Cycling and bicycle discussion forums
Forum: Foo (Off-Topic chit chat with no general subject)
#1  MrCrassic (Senior Member, Thread Starter; Brooklyn, NY), posted 11-07-08, 07:34 PM
For network specialists - setup question.

A while ago, I started a thread about switching one of my servers over to Debian Etch. The switch was successful, and its only use right now is as a SAMBA server.

However, I tried to set it up so that it can only be accessed internally. I'm looking for a critique. I can post a diagram later if anyone wants to see it.

There are three routers in the setup. One of them is a DSL router that is on the DMZ so I didn't have to bridge it. It connects to the WAN of a wireless router, which I tried to configure to allow VPN and SSH (for internal use ONLY). The router will connect via ethernet to the VPN server, which will have two NICs. The other NIC will be connected to a DMZed router, which will connect my SAMBA server and any other computer using that network.

Is this a good setup? What security implications should I worry about?

Thanks!
__________________
Ride more.

Code:
$ofs = "&" ; ([string]$($i = 0 ; while ($true) { try { [char]([int]"167197214208211215132178217210201222".substring($i,3) - 100) ; $i = $i+3 } catch { break } })).replace('&','') ; $ofs=" "
#2  ehidle (T-Shirt Guy; Lansdale, PA), posted 11-07-08, 07:39 PM
Yeah it's a little hard to wrap around your verbal description. But, the first question that comes to mind is, why three routers? What are you trying to segregate from what? Do you have a specific reason for multiple networks?

What are your specific security requirements? The security implications depend on the requirements.
#3  mlts22 (Senior Member), posted 11-07-08, 07:43 PM
I'm not sure if one router is doing the firewall work between your DMZ and your internal network, or if it's handing traffic to the other routers.

For the router connecting to the Internet, PPP over SSH is one way to bridge so if you are not at home and want to access your Samba shares you can; PPTP is another way.
#4  MrCrassic (Senior Member, Thread Starter), posted 11-08-08, 02:20 PM
I'm using PPTP right now, but I would like to set up my VPN with a more secure protocol. I'll Visio up what I'm trying to do.
#5  DannoXYZ (Senior Member; Saratoga, CA), posted 11-08-08, 02:22 PM
Also list brands & models of the routers. Do you need a DMZ? Do you need file-sharing access at a remote location?

#6  MrCrassic (Senior Member, Thread Starter), posted 11-09-08, 07:49 PM
Turned out that it didn't need to be complex at all!

Here's the scenario:

  • DSL MODEM: This connects our network to the Internet, obviously. Set it to Bridge mode; I put it in a DMZ to send all ports open to the wireless access point, but it turned out that its built-in firewall was still mucking it up.
  • WAP 1: This wireless access point is more for the people using the Internet on another floor. I used this also, but the purpose of this post was to eliminate the need to. This is connected directly to the DSL modem, and not including wireless clients, my Debian server and the second WAP are connected directly to it on eth0 and eth1.
  • WAP 2: This is my wireless access point. It's connected directly to WAP 1 and no other devices connect to it. Using this access point improved my signal SIGNIFICANTLY.

I was going to connect to my stuff using VPN, but I finally figured out the proper way to use SSH to connect to my SAMBA shares. So all I'm running right now is SSH on that server, which lets me connect to my two shares. It works amazingly; I'm so happy!
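The setup in post #6 only holds if smbd itself stays off the address that faces WAP 1 and the DSL side: the SSH-only exposure is undone if Samba is still listening on every interface. The following is an added example, not code from this thread, that audits the [global] section of an smb.conf for the four directives that pin Samba to the internal side. The two sample configs are constructed, and the choice of eth1 as the internal interface and 192.168.1.0/24 as the LAN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the [global] section of an
# smb.conf for the directives that keep smbd off the outside-facing address.
# Paths, interface names and subnets below are assumptions.

# Print the value of one [global] key (lowercased), or nothing if absent.
# Samba keys may contain spaces ("bind interfaces only"), so match the whole
# text before "=" rather than a single word.
smb_global_value() {   # $1 = smb.conf path, $2 = key (lowercase)
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print tolower(v); exit }
        }' "$1"
}

# Return 0 only if every check passes; one line per failing check on stdout.
smb_internal_only_check() {   # $1 = smb.conf path
    conf=$1; fails=0
    bio=$(smb_global_value "$conf" "bind interfaces only")
    ifaces=$(smb_global_value "$conf" "interfaces")
    allow=$(smb_global_value "$conf" "hosts allow")
    deny=$(smb_global_value "$conf" "hosts deny")

    # 1. Without "bind interfaces only = yes" the interfaces list only steers
    #    NetBIOS/browsing; smbd itself still binds 0.0.0.0:445.
    case "$bio" in
        yes|true|1) ;;
        *) echo "FAIL: bind interfaces only = '${bio:-<unset>}' (want yes)"; fails=$((fails + 1)) ;;
    esac
    # 2. interfaces must be set and must not contain a wildcard address;
    #    lo is needed so SSH-forwarded connections (arriving from 127.0.0.1) work.
    if [ -z "$ifaces" ]; then
        echo "FAIL: interfaces unset (smbd would bind every address)"; fails=$((fails + 1))
    else
        case " $ifaces " in *" 0.0.0.0"*) echo "FAIL: interfaces contains 0.0.0.0"; fails=$((fails + 1)) ;; esac
        case " $ifaces " in *" lo "*|*" 127.0.0.1"*) ;; *) echo "WARN: interfaces lacks lo; tunnelled clients will be refused" ;; esac
    fi
    # 3. hosts allow: every entry must be loopback or RFC 1918. Second layer,
    #    effective even if a public address sneaks into interfaces.
    if [ -z "$allow" ]; then
        echo "FAIL: hosts allow unset"; fails=$((fails + 1))
    else
        for tok in $(printf '%s' "$allow" | tr ',' ' '); do
            case "$tok" in
                127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
                *) echo "FAIL: hosts allow entry '$tok' is not loopback/RFC1918"; fails=$((fails + 1)) ;;
            esac
        done
    fi
    # 4. hosts deny closes the rest; a "hosts allow" match wins over it, so
    #    denying 0.0.0.0/0 (or ALL) is safe next to the allow list.
    case "$deny" in
        all|0.0.0.0/0) ;;
        *) echo "FAIL: hosts deny = '${deny:-<unset>}' (want 0.0.0.0/0 or ALL)"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed samples (assumptions): a stock-looking Debian Etch smb.conf that
# listens everywhere, and a hardened one where eth1 is taken to be the LAN side.
write_sample_confs() {
    WEAK_CONF=$(mktemp) && HARD_CONF=$(mktemp) || return 1
    cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = %h server
   security = user
[music]
   path = /srv/samba/music
   read only = yes
EOF
    cat > "$HARD_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   ; eth1 = internal LAN (assumed); lo so SSH-forwarded clients are accepted
   interfaces = lo eth1 192.168.1.0/24
   bind interfaces only = yes
   hosts allow = 127.0.0.1, 192.168.1.0/24
   hosts deny = 0.0.0.0/0
[music]
   path = /srv/samba/music
   read only = yes
EOF
}

write_sample_confs
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
echo "== weak =="; smb_internal_only_check "$WEAK_CONF" || echo "-> $? check(s) failed"
echo "== hardened =="; smb_internal_only_check "$HARD_CONF" && echo "-> OK"
```

Run it against `testparm -s` output rather than the raw file when the config uses `include =`, so the effective values are what gets checked. The smb.conf settings are one layer; a packet filter on the WAN-facing interface that drops tcp/139, tcp/445, udp/137 and udp/138 is the independent second one, and the check above is only worth something if both are in place.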
#7  DannoXYZ (Senior Member; Saratoga, CA), posted 11-09-08, 09:50 PM
Bah! I HATE modems with built-in routers or firewalls. They're crap! Usually I like a different component for each function:

MODEM -> Barracuda Firewall/SPAM filter -> Cisco 6500 router/switch -> Wireless Access Points#1, etc, etc.

#8  mlts22 (Senior Member), posted 11-09-08, 10:14 PM
Quote (Originally Posted by DannoXYZ):
    Bah! I HATE modems with built-in routers or firewalls. They're crap! Usually I like a different component for each function:

    MODEM -> Barracuda Firewall/SPAM filter -> Cisco 6500 router/switch -> Wireless Access Points#1, etc, etc.

+1 there. I have a 2-Wire combination modem/router/wireless AP that initially came with my DSL connection. Its firewall and NAT abilities are passable, but I had to manually disable the wireless because it only supports WEP.

Eventually, I plan to see if AT&T can sell me just a plain CSU/DSU, and I can then use a real firewall/router/AP such as a Linksys WRT350N, or perhaps a 1TB Time Capsule. Both of these devices can be used as NAS heads, so I can hook up a big external drive array. This, combined with TrueCrypt, will give me decent, secure storage without having to remember where I stored what on which machine.

#9  MrCrassic (Senior Member, Thread Starter), posted 11-10-08, 09:22 AM
That would be an amazing backup solution. Too bad this is my grandma's house, so I can't exactly turn it into a server farm (though I have enough old computers to do it).

This is the first time I actually got SSH to work reliably. It's frackin' amazing. I can use Flickr at work now!

The only bite is that because I don't have permissions to disable File and Print Sharing or install a loopback adapter, I can't map my network drives. Bummer; would have been pretty rad to listen to music remotely.
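Post #6 says the shares are now reached "using SSH", and post #9 explains why mapping them from a Windows workstation at work fails: the Windows SMB client only talks to port 445, the OS already owns 445 on every local address, and the usual workaround (a loopback adapter with its own address, plus a forward bound to 445 on it) needs administrator rights to set up. On a Linux client none of that is needed, because mount.cifs takes a `port=` option, so the forward can sit on an unprivileged port. The script below is an added example, not code from this thread, that brings such a tunnel up and down; it assumes cifs-utils on the client, an SSH login on the Debian box, and that Samba there accepts connections from 127.0.0.1 (the tunnel terminates on the server's loopback). The host, share, user and mount point names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: mount a Samba share over an SSH
# local forward from a Linux client, so sshd is the only service exposed.
# Assumes cifs-utils on the client and an SSH login on the Debian box.
# Host, share, mount point and user names are assumptions.

# Can this user bind the local end of the forward? Ports below 1024 need
# root, which is why forwarding to local 445 is awkward; 4445 needs nothing.
local_port_ok() {   # $1 = port, $2 = effective uid (defaults to the caller's)
    port=$1; uid=${2:-$(id -u)}
    case "$port" in ''|*[!0-9]*) return 2 ;; esac          # not a number
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2  # out of range
    [ "$port" -ge 1024 ] || [ "$uid" -eq 0 ]
}

# -L spec: listen on the client's loopback only, so nobody else on the
# client's LAN can use the tunnel, and target 127.0.0.1:445 on the server,
# which is why smb.conf there must accept loopback (interfaces = lo ...).
forward_spec() {   # $1 = local port
    printf '127.0.0.1:%s:127.0.0.1:445' "$1"
}

smb_tunnel_up() {   # $1 = user@host, $2 = local port, $3 = share, $4 = mount point
    ctl=${TMPDIR:-/tmp}/smbtun.$$
    local_port_ok "$2" || { echo "local port $2: not bindable as uid $(id -u)" >&2; return 1; }
    # -f: background once the forward is up; -N: no remote command;
    # -M/-S: control socket so the tunnel can be closed by name later;
    # ExitOnForwardFailure: fail loudly instead of leaving no tunnel.
    ssh -f -N -M -S "$ctl" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$2")" "$1" || return 1
    # mount.cifs accepts port=, so the share is reached through the forward.
    if ! mount -t cifs "//127.0.0.1/$3" "$4" -o "port=$2,user=${SMB_USER:-${SUDO_USER:-$USER}}"; then
        ssh -S "$ctl" -O exit "$1"; return 1
    fi
    echo "$ctl"   # hand the control socket back for smb_tunnel_down
}

smb_tunnel_down() {   # $1 = user@host, $2 = mount point, $3 = control socket
    umount "$2"
    ssh -S "$3" -O exit "$1"
}

# Usage (assumed names; mount.cifs needs root, hence sudo):
#   sudo sh smbtun.sh up alice@home.example.org 4445 music /mnt/music
#   sudo sh smbtun.sh down alice@home.example.org /mnt/music /tmp/smbtun.<pid>
case "${1:-}" in
    up)   smb_tunnel_up "$2" "$3" "$4" "$5" ;;
    down) smb_tunnel_down "$2" "$3" "$4" ;;
esac
```

Because the mount needs root, ssh also runs as root under sudo and therefore uses root's keys and known_hosts; either give root its own key for the box or move the mount into an fstab entry with the `user` option and run the ssh half unprivileged. Binding the forward to 127.0.0.1 rather than 0.0.0.0 is the part worth keeping even if the rest is adapted: a forward bound to all addresses turns the client into an unauthenticated SMB gateway for everyone on its LAN.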
All times are GMT -6.