Date: Wed, 22 Jan 2003 13:36:38 -0500 From: Bill Moran <wmoran@potentialtech.com> To: Martyn Hill <m.hill@stjamessengirls.org.uk> Cc: FreeBSD-questions <freebsd-questions@freebsd.org> Subject: Re: Subnetting or Bridging to secure different dapartments on our School LAN? Message-ID: <3E2EE4B6.2030607@potentialtech.com> References: <000701c2c222$e7439dc0$6f00000a@SJMOBILE11> <3E2EB7BD.9080502@potentialtech.com> <00b101c2c23a$74082de0$6f00000a@SJMOBILE11>
next in thread | previous in thread | raw e-mail | index | archive | help
Martyn Hill wrote: >>>Martyn Hill wrote: >>>Do I use ifconfig to alias the one internal NIC in the present gateway >>>to create virtual sub-nets? >> >>Bill Moran wrote: >>That would be the method I would suggest, however without more details of >>your network it's kind of hard to be sure it's the best method. What you >>could do is: >> >> ADSL router >> | >> FreeBSD BOX >> | >> switch >> / | \ >> / | \ >> / | \ >> hub1 hub2 hub3 >> / | \ >> subnet1 subnet2 subnet3 >> >>The switch will keep traffic from subnet1 off subnet2 & subnet3 (and vise >>versa) The freeBSD box has 2 nics, one to the ADSL, the other to the switch. >>The NIC to the switch has an IP for each subnet and IPFW rules for each IP. >>If the IPFW rules are identical for each subnet, you'll be able to >>consolidate them a good bit. > > Thank you very much for your ideas and time, Bill. > > You mention the use of hub1, 2 etc. Can I assume that some small switches > (we use a few netgear 5 and 8 port switches around the building already) > would do the job, given that the other departments amount to a handful of > workstations each? Sure. Using hubs is (dare I say it) the canonical way. But with switch prices as cheap as they are, there really isn't any reason to not use switches. >>Which one is really best depends a lot on details that you haven't >>yet provided. Like, what traffic _exactly_ do you want to prevent from >>crossing subnets? SMB browse announcements won't cross subnets, for example >>(they'll get stopped at the switch) but cross-network browsing is still >>possible by IP address (or if you use WINS). What this means (from a Windows >>perspective) is that Windows machines on subnet1 won't see Windows machines >>on subnet2 in their network neighborhood, but they will be able to access >>them if the user knows the IP address of the machine he wants to connect >>to. So it depends on whether you want to offer _real_ security or just >>obscurity. (this is dependent on using the method I diagramed above, other >>methods offer different levels of security/obscurity) > > We do use WINS (via Samba-TNG) for our own curriculum/admin network, but the > other departments are supposed to contain themselves to their own > workgroups. The WINS configuration will determine who can see what then. You can set up WINS servers that don't know anything about one another, and they will not cross-propogate browse lists. Or you can coordinate so they all see all computers, it's pretty much up to you. > Obscurity would provide sufficient protection for (from?) most, if not all, > of our user base - I'm not aware of any potential hackers amoungst the > school population, (if I found one, I'll be proud, as I'm the one who > teaches the pupils IT!) I like that: "Protection from user base" I'll start saying that and see if people pick up on it! > My concerns over security are three fold: > Access to SMB fileshares and printers (especially from some newly introduced > Windows XP clients, which seem intent on discovering everything on the > network and adding it to their own browse lists...) Sure, they're trying to automagically do everything for you. You should be able to use WINS/DNS to control what they do and don't see. Keep in mind that WinXP is migrating away from WINS to DNS, so you may have to build your own DNS servers and configure them carefully to keep things sane. So far, however, I've still been able to control things with WINS. > The ability of a virus outbreak to spread rampantly throughout the whole > site. Well, I doubt such a configuration will give you too much power to stop that, but at least they won't be able to arbitrarily connect to shares on another subnet to propogate. > The limiting of adverse network 'noise' from one department affecting the > bandwidth for others, (not really a security issue.) The switch will handle most of that issue. and if you wire things up all with switches, it will handle it even better. > I appreciate the vaugeness of the information, I guess I'm not sure what > traffic I _should_ be filtering out. Any ideas? It seems to be different for every network. Broadcast traffic is one of the most annoying, and a good switch won't pass it from one subnet to another (and the better ones are configurable as to whether they pass it or not) Before you trust in that statement, however, verify the behaviour of the specific switch that you're using. If you choose the solution where you put a different NIC in the FreeBSD box for each subnet, you'll definately be blocking broadcast traffic, and you'll have the option to configure IPFW to block anything else you want. The downfall is: depending on how many subnets you have, PC hardware isn't really designed to have a lot of NICs plugged in, performance may suffer. If you want to have everything controlled through FreeBSD, you may want to have more than one firewall box. At least your ADSL router has multiple ports, so you can plug each firewall directly into it. > Where should I turn next to penetrate the topic of aliasing using ifconfig? The man page for ifconfig was all I needed to figure it out (assuming a sound understanding of IP routing). If you have any specific questions, feel free to ask. -- Bill Moran Potential Technologies http://www.potentialtech.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E2EE4B6.2030607>