Networking Forums

How to add a Web server to the LAN safely?

 
 
Bill
02-29-2008, 06:28 PM
I have a beginner's question. I have a small network behind a NAT
router. I need to add a PC that will function as a low volume Web
server. I think that the safest way to do this is to place the Web
server behind a NAT router and have the rest of the network behind a
second NAT router.

The configuration would be:

Connect the DSL line to the first router.
Connect the Web server to the first router.
Connect the first router to the second router.
Have all other PCs connected to the second router.

Is this a good solution? If not what should I do?

--
.Bill.
 
Kerry Liles
02-29-2008, 06:37 PM
It would be simpler and cheaper to put the webserver PC in the DMZ of the
(only) router. That way, any compromise of it would not permit
cross-contamination of the other PCs behind the same router (at least as I
understand things). The introduction of an additional router doesn't add
much to the equation in the configuration you are suggesting. You may also
want to go here and read this information (which may help):

http://www.grc.com/nat/nat.htm

and an associated page: http://www.grc.com/nat/nats.htm

HTH



"Bill" <(E-Mail Removed)> wrote in message
news:O1Zxj.9$(E-Mail Removed)...
>I have a beginner's question. I have a small network behind a NAT
> router. I need to add a PC that will function as a low volume Web
> server. I think that the safest way to do this is to place the Web
> server behind a NAT router and have the rest of the network behind a
> second NAT router.
>
> The configuration would be:
>
> Connect the DSL line to the first router.
> Connect the Web server to the first router.
> Connect the first router to the second router.
> Have all other PCs connected to the second router.
>
> Is this a good solution? If not what should I do?
>
> --
> .Bill.



 
Bill
02-29-2008, 07:21 PM
Kerry Liles wrote:

> It would be simpler and cheaper to put the webserver PC in the DMZ of
> the (only) router. That way, any compromise of it would not permit
> cross-contamination of the other PCs behind the same router (at least


FYI, that is exactly the opposite of what the article at
http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
access to the internal network as any other machine on the internal
network and is, therefore, a major security hole.

> as I understand things). The introduction of an additional router
> doesn't add much to the equation in the configuration you are
> suggesting. You may also want to go here and read this information
> (which may help):


The articles are excellent. Many thanks. They show exactly how to do
what I need using two NAT routers to isolate the Web server from the
Internet, except for the ports that are forwarded to it, and isolate
the other machines on the internal LAN from the Web server in case it
is compromised.

--
.Bill.
 
Kerry Liles
02-29-2008, 07:45 PM
Mea culpa. I guess I should read what I recommend!
My apologies and kudos to you for reading carefully... I don't know what I
was thinking (likely nothing at all).

"comprehension isn't all that it is hyped to be..."

"Bill" <(E-Mail Removed)> wrote in message
news:zPZxj.11$(E-Mail Removed)...
> Kerry Liles wrote:
>
>> It would be simpler and cheaper to put the webserver PC in the DMZ of
>> the (only) router. That way, any compromise of it would not permit
>> cross-contamination of the other PCs behind the same router (at least

>
> FYI, that is exactly the opposite of what the article at
> http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
> access to the internal network as any other machine on the internal
> network and is, therefore, a major security hole.
>
>> as I understand things). The introduction of an additional router
>> doesn't add much to the equation in the configuration you are
>> suggesting. You may also want to go here and read this information
>> (which may help):

>
> The articles are excellent. Many thanks. They show exactly how to do
> what I need using two NAT routers to isolate the Web server from the
> Internet, except for the ports that are forwarded to it, and isolate
> the other machines on the internal LAN from the Web server in case it
> is compromised.
>
> --
> .Bill.



 
David H. Lipman
02-29-2008, 08:27 PM
From: "Bill" <(E-Mail Removed)>

| Kerry Liles wrote:
|
>> It would be simpler and cheaper to put the webserver PC in the DMZ of
>> the (only) router. That way, any compromise of it would not permit
>> cross-contamination of the other PCs behind the same router (at least

|
| FYI, that is exactly the opposite of what the article at
| http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
| access to the internal network as any other machine on the internal
| network and is, therefore, a major security hole.
|
>> as I understand things). The introduction of an additional router
>> doesn't add much to the equation in the configuration you are
>> suggesting. You may also want to go here and read this information
>> (which may help):

|
| The articles are excellent. Many thanks. They show exactly how to do
| what I need using two NAT routers to isolate the Web server from the
| Internet, except for the ports that are forwarded to it, and isolate
| the other machines on the internal LAN from the Web server in case it
| is compromised.
|

I don't see a need for two Routers.

One Router is all that's needed. If it is a standard HTTP server, forward TCP port 80 to the
Web Server. If it also uses SSL, port forward TCP port 443 to the web server IP address as
well. Make the Web Server a static address.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Bill
03-01-2008, 12:29 AM
David H. Lipman wrote:

> I don't see a need for two Routers.
>
> One Router is all that's needed. If it is a standard HTTP server,
> forward TCP port 80 to the Web Server. If it also uses SSL, port
> forward TCP port 443 to the web server IP address as well. Make the
> Web Server a static address.


Are you saying that there is no way that a hacker could hack into the
Web server PC if port 80 is forwarded? If so, that is great.

--
.Bill.
 
David H. Lipman
03-01-2008, 12:49 AM
From: "Bill" <(E-Mail Removed)>

| David H. Lipman wrote:
|
>> I don't see a need for two Routers.
>>
>> One Router is all that's needed. If it is a standard HTTP server,
>> forward TCP port 80 to the Web Server. If it also uses SSL, port
>> forward TCP port 443 to the web server IP address as well. Make the
>> Web Server a static address.

|
| Are you saying that there is no way that a hacker could hack into the
| Web server PC if port 80 is forwarded? If so, that is great.
|

Well if you have a vulnerability on said server and the miscreant uses TCP port 80 then
yes... it could still be hacked. But that would be the case in any other solution noted as
well.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Bill
03-01-2008, 01:25 AM
David H. Lipman wrote:

> Well if you have a vulnerability on said server and the miscreant
> uses TCP port 80 then yes... it could still be hacked. But that
> would be the case in any other solution noted as well.


If I understand the two papers on the Gibson Research site referenced
in Kerry Liles' earlier post, using two NAT routers with the Web server
between the two and the rest of the computers behind the second router
makes it impossible for the Web server to access the rest of the
computers on the network. It is impossible for a computer on the WAN
side of a NAT router to access computers on the LAN side of the NAT
router. OTOH, computers on the LAN side can access the computer on the
WAN side (the Web server). For the $30 cost of a second NAT router it
seems like very cheap insurance.

--
.Bill.
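Bill's reasoning here, together with Dave's port-forwarding advice earlier in the thread, as a small added model that is not from the original thread or from the GRC pages: each NAT router is treated as a stateful device that lets its LAN side initiate connections outward but drops unsolicited inbound connections unless an explicit port forward points at the next hop. The host names, router names and forward rules are constructed for the illustration; the model checks connection initiation only and says nothing about what an attacker can do once inside the web server through its forwarded port.

```python
"""Connection-initiation model of the two-NAT-router layout discussed in
this thread versus a single router with a "DMZ host". Constructed
topologies and port-forward rules, not any vendor's configuration."""

# Two-router layout: DSL -> router1 (web server on its LAN) -> router2 (other PCs).
TWO_ROUTER = {          # host -> NAT routers enclosing it, outermost first
    "internet": [],
    "webserver": ["router1"],
    "pc": ["router1", "router2"],
}
# Single-router layout: web server and PCs share router1's LAN side.
ONE_ROUTER = {"internet": [], "webserver": ["router1"], "pc": ["router1"]}

# Port forwards per router: external port -> (next hop, internal port).
# router1 forwards TCP 80 and 443 to the web server's static address.
FORWARDS = {
    "router1": {80: ("webserver", 80), 443: ("webserver", 443)},
    "router2": {},      # nothing forwarded into the inner LAN
}


def can_connect(src, dst, dport, location, forwards=FORWARDS):
    """Return (allowed, reason) for a NEW TCP connection src -> dst:dport.
    Leaving a NAT router (LAN -> WAN) is always allowed in this model;
    entering one (WAN -> LAN) needs a port forward aimed at the next hop."""
    src_path, dst_path = location[src], location[dst]
    common = 0                      # routers that enclose both endpoints
    while (common < min(len(src_path), len(dst_path))
           and src_path[common] == dst_path[common]):
        common += 1
    for i in range(common, len(dst_path)):      # inbound crossings only
        router = dst_path[i]
        next_hop = dst_path[i + 1] if i + 1 < len(dst_path) else dst
        rule = forwards[router].get(dport)
        if rule is None:
            return False, f"{router} drops unsolicited inbound port {dport}"
        if rule[0] != next_hop:
            return False, f"{router} forwards port {dport} to {rule[0]}, not {next_hop}"
        dport = rule[1]             # port as seen on the inner side
    return True, "allowed"


if __name__ == "__main__":
    checks = [("internet", "webserver", 80), ("internet", "webserver", 22),
              ("webserver", "pc", 445), ("pc", "webserver", 80), ("internet", "pc", 80)]
    for label, topo in (("two routers", TWO_ROUTER), ("one router, DMZ host", ONE_ROUTER)):
        print(f"== {label}")
        for src, dst, port in checks:
            ok, why = can_connect(src, dst, port, topo)
            print(f"  {src} -> {dst}:{port}: {'ALLOW' if ok else 'BLOCK'} ({why})")
```

The webserver -> pc:445 case is the one that differs between the two layouts: blocked by router2 in the two-router layout, allowed in the single-router layout because no NAT boundary separates the two hosts.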
 
David H. Lipman
03-01-2008, 01:33 AM
From: "Bill" <(E-Mail Removed)>

| David H. Lipman wrote:
|
>> Well if you have a vulnerability on said server and the miscreant
>> uses TCP port 80 then yes... it could still be hacked. But that
>> would be the case in any other solution noted as well.

|
| If I understand the two papers on the Gibson Research site referenced
| in Kerry Liles' earlier post, using two NAT routers with the Web server
| between the two and the rest of the computers behind the second router
| makes it impossible for the Web server to access the rest of the
| computers on the network. It is impossible for a computer on the WAN
| side of a NAT router to access computers on the LAN side of the NAT
| router. OTOH, computers on the LAN side can access the computer on the
| WAN side (the Web server). For the $30 cost of a second NAT router it
| seems like very cheap insurance.
|

Insurance? From what?

I don't see a problem or a need for two NAT Routers.

So the web server can be seen by LAN side nodes and vice versa. What's the problem?

Remember SOHO Routers have high latency. Two NAT Routers means you effectively double the
latency.

BTW: GRC -- what a laugh.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Bob Kester
03-01-2008, 02:17 AM
Hi...

I've read some of the other replies, and there are a lot of good ideas
there. Let me relate what I ended up doing, and sort of 'why'.

Originally I put my server on port 80, and set my router to forward any
inbound port 80 traffic to it. Seemed to be a straightforward
approach. I tried to lock that computer down as tightly as possible so
hackers wouldn't be able to easily break into it. That does require that the
router knows the IP address for the computer you are forwarding to! The
Netgear router I use will reserve IP addresses for specific MAC
addresses within the dynamic range it hands out. So any time the server
computer is booted, it would request an IP via DHCP, and the router
would always hand it the same address. If you want to use static IP
addresses, I see nothing wrong with that -- I guess a computer that is
only a server really doesn't need to know where DNS servers are, and so
on.

Watching the activity on the server, I was surprised at the number of
connection attempts to it. Large numbers of attempts to connect, and
for each packet in, I was responding with several replies. That is
normal in a TCP handshake situation, until a connection is established
-- but that should be almost immediate. And what got me even more
concerned, some of the attempts to connect to my server were from IP
addresses on the web that would never be trying to connect.

Keep in mind a connection can be made by a user either using a URL, or
an IP address. My friends were given the URL, but anyone who knew the
IP could use it directly.

I am on a DSL line, and, like many broadband residential services, the
IP address can change -- it is a dynamic IP rather than a static address
that never changes. So, I used a redirection service. The one I use is
DynDNS.org, but there are other ones out there that do the same. For low
volume users, they are free. I supply them with my IP address, and they
supply me with a URL that gets linked to it. My router even has the
ability to automatically update the IP with them, should it change.

When I realized what was going on, I moved my server off of port 80 to
an unused port number. I also changed the port forwarding in the router
to forward the new address rather than 80. Now port 80 is not responded
to. I'm sure you've seen some URLs that have port numbers tacked on
(like :8080). Now, anyone who knew the URL and the port number could
still connect, but the casual bad guy scanning IP addresses would not
find it.

Obviously, the need for that port number on a URL isn't the greatest!
At DynDNS they have another feature where a URL on port 80 can get
forwarded to another URL using a different port. So, now I use for the
public URL one at DynDNS that doesn't require a port number, and it gets
forwarded to whatever IP address I happen to have at the time and at the
port I have set up for the server.

Actually, I have a couple of very low volume servers here, and this
allows me to have both on one DSL line with no problems.

I hope I haven't made this sound too complicated! It really turns out
to be straightforward!

...Bob

(For reference only, the original message follows)



Bill wrote:
>
> I have a beginner's question. I have a small network behind a NAT
> router. I need to add a PC that will function as a low volume Web
> server. I think that the safest way to do this is to place the Web
> server behind a NAT router and have the rest of the network behind a
> second NAT router.
>
> The configuration would be:
>
> Connect the DSL line to the first router.
> Connect the Web server to the first router.
> Connect the first router to the second router.
> Have all other PCs connected to the second router.
>
> Is this a good solution? If not what should I do?
>
> --
> .Bill.


--
The FROM: email address has been set up for receiving SPAM.
Don't bother using it -- email to it won't be read.
Right now, you can use: posts01 [at-sign] kesters [DOT] org
(Until the scumbags figure that one out.)
 