanym

3,351 Posts

20 Jul 2003, 6:33am

I need to setup a system that is completely isolated from the rest of the network, but it still needs to have internet access. This machine needs to have ports open to the rest of the Internet for web, email and DNS. Since it will have ports open and the rest of the computers on the network should be protected from incoming connections I believe this computer should be behind a router that forwards only the ports for HTTP (80), email (25, I believe) and DNS (51 I believe). I will have to double check the ports, but that's a bit irrelevant right now.

To keep the rest of the network isolated so that this machine (if compromised) cannot access the rest of the network I believe I would need a second router to block all incoming connections. The second router's gateway would be the first router's IP.

Here's a diagram to better explain what I tried to put into words.

My question: Is this the best way to go about keeping computer 1 completely isolated from the rest of the computers on the network, while still allowing them to all share the same connection? This is not a high-budget job, obviously, so these routers are not going to be Cisco or anything exotic.

// Edit: Forgot. I also think I could put computer 1 on its own subnet, 10.x.x.x and the rest of the network on 192.x.x.x just to help keep things as best isolated as possible. Would this matter?

Attached Thumbnails

Click image for larger version

Name: topology.gif
Views: 47
Size: 2.7 KB
ID: 1575

__________________

One thing kids like is to be tricked. For instance, I was going to take my little nephew to Disneyland, but instead I drove him to an old burned-out warehouse. "Oh, no," I said. "Disneyland burned down." He cried and cried, but I think that deep down, he thought it was a pretty good joke. I started to drive over to the real Disneyland, but it was getting pretty late. Jack Handey
[folding_sig1]	Child Search Ministries. A Christian Charity for Missing Children.

Reply with Quote

a2jfreak edited : 20 Jul 2003 at 6:37am .

mmonnin

Veteran Icrontian

10,545 Posts

20 Jul 2003, 6:41am

These systems all have log in's correct? With limited rights? Just dont share anything. Lock it down. Not sure you need to have the extra router and switch.

Make it a different workgroup so the one cant see the others. There should be some way to do it w/o the extra hardware.

__________________ Stanford Team Stats_____________Team Short-Media
Statsman Team Stats______________EOC Team Stats

Reply with Quote

a2jfreak

madasiemanym

3,351 Posts

20 Jul 2003, 6:55am

They have log-ins as stand-alone machines, not as members of a domain.

There are shared drives, as 1 of the systems is a file/database server that is independent of the web and it is imperative that system not be breached, but funds don't allow for two separate connections to the Internet--1 for the web/email/DNS server and one for the rest of the network where all incoming connections are blocked.

I'm not positive I need the second router/switch, but I think it is probably the easiest and most secure way to guarantee no unwanted access will occur. The few extra dollars for a second router and switch is not a concern. When I meant low-budget I meant not $5K on a Cisco router, not that $150 couldn't be spent for some extra hardware.

mmonnin said
These systems all have log in's correct? With limited rights? Just dont share anything. Lock it down. Not sure you need to have the extra router and switch.

Make it a different workgroup so the one cant see the others. There should be some way to do it w/o the extra hardware.

Reply with Quote

		Icrontic Forums > Tech: Software > Networking & Security
Network Topology

Jump to

This Thread	Search this Thread
Print Email	Search this Thread: Advanced Search

Username
Password	Forgot?
Remember me