I work at a small company and I’ve been put in charge of IT stuff because everyone else is even more clueless than I am. The way things are set up, every PC has two networking cards. One uses a dedicated internal IP address to communicate with our internal network. We run terminal emulation software to talk to our IBM server which runs AIX. The other card is for an Internet connection and they all use automatic IP and are connected through a switch to a DSL modem. The belief expressed by my superiors is that doing it this way keeps the two networks separate and so the IBM server is never being exposed to the Internet.
I’m not so sure. I’m pretty sure that I’ve had machines that were temporarily disconnected from the Internet network still be able to access the Internet through the internal network. However, it must be happening through one of the other PCs as the IBM machine has no Internet connection and is not connected to any phone lines or modems.
Does any of this make any sense? Is it really possible to have two totally independent networks or does Windows try to find connections wherever it can and manages to do so?
You’re right to not be sure. Fortunately there’s an easy test. In your terminal session, open up a command shell (if it autoloads a GUI) and try PINGing a site on the internet (e.g. boards.straightdope.com). If it comes back with a positive response, you’ve got a problem. What you’ve got to ensure is that on all machines routing is disabled.
I’d suggest that your network simply needs everything on the same LAN and a decent firewall.
Well it’s not going to do so automatically, and it is possible to have two totally independent networks, but not like that. The idea of a totally independent network is that it is not connected to any other network. Not logically but physically. The idea being that instead of figuring out the logistics of how to keep the two networks separate through software and topology you can just ignore the whole issue and make sure there are no wires going anywhere. This isn’t always useful, but sometimes it is.
The way you described your operation is that you have a DSL connection, a set of PCs that need to access the IBM server and the Internet, and you don’t want the IBM server to be accessible through the Internet or have it connect to the Internet, correct? I’m assuming the point of this is security and such a setup is inherently hard to secure. Any of the PCs can be compromised through the Internet (in theory) and give somebody access to the AIX server. Regardless of how you actually wire it up (two NICs or one).
Probably the easiest way to accomplish exactly this (easiest does not imply easy however) is to put the PCs on a network that has two firewalls on it. One separating the AIX server from the network and the other separating the network from the Internet. The firewall on the internet side should be configured to be as fascist as possible - block all incoming ports, preferably with stealth, do not respond to pings, block all outgoing ports for services you are not going to need. Disallow file sharing. For maximum security you can even run something like Squid (a caching web proxy) on the firewall and disallow any other routing between the internet and the network.
The other firewall has to separate the AIX server from all these PCs that are trusted to some degree but are not guaranteed to be entirely safe. This firewall should be even more fascist, disallow any routing to or from the other firewall directly and only allow the required services to pass through based on TCP fingerprinting (if available) or simply port access.
Then you have to make sure all your PCs are patched and updated and are not running crap software, preferably through some sort of a central login/domain server but that’s optional. Also securing the IBM server on the inside would be a good idea. Make sure extra services are not running if you are not using them, perhaps even run some sort of IP filtering firewall on the IBM server itself.
Now, I am not actually suggesting you do all that because from the sound of it this is overkill for a small business. For somebody who knows what they are doing really well this would take a few days to set up, and requires two good firewalls. Firewalls in terms of hardware can just be Pentium class PCs with 2 NICs that run something like OpenBSD which has a really good built in packet filtering system. However configuring and testing something like that is not as straightforward as calling a Cisco guy and having him install two PIX firewalls. To save costs you might want to consider making the internal firewall purely software on the AIX, but I am not familiar with AIX enough to tell you if that is sufficiently easy.
Which version of Windows? Certainly in XP, it is possible (and easy enough that it often gets set up accidentally) to create a ‘network bridge’ encompassing two or more network connections; this effectively turns the computer into a hub/switch as far as the two networks facing it are concerned. If someone has done that on one of the machines, then the whole of the ‘internal’ network is connected to the whole of the ‘external’ one (when the affected machine is turned on).
Other ways that a similar thing could happen are if one of the machines is compromised with some kind of malware, is running internet connection sharing (maybe), or is running some kind of remote access software, or something else providing a non-standard network layer.
In any case, it seems like a particularly inelegant solution (in fact, it’s an administrative/support nightmare) and I would say it isn’t likely to provide any real protection - only a false sense of security; groman’s suggestions are the way to go.
Each one of those four interfaces has a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1. And of course 192.168.1.1 is the DSL router’s inside interface.
The “private” network:
10.10.10.6
10.10.10.7
10.10.10.8
10.10.10.9
10.10.10.10 (the IBM server)
The first four are the same four machines’ IP addresses on the second network cards. Each of these has a subnet mask of 255.255.255.0. As far as I can tell, there’s no need to specify a default gateway here, since all traffic is local to the 10.10.10.0 network.
Our dual-homed machine might be set up as a router or as a bridge. In either case, it’s unclear to me how traffic would get from the 10.10.10.0 network to the outside world.
Why? Because the DSL router has no route to the 10.10.10.0 network. There’s no way for it to know which machine to pass the traffic to.
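The routing argument in the last post (and the forwarding misconfiguration the earlier replies warn about) can be checked with a small model. This is an added example, not code from anyone in the thread: it rebuilds the layout described above with constructed 192.168.1.x addresses for the PCs (the post only lists the 10.10.10.x side), lets one PC have IP forwarding switched on, and traces where a packet goes and where a reply dies.

```python
import ipaddress
INTERNET = "internet"  # sentinel next hop for the DSL router's upstream link

class Host:
    def __init__(self, name, interfaces, routes=(), forwarding=False):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(n), nh) for n, nh in routes]
        self.forwarding = forwarding  # does this machine pass traffic between its NICs?

    def next_hop(self, dst):
        """Directly connected subnets win; otherwise longest-prefix match on the routes."""
        dst = ipaddress.ip_address(dst)
        if any(dst in i.network for i in self.interfaces):
            return str(dst)
        hits = [(n.prefixlen, nh) for n, nh in self.routes if dst in n]
        return max(hits)[1] if hits else None

def trace(hosts, src, dst, max_hops=8):
    """Follow a packet from host `src` toward `dst`; returns (delivered, path)."""
    by_addr = {str(i.ip): h for h in hosts.values() for i in h.interfaces}
    local = any(ipaddress.ip_address(dst) in i.network for h in hosts.values() for i in h.interfaces)
    dst, cur, path = str(ipaddress.ip_address(dst)), hosts[src], [src]
    for _ in range(max_hops):
        nh = cur.next_hop(dst)
        if nh is None:
            return False, path + ["no route"]
        if nh == INTERNET:  # a site-local address handed upstream never comes back
            return (not local), path + ["upstream (lost)" if local else INTERNET]
        nxt = by_addr.get(nh)
        if nxt is None:
            return False, path + [f"{nh} not on any LAN"]
        path.append(nxt.name)
        if nh == dst:
            return True, path
        if not nxt.forwarding:  # a plain PC does not route transit traffic
            return False, path + ["dropped: forwarding off"]
        cur = nxt
    return False, path + ["hop limit"]

def build_office(ibm_gateway=None, forwarding_pc=None):
    """Constructed copy of the thread's layout (the PCs' 192.168.1.x addresses are assumed).
    ibm_gateway gives the server an optional default route; forwarding_pc names one PC with IP forwarding on."""
    hosts = {"dsl-router": Host("dsl-router", ["192.168.1.1/24"], [("0.0.0.0/0", INTERNET)], True)}
    for n in range(6, 10):
        hosts[f"pc{n}"] = Host(f"pc{n}", [f"192.168.1.{n}/24", f"10.10.10.{n}/24"],
                               [("0.0.0.0/0", "192.168.1.1")], forwarding_pc == f"pc{n}")
    hosts["ibm-server"] = Host("ibm-server", ["10.10.10.10/24"],
                               [("0.0.0.0/0", ibm_gateway)] if ibm_gateway else [])
    return hosts
```

With no default gateway the server has no route out at all; once it is pointed at a forwarding PC the request reaches the DSL router and leaves, but the router's reply toward 10.10.10.10 matches only its default route and is handed upstream, which is exactly the "no route back" point made above.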