
Given:

  • Outer Network
    • router A
      • wan ip 209.123.12.11
      • address 10.10.0.1
    • machine A
      • address 10.10.0.10
      • gateway 10.10.0.1
  • Inner Network
    • router B
      • wan ip 10.10.0.100
      • address 192.168.10.1
    • machine B
      • address 192.168.10.10
      • gateway 192.168.10.1

Known:

  • machine B can access machine A
  • machine A cannot access machine B (please correct me if I'm wrong)

Question:

  • If machine A is hacked and the hacker places a sniffer on 10.0.0.100, is machine B still being "protected"? E.g., if a user on machine B goes to a webpage without HTTPS and makes a login, can the sniffer capture the traffic?
  • If it's not protected, can any advice on the infrastructure change be given?
developer.cyrus

1 Answer


I presume that by "router", you mean each of these is a "router/NAT/firewall" combination appliance. Most home routers include firewall capabilities, which is most likely what you're relying upon here. (Note that NAT is a connection sharing technology, but not a defense mechanism.)

To directly answer your question, if a hacker gets inside your first router A, the answer is "yes." He could install network monitoring software (such as wireshark) on machine A. He would then have a couple of options to get the traffic into machine A to be monitored.

  • He could reconfigure router A to mirror all LAN traffic to the hardware port where machine A is located (a common task when installing a network monitoring device; many routers and switches support this).

  • He could reconfigure your router A to act like a hub, automatically mirroring all LAN network traffic to all ports (this may be possible with some cheap consumer routers).

  • He could configure machine A to act as a router. He could install and run DHCP on machine A; assuming router B is getting its external address via DHCP, it could respond that its gateway is 10.10.0.10 (machine A's address). That way all traffic from network B would be routed through machine A, where it would be subject to monitoring.

This would only give the attacker the capability of monitoring unencrypted traffic; it still would not permit him to decrypt the contents of HTTPS/TLS/SSL encrypted streams. It would also not permit him to see LAN traffic inside router B, so if you were printing from machine B to another printer on the 192.168.10.x network, he would not be able to capture it (at least not without breaking into router B).

John Deters
  • How about if the hacker ONLY gets inside machine A (by some trojan), but not router A? Are the first two bullet points you mentioned still valid? How to defend against the 3rd bullet point? – developer.cyrus Sep 10 '15 at 14:52
  • @developer.cyrus, if the hacker got into machine A, can you still trust the router? (No.) But if the hacker can't get into the router, they might try point #3. As a defense you could periodically monitor router B to display its address and gateway, or you could try a traceroute from machine B to www.google.com. If its default route is to machine A, or its WAN IP address has changed, something may be wrong. – John Deters Sep 16 '15 at 04:22
  • Is it useful, while keeping minimal change, to modify the WAN IP of router B (10.10.0.100) to another subnet different from machine A (10.10.0.10), e.g., from 10.10.0.100 to 10.10.2.100? – developer.cyrus Sep 16 '15 at 07:47
  • No, that wouldn't make a difference in security. Don't keep trying to make this the be-all, end-all of defense strategy for your network. Instead, consider that you are building defense in depth. If the outer walls are breached, the inner walls may stay intact and help you defend longer. What you are buying with any of these schemes is _time_, time to detect the intruder and lock the gates again. You will never create the perfect defense, because there is no such thing. – John Deters Sep 16 '15 at 12:42
  • Thanks. One more follow-up question. What if machine A and router B are placed in their own private VLAN? Can it be protected? – developer.cyrus Sep 17 '15 at 07:40
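The periodic check John Deters suggests in the comments (watch router B's default gateway and WAN address, which is what the rogue-DHCP case in the answer's third bullet would change), as an added example that is not part of the original thread: it parses Linux `ip route` output captured on router B and assumes router A's LAN address 10.10.0.1 and router B's WAN address 10.10.0.100 from the question; the sample route lines are constructed.

```python
import re

# Expected upstream view of router B, taken from the question's topology.
EXPECTED_GATEWAY = "10.10.0.1"   # router A's LAN address
EXPECTED_WAN_IP = "10.10.0.100"  # router B's WAN address

# Linux `ip route` lines: the default route, and the connected-subnet route
# whose "src" field carries the interface's own address.
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)")
LINK_RE = re.compile(r"^(\S+) dev (\S+) proto kernel scope link src (\S+)")


def check_upstream(ip_route_output: str, wan_dev: str = "eth0") -> list[str]:
    """Return findings about router B's upstream view; empty means as expected.

    Flags a default gateway other than router A (what a rogue DHCP offer from
    machine A would produce), more than one default route, and a changed
    WAN address on the uplink interface.
    """
    findings, gateways, wan_ip = [], [], None
    for line in ip_route_output.splitlines():
        m = DEFAULT_RE.match(line.strip())
        if m:
            gateways.append((m.group(1), m.group(2)))
            continue
        m = LINK_RE.match(line.strip())
        if m and m.group(2) == wan_dev:
            wan_ip = m.group(3)
    if not gateways:
        findings.append("no default route found")
    elif len(gateways) > 1:
        findings.append("multiple default routes: " + ", ".join(g for g, _ in gateways))
    for gw, dev in gateways:
        if gw != EXPECTED_GATEWAY:
            findings.append(f"default gateway is {gw} on {dev}, expected {EXPECTED_GATEWAY}")
    if wan_ip is None:
        findings.append(f"no address found on {wan_dev}")
    elif wan_ip != EXPECTED_WAN_IP:
        findings.append(f"WAN address is {wan_ip}, expected {EXPECTED_WAN_IP}")
    return findings


# Constructed `ip route` output from router B in the healthy state.
HEALTHY = """default via 10.10.0.1 dev eth0 proto dhcp metric 100
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.100
192.168.10.0/24 dev br0 proto kernel scope link src 192.168.10.1"""

# Constructed output after a rogue DHCP server on machine A handed out a new lease.
HIJACKED = """default via 10.10.0.10 dev eth0 proto dhcp metric 100
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.37
192.168.10.0/24 dev br0 proto kernel scope link src 192.168.10.1"""
```

Run `check_upstream` on a fresh `ip route` capture from cron and alert on any non-empty result; a traceroute whose first hop is not 10.10.0.1 is the equivalent check from machine B.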