4

I am wondering if it would be safe to set up my network with a single switch running both internal and external interfaces.

Currently I have a 255.255.255.240 block of IPs from the ISP and a 10.10.10.0/24 private network running from the router. The router has one WAN port and is set up with one of the external IPs as a static IP. All computers are currently off of the private network. The switch being used is a NETGEAR JGS516.

Basically the current setup is like this:

  Computers  ----  Switch  ---- Router ---- ISP's Switch

What I would like to do is this (basically plugging both the WAN and LAN port of the router into the switch):

                  Router
                    /\
 Computers  ----  Switch  ---- ISP's Switch

I have tried doing this and it seems to work. I can assign both public and private IPs to computers and they both function.

The reason I am wanting to make this change is so computers that are behind the switch can be assigned public IPs. I want some of them to only have public IPs, some only private IPs, and some to be assigned both private and public IPs using the single NIC in the computer.

What I want to know is:

What would be any downsides to this setup?

Would this compromise security on the network?

Could machines access computers that only have a private IP assigned to them?

Anything else I should know?

Matt
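The two diagrams above differ in one way that matters for the last two questions: in the proposed layout the ISP's switch and every computer, public or private, hang off the same switch, so they all sit in one layer-2 broadcast domain. The following is an added example, not code from the question or the answers, that models both layouts as cabling between devices and reports which devices share a broadcast domain with the ISP-facing switch. Host names, the two-interface model of the router and the treatment of the ISP switch as a plain switch are all assumptions of the model.

```python
from collections import defaultdict

# Constructed model of the two diagrams in the question. A device is a node
# and a cable is an edge. A switch repeats frames to every port, so every
# device cabled to it lands in one broadcast domain; a router is modelled as
# two unconnected interface nodes (router-lan, router-wan), because a router
# does not bridge frames between its LAN and WAN sides.
INFRASTRUCTURE = {"switch", "isp-switch", "internet"}

def build_links(flat):
    """Return the cabling for the question's two layouts.

    flat=False is the current layout (Computers - Switch - Router - ISP);
    flat=True is the proposed one, with both router ports on the one switch.
    Host names are constructed for the model.
    """
    links = [
        ("pc-public-only", "switch"),
        ("pc-private-only", "switch"),
        ("pc-both", "switch"),
        ("router-lan", "switch"),
        ("internet", "isp-switch"),
    ]
    if flat:
        links += [("router-wan", "switch"), ("isp-switch", "switch")]
    else:
        links += [("router-wan", "isp-switch")]
    return links

def broadcast_domains(links):
    """Group nodes into connected components (union-find); each is one L2 domain."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in links:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return list(groups.values())

def l2_exposed_from_isp(flat):
    """Devices that share a broadcast domain with the ISP-facing switch.

    Anything in this set can be reached with raw Ethernet frames (ARP
    included) from the ISP side of the link, whether it holds a public or a
    private address and whether or not that address is routable.
    """
    for domain in broadcast_domains(build_links(flat)):
        if "isp-switch" in domain:
            return domain - INFRASTRUCTURE
    return set()

if __name__ == "__main__":
    for layout in (False, True):
        name = "proposed (flat)" if layout else "current (routed)"
        print(f"{name}: L2-visible from ISP -> {sorted(l2_exposed_from_isp(layout))}")
```

In the current layout only the router's WAN interface is visible from the ISP side; in the proposed layout the private-only machine is visible too, even though its 10.10.10.x address is not routable from the Internet. That is the gap the router was closing.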

3 Answers

8

Congratulations. You've effectively eliminated any security your router was providing for your internal network.

What you need to do is to put things back as they were and set up NAT on your router to NAT the appropriate public ip address to the appropriate private ip address.

joeqwerty
  • Thanks. That is why I am asking on here first before actually setting the network up this way. I only briefly set up a separate test bed just to see if it is actually possible to make the connections work this way. – Matt Oct 07 '11 at 20:30
4

What would be any downsides to this setup?

Security. The machines to which you have assigned public IPs are now completely exposed to the Interwebs.

Would this compromise security on the network?

Yes. If your public machines get hacked you'll soon find you have problems on your not-so-private LAN.

Could machines access computers that only have a private IP assigned to them?

I assume you mean from the public network? No, they wouldn't be routable directly. But see above.

Anything else I should know?

Yes, go back to the original method. If it's a Cisco or HP variant you would set up NAT rules to map public IPs through to the internal servers, and then add specific access list controls to lock down the ports that are open, and control source networks if necessary.

George Hewitt
  • The way you describe it, it sounds to me like using a NAT would have the same security. If the machine gets hacked then it is screwed either way. What would be the difference between a directly assigned computer with locked down ports (iptables) and a NAT rule for the IP to the server? – Matt Oct 07 '11 at 20:28
  • @Matt: It's about security through layers. The ingress/egress of your network (your firewall or router) should be the first layer of security. It's analogous to having a door on a building locked and all of the office doors inside the building locked. Someone has to first get into the building in order to get into an office. Without a locked door on the building you're letting hackers inside the building where they're free to roam about testing for unlocked office doors or office doors with weak locks, which they'll find in short order. – joeqwerty Oct 07 '11 at 21:15
  • @joeqwerty I don't see that analogy fitting in this case. Say I have the router configured with the x.x.x.6 public IP, allowing only outgoing connections and no incoming. A server is set up that gets web connections (port 80 only, blocking all others with iptables) from public IP x.x.x.7. I could set this up with either method, directly assigned or NAT, to get the second IP to the server. From the way I am seeing it, there are 2 "building doors" (public IPs) in both cases. There is also only 1 "office door" in both cases with the same security. – Matt Oct 07 '11 at 21:40
  • @joeqwerty With the second setup is there actually a way someone could test any other "office doors" (machines with only private IPs)? I just want to know the reasons why it is less secure. So far the only thing I have seen is that the machines with public IPs could get hacked, but I don't see how allowing access to those machines through NAT is any different. – Matt Oct 07 '11 at 21:45
  • It's less secure because your switch is connected directly to the internet (via the ISP switch), effectively bypassing any security the router provides. A simple ARP scan on that switch would tell a hacker exactly what ip addresses are in use, from which point they would bring more sophisticated tools to bear on your network. Now it may be that the ISP has security at their switch and at the remote end of the connection, but I'd never trust my network security to my ISP. – joeqwerty Oct 07 '11 at 22:58
  • @joeqwerty Thanks, that makes much more sense. I wasn't aware a scan of the switch would reveal that. Now I see why it would be less secure. – Matt Oct 09 '11 at 14:28
  • Happy to throw in my two cents. – joeqwerty Oct 09 '11 at 15:08
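Both answers in this thread recommend the same fix: put the router back between the switch and the ISP, then map each public address to its internal host with NAT and open only the ports that host actually serves. The following is an added example, not code from either answer, that generates such a rule set for a Linux router running iptables. It assumes eth0 is the router's interface on the ISP-facing /28 and eth1 is on the 10.10.10.0/24 LAN, and it uses constructed TEST-NET-3 addresses (203.0.113.6 and 203.0.113.7) in place of the x.x.x.6 and x.x.x.7 from the comments. The rules are returned as strings so they can be reviewed before being applied; the `exposed_ports` helper summarises what the set opens.

```python
import ipaddress

# Assumptions for this added example (not from the thread): a Linux router
# with eth0 on the ISP-facing public /28 and eth1 on the private LAN.
WAN_IF = "eth0"
LAN_IF = "eth1"
LAN_NET = ipaddress.ip_network("10.10.10.0/24")

def build_ruleset(services, lan_net=LAN_NET, wan_if=WAN_IF, lan_if=LAN_IF):
    """Return the iptables commands for a default-deny router that forwards
    only the listed TCP ports of each public IP to one internal host.

    services: list of dicts with keys public_ip, private_ip, tcp_ports and an
    optional sources (a CIDR allowed to reach the service; default anywhere).
    The list is ordered so that per-host SNAT precedes the generic MASQUERADE
    rule, because iptables stops at the first matching NAT rule.
    """
    filter_rules = [
        "iptables -P FORWARD DROP",  # nothing crosses the router unless allowed below
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {lan_net} -j ACCEPT",  # LAN may go out
    ]
    nat_rules = []
    for svc in services:
        pub = ipaddress.ip_address(svc["public_ip"])
        priv = ipaddress.ip_address(svc["private_ip"])
        if priv not in lan_net:
            raise ValueError(f"{priv} is not inside {lan_net}")
        src = f" -s {ipaddress.ip_network(svc['sources'])}" if svc.get("sources") else ""
        for port in svc["tcp_ports"]:
            if not 1 <= int(port) <= 65535:
                raise ValueError(f"bad port {port}")
            # Rewrite the destination of permitted inbound connections to the LAN host.
            nat_rules.append(
                f"iptables -t nat -A PREROUTING -i {wan_if}{src} -d {pub} "
                f"-p tcp --dport {port} -j DNAT --to-destination {priv}:{port}"
            )
            # FORWARD sees the packet after DNAT, so it matches on the private address.
            filter_rules.append(
                f"iptables -A FORWARD -i {wan_if} -o {lan_if}{src} -d {priv} "
                f"-p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
            )
        # Outbound traffic from this host leaves with its own public IP.
        nat_rules.append(
            f"iptables -t nat -A POSTROUTING -o {wan_if} -s {priv} -j SNAT --to-source {pub}"
        )
    # Everything else on the LAN shares the router's WAN address.
    nat_rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -s {lan_net} -j MASQUERADE")
    return filter_rules + nat_rules

def exposed_ports(rules):
    """Summarise which (public_ip, port) pairs a generated rule set opens, for review."""
    opened = set()
    for r in rules:
        if " -j DNAT " in r:
            parts = r.split()
            opened.add((parts[parts.index("-d") + 1], int(parts[parts.index("--dport") + 1])))
    return opened

if __name__ == "__main__":
    # Constructed addresses standing in for the x.x.x.6 / x.x.x.7 in the thread.
    services = [{"public_ip": "203.0.113.7", "private_ip": "10.10.10.80", "tcp_ports": [80]}]
    for line in build_ruleset(services):
        print(line)
    print("exposed:", sorted(exposed_ports(build_ruleset(services))))
```

With this in place the web server answers on 203.0.113.7:80 exactly as it would with the address assigned directly, but port 22 (or anything else left open on the host by mistake) is not reachable from the WAN, and a machine with only a private address is never in the ISP's broadcast domain at all. Adding `"sources": "198.51.100.0/24"` to a service entry restricts the opening further, which is the "control source networks" step in the answer above.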
0

It just means you can't also use the router as a firewall and you can't isolate machines that connect only to the public network from machines that connect only to the private network. Most typical home networks don't do either of these things anyway. So if you're building the typical home network, it won't make any difference.

David Schwartz
  • I beg to differ. Most typical home networks aren't configured this way. There is most certainly a router/modem of some type (DSL, cable, etc.) providing security (albeit very basic security) at the ingress/egress of the network (which is the router/modem itself) with all other devices (computers, WAPs, switches) connected on the LAN side, not the WAN side of said router/modem. I don't know of any router or modem that gives traffic originating from the WAN unobstructed access to the internal network. – joeqwerty Oct 07 '11 at 23:04
  • @joeqwerty: Right, but they don't do that to provide security. They do that because they don't know which device to forward that traffic to. It's not behavior you can rely on to provide security. (In fact, many people enable UPnP which takes that 'feature' away.) He can get this same behavior in the router if he wants it anyway. – David Schwartz Oct 07 '11 at 23:10