Mid-LAN router/firewall recommendation

 
 
Drew M

 
      12-15-2004, 09:55 PM
My parents live in the same building as their workplace (a school), and
are having an ethernet cable poked through the wall to their apartment
so they can access the school LAN and internet connection.

They currently have two Windows XP machines and a basic hub. I'm of the
opinion that they should treat the connection to the school LAN as
untrusted, and therefore should use a similar NAT router and firewall to
that commonly used for an ADSL line.

The requirements are:

1) should not allow incoming connections by default
2) should work with standard DHCP from the school LAN
3) should enable the two machines to authenticate against the school's
Windows domain controllers
4) should allow access to the school LAN
5) should allow access to internet via a gateway on the school LAN

Any suggestions for a device to tackle this job?


drew.
 
Alex Fraser

 
      12-15-2004, 10:50 PM
"Drew M" wrote in message:
> My parents live in the same building as their workplace (a school), and
> are having an ethernet cable poked through the wall to their apartment
> so they can access the school LAN and internet connection.
>
> They currently have two Windows XP machines and a basic hub. I'm of the
> opinion that they should treat the connection to the school LAN as
> untrusted, and therefore should use a similar NAT router and firewall to
> that commonly used for an ADSL line.
>
> The requirements are:
>
> 1) should not allow incoming connections by default
> 2) should work with standard DHCP from the school LAN
> 3) should enable the two machines to authenticate against the school's
> Windows domain controllers
> 4) should allow access to the school LAN
> 5) should allow access to internet via a gateway on the school LAN
>
> Any suggestions for a device to tackle this job?


AFAIK, your implied requirement for NAT and the requirement for access to
the school LAN are mutually exclusive. If I'm wrong, any cable router will
do the job, but otherwise the simplest solution is a carefully configured
firewall on the machines themselves (plus the hub).

Alex


 
Dave J

 
      12-16-2004, 08:12 AM
Within uk.comp.home-networking, 'Alex Fraser' wrote:

>> The requirements are:
>>
>> 1) should not allow incoming connections by default
>> 2) should work with standard DHCP from the school LAN
>> 3) should enable the two machines to authenticate against the school's
>> Windows domain controllers
>> 4) should allow access to the school LAN
>> 5) should allow access to internet via a gateway on the school LAN
>>
>> Any suggestions for a device to tackle this job?

>
>AFAIK, your implied requirement for NAT and the requirement for access to
>the school LAN are mutually exclusive. If I'm wrong, any cable router will
>do the job, but otherwise the simplest solution is a carefully configured
>firewall on the machines themselves (plus the hub).


I wonder if you're right there, I cannot see a problem with setting the
private computers up on a different private subnet to the school network,
and natting between the two. As far as the school is concerned all traffic
comes from the external IP of the NAT, with his (Alex's) network hidden
behind it.

You wouldn't use a 'cable' router, you'd use a normal (non-modemed) one.

Local (per-machine s/w) firewalls would still be relevant, as you'd want
outgoing protection from any rogue software.

(To the Orig Poster)

I may well be wrong, but if so I'll be interested to find out how.

The only bit I know nothing about is automatic authentication on the
school's domain controllers, personally I would try to set up a local
machine to do the job exactly as you would if it was the only machine on
the link, the school only sees one IP (the 'external' NAT IP on the
router) so anything sending the right codes will authenticate that IP.
That said, it may well be that there are routers that will do the job for
you.

Hope it's helpful, someone will be along shortly to confirm or refute..

Dave J. (Breaking lurk early)
 
Lurch

 
      12-16-2004, 08:20 AM
On Wed, 15 Dec 2004 23:50:24 -0000, "Alex Fraser"
strung together this:

>> The requirements are:
>>
>> 1) should not allow incoming connections by default
>> 2) should work with standard DHCP from the school LAN
>> 3) should enable the two machines to authenticate against the school's
>> Windows domain controllers
>> 4) should allow access to the school LAN
>> 5) should allow access to internet via a gateway on the school LAN
>>
>> Any suggestions for a device to tackle this job?

>
>AFAIK, your implied requirement for NAT and the requirement for access to
>the school LAN are mutually exclusive. If I'm wrong, any cable router will
>do the job, but otherwise the simplest solution is a carefully configured
>firewall on the machines themselves (plus the hub).
>

I was thinking something similar, 1,2,4+5 seem easy enough with any
decent NAT router but 3 needs a bit of thought.
--

SJW
Please reply to group or use 'usenet' in email subject
 
Lurch

 
      12-16-2004, 09:01 AM
On Thu, 16 Dec 2004 09:12:45 +0000, Dave J strung
together this:

>You wouldn't use a 'cable' router, you'd use a normal (non-modemed) one.
>

Same thing.
--

SJW
Please reply to group or use 'usenet' in email subject
 
Alex Fraser

 
      12-16-2004, 09:59 AM
"Dave J" wrote in message:
> Within uk.comp.home-networking,
> 'Alex Fraser' wrote:
> >AFAIK, your implied requirement for NAT and the requirement for access
> >to the school LAN are mutually exclusive. If I'm wrong, any cable router
> >will do the job, but otherwise the simplest solution is a carefully
> >configured firewall on the machines themselves (plus the hub).

>
> I wonder if you're right there, I cannot see a problem with setting the
> private computers up on a different private subnet to the school network,
> and natting between the two.


The suspicion I had in mind was that the school machines (servers) may try
to initiate communication in some circumstances, which NAT would naturally
make impossible unless you configured port forwarding, and even then it
would only work for one machine.

> You wouldn't use a 'cable' router, you'd use a normal (non-modemed) one.


Routers used with cable (i.e. cable routers) do not have a modem. I should
have been more clear.

> Local (per-machine s/w) firewalls would still be relevant, as you'd want
> outgoing protection from any rogue software.


Yes, good point.


 
Dave J

 
      12-16-2004, 10:51 AM
Within uk.comp.home-networking, 'Lurch' wrote:

>>> 3) should enable the two machines to authenticate against the school's
>>> Windows domain controllers


>I was thinking something similar, 1,2,4+5 seem easy enough with any
>decent NAT router but 3 needs a bit of thought.


What's the deal with authentication against domain controllers?
If there's a main machine, is there a problem with letting it authenticate
normally via the NAT? Is there a broadcast issue?

--
Dave Johnson
 
Ernest Bilko

 
      12-16-2004, 01:21 PM
Lurch wrote:
> On Wed, 15 Dec 2004 23:50:24 -0000, "Alex Fraser"
> strung together this:
>
>
>>>The requirements are:
>>>
>>>1) should not allow incoming connections by default
>>>2) should work with standard DHCP from the school LAN
>>>3) should enable the two machines to authenticate against the school's
>>>Windows domain controllers
>>>4) should allow access to the school LAN
>>>5) should allow access to internet via a gateway on the school LAN
>>>
>>>Any suggestions for a device to tackle this job?

>>
>>AFAIK, your implied requirement for NAT and the requirement for access to
>>the school LAN are mutually exclusive. If I'm wrong, any cable router will
>>do the job, but otherwise the simplest solution is a carefully configured
>>firewall on the machines themselves (plus the hub).
>>

>
> I was thinking something similar, 1,2,4+5 seem easy enough with any
> decent NAT router but 3 needs a bit of thought.


I was going to suggest using IPCop but the more I look at it the more
it looks like a case for firewalling at pc level, for authentication make
holes that are filtered by IP number, protocol and port.
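
As an added example (not part of any poster's message), here is a toy Python model of the two options discussed in this thread: Alex Fraser's point that NAT blocks server-initiated connections unless a port is forwarded, and then only to one machine, and Ernest Bilko's suggestion of per-PC firewall holes filtered by IP, protocol and port. The addresses, port numbers and the names `NatRouter`, `host_allows` and `demo` are assumptions made for illustration.

```python
# Added illustration: toy model of a NAT router and a per-host inbound filter.
# Every address and port below is constructed for the example.
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    flows: dict = field(default_factory=dict)     # (proto, wan_port) -> (lan_ip, lan_port, remote)
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote):
        """A LAN host opens a connection; the router records the mapping."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(proto, wan_port)] = (lan_ip, lan_port, remote)
        return wan_port

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        """A given WAN port can be forwarded to only one LAN host."""
        if (proto, wan_port) in self.forwards:
            raise ValueError(f"{proto}/{wan_port} is already forwarded")
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def inbound(self, proto, remote, wan_port):
        """Return the LAN (ip, port) the packet is delivered to, or None if dropped."""
        flow = self.flows.get((proto, wan_port))
        if flow and flow[2] == remote:               # reply on a flow a LAN host started
            return flow[:2]
        return self.forwards.get((proto, wan_port))  # otherwise only a static forward

def host_allows(holes, src_ip, proto, dst_port):
    """Per-PC firewall: deny inbound by default, allow only listed (IP, protocol, port)."""
    return (src_ip, proto, dst_port) in holes

def demo():
    server, pc_a, pc_b = "10.0.0.5", "192.168.1.10", "192.168.1.11"
    nat, out = NatRouter(), {}
    wan_port = nat.outbound("tcp", pc_a, 1035, (server, 445))
    out["reply"] = nat.inbound("tcp", (server, 445), wan_port)
    out["unsolicited"] = nat.inbound("tcp", (server, 3000), 5000)
    nat.add_forward("tcp", 5000, pc_a, 5000)
    out["forwarded"] = nat.inbound("tcp", (server, 3000), 5000)
    try:
        nat.add_forward("tcp", 5000, pc_b, 5000)
        out["second_forward"] = "accepted"
    except ValueError:
        out["second_forward"] = "rejected"
    holes = {(server, "tcp", 5000)}
    out["host_from_server"] = host_allows(holes, server, "tcp", 5000)
    out["host_from_other"] = host_allows(holes, "10.0.0.99", "tcp", 5000)
    return out
```

Calling `demo()` returns a dictionary showing which packets are delivered in each case; port 5000 stands in for whatever service a school server might try to reach, which the thread does not specify.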
 