Isolate my domain from the Internet?

Microsoft Windows server 2003 r2 enterpr...
April 28, 2010 at 17:55:04
Specs: Windows XP
Hi, I have a win2003r2 domain (which I would like to stay away from the internet). The domain controller answers logon requests through a simple 5-port gigabit switch; I use 192.168.10.x for this. I also have 2 computers with internet access delivered by a Thomson modem/router with 4 "LAN" ports (on 192.168.1.x). Those 2 computers are multihomed. My intent is to use the second NIC from those computers to connect to the domain. (I need to upload stuff downloaded etc. to my main server using distributed file system.)

My question is:

If I use 2 NICs on the same computer with different subnets, would my domain be secured from the Internet?

note: using only Windows Firewall on the internet-facing NIC

thank you!


#1
April 28, 2010 at 18:14:02
If you can afford the Enterprise edition of Server you can afford a real firewall router. I have had great experience with SonicWall.

#2
April 28, 2010 at 18:28:17
Yes, you are right, I should use a real firewall, but my main concern here is... can the internet see my internal network using this configuration?

#3
April 29, 2010 at 06:46:56
If the dual-homed PC gets compromised, your network is compromised.

#4
April 29, 2010 at 07:11:58
I have to agree with wanderer. You're making something that should be simple, a whole lot more complex. Remember, always apply the "KISS" principle whenever possible.

The simpler the setup, the less to go wrong with it and the easier to troubleshoot when something does go wrong.

#5
April 29, 2010 at 10:31:59
Reply:

I have to agree with wanderer. You're making something that should be simple, a whole lot more complex. Remember, always apply the "KISS" principle whenever possible.

The simpler the setup, the less to go wrong with it and the easier to troubleshoot when something does go wrong.

Re:

That means I actually have to plug and unplug the LAN cable when I want to "upload" stuff to the server?

I thought that with different subnets I could achieve some kind of isolation. If I try to ping the NET NIC of one of those workstations from a domain computer I get "destination host unreachable". Since I have no routing enabled between the 2 NICs (LAN and NET), shouldn't this work the other way around?

#6
April 29, 2010 at 10:35:54
TCP/IP by itself is not secure. Security is built upon more than that. For example, what would prevent a hacker from bridging the dual-homed PC to then access the DC? The answer is nothing. Nothing = no security. Ping is no test for security.

#7
April 29, 2010 at 10:41:09
Reply:

If the dual-homed PC gets compromised, your network is compromised.


Re:

Let's assume the workstation never gets compromised, and yes, what a great assumption... but is the LAN reachable with this setup? Since I'm no expert whatsoever in the field, can I use this configuration without thinking my files are flying all over the NET? Thanks..

#8
April 29, 2010 at 11:14:45
Reply:

TCP/IP by itself is not secure. Security is built upon more than that. For example, what would prevent a hacker from bridging the dual-homed PC to then access the DC? The answer is nothing. Nothing = no security. Ping is no test for security.

Re:

Even if the workstation does NOT use domain-based policy, I make changes to the Local GPO using gpedit, for instance:

"Prohibit use of Internet Connection Sharing on your DNS domain network" ENABLED

Surely ping does not test security. I apply security at NTFS level as best as I can / know; I just stated ping as a simple tool to test if I can reach the other segment.

#9
April 29, 2010 at 11:41:27
Flock, you don't have to quote what was written previously in each post. Save yourself some time.

I don't believe you understand the threat you are guarding against. A hacker would have no problem undoing your registry changes on the dual-homed machines.

In isolating your server you can't do updates, which is what closes known holes in MS security.

There is a reason why we practice standard operating procedures for securing networks. For example, my business wing has two different firewalls in series, with the idea that we should be able to detect if the first is compromised before the second one is compromised. There is a reason for firewall subscription services. There is a reason for stateful packet inspection and exploit denial.

You have none of these protections given your setup.

I would add that NTFS security is file-level security. If network security has been breached, NTFS security does not matter. It's like saying I chained up the chickens but forgot to close the door to stop the fox from entering.

#10
April 29, 2010 at 12:20:52
I went back to the start and reread your initial post.

You stated you want your 2003 domain isolated from the internet and that you have two domain clients you want to have internet access.

The simple (KISS) way to achieve this is to buy a SOHO router. Plug the internet into the WAN port and your switch into a LAN port and the server and clients in the switch. Use DHCP on all computers except the server (this has to have a static IP) and the two clients you wish to access the internet.

For the DHCP clients, stopping them from accessing the internet is as simple as removing the gateway IP from the DHCP settings. With no gateway IP, DHCP clients can't go outside the local zone (LAN).

On the two clients you want to have accessing the internet, you statically assign them IPs in the same subnet but outside the defined DHCP scope, and you do assign them the gateway IP (which should be the LAN IP of the SOHO router).

If you do not want the server to access the internet, again, remove the gateway IP.

NOTE: You would still need to enable DNS forwarding on the server itself and forward its DNS to your ISP's DNS servers. This is necessary since all domain clients must authenticate to your DC and that will be the client DNS address. With forwarding configured, the two PCs able to access the internet would contact the DC for DNS resolution, and requests outside the local zone would be forwarded to your ISP's DNS servers to be resolved by them.

Since a SOHO router comes equipped with a firewall, your server and clients are all reasonably safely isolated from the internet by the router/firewall.... voila! Your aim is achieved. Two PCs are able to access the internet, no other PC or server is, and your LAN is isolated from the internet.

For an extra layer of security, you could also enable the built in firewalls on each of the aforementioned.

If you'll pardon my saying so, what you're trying to do makes no sense. Using the above setup, which I might add is a typical setup used by thousands of businesses and millions of home users, will provide good isolation from intrusion which is likely your main concern.

#11
April 29, 2010 at 12:22:23
Ok, I understand what you're saying and thanks for the advice. So, in my current setup the only thing preventing an intrusion is NAT from my router.. am I right?

I think you misunderstood my "isolation" point of view. Actually it is more like a doubt I have had for some time and I can't get an answer; if I google around etc... it all comes to internet connection sharing! I just want the opposite.

In one PC with 2 network interface cards, one set up as 192.168.10.x and the other as 192.168.1.x, and with "file and printer sharing etc.." disabled on one of them, can they talk? (I don't have Routing and Remote Access enabled or any sort of routing protocol enabled.)

I really don't want to expose the DC to the internet even for updates, as I manually install security updates myself.

I have various domain-based distributed file system roots on the DC and use a lot of replication on my domain. What I'm trying to do here is use some PC to browse the internet, retrieve files etc., and use DFS on the other NIC to replicate to the server, so I thought if I multihomed those PCs I could get away with it.

Well... can you advise?


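Added example, not from the thread: a small routing-table model of the two points argued above. Post #10's claim is that a DHCP client with no default gateway has no route off its subnet; post #11 asks whether a PC with one NIC on each subnet lets the two sides talk. The subnets are the thread's own 192.168.1.0/24 (router side) and 192.168.10.0/24 (domain side); the host addresses, the 198.51.100.7 internet address and the IPEnableRouter flag name used for Windows IP forwarding are assumptions for the example.

```python
# Constructed example: longest-prefix-match routing for the thread's two subnets.
import ipaddress

def next_hop(routes, dst):
    """routes: list of (network-string, gateway-or-None). Returns the gateway
    address, 'direct' for on-link delivery, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] or "direct"

def host_routes(ifaces, default_gw=None):
    """Routes a host derives from its interface addresses (CIDR strings):
    one on-link route per NIC, plus 0.0.0.0/0 only if a gateway was given."""
    routes = [(str(ipaddress.ip_interface(a).network), None) for a in ifaces]
    if default_gw:
        routes.append(("0.0.0.0/0", default_gw))
    return routes

# Post #10's layout: ordinary domain clients get an address but no gateway,
# the two browsing PCs get a static address plus the SOHO router as gateway.
LAN_ONLY = host_routes(["192.168.1.50/24"])                        # constructed
NET_CLIENT = host_routes(["192.168.1.200/24"], default_gw="192.168.1.1")

def dual_homed(ifaces, ip_enable_router, dst):
    """Post #11's question. A dual-homed PC relays packets between its NICs only
    when IP forwarding (IPEnableRouter on Windows) is on. With it off, a packet
    arriving for the other subnet is dropped, but the PC itself stays reachable
    from both sides, which is the exposure posts #3 and #6 point at."""
    own = {str(ipaddress.ip_interface(a).ip) for a in ifaces}
    if dst in own:
        return "delivered locally"
    if next_hop(host_routes(ifaces), dst) is None:
        return "dropped: no route"
    return "forwarded" if ip_enable_router else "dropped: forwarding off"

if __name__ == "__main__":
    print(next_hop(LAN_ONLY, "198.51.100.7"))      # None: no gateway, no internet
    print(next_hop(NET_CLIENT, "198.51.100.7"))    # 192.168.1.1: via the router
    print(dual_homed(["192.168.1.60/24", "192.168.10.5/24"], False, "192.168.10.1"))
```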
#12
April 29, 2010 at 12:50:31
In re: to Curt R

First off thank you for your reply.

But you're getting me wrong.. My LAN is completely ALIEN to the Internet. My DNS only resolves internal names. My LAN PCs get their IP from the server DHCP.

The other 2 computers get their IP from the router (DHCP).

The only way those 2 networks can touch each other is in the multihomed computers, which I don't want..

I have a DFS target on, say, NET PC A and want to replicate the content of the share to SERVER PC X. That's it! No internet communications between the 2 "LANs".

#13
April 29, 2010 at 13:15:55
I work at a hospital/treatment center and understand completely about having an air gap between the clinical LAN and the internet.

#14
April 29, 2010 at 13:37:05
Exactly what I want :) an air gap... I just need the 2nd NIC facing the LAN to talk to the domain, not the other (EVIL) one..

#15
April 29, 2010 at 13:51:26
Well, the multihomed idea should work just fine then. I wasn't getting that you had to have the separation. Now I do. I'm not always the sharpest tool in the shed......lol

If it were me, I'd just leave the domain-facing NIC disabled until I had files to transfer. Then I'd disable the internet NIC and enable the domain NIC, do the transfer, and then swap the NICs back again.

If you're really concerned about intrusion through your multihomed box, just physically unplug the domain-facing NIC when it's not being used. There's no way on earth a hacker could bypass that!

#16
April 29, 2010 at 14:10:48
That is exactly what I have been doing... first plug and unplug, a few weeks later (tired of in/out) enable/disable etc... This is my main problem here; should I have the "know how" I would never have posted.. maybe this is trivial to most network gurus. If the 2 NICs can't see each other then I will leave the connection enabled,

because one of the advantages of using distributed file system in this way is automatic replication if something changes in a folder, like a new download. This really saves me the hassle of using external USB disks, etc., that sort of stuff to move files around..
