
Re: [Sheflug] Network design problem



Peter Humphrey wrote:
> On Friday 14 March 2008 14:13:36 Tom Bird wrote:
>> Peter Humphrey wrote:
>>> ethnet          192.168.128.0/17
>>> wapnet          192.168.192.0/19
>>>
>>> $ cat /etc/conf.d/net
>>> config_eth0=( "192.168.128.49 netmask 255.255.128.0 brd
>>> 192.168.255.255" ) config_eth1=( "192.168.192.210 netmask 255.255.224.0
>>> brd 192.168.223.255" )
>> These overlap.  This is bad.
> 
> I thought it was an example of sub-netting. Have I misunderstood that 
> concept? Where can I find an explanation?
>

Quick recap on IP addresses.  Each one of the four numbers in an IPv4 
address represents an octet of binary digits (or bits), which can equally 
well be represented by two hexadecimal digits.

The 17 in the subnet 192.168.128.0/17 says your network is matched by 
the first 17 bits of the preceding data, with the remainder of any 
matching IP address being a host. The leftmost octet takes 8.  The 
second leftmost takes a further 8, leaving 1 for the third octet and 
none for the fourth octet.  Your netmask for this network is 
255.255.128.0 and your broadcast address will be 192.168.255.255.

This will allow 192.168.128.0 through to 192.168.255.255 (over 32,000 
hosts) on that subnet, and it includes the 192.168.192.0 you 
subsequently subnet to wapnet.

192.168.192.0/19 says the network is matched on the first 19 bits of the 
preceding data, with just over 8000 hosts attached.  Again the first two 
octets take 16 bits, leaving three bits at the top of the third octet, 
which can therefore be expressed as 1110 0000 in binary, or E0 in hex, or 
224 in decimal. So your netmask is 255.255.224.0 with a broadcast 
address of 192.168.255.255.

I think you really meant /18 here (giving 1100 0000 or C0 or 192).

However I am worried about what you think you are doing with the network 
- especially as you are tacking on a WAP.

Do you really need to tack on 32000 possible hosts? Furthermore do you 
really need more than 65000 on your phrnet?

In essence I have this setup

192.168.1.0/28 - internal side of ADSL router allowing up to
                  13 hosts - one is used for the router and one is used
                  for the gateway connection.  The default route is the
                  internal IP address of the router
192.168.2.0/24 - a network with 254 possible hosts.  The default route
                  for anything connected to this network is the IP
                  address of the card on the gateway box for this subnet.
192.168.3.0/24 - a network with 254 possible hosts.  The default route
                  for anything connected to this (even through a switch)
                  is the IP address of the card on the gateway box for
                  this subnet.

Similarly to you, I have three ethernet cards on my gateway box - one 
goes to the ADSL and the other two to each of the subnets.  Neither of 
these are a demilitarized zone.  The nearest I could get to a DMZ is to 
hang it off the back of the router which means it would be part of the 
router's internal subnet.

If I wanted to be really really tight about it I could have

192.168.1.0/30 - gateway and internal side of ADSL allowing only two
                  hosts one of which would be the gateway and t'other the
                  router (but I wouldn't be able to connect to the
                  router any other machine.)
192.168.2.0/30 - allowing two hosts which will be used by the card on
                  the gateway for this subnet and the single machine I
                  have attached to it.
192.168.3.0/29 - allowing six hosts which would have to include the card
                  on the gateway box and would therefore leave me with
                  the capability of attaching 5 more hosts onto this
                  network.

and it would all work the same.

From the hardware you declare you have one card to the modem and one to 
a switch plus one more.  You therefore need one subnet for the card that 
is connected to the ADSL router, one for the card connected to the 
switch and one for the extra card.

I suspect you could quite easily get away with

192.168.1.0/28 on the router side
192.168.2.0/24 on the switch side.
192.168.3.0/24 for your third interface

and that is all you need according to the hardware you have declared. 
Presumably NAT and redirection on the gateway between the two subnets 
and use the gateway's firewall to protect your 192.168.2 subnet.

Now let's deal with your WAP.

You should bear in mind that a wireless device is a receiver and 
transmitter.  It doesn't care who or what it receives from or who or 
what it transmits to.  When the data over a wireless connection is 
transmitted so that a WAP can receive it, any other suitable device in 
the range of the transmitting device can also receive it.  And there is 
much out there to sniff the air, e.g. http://airdump.net/.

I assume your WAP uses DHCP to assign an IP address to any machine that 
connects to it.  If your wife is the only one using the wireless access 
point then make sure that the DHCP server on the WAP is set to rotate 
only one IP address, and that it will only accept from one MAC address 
plus use appropriate authentication methods that are not WEP or WPA.

WPA2 can be sniffed but you can use 63 character passwords designed for 
machine to machine communication i.e. case sensitive and containing any 
character including alphanumerics, punctuation and special characters 
such as '@' or '>'.  These are harder to crack.  Change this password 
frequently.

Your wife's machine should also be suitably firewalled and you will have 
to deliver the new password to her machine by a secure method every time 
you change it on the WAP.

None of this is foolproof security but it may stop or hinder some people 
from using your network or using your wife's machine as a trojan on your 
network.

Monitor the network coming to or from the WAP.  Leave it on for a while 
when your wife is not using it and her machine is switched off and not 
registered with the WAP.  This may persuade you to at least switch it 
off when not in use.

I think your best solution is to have the WAP on its own subnet, e.g. 
192.168.4.0/30 connected to the gateway, and monitored and controlled 
from there.  You can then prevent that subnet from accessing any other 
subnet on your network or at least control its access.  This means 
adding a new card to the gateway box.

If you don't want to add a new card to the gateway then put it on the 
third interface and deal with it at the firewall end of the server, 
workstation and any other element connected to the switch.  At least 
then the firewall on your gateway can redirect incoming 25, 80 traffic 
as required to your server and you can prevent any incoming to other 
service ports reaching the WAP.  Bear in mind that anything can connect 
to your WAP if it is determined to do so.

Regards

L.
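The subnet arithmetic worked through above, as an added example that is not part of the original post: a Python script (standard library only) that works out netmask, broadcast and usable host count for a prefix, parses entries written in the /etc/conf.d/net style quoted at the top of the thread, and reports a declared brd that does not match the mask or two interfaces whose subnets overlap. The config text inside it is constructed for the example, using the same addresses as the quoted config but with each entry on one line.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in the /etc/conf.d/net style quoted in the thread
# (same addresses as the quoted config, each entry on a single line).
SAMPLE_CONF = '''
config_eth0=( "192.168.128.49 netmask 255.255.128.0 brd 192.168.255.255" )
config_eth1=( "192.168.192.210 netmask 255.255.224.0 brd 192.168.223.255" )
'''

# config_<iface>=( "ADDR netmask MASK [brd BRD]" )
ENTRY_RE = re.compile(
    r'config_(?P<iface>\w+)=\(\s*"(?P<addr>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)'
    r'(?:\s+brd\s+(?P<brd>[\d.]+))?\s*"\s*\)'
)


def describe(prefix):
    """Netmask, broadcast and usable host count for a CIDR prefix, plus the
    third octet of the mask in binary and hex, as the post works them out."""
    net = ipaddress.ip_network(prefix, strict=False)
    third = int(str(net.netmask).split(".")[2])
    # Network and broadcast addresses are not usable for hosts on /30 and larger.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "mask_octet3_bin": f"{third:08b}",
        "mask_octet3_hex": f"{third:02X}",
    }


def parse_conf(text):
    """Parse config_<iface> entries into {iface: (IPv4Interface, declared brd or None)}."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        iface = ipaddress.IPv4Interface(f"{m['addr']}/{m['mask']}")
        entries[m["iface"]] = (iface, m["brd"])
    return entries


def check_conf(text):
    """Return a list of problems: a declared brd that does not match the
    netmask, or two interfaces whose subnets overlap.  Overlapping subnets on
    one gateway make its routing ambiguous, so traffic meant for one segment
    can be delivered to the other and firewall rules keyed on the subnet no
    longer separate them."""
    entries = parse_conf(text)
    problems = []
    for name, (iface, brd) in entries.items():
        expected = iface.network.broadcast_address
        if brd and ipaddress.IPv4Address(brd) != expected:
            problems.append(
                f"{name}: brd {brd} does not match {iface.network} (expected {expected})"
            )
    for (a, (ia, _)), (b, (ib, _)) in combinations(entries.items(), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} {ia.network} overlaps {b} {ib.network}")
    return problems


if __name__ == "__main__":
    # The prefixes discussed in the thread.
    for p in ("192.168.128.0/17", "192.168.192.0/19", "192.168.192.0/18",
              "192.168.1.0/28", "192.168.1.0/30", "192.168.3.0/29", "192.168.2.0/24"):
        print(describe(p))
    for problem in check_conf(SAMPLE_CONF):
        print("PROBLEM:", problem)
```

Run as-is it prints the mask, broadcast and host count for each prefix in the thread and then flags that eth0's /17 contains eth1's /19; swap the sample for the non-overlapping 192.168.1.0/28, 192.168.2.0/24 and 192.168.3.0/24 layout suggested above and the check comes back empty.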

_______________________________________________
        Sheffield Linux User's Group
  http://www.sheflug.org.uk/mailfaq.html
 GNU - The choice of a complete generation