My boss wants me to setup the network...

gerbiaNem

So I have the job of setting up a new network at work. Currently we have public IPs for every workstation and we have a workgroup. We now want to convert to NAT and a domain.

Here are the problems. My boss wants to keep his computers with the same public IP range... let's say 1.1.1.1 is the gateway and his computer is 1.1.1.4. But he also wants to be part of the new subnet (192.168.x.x for example). What's the easiest way to have him part of the domain, but keep his static IP address? Also, he wants the domain administrator to not have access to his files. What's the best way to make him happy?

I was thinking that I set up the NAT, then VPN him into the network where he connects to the domain server. I was thinking of doing this with the Server 2008 built-in VPN.

What do the pros here think about my plan? Any comments, suggestions, improvements?
 
First, does your boss have any IT experience?

Now that I got that out of the way...
I know you can add multiple IPs to an interface in Windows fairly easily. You may need to specify routes for local and WAN traffic, though I've never run something silly like that before. Any specific reason for keeping the static WAN IPs on the PCs while running on a local subnet?
 
You want to do static NAT entries for the few things that need external access such as web servers, and NAT overload on a small pool of your global addresses for other generic internet traffic (I like to make separate pools for any structure you may have in place such as VLANs, departments, security zones etc).

You also want to only make small exceptions, so if your boss expects to have remote desktop access (I am not going to touch on the security implications of this, because sometimes the boss gets what the boss wants), only forward that specific port through the firewall.

I would highly recommend you put in place a firewall if you do not have one already, and use NAT with static port forwarding, and a few static entries for computers that need to be reachable from the outside. Ideally you would use VPN for any sort of remote access that is beyond the scope of public access such as a web server, ftp server etc. If you have not had a hardware firewall in place I would treat all of your computers as compromised and check the firewall logs very closely to make sure things are clean.

What's your hardware and level of networking ability?
 
I understand this might be what the boss wants, but is there a real business need for him to have a public IP attached to his machine in any way, shape or form? Something just tells me that it's asking for trouble to have anything other than web, email, etc. attached to a public IP.

Are all of these PCs at least XP Pro? Make a small domain.local and join them all up. With the file permissions you can lock out the specific users from seeing the boss's files. Also just give him a 192.168.x.x address and somehow explain to him the vulnerabilities of a public IP address pointed to his machine. If he has a business need other than he wants it and/or your job depends on it, just give it to him.
 
First of all, firewall the public range of IPs with a transparent hardware firewall if you are currently using built-in OS-level firewalls.

If your boss insists on keeping the static range on the current network (no idea why) I would add a second NIC to every workstation to completely separate it from the current network.

How big is this network? This may be a big undertaking, and the boss may not realize the size and scope of splitting the network.
 
We have about 20 workstations in the company, just big enough to migrate from a workgroup to a domain. I have some networking experience from when I worked in IT at school, and my boss has a working, if not complete, understanding of networking.

Our hardware consists of a ridiculously awesome and brand new IBM Blade Server with 4x dual AMD quads, which I'm getting pretty familiar with. I have pretty much convinced my boss to be included in the LAN, but he wants to make sure that VPN clients have restricted access (only access to necessary servers). He's running XP (he wants non-restricted VPN access), so SSTP isn't an option.

I have some experience with VPNs, but I'm not an expert. What is the best way to group certain parts of the network for certain VPN users?
 
I have some experience with VPNs, but I'm not an expert. What is the best way to group certain parts of the network for certain VPN users?

If you have a Cisco router, you can apply ACLs to your different groups. You should be able to do the same thing with a server-based VPN: make multiple groups with different IP pools, and add the appropriate firewall rules.
 
If you have a Cisco router, you can apply ACLs to your different groups. You should be able to do the same thing with a server-based VPN: make multiple groups with different IP pools, and add the appropriate firewall rules.

I only have Server 2008 to work with at the moment. I thought about making restricted groups and using GPOs to limit access, but now I have more detailed information about why my boss needs static IPs.

Apparently we have an agreement with the DOD which comes with our security status. They need access to 3 specific machines (using some method I'm uninformed of), and so far we've let those machines loose on the WAN.

We can't ask them to VPN in; they need access specifically to those machines. I don't know which ports they use to access them, so I can't forward them or firewall them. But they also need to be part of our domain. What should I do?
 
I only have Server 2008 to work with at the moment. I thought about making restricted groups and using GPOs to limit access, but now I have more detailed information about why my boss needs static IPs.

Apparently we have an agreement with the DOD which comes with our security status. They need access to 3 specific machines (using some method I'm uninformed of), and so far we've let those machines loose on the WAN.

We can't ask them to VPN in; they need access specifically to those machines. I don't know which ports they use to access them, so I can't forward them or firewall them. But they also need to be part of our domain. What should I do?

It would be hard to believe that they would not tell you what ports they need open. No way would I allow a machine with full exposure to be a part of my domain, ever. At the very least ask them what IP source addresses they will be accessing the machines from and only allow those outside addresses to touch the 3 machines.
 
Apparently we have an agreement with the DOD which comes with our security status. They need access to 3 specific machines (using some method I'm uninformed of), and so far we've let those machines loose on the WAN.

Um, I have worked on many contracts with DOD. Included in the security audits they perform on which systems they will be accessing are also source IP/username/ACLs/crypto methods (among many others), typically a 25-page audit questionnaire.

As far as "letting a machine loose on the WAN" that the DOD accesses? Lol?

You need to get a lot more information before you go any further, including sitting down and talking with your "network proficient" boss.
 
You need to get a lot more information before you go any further, including sitting down and talking with your "network proficient" boss.

Beat me to it, but agreed. DOD or not, I wouldn't be putting my internal network at risk because they think they need 2-3 machines wide open to the world.
 
I think you need to bring someone else in to fix this huge huge huge problem! :eek:
 
Let me clear things up along with bringing an update.

I was initially going to use the built-in Server 2008 DHCP and VPN, but I decided it would be much smarter to just go out and buy a Linksys RVS4000. We only have 20 workstations, a load which it can handle just fine. If our needs ever grow, we have the replacement options ready.

I recently got as much information as I could about the access requested of us as well. Currently we have 3 machines which have access granted to the government. My boss has a software firewall to allow their IP range, and this is our current setup. I was told that they are not very cooperative when it comes to changing the way they access our systems, and that they basically say "hold on" before making us wait indefinitely.

I'm in the process of acquiring the security clearance necessary to speak with them, so unfortunately I have to take his word for it. I'll try to get as much info as I can over time, but for the time being I'm going to need a less secure workaround.

We have an access router assigning WAN IPs at the moment, so IP passthrough isn't a problem. The problem arises when I want to join those machines into the domain.

What I'm planning on doing now before I have a better solution is this: Buy an extra network card for each of the accessed machines and have them connected to the subnet and the domain, while still retaining their WAN IPs. I'll leave their software firewalls guarding the WAN IPs while retaining the current range allowances.

Until I get much more information, this seems like the best solution. And I should be capable of fixing this myself; sure, it's a big problem, but it is manageable.
 
You can join a machine to the domain and still use static IP addressing. I'd just set a secondary IP on the NICs myself...

But I would definitely move toward a NAT router and just using a 10.10.10.X or 192.168.1.X network internally.

Another thought. You could do it as I suggested (assign local IPs) and just set up 1:1 NAT for now (until you know what specific ports they need), mapping the WAN IP to the LAN IP. Then in the future, all you've got to do to lock it down is router changes.
 
You can join a machine to the domain and still use static IP addressing. I'd just set a secondary IP on the NICs myself...

But I would definitely move toward a NAT router and just using a 10.10.10.X or 192.168.1.X network internally.

Another thought. You could do it as I suggested (assign local IPs) and just set up 1:1 NAT for now (until you know what specific ports they need), mapping the WAN IP to the LAN IP. Then in the future, all you've got to do to lock it down is router changes.

I like these ideas, but I have a few questions I hope you don't mind answering.

What kind of hardware do I need in order to implement static NAT?

My understanding is that a second IP must be within the same subnet as the primary IP, meaning I would need to use static NAT to map the external IPs to the same subnet.

Am I correct?
 
I like these ideas, but I have a few questions I hope you don't mind answering.

What kind of hardware do I need in order to implement static NAT?

My understanding is that a second IP must be within the same subnet as the primary IP, meaning I would need to use static NAT to map the external IPs to the same subnet.

Am I correct?

Well even the basic WRT54G can do NAT, if you want to get nitty gritty :)

But I'd suggest a full-feature router like a Cisco of some sort, 2901 or something... YeOlde or someone else might be able to suggest a good SMB one that's not as expensive though.

Basically, in the configuration you just assign to the WAN interface of the router all of the IPs your ISP has given you (I'd assume just everything that's statically assigned right now).
Then in the configuration you just do a 1:1 NAT (and firewall entry) to map 123.123.123.123 to 192.168.1.2.

The DOD won't even know the difference in connecting.
And then once you get the specifics on how they connect, instead of doing 1:1 you just restrict it down to only allow the ports that you specify, and that's a change inside the router, so no configuration changes needed for the client.

Also with an ACL you could specify that just certain IPs could connect into that WAN IP as well.

And also if job duties or contracts change with the DOD, you could re-route the WAN IP to go to a different internal IP too... It's really much easier than screwing with client configs.
 
Well even the basic WRT54G can do NAT, if you want to get nitty gritty :)

I like static =-], that way if the DOD uses the same port for each IP, I don't have to make them change their ports.

But I'd suggest a full-feature router like a Cisco of some sort, 2901 or something... YeOlde or someone else might be able to suggest a good SMB one that's not as expensive though.

What could I accomplish with a Cisco 2960G switch?

The DOD won't even know the difference in connecting.
And then once you get the specifics on how they connect, instead of doing 1:1 you just restrict it down to only allow the ports that you specify, and that's a change inside the router, so no configuration changes needed for the client.

Like I mentioned above, if they happened to use the same port to access the machines, a simple port forward would only work for one of the machines, after which I would have to ask them to change the ports they use and forward them to the correct machines.

Also with an ACL you could specify that just certain IPs could connect into that WAN IP as well.

I got that covered.

And also if job duties or contracts change with the DOD, you could re-route the WAN IP to go to a different internal IP too... It's really much easier than screwing with client configs.

I need a way to configure the Static NAT assignments and all is grand... right?
 
I like static =-], that way if the DOD uses the same port for each IP, I don't have to make them change their ports.

Like I mentioned above, if they happened to use the same port to access the machines, a simple port forward would only work for one of the machines, after which I would have to ask them to change the ports they use and forward them to the correct machines.
The above is true only if you had one WAN IP. You'd have multiple.
I.e., the following table:
123.123.123.120 -> 192.168.1.2
123.123.123.121 -> 192.168.1.3
123.123.123.122 -> 192.168.1.4
123.123.123.123 -> 192.168.1.5
etc.
And each of those IPs obviously has a complete range of ports you can control.

Right now, let's say they use 3389 to access a machine. DOD RDPs to 123.123.123.120:3389 and they get to the client.
You'd just be giving them a router in between. When they RDP to 123.123.123.120:3389, the IP is actually sitting at the router. The router then looks at NAT and all your ACLs to determine that this request needs to go to client 192.168.1.2. The DOD still gets to the client, but the advantage here is you obviously gain control of your routing. And obviously when you get additional information, you can further restrict their access down to specific ports.

What could I accomplish with a Cisco 2960G switch?
'Tis a switch, not a router.

I got that covered.
You really don't.
The whole issue here is you don't want the clients themselves facing the internet... Thus you'll be doing the ACLs inside the router, not at the client.

I need a way to configure the Static NAT assignments and all is grand... right?
Well, you need to do NAT, then firewall, then ACLs, along with all the rest of the basic router capabilities (secondary IPs on the WAN interface, etc.).
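The 1:1 table above, the source-IP ACL and the later port tightening, written out as Cisco IOS configuration for a 2801-class router. This is an added example, not config from anyone in the thread: the interface names, the router's WAN address 123.123.123.2 and the DoD source range 203.0.113.0/24 are assumptions, and the 192.168.1.x mappings follow the table in the post.

```cisco
! Added example: Cisco IOS 1:1 static NAT for the three DoD-accessed hosts.
! Interface names, the ISP block 123.123.123.0/24, the router address .2
! and the DoD source range 203.0.113.0/24 are assumed/constructed values.
!
interface FastEthernet0/0
 description WAN - ISP block 123.123.123.0/24
 ip address 123.123.123.2 255.255.255.0
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 description LAN - 192.168.1.0/24 domain network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Step 1 (ports still unknown): full 1:1 mapping. Every port of each public
! IP lands on exactly one internal host, so the same port on all three
! machines never collides. IOS answers ARP for these global addresses on the
! connected WAN subnet itself, so they need not be configured as secondaries.
ip nat inside source static 192.168.1.2 123.123.123.120
ip nat inside source static 192.168.1.3 123.123.123.121
ip nat inside source static 192.168.1.4 123.123.123.122
!
! All other workstations share the router's WAN address for outbound traffic.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/0 overload
!
! The inbound ACL on the outside interface is evaluated before NAT, so it
! matches the public (global) addresses. Only the DoD range may reach the
! three mapped IPs; any other attempt against them is dropped and logged.
access-list 101 remark DoD source range -> mapped hosts only
access-list 101 permit ip 203.0.113.0 0.0.0.255 host 123.123.123.120
access-list 101 permit ip 203.0.113.0 0.0.0.255 host 123.123.123.121
access-list 101 permit ip 203.0.113.0 0.0.0.255 host 123.123.123.122
access-list 101 deny   ip any host 123.123.123.120 log
access-list 101 deny   ip any host 123.123.123.121 log
access-list 101 deny   ip any host 123.123.123.122 log
! Everything else is left to NAT: inbound packets with no matching
! translation are not forwarded to the LAN. Traffic for the router itself
! still needs its own management ACLs (e.g. access-class on the vty lines).
access-list 101 permit ip any any
!
! Step 2 (DoD confirms the port, say RDP/3389): replace each full 1:1 entry
! with a port-level static entry and tighten ACL 101 to that port. The DoD
! side keeps the same address and port; only the router changes.
! no ip nat inside source static 192.168.1.2 123.123.123.120
! ip nat inside source static tcp 192.168.1.2 3389 123.123.123.120 3389
! access-list 101 permit tcp 203.0.113.0 0.0.0.255 host 123.123.123.120 eq 3389
```

The logged denies on the three mapped addresses are the cheapest way to see who else is knocking on those hosts once they sit behind the router.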
 
Why not something like pfSense or Untangle? Give the external interfaces all your public IPs, and I thought you could one-to-one NAT them... All that would require is an extra NIC and a decent machine you may have lying around on the shelf. Install the firewall module, set it up and go.
 
The above is true only if you had one WAN IP. You'd have multiple.
I.e., the following table:
123.123.123.120 -> 192.168.1.2
123.123.123.121 -> 192.168.1.3
123.123.123.122 -> 192.168.1.4
123.123.123.123 -> 192.168.1.5
etc.
And each of those IPs obviously has a complete range of ports you can control.

Right now, let's say they use 3389 to access a machine. DOD RDPs to 123.123.123.120:3389 and they get to the client.
You'd just be giving them a router in between. When they RDP to 123.123.123.120:3389, the IP is actually sitting at the router. The router then looks at NAT and all your ACLs to determine that this request needs to go to client 192.168.1.2. The DOD still gets to the client, but the advantage here is you obviously gain control of your routing. And obviously when you get additional information, you can further restrict their access down to specific ports.

'Tis a switch, not a router.

You really don't.
The whole issue here is you don't want the clients themselves facing the internet... Thus you'll be doing the ACLs inside the router, not at the client.

Well, you need to do NAT, then firewall, then ACLs, along with all the rest of the basic router capabilities (secondary IPs on the WAN interface, etc.).

Just to clarify, I understand the concept of static NAT with multiple WAN IPs mapping to their own internal LAN IPs and only those. But my problem arises from getting the hardware capable of doing that. I asked about the 2960 because you mentioned the 2901, which is also a switch.

Can a Cisco 1700 series router be of use for static NAT?
 
Just to clarify, I understand the concept of static NAT with multiple WAN IPs mapping to their own internal LAN IPs and only those. But my problem arises from getting the hardware capable of doing that. I asked about the 2960 because you mentioned the 2901, which is also a switch.

Can a Cisco 1700 series router be of use for static NAT?

I meant a 2801, sorry...
 
Can a Cisco 1700 series router be of use for static NAT?

As long as it has an interface from the internet to the internal network, yes. Most 1700s only came with one Ethernet interface, so IIRC you would need a T1, ISDN, ADSL, etc. card in them to provide internet.
 
We have two WIC cards in our 1720 router. I think I should be able to set up static NAT, but it's a project.
 
Another tip... I would suggest getting rid of any mention of any government relationship and not bringing a discussion like this to an internet forum. You're not doing your company or the government any favors by posting details of your network. And please bring in some qualified help to get this stuff secured ASAP.
 
Another tip... I would suggest getting rid of any mention of any government relationship and not bringing a discussion like this to an internet forum. You're not doing your company or the government any favors by posting details of your network. And please bring in some qualified help to get this stuff secured ASAP.

I don't see where he's divulged ANY pertinent information.
 
Discussing how his company in Jersey has computers that connect to the DoD and the complete lack of security currently isn't pertinent? I'm sure anyone with an interest in finding out more would disagree.
 
Discussing how his company in Jersey has computers that connect to the DoD and the complete lack of security currently isn't pertinent? I'm sure anyone with an interest in finding out more would disagree.

Just because I live in Jersey doesn't mean this company is in Jersey. I don't reveal IPs, the IP I posted from isn't the company's, and this thread gets deleted in a few days. No big deal.
 
Just because I live in Jersey doesn't mean this company is in Jersey. I don't reveal IPs, the IP I posted from isn't the company's, and this thread gets deleted in a few days. No big deal.

Security through obscurity is about the worst thing you can do. This page has most likely already been indexed and cached by the internet wayback machine, as well as others. Once on the internet, it lives forever.
 
Yes, this thread will live forever.

But gosh people, he hasn't divulged any information. If you want to argue otherwise then please figure out what his Company's name is and I'll become a believer :rolleyes:
 
What makes you think this thread gets deleted in a few days? There are over 1000 pages of threads in this subforum alone. Sorry, but there are certain responsibilities that come with a security clearance, and talking about how your company connects to the DoD isn't one of them.

Do you really think it would be farfetched for someone to figure out exactly what company?
 
What makes you think this thread gets deleted in a few days? There are over 1000 pages of threads in this subforum alone. Sorry, but there are certain responsibilities that come with a security clearance, and talking about how your company connects to the DoD isn't one of them.

Do you really think it would be farfetched for someone to figure out exactly what company?

Yes.
 
Sounds like a shitty network from the few posts I read.

Why would he want to be on a public IP and not behind the network? If he needs access to stuff, just open ports...
 
Sounds like a shitty network from the few posts I read.

Why would he want to be on a public IP and not behind the network? If he needs access to stuff, just open ports...

So he can DL porn and not get caught.
 