Isolating one group of computers

Status
Not open for further replies.

Odyssey

I have a fibre optic DSL connection and several computers on a home network. My wife is not interested in learning how to avoid malware and principally uses a WXP Home computer, but she also does banking on her Apple Mac Mini. I would like to isolate the Mac Mini and my Linux computer from the wired/wifi network that we now use. (BTW we are out in the countryside and the WiFi is unlikely to be problematic.)

I was thinking about putting a D-Link DI-604 router behind one of the wired ports on the existing Zyxel P330W v2 wifi router. The idea is that wife, kids, and guests can browse, hopefully not getting infected, but in any case 'isolated' (?) from the D-Link network behind.

I can imagine the possibility of a sniffer getting installed on the Zyxel network, which might then be able to monitor traffic from/to the D-Link network as it passes through the Zyxel. Would such a sniffer be able to monitor the Zyxel traffic, or is the latter encrypted or otherwise unsniffable as it leaves the D-Link and passes through the Zyxel?

Alternatively, is there a way for the two routers to sit side by side and somehow share the DSL connection without being reachable by the other, say if a switch sat in front of the routers? (I don't know if a switch will divide traffic in this way or not.)

So, are either of these a good approach and if not, why? TIA
 
I have a fibre optic DSL connection and several computers on a home network. My wife is not interested in learning how to avoid malware and principally uses a WXP Home computer, but she also does banking on her Apple Mac Mini. I would like to isolate the Mac Mini and my Linux computer from the wired/wifi network that we now use.
So the isolation is to protect you from possible infections from her? The Mac has
a firewall too and there aren't too many direct attacks on Macs --
but yes you can isolate it from the others
I was thinking about putting a D-Link DI-604 router behind one of the wired ports on the existing Zyxel P330W v2 wifi router. The idea is that wife, kids, and guests can browse, hopefully not getting infected, but in any case 'isolated' (?) from the D-Link network behind.
so it would look like
Code:
modem--Zyxel (x.y.1.1)--- wired systems
         +
         +--- (x.y.1.2) DI-604 (x.y.2.1) .... WiFi connections @ x.y.2.*
I can imagine the possibility of a sniffer getting installed on the Zyxel network, which might then be able to monitor traffic from/to the D-Link network as it passes through the Zyxel. Would such a sniffer be able to monitor the Zyxel traffic, or is the latter encrypted or otherwise unsniffable as it leaves the D-Link and passes through the Zyxel?
Yes a sniffer on the Zyxel will see ALL traffic as it is the highest level router but only see the tcp header info, not the payload of every packet due to encryption
Alternatively, is there a way for the two routers to sit side by side and somehow share the DSL connection without being reachable by the other,
The secret is the Default Gateway. Unless there is a specific route to force
output to a specific subnet, all traffic flows upward thru the Default Gateway.
The Zyxel attached systems will flow ONLY up to the ISP.
The DI-604 attached devices will flow Up to the Zyxel. Any software attempting
to 'probe for other systems' could discover systems attached to it but not see them
as easily as looking for File Shares (which is the only access that could be acquired anyway).

If you FLIP the positions of the router, eg Modem--Di-604--Zyxel, then the WiFi system would never reach the Zyxel systems.
say if a switch sat in front of the routers (I don't know if a switch will divide traffic in this way or not)
nope
So, are either of these a good approach and if not, why? TIA
just fine :)
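Added example (not part of the thread, and not code from either poster): a small routing simulator for the modem -> Zyxel -> DI-604 layout drawn above. Each router knows only its own LAN plus a default route to the box its WAN port is plugged into, which is the Default Gateway point the reply makes, and NAT rewrites the source of anything leaving a WAN port. The addresses are assumptions standing in for the x.y.1.* and x.y.2.* of the diagram: 192.168.0.0/24 for the ISP box's LAN, 192.168.1.0/24 for the Zyxel LAN, 192.168.2.0/24 for the DI-604 LAN. It goes one step beyond the thread by also building the flipped order, so the two arrangements can be compared directly.

```python
"""Routing simulator for two cascaded home routers (added example; addresses are
assumptions, not the thread's real ones). Each Router has one LAN route and a
default route upward; the ISP box at the top hands anything public to the internet."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Router:
    name: str
    lan: ipaddress.IPv4Network     # the one network this router has a route for
    lan_addr: IPv4                 # hosts on that LAN use this as their Default Gateway
    wan_addr: Optional[IPv4]       # this router's address on the upstream LAN (None for the ISP box)
    upstream: Optional["Router"]   # the box the WAN port is plugged into; where the default route points


class Topology:
    def __init__(self, routers: List[Router]):
        self.routers = routers

    def router_for(self, addr: IPv4) -> Optional[Router]:
        """The router whose LAN contains addr (None means 'somewhere on the internet')."""
        return next((r for r in self.routers if addr in r.lan), None)

    def trace(self, src: str, dst: str) -> Tuple[bool, List[str]]:
        """Follow a packet from src to dst the way the routers would; return (delivered, hops)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        here = self.router_for(s)
        if here is None:
            raise ValueError(f"{s} is not on any LAN in this topology")
        hops: List[str] = []
        if d in here.lan:
            hops.append(f"{here.name} LAN: {d} is on the same subnet, delivered directly")
            return True, hops
        while True:
            # No router carries a route *down* into another router's LAN, so the only
            # choice for an off-subnet destination is the default route toward upstream.
            hops.append(f"{here.name}: no route for {d}; default route -> upstream")
            up = here.upstream
            if up is None:
                if d.is_private:
                    hops.append(f"ISP: {d} is private address space, not routed on the internet; dropped")
                    return False, hops
                hops.append(f"ISP: {d} forwarded to the internet (source NATed to the public address)")
                return True, hops
            if d in up.lan:
                # The destination sits on the very segment the WAN port hangs off:
                # delivered directly, with the source rewritten to the WAN address (NAT).
                hops.append(f"{up.name} LAN: {d} reached directly; source NATed to {here.wan_addr}")
                return True, hops
            here = up


def build(dlink_behind_zyxel: bool = True) -> Topology:
    """The thread's layout (modem -> Zyxel -> DI-604) or, with False, the flipped one."""
    net, ip = ipaddress.ip_network, ipaddress.ip_address
    isp = Router("ISP box", net("192.168.0.0/24"), ip("192.168.0.1"), None, None)
    if dlink_behind_zyxel:
        zyxel = Router("Zyxel", net("192.168.1.0/24"), ip("192.168.1.1"), ip("192.168.0.2"), isp)
        dlink = Router("DI-604", net("192.168.2.0/24"), ip("192.168.2.1"), ip("192.168.1.2"), zyxel)
    else:
        dlink = Router("DI-604", net("192.168.2.0/24"), ip("192.168.2.1"), ip("192.168.0.2"), isp)
        zyxel = Router("Zyxel", net("192.168.1.0/24"), ip("192.168.1.1"), ip("192.168.2.2"), dlink)
    return Topology([isp, zyxel, dlink])


def can_initiate(topo: Topology, src: str, dst: str) -> bool:
    """True if a host at src can open a connection to dst (the direction an attacker needs)."""
    return topo.trace(src, dst)[0]


if __name__ == "__main__":
    for flipped in (False, True):
        topo = build(not flipped)
        print("layout:", "modem -> DI-604 -> Zyxel" if flipped else "modem -> Zyxel -> DI-604")
        for src, dst in (("192.168.1.20", "192.168.2.10"),    # Zyxel LAN host -> DI-604 LAN host
                         ("192.168.2.10", "192.168.1.20"),    # DI-604 LAN host -> Zyxel LAN host
                         ("192.168.2.10", "74.125.45.106")):  # DI-604 LAN host -> the Google address seen later
            ok, hops = topo.trace(src, dst)
            print(f"  {src} -> {dst}: {'delivered' if ok else 'not delivered'}")
            for h in hops:
                print("     ", h)
```

The trace shows the asymmetry in the plain-text form the reply describes: a DI-604 host reaches a Zyxel-LAN host in one hop because that host is on the segment its WAN port sits on, while a Zyxel-LAN host sending to 192.168.2.x has no route except upward and the packet dies at the ISP. Flipping the order flips the asymmetry, so whichever LAN must be unreachable from the other has to hang off the downstream router.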
 
Very helpful although I see I have confused things.

The Zyxel is the Wi-Fi, so it would handle guests (wireless), kids (wired and wireless) and wife (who is always wired). I will refer to this as the insecure network because of possible user behaviour.

The D-Link is wired only, and because of its age, I should ask if it needs replacing with a later router that might have better built-in security?

For clarification, I have fibre optic to my home and the incoming terminates on an exterior wall where a converter box (modem/gateway type device) which converts the optical signal to a digital signal, is installed. The digital line then comes into the house like a phone line. So I do not have a modem per se inside the house but rather now plug my router directly into a RJ45 female socket in the interior wall.

I'm unsure if I understand your guidance on use of a switch. Depending on how separate communication streams on different ports are from each other, an ideal solution for me (because I already have all three pieces of kit) is a switch plugged into the wall, with the two routers plugged into it. My Linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.

What comments on this plan please.
 
Very helpful although I see I have confused things.
The Zyxel is the Wi-Fi, so it would handle guests (wireless), kids (wired and wireless) and wife (who is always wired). I will refer to this as the insecure network because of possible user behaviour.
more likely I did :) got it now
The D-Link is wired only, and because of its age, I should ask if it needs replacing with a later router that might have better built-in security?
nope
For clarification, I have fibre optic to my home and the incoming terminates on an exterior wall where a converter box (modem/gateway type device) which ...
That's your modem+router :)
I'm unsure if I understand your guidance on use of a switch. Depending on how separate communication streams on different ports are from each other, an ideal solution for me (because I already have all three pieces of kit) is a switch plugged into the wall, with the two routers plugged into it. My Linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.
yes that would work but only if your modem+router has DHCP and would assign a unique IP address to each. You'll find out quick enough like this
1) connect the switch to the wall plate
2) connect the wired router to a switch port and one running system to the router;
test should give timing data using
get a command prompt (run-cmd) and enter
ping www.google.com
3) now connect the other router to the switch (you don't need a system attached to it just yet)

Repeat the test in (2); should give same results. *IF* NOT, enter ipconfig /all
and it's likely that you have no ip address assigned -- due to IP Address Conflict.
This says the modem+router has no DHCP and therefore you can not use the switch as the first device connected to the wall plate :(

My linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.
You can but that is overkill :)

show her the WAN side connection to the WiFi router and disconnect it (which is still overkill)

Back to Encryption:
The WiFi router can be configured with {wep,wpa,wpa2} encryption -- the D-link wired has NONE! Therefore, the online banking relies upon https (SSL) to encrypt the data packets.

Let's investigate the ISP connection. Connect any system (with a firewall active)
directly to the wall plate. Test using (2) above to be sure you're connected.

Then use ipconfig /all >mytcp.txt and follow up by attaching mytcp.txt

That will tell us your exposure to a sniffer upstream from your wall plate.
 
Wow! What a fabulous reply. Here is the ipconfig output:

C:\Documents and Settings\Administrator>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : ROBERT
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gvtc.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : gvtc.com
Description . . . . . . . . . . . : KTI ET32/Px Series PCI Ethernet Adap
ter
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Sunday, August 09, 2009 3:35:30 AM
Lease Expires . . . . . . . . . . : Sunday, August 16, 2009 3:35:30 AM

C:\Documents and Settings\Administrator>

While you are digesting that, I will re-read yours yet again to try to get all that I can, given my limited expertise. What can I do next?
 
Here is the ipconfig output:
I assume this is the system directly connected to the wall plate
ipconfig /all

Windows 2000 IP Configuration.....

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : gvtc.com
Description . . . . . . . . . . . : KTI ET32/Px Series PCI Ethernet Adapter
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Sunday, August 09, 2009 3:35:30 AM
Lease Expires . . . . . . . . . . : Sunday, August 16, 2009 3:35:30 AM

C:\Documents and Settings\Administrator>
hmm; the ISP router is at 192.168.0.1
and your system is on the same subnet 192.168.0.*
as 192.168.0.105

This means you have no NAT isolation from any of the other 253 systems attached to 192.168.0.1

Normally we get a public address like 76.183.108.74 assigned to our first device
and the NAT creates LAN addresses like 192.168.0.* and DHCP gives us the ISP gateway like 76.183.xxx.1; any attempt to make a direct attack *must* be able to perform NAT traversal, which is not trivial.

With your IP on the same subnet as the gateway, NAT traversal is not required
and your sole protection against a direct attack is your firewall.

Online Banking:
The SSL Encryption is end-to-end, ie: the bank website to your wife's Macintosh.
A sniffer on the 192.168.0.* subnet
  • will see every url accessed
  • will see every email sent
  • will not see SSL Encrypted data sent to the bank

btw: your PC and Linux systems are equally exposed. Your big issue is to be sure
that anytime you enter a password (eg email login) that the connection uses
TLS or SSL
 
I was assuming that the ip # is that of the converter box (on the outside wall of my home). If I run www.myipaddress.com, I get an ip address beginning with a 2 digit number which I have assumed is that of my ISP. Am I off base here?

BTW, for the switch test, I got a normal ping response from the first router, but when I substituted the second router, I got:

unknown host www.google.com

There are lots of cables dangling around here and I think I had it wired right for the second, but if it doesn't sound right, I can try it again.
 
jobeard, just tried to pm you but I am a few posts shy of the 45 needed to be able to pm. If you can pm me, please send an email address to which I can send you the results of an ifconfig from my linux computer. (Too much info for a public post) Thanks.
 
I now realize that I was confused about your post. From memory, (notoriously unreliable) every time I run ipconfig at the office, the ip address shown is always a private address, just as in my computer at home, but the dns server (and maybe the DHCP server?) is a non-private address. In my mind, I "transposed" the ip address reference given in your comments with "dns server".

The dns server address in the previous post was "DNS Servers . . . : 192.168.0.1" and this is a private address. So what I want to understand is why in this instance is a private address showing up as the dns server address?

Thanks for any clarification.
 
I was assuming that the ip # is that of the converter box (on the outside wall of my home). If I run www.myipaddress.com, I get an ip address beginning with a 2 digit number which I have assumed is that of my ISP. Am I off base here?
No that is what I really expected to see from the ipconfig,
so now I'm confused as to how you're wired

For a DSL Connection, we get a phone line (at the wall plate) --> (ip)modem+router
For a Cable setup, we get Coax cable -> (ip)Modem -->Router
In both cases, (ip) is a public address.

Can you report the make/model of the box that connects directly to the cable coming from the wall please.

What kind of connection is made at the wall plate (RJ45 Ethernet vs RJ323 phone cable)?

Can you get me the first four lines from (run->cmd) and enter
tracert www.google.com
 
So what I want to understand is why in this instance is a private address showing up as the dns server address?

Thanks for any clarification.
That's easy ... the gateway address and dns address is that of the router. Basically your system makes a DNS request (on port 53) to the router, which knows enough to forward it out to the ISP -- very common setup.
 
The setup is as follows:

Ethernet cable from wall plate (RJ45) to D-Link DI-604

Ethernet cable from D-Link to Dell Powerconnect 3024 24 port switch

Ethernet cable from switch to computer

Here is tracert (with the first two sets of numbers changed to protect the innocent):

C:\DOCUME~1\ROBERT>tracert www.google.com

Tracing route to www.l.google.com [74.125.45.106]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 12 ms 8 ms 7 ms 97-9-196-2.block0.abc.com [97-9.196.2]
3 7 ms 7 ms 7 ms 97-9-191-26.block0.abc.com [97-9.191.26]
4 14 ms 15 ms 15 ms 72.89.191.213

Hope this helps
 
The setup is as follows:

Ethernet cable from wall plate (RJ45) to D-Link DI-604
Ethernet cable from D-Link to Dell Powerconnect 3024 24 port switch
Ethernet cable from switch to computer

C:\DOCUME~1\ROBERT>tracert www.google.com

Tracing route to www.l.google.com [74.125.45.106]
1 <1 ms <1 ms <1 ms 192.168.0.1
2 12 ms 8 ms 7 ms 97-9-196-2.block0.abc.com [97-9.196.2]
3 7 ms 7 ms 7 ms 97-9-191-26.block0.abc.com [97-9.191.26]
4 14 ms 15 ms 15 ms 72.89.191.213
great!
(1) is from your router and the ISP gateway should be at (2)-- a public address

Now then, the issue is the input to the DI-604. Where and what is the device to which it is connected at the other end?? That has to be a modem/router and that makes me question #2 and #4 entries. Whoever has access to that device has
control over your subnet.

#4 is static-72-89-191-213.nycmny.fios.verizon.net
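Added example (not part of the thread, and not code from either poster): the two pieces of evidence the replies asked for, ipconfig /all and the first hops of tracert, read by a script that reports what they say about the box behind the wall plate. It serves both the ipconfig reading earlier in the thread (same subnet as the gateway, private gateway address) and the tracert reading here (is hop 2 already public?). The ipconfig text reuses the values the poster reported; hops 2 and 3 of the tracert are constructed placeholders because the poster redacted his, while hop 4 and the Google address are the ones on the page. The hostname example.net and the double-NAT sample are constructed. 100.64.0.0/10 (the shared address space ISPs use for carrier-grade NAT) is kept separate from RFC 1918 because a hop there means the provider is putting several customers behind a NAT of its own.

```python
"""Classify what sits upstream of a wall plate from ipconfig /all and tracert output.
Added example; sample inputs are constructed (see the constants)."""
import ipaddress
import re

# Values as reported in the thread, redacted MAC kept as-is (constructed sample).
IPCONFIG_SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : gvtc.com
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# Hops 2 and 3 are placeholders (the poster redacted his); hop 4 is from the page.
TRACERT_SAMPLE = """\
Tracing route to www.l.google.com [74.125.45.106]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    12 ms     8 ms     7 ms  97-9-196-2.block0.example.net [97.9.196.2]
  3     7 ms     7 ms     7 ms  97-9-191-26.block0.example.net [97.9.191.26]
  4    14 ms    15 ms    15 ms  72.89.191.213
"""

# Constructed: what the trace looks like when a second private router sits upstream.
TRACERT_DOUBLE_NAT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     2 ms     2 ms     2 ms  192.168.100.1
  3     9 ms     9 ms     9 ms  97.9.196.2
"""

SPECIAL = [
    (ipaddress.ip_network("10.0.0.0/8"), "rfc1918"),
    (ipaddress.ip_network("172.16.0.0/12"), "rfc1918"),
    (ipaddress.ip_network("192.168.0.0/16"), "rfc1918"),
    (ipaddress.ip_network("100.64.0.0/10"), "cgnat"),       # RFC 6598 shared address space
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),  # APIPA: nobody answered DHCP
]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def classify(addr):
    addr = ipaddress.ip_address(addr)
    return next((label for net, label in SPECIAL if addr in net), "public")


def parse_ipconfig(text):
    """{label: value} for the 'Label . . . : value' lines; first occurrence of a label wins."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9 /()-]*?)[ .]*:\s*(.*)$", line)
        if m and m.group(2):
            cfg.setdefault(m.group(1).strip(), m.group(2).strip())
    return cfg


def parse_tracert(text):
    """[(hop_number, IPv4Address or None)]; a timed-out hop ('*') yields None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if m:
            addrs = re.findall(IPV4, m.group(2))
            hops.append((int(m.group(1)), ipaddress.ip_address(addrs[-1]) if addrs else None))
    return hops


def assess(cfg, hops):
    """Combine both outputs into a verdict code about what is behind the wall plate."""
    iface = ipaddress.ip_interface(f"{cfg['IP Address']}/{cfg.get('Subnet Mask', '255.255.255.0')}")
    gw_text = cfg.get("Default Gateway")
    first_public = next((n for n, a in hops if a is not None and classify(a) == "public"), None)
    result = {"host": str(iface), "gateway": gw_text, "gateway_class": None, "first_public_hop": first_public}
    if not gw_text or classify(iface.ip) == "link-local":
        result["verdict"] = "no-dhcp"           # the failure mode of the switch test: no lease, no gateway
        return result
    gw = ipaddress.ip_address(gw_text)
    result["gateway_class"] = classify(gw)
    between = [classify(a) for n, a in hops
               if a is not None and n > 1 and (first_public is None or n < first_public)]
    if classify(gw) == "public":
        verdict = "public-gateway"   # host sits directly on the ISP segment; only its own firewall shields it
    elif gw not in iface.network:
        verdict = "gateway-off-link"  # misconfiguration: the default route cannot be used
    elif first_public == 2:
        verdict = "edge-nat"          # hop 1 is the NAT box; private space ends at it
    elif "cgnat" in between:
        verdict = "isp-cgnat"         # the provider shares a NAT among customers
    elif between:
        verdict = "double-nat"        # another private router upstream; whoever runs it sees all traffic
    else:
        verdict = "unknown"
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    cfg = parse_ipconfig(IPCONFIG_SAMPLE)
    print(assess(cfg, parse_tracert(TRACERT_SAMPLE)))
    print(assess(cfg, parse_tracert(TRACERT_DOUBLE_NAT)))
```

On the thread's own data the verdict is edge-nat: the host is on 192.168.0.0/24, the gateway is private and on-link, and the second hop is already public, so the 192.168.0.1 box is the customer's own modem+router rather than a shared ISP segment. The double-NAT sample shows the pattern that would have justified the concern: a second RFC 1918 hop before the first public one.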
 
This is a fibre optics connection. Does that matter? The forward device on the other end of my D-link ethernet cable is the converter box on the outside wall of the house. I suppose it is roughly equivalent to a modem, but in this case it converts the optical signal to digital.

You said #2 and 4 (verizon). Did you mean 2 and 3? This is my ISP of course, but what about the tracert return gives rise to alarm? Isn't this what we are supposed to see on a tracert, i.e, from the router to the ISP, and onward? I am surely missing something here.

Or was the "alarm" caused by the ipconfig results which I guess I don't understand. I think I had just assumed that ipconfig showed only stuff in the private network and that another command, such as tracert is needed to see "outside".
 
I have a good friend with FiOS and the connection comes into the home and connects
to a F.O. modem+router.

Let's assume that your F.O. modem+router are enclosed in a box outside the home.
That becomes the equivalent of a Cable Modem setup and comments in post 6 above do not apply.
(I have seen setups where the ISP did have multiple customers on the same subnet; bad idea.)

>> Does that matter?
Not in your case :)
You said #2 and 4 (verizon). Did you mean 2 and 3? This is my ISP of course, but what about the tracert return gives rise to alarm? Isn't this what we are supposed to see on a tracert, i.e, from the router to the ISP, and onward? I am surely missing something here.
as you doctored the first two digits of the results for privacy, I could not verify who owned those IP addresses. #4 was verifiable.
If the ISP address really was the 192.x.x.1, then the tracert would have shown a transition to a public IP. All systems on the 192.x.x.* subnet would have been an exposure to your security. That is now put to bed and NOT an issue :)
Or was the "alarm" caused by the ipconfig results which I guess I don't understand. I think I had just assumed that ipconfig showed only stuff in the private network and that another command, such as tracert is needed to see "outside".
you have that ALL correct.

By connecting a system directly to the wall plate, I was attempting to discover what was on the network. Rather goofy that the address on that line ended in x.105, but that can be insignificant as yours appears to be.

I think (& hope) we're done here.

best wishes
 
JO,

Many thanks for your tireless support here. It is much appreciated and has been extremely informative. My wheels turn slowly at my age, but I think I have had my horizons expanded.
 