
Question about Web Server/LAN


Original Message
Name: Larry21
Date: March 10, 2005 at 03:33:04 Pacific
Subject: Question about Web Server/LAN
OS: Linux
CPU/Ram: P2 64MB RAM
Comment:

Hi,

I'm thinking of setting up an older computer on the local network to act as a full web server, activating 'port forwarding' on the DSL router to allow requests from the Internet. The thing is that while it wouldn't be the end of the world if someone decided to hack the server, I'm thinking that were someone to do that, couldn't he then just have full access to the entire local network and everything else that might be connected?

Because of this problem I'm hesitating to set it up...

Of course I would try as best as possible to keep security updated and set up properly, but it's never 100% and it's not worth this little experiment if there would be a real risk to the rest of the network...

My question is basically this: is there a way to isolate this one computer and not allow it to access any other local computer no matter what? It would be best if this could be done through the router itself (it's a Linksys WRT54G); that way there wouldn't be a need to set up a firewall on each computer and lock out the MAC address of the server... (though in truth it would be good if each networked computer could access it, but as long as there is an absolute rule that this computer never ever can possibly have access to any other computers on the network unless it was requested for something by the other computer itself...)

If anyone has ANY ideas or suggestions, I'd greatly appreciate it.

Thanks,
Larry



Response Number 1
Name: iamc
Date: March 10, 2005 at 15:20:51 Pacific
Subject: Question about Web Server/LAN

Sounds like you want to put the web server in a DMZ. Fortunately, the WRT54G has this capability built in. Check out the manual for instructions on how to implement it. Or, failing that, this is reasonably lucid.



Response Number 2
Name: Larry21
Date: March 10, 2005 at 22:26:55 Pacific
Subject: Question about Web Server/LAN

Thanks, but I think that the DMZ would do the exact opposite of what I'd need... You see, it would be fairly simple to set up the server with the router etc., but *supposing* someone decides to take control of the server (without permission), my concern here is that they could then just waltz around on the LAN and do whatever to the other computers... Being that the server wouldn't be anything too vital, it wouldn't be the end of the world if someone compromised it, *however* if through it they could gain access to the rest of the network, then I probably wouldn't even set one up because it wouldn't be worth the risk...

So basically I would need some way to isolate the server from the LAN...

If anyone has any ideas I'd appreciate it...

Thanks,
Larry



Response Number 3
Name: iamc
Date: March 11, 2005 at 08:20:44 Pacific
Subject: Question about Web Server/LAN

"So basically I would need some way to isolate the server from the LAN"

This is exactly what a DMZ is. Any computers on the DMZ are isolated from the rest of the LAN.

What you want to do is basically a textbook definition of DMZ. Any computers you put in the DMZ are, effectively, on a separate network from your other computers. If they are compromised, there is no way for an attacker to use them to attack your other systems.



Response Number 4
Name: Larry21
Date: March 11, 2005 at 09:49:27 Pacific
Subject: Question about Web Server/LAN

Hmm, I thought that DMZ would basically just take away the NAT firewall from that particular IP... In other words if you needed a dedicated gaming server or some other type of server then you could just open all its ports and have a local firewall...

Are you certain that DMZ would effectively cut it off from the rest of the network? Would that mean that someone on the network would also not be able to have access to its files, etc.? Also, suppose an attacker got in, couldn't he detect that it was on a LAN through a router and just hack the router and turn off the limitations...?

I'm just trying to understand what people do in such situations as I'm sure that I'm not the first one to have this concern...

(Of course nothing is foolproof, but some things are just called stupid and other things are called smart; to just plug in the server and leave it open to the web for someone to hack and gain access to the LAN would not be smart, I don't think...)

PS- If I would set the firewalls on each individual system to not allow any connections from that particular MAC address, is there a way for someone to override that setting? In other words suppose someone had full access to this server, could he, in theory, override somehow the local settings of each individual computer which is blocking access to the server?

Thanks,
Larry



Response Number 5
Name: Larry21
Date: March 11, 2005 at 09:51:44 Pacific
Subject: Question about Web Server/LAN

Sorry, I looked up your link only after posting and I see that DMZ is exactly what you said...

But the other questions I'm still not clear on...

Thanks,
Larry




Response Number 6
Name: iamc
Date: March 11, 2005 at 10:25:57 Pacific
Subject: Question about Web Server/LAN

Still not clear on....the rest of it? Actually, you are clearer than you think.

The DMZ does, in a way, "take away" the firewall from whatever computer(s) you put in the DMZ. This serves two purposes. The first is to allow DMZ'd hosts to act as Internet servers. The second is to isolate those Internet-facing servers from the rest of your network.

If an attacker compromises a DMZ host, he would only have access to the DMZ network. Since the DMZ network is effectively "cut off" from your internal LAN, a compromised DMZ host has no more access to your LAN than any other computer outside the LAN would. Same goes for the router. DMZ hosts have no more access to the router than any other computer on the Internet.

You're right that it's not smart to expose a server to the web. But you have to, if you want the server to be accessible. You should always assume that any Internet-facing computer is already compromised and plan your network accordingly. In practice, that means isolating your Internet servers from the rest of your network. By using a DMZ, you can expose your servers and still protect your network. This is, on a small scale, what people do in such situations.

Firewalling individual hosts and disallowing traffic from a particular MAC address isn't going to be very effective. It would require a lot of extra administrative effort, and source MAC addresses can be easily spoofed. So yes, in theory anyone with full access to your server (which you must assume is true if the server is compromised) can potentially gain full access to any other host on your network. This is why you separate the two networks using a DMZ.


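As an added illustration of the separation iamc describes (example code written for this page, not anything posted in the thread or taken from Linksys firmware): a small Python model of the forwarding decisions a stateful firewall with three legs (WAN, LAN, DMZ) makes. The interface names, the 192.168.1.0/24 LAN and 192.168.2.0/24 DMZ addresses, the single published port 80 and the connection-tracking table are all assumptions of the example. It shows the rule Larry asked for in the original post: a LAN computer may open a connection to the server and the replies are let back through because the flow is tracked, but any connection the DMZ host itself tries to open toward the LAN or toward the router is dropped, whether or not it is dressed up as a "reply". One caveat a practitioner would want: on many consumer routers of this period, including stock Linksys firmware, the "DMZ host" setting only forwards all unsolicited inbound ports to one address that stays on the same switch and subnet as the other computers; the segment separation modelled here needs a firewall with a third interface or VLAN, or a second router between the server and the LAN.

```python
"""Model of a three-legged stateful firewall (WAN / LAN / DMZ).

Example code for this page, not the WRT54G's configuration. The leg names,
addresses, published port and flow table below are assumptions.
"""
from dataclasses import dataclass

WAN, LAN, DMZ = "wan", "lan", "dmz"
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    in_if: str      # leg the packet arrived on (set by the router, not by the sender)
    out_if: str     # leg it would be routed out of
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool       # True for the first packet of a TCP connection (a NEW flow)


class DmzFirewall:
    def __init__(self, web_server="192.168.2.10", web_port=80):
        self.web_server = web_server
        self.web_port = web_port
        # Connection-tracking table: (client_ip, server_ip, server_port)
        # for every flow this firewall has already accepted.
        self.flows = set()

    def forward(self, p: Packet) -> str:
        """Decide a packet passing between two legs (the FORWARD chain)."""
        # 1. ESTABLISHED: a reply belonging to a flow we accepted earlier.
        if (p.dst, p.src, p.sport) in self.flows:
            return ACCEPT
        # 2. A non-SYN packet with no tracked flow is a forged "reply": drop it.
        if not p.syn:
            return DROP
        # 3. NEW connections are decided by the leg they enter and leave on.
        allowed = (
            (p.in_if == LAN and p.out_if in (WAN, DMZ))          # LAN may reach anything
            or (p.in_if == DMZ and p.out_if == WAN)              # server may fetch updates
            or (p.in_if == WAN and p.out_if == DMZ               # the one published service
                and p.dst == self.web_server and p.dport == self.web_port)
        )
        # DMZ -> LAN and WAN -> LAN never appear above, so they fall to the default: DROP.
        if allowed:
            self.flows.add((p.src, p.dst, p.dport))
            return ACCEPT
        return DROP

    def input_to_router(self, p: Packet) -> str:
        """Decide a packet addressed to the router itself (the INPUT chain):
        only the LAN leg may reach the admin interface."""
        return ACCEPT if p.in_if == LAN else DROP


def demo():
    """Run the scenarios from the thread and return (description, verdict) pairs."""
    fw = DmzFirewall()
    cases = [
        ("LAN client opens SSH to the DMZ server",
         Packet(LAN, DMZ, "192.168.1.20", "192.168.2.10", 50000, 22, True)),
        ("server answers that LAN client",
         Packet(DMZ, LAN, "192.168.2.10", "192.168.1.20", 22, 50000, False)),
        ("compromised server opens SMB to a LAN box",
         Packet(DMZ, LAN, "192.168.2.10", "192.168.1.20", 40000, 445, True)),
        ("compromised server forges a 'reply' to a LAN box",
         Packet(DMZ, LAN, "192.168.2.10", "192.168.1.30", 80, 50001, False)),
        ("Internet visitor fetches a web page",
         Packet(WAN, DMZ, "203.0.113.7", "192.168.2.10", 40001, 80, True)),
        ("Internet visitor tries SSH on the server",
         Packet(WAN, DMZ, "203.0.113.7", "192.168.2.10", 40002, 22, True)),
        ("Internet host tries to reach the LAN directly",
         Packet(WAN, LAN, "203.0.113.7", "192.168.1.20", 40003, 445, True)),
    ]
    results = [(desc, fw.forward(pkt)) for desc, pkt in cases]
    results.append(("compromised server tries the router admin page",
                    fw.input_to_router(Packet(DMZ, "", "192.168.2.10", "192.168.2.1", 40004, 80, True))))
    return results


if __name__ == "__main__":
    for desc, verdict in demo():
        print(f"{verdict:6} {desc}")
```

Two design points carry the thread's argument. The policy is default-deny with an explicit allow list, so the DMZ-to-LAN direction is never written down as a rule at all; it is simply absent. And nothing keys on a MAC or source IP the server controls: the decision uses the interface the packet physically arrived on, which a compromised host cannot forge, while the flow table is only ever populated by connections the LAN side initiated. That is the difference between this and the per-host MAC filtering dismissed in the reply above.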

Response Number 7
Name: Larry21
Date: March 11, 2005 at 11:43:24 Pacific
Subject: Question about Web Server/LAN

Thanks a million! That clarified it very much. I think that what I'm going to do is use a small Linux Apache OS as the server, configured with a good firewall, and set the router to DMZ it. Of course someone could always do a port scan on the IP and figure out that it's a router he's pinging and then work on compromising the router from the outside and then setting things up in a way to gain access to everything... But I'm not going to go crazy over this; I hope that the router's security (it's running a Linux-based system) is good enough to prevent such things...

All in all, as is pretty clear, nobody with a computer facing the web is safe- but you could be more safe or less safe I guess. I hope that this server gets into the 'more safe' category...

Thanks again,
Larry



Response Number 8
Name: iamc
Date: March 11, 2005 at 11:57:50 Pacific
Subject: Question about Web Server/LAN

Sounds like a good plan. Good luck with your project :)

Just out of curiosity, what are you running as your router/firewall?



Response Number 9
Name: Larry21
Date: March 12, 2005 at 18:11:39 Pacific
Subject: Question about Web Server/LAN

I'm using just a regular WRT54G Linksys Router... But it runs a Unix-based system that theoretically is pretty customizable...

(Do you think that the security of the NAT on the router is good enough? I mean of course I would set up a firewall on the server itself, but do you think that someone could easily compromise the router itself, thus allowing him to unDMZ the router and play with everyone on the LAN?)



Response Number 10
Name: iamc
Date: March 12, 2005 at 18:19:27 Pacific
Subject: Question about Web Server/LAN

Is it good enough? Probably. There is a much greater chance of one of your computers being compromised than the router itself. Don't make yourself crazy worrying about it.



Response Number 11
Name: Larry21
Date: March 12, 2005 at 23:09:39 Pacific
Subject: Question about Web Server/LAN

All right, thanks.

BTW, it's really amazing what's happening on the net these days. I decided to try something: I shut off the NAT on the router for a few minutes. What happened is that the software firewall on the computer here started popping up with permission windows left and right... and then it started getting even more frequent as I left it open. I then uncloaked the router (allowing pings) and then it became almost like I was having a full port scan happening! I couldn't believe it! That would mean that the average person with a simple computer connected to the net directly through a modem or DSL/Cable etc. probably has been hacked to some extent at some point... I don't see how not?!

However, when the pinging is set not to respond and the NAT is active, then I hardly ever get a need to use the software firewall... (though I'm sure that if I had a server on this IP then it would be a natural candidate for a full port scan, which would show that it's a LAN, and then that would cause someone to be able to target the local computers instead of the server... Just trying to be as paranoid as possible here...)


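The flood of connection attempts Larry saw once the router stopped dropping unsolicited traffic is what a port scan looks like from the receiving end, and the usual way to tell a scan from ordinary background noise is to count how many distinct ports one source probes in a short time. As an added example (not part of the thread), here is a small Python detector that reads netfilter-style LOG lines and flags such sources. The log lines are constructed for this example; the SRC= and DPT= field names are the ones the Linux iptables LOG target writes, while the hostname, interface name, addresses, the ten-port threshold and the sixty-second window are assumptions.

```python
"""Port-scan detection over iptables LOG lines (example code for this page)."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamp followed by the netfilter fields we need. Lines without
# a DPT= field (ICMP, or non-firewall lines) deliberately fail to match.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2005):
    """Return (timestamp, source_ip, dest_port), or None if the line has no DPT.
    Syslog omits the year, so the caller supplies it (2005 for this thread)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_scans(lines, min_ports=10, window_s=60):
    """Map each source that hit at least `min_ports` distinct destination ports
    within any `window_s`-second window to the largest such port count."""
    events = defaultdict(list)              # src -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))

    offenders = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Advance the window start until it spans at most window_s seconds.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            ports = {dpt for _, dpt in evs[lo:hi + 1]}
            if len(ports) >= min_ports:
                offenders[src] = max(offenders.get(src, 0), len(ports))
    return offenders


# Constructed sample: one host sweeping twelve common ports in twelve seconds,
# one host making two ordinary web requests, and an ICMP echo with no DPT.
SAMPLE_LOG = [
    f"Mar 12 23:09:{41 + i:02d} router kernel: DROP IN=vlan1 OUT= "
    f"SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT={40000 + i} DPT={port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389])
] + [
    "Mar 12 23:09:45 router kernel: DROP IN=vlan1 OUT= SRC=198.51.100.5 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=80 SYN",
    "Mar 12 23:09:50 router kernel: DROP IN=vlan1 OUT= SRC=198.51.100.5 DST=198.51.100.20 PROTO=TCP SPT=51001 DPT=80 SYN",
    "Mar 12 23:09:52 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for src, count in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports in one window")
```

The sliding window is what keeps this from flagging a busy but legitimate client: a host that connects to port 80 a hundred times touches one port, while a scanner touches many in seconds. The thresholds are a starting point to tune against your own logs, and the count returned per source tells you how far over the line it was.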
