Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

DMZ & Secure zones in home LAN?


  • Please log in to reply
2 replies to this topic

#1 Odyssey42

Odyssey42

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 18 May 2010 - 02:08 PM

I have the following groups of devices on my LAN:

1) WiFi router, TIVO, Aluratek Internet Radio

2) 1 Linux and 2 Windows XP computers

3) Apple Mac Mini (used solely for photos and online banking)

I want Group 1 to be in a DMZ, isolated from Groups 2 & 3, and want to be able to use the Apple as the only device online when doing banking.

I am thinking of this setup:

Switch #1 to the WAN and connected to:

- Router #1 for Group 1 (this is the wireless router)
- Router @2 for Groups 2 & 3 (this router wired only)

Behind Router #2:

- using one port for Switch #2 for all of the Group 2 devices
- using one port for the Apple Mac Mini

The plan is that Group 1 should not have access to Groups 2 & 3 at any time, AND any time banking is to be done:

- Router #1 is unplugged from Switch #1 AND
- Switch #2 is unplugged from Router #2

leaving only the Apple online and only requiring unplugging of two ethernet cables.

This may seem like equipment overkill, but I have all the switches and routers that are needed, most of which are unused at the moment.

I don't understand enough about switches and routers to know whether one port of either device is effectively isolated from the other ports of the same device. So my question is how to improve/simplify the setup without compromising the objectives, or is this perhaps the minimum configuration to meet the objectives?

BC AdBot (Login to Remove)

 


#2 CaveDweller2

CaveDweller2

  • Members
  • 2,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:40 PM

Posted 19 May 2010 - 02:13 AM

I have no idea why you want such a convoluted network but if you don't want people to access other PCs put them in different workgroups. If you want the Mac to be the only thing online(which I have no idea why, your bank is using https which is encrypted) then first surf into the router and enable, on my Belkin its called Client IP filters it could be something else on yours, where you can block access via their IP. You just enable and save changes. Then when done unenable and save changes again.

Any particular reason for your overly paranoid ideas?

Hope this helps thumbup.gif

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 Odyssey42

Odyssey42
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 19 May 2010 - 08:08 AM

Cave Dweller,

Thank you for your suggestion and I will try to educate myself further on this.

As is probably obvious, I am not very computer experienced, but I do hear a lot about sniffers and keyloggers (which if I do understand correctly, the latter will make the encrypted nature of a SSL connection meaningless as one's login and password keystrokes can be recorded).

I have great respect for the damage that malcreants can do to one's financial security and that is the reason for my "overly" paranoid concerns. Where my retirement security is at risk of being impacted, I am happy to be characterized as paranoid, even "overly" paranoid. While I might well be paranoid, if I can just use the two routers (one a Wifi for Group 1, the other wired only for Groups 2 & 3) and the two switches I have to minimize risk, I want to do this.

Instead of DMZ, I probably should have said "a less secure area" where whatever my guests get up to on the Wifi might be isolated from our home lan, the TIVO can update itself, etc. I have no idea how easy it might be to hack a Tivo or an Aluratek Internet Radio compared to a PC, but certainly would not be surprised to learn that they are much easier to get into and I doubt if they operate in a tunneled mode.

I am aware that once a SSL connection is established, the communication between the Apple and the bank will be more secure than almost anyone wants to try to capture and penetrate, but what I don't know is:

-when establishing a SSL connection, are the login and passwords also encrypted or are they sent before the SSL is estabished?

-if before, could not one of the other PC's sniff this info if they are also on the lan?

-in any case a key logger on the Apple could capture the keystrokes, no?

I hope that I have better explained my concerns and clarified what I want to accomplish. Any further assistance anyone can give will be most appreciated.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users