network isolation device?

Discussion in 'Linux Networking' started by Bill Grzanich, Jun 26, 2003.

  1. Hi, All.

    I'm looking for some sort of "network isolation device". By that, I mean
    a hardware device, probably with relays, that will disconnect the
    Ethernet connection from one NIC and connect another, possibly under
    software (user) control. The idea is this: we have a LAN, but only dial-
    up Internet access is currently allowed, and we have a "mini-firewall"
    from Computer Peripheral Systems that automatically disconnects the
    Ethernet whenever the modem goes off-hook. (The owner of the company is
    a bit on the paranoid side when it comes to network security.) We'd like
    to have a broadband connection to the Internet, and we're prepared to run
    a second Ethernet cable and a second NIC to those PCs that require
    access, but that allows for the possibility of Internet traffic on our
    LAN. In ASCII art, what I'm looking for is something like this:

    +------+
    | PC   |        +---------+                 +----------+
    | NIC1 |--------| Mystery |-----------------| Internet |
    |      |        |   Box   |     +-----+     +----------+
    | NIC2 |--------|         |-----| LAN |
    +------+        +---------+     +-----+

    When the user wishes to access the Internet, the local network connection
    is automatically severed. Granted, we could (and do) use software
    firewalls (ZoneAlarm), but that's not sufficient to bring peace of mind
    to the owner, because ZoneAlarm can be turned off or otherwise easily
    disabled. A hardware solution would be less likely to be defeated by a
    casual user. Does such a device exist?

    It may be that such a device is impractical as it would be constantly
    tripped by wayward packets, or far too expensive, as equipping each PC
    with its own firewall. I have tried convincing the owner that a good
    firewall/router will provide considerable protection to the LAN as a
    whole, but he's unwilling to take the risk of outside intrusion, however
    small. A device that physically disconnects the PC from the local
    network while on the Internet appeals to his sense of security.

    Thanks in advance for any comments.

    -Bill
     
    Bill Grzanich, Jun 26, 2003
    #1

  2. I may be wrong here, but I don't think a device like you describe has ever
    been conceived. Not to mention the cost in running extra cable and
    secondary NICs. I think your best bet is to sit your boss down and explain
    to him the birds and bees of TCP/IP networking; he seems to me to be one
    of those people who either know enough to be dangerous, or have seen
    WarGames and Hackers too many times. Just my opinion.
     
    Circuit Burnout, Jun 26, 2003
    #2

  3. jcHeeper Guest

    Bill Grzanich wrote:

    <lots of configuration stuff snipped>

    You need to tell your boss (in a nice way) that disconnecting the Ethernet
    when the modem is active will only minimally protect your network, if
    really at all. You see, a hacker is hitting your COMPUTER and then using it
    to do his dirty work on your network. Most of the problem files work from a
    known computer to explore the network to which they are attached and then
    report back. For example:

    I could write a small program to load into your computer through a known
    Windows security hole. Then it would check every so often to ascertain if
    it saw any other computers on the network. When it does, I could also
    infect those computers if they are vulnerable and do whatever I needed to
    get done. They then report to the first computer which holds the
    information on your passwords, security, etc. until it connects to the
    Internet again. Then it sends the info to some place I designate.

    So you see, the only way to truly protect your network is not have it
    connect to the Internet (or any other network) at all. And even then it is
    still vulnerable to an inside attack should an employee decide to do so.

    It sounds to me like your boss thinks he knows a little more than he
    really does about computers and networks. This is not an uncommon trait in
    bosses. :) You know him well enough to decide how you should approach him
    on the matter. I would try to show him by using a hardware firewall and
    some basic security monitoring, you can get to an "acceptable risk" factor.
    On the other hand, your boss may be the type who does not have a level of
    "acceptable risk" which is reachable given his budget.

    Good luck with it. I have run into this type of person many, many times.
    Some times you can reason with them, other times you just have to accept
    their way of doing things until you either find another job or can convince
    him otherwise.

    jc
     
    jcHeeper, Jun 27, 2003
    #3
  4. jcHeeper Guest

    An addendum to that last posting:

    If you are running only Linux-equipped computers on the network, then with
    some tweaks and free monitoring software, you can keep a pretty good eye on
    the comings and goings of people. You can also secure each machine pretty
    well locally.

    jc
     
    jcHeeper, Jun 27, 2003
    #4
  5. root Guest

    This is simply the stupidest thing I have ever heard!

    Buy a broadband NAT router - if you want protection from the nasty icle
    internet then the following will work.

    1) Use NAT - you can see out, the internet can't see in
    2) Don't use Internet Explorer
    3) Don't use Outlook/Outlook Express, or use a virus filter inserted before
    the email client

    The danger from the internet is code running on the client reaching out;
    with NAT the net can't see in - so as long as you don't have a mechanism to
    get nasty code onto the machines then the security problems go away.
     
    root, Jun 27, 2003
    #5
  6. Rick Cooper Guest

    It seems to me your boss's concern is having errant internet traffic
    wandering through your LAN while a user is connected to the internet. If you
    place your firewall on the perimeter and all traffic in and out has to pass
    through the firewall, you have the security you desire (with proper
    firewalling rules).

    1. Since you have masqueraded all the internal IPs to a single IP, each
    foreign host talks only to the firewall device, and it keeps track of the
    sessions and sends the inbound packets where they need to go. No foreign
    host ever talks directly to the internal machine (even though they "think"
    they are).
    2. Since your FORWARD rules should drop everything by default and pass
    through only packets meeting specific rules such as established,related
    connections, even if someone tried to make an inbound connection to a host
    within the LAN it would be dropped. In other words, if Bill connected to
    evil.com and evil.com tried scanning for other hosts within the LAN, the SYN
    packets wouldn't make it through the firewall.

    I recommend you and your boss sit down and look at a few articles dealing
    with internet security and iptables and rethink the entire concept of
    security. Allowing individual computers their own individual internet access
    would scare me! Even if your LAN connection is broken during the internet
    connection, that does NOT stop viruses and trojans from gaining access to
    your local LAN. They will wait patiently until there is a network connection
    and spread. The way your boss's thinking goes, if all the computers on the
    local LAN are turned off while another PC is connected to the internet, they
    cannot be compromised because virus/trojan authors are not smart enough to
    write their programs to periodically scan the network for new machines?

    Start with these:
    http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
    http://en.tldp.org/HOWTO/Security-HOWTO/
     
    Rick Cooper, Jun 27, 2003
    #6
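    The perimeter rule set Rick describes (masquerade the LAN behind one address, default-DROP on FORWARD, pass only replies to connections the LAN opened), as an added example that is not from the thread or from any poster. Interface names and the LAN range are assumptions; the script prints an iptables-restore rule set for review rather than applying it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 faces the
# Internet, eth1 faces the LAN, and the LAN is a constructed 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the policy in iptables-restore format. Printing it lets you inspect
# or diff it first; apply with: gen_rules | iptables-restore
gen_rules() {
cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Every LAN host leaves as the firewall's own address (point 1 in the post).
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# Default policy DROP on INPUT and FORWARD: nothing passes unless a rule below
# explicitly allows it (point 2 in the post).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Replies to sessions the LAN started may come back in...
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ...and only the LAN side may open NEW sessions, toward the WAN.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Self-check before applying: FORWARD must default to DROP, and no rule may
# ACCEPT a NEW connection arriving on the WAN interface (the evil.com scan
# case from the post). Returns 0 when the rule set passes.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    echo "$rules" | grep -E "^-A FORWARD -i $WAN_IF .*NEW.*-j ACCEPT" >/dev/null && return 1
    echo "$rules" | grep -q "MASQUERADE" || return 1
    return 0
}
```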
  7. Thanks for the comments. I suspected as much, but I thought I would ask.
    I've had several discussions with the owner over the past three years
    about network security, and he simply doesn't believe that anything short
    of a disconnect is secure enough... the so-called "air gap". I agree
    that there is a risk of some malevolent code being deposited on a PC
    while it's connected to the Internet, but we've also installed ZoneAlarm
    and antivirus software to guard against that. And, yes, I see the irony
    of that: "It's okay to dial into the Internet with antivirus and firewall
    software, as long as you're not connected to the local network. But
    bringing the Internet into our network through a firewall and router
    isn't secure enough!" It does seem to be a contradiction. Perhaps I'll
    point that out to him when I have an hour or two to spare.

    Thanks, again, everyone.

    -Bill
     
    Bill Grzanich, Jun 27, 2003
    #7
