Security office network w/ remote access [AP model] [Linksys wireless]

Q: Now I'm sure this is somewhere below, so if I should just be referred to another thread, that's fine.

Here's the situation:
Small office wireless LAN: we have ADSL Modem -> AP (model BEFW11S4) -> (via XP Pro ICS) our PCs.
This, of course, is fairly safe for sharing files and such, as none of us has direct IP connectivity to the Internet. But we cannot run programs like VNC remote login.

Before today, we had a dynamic IP that had everyone pissed off, because we had to keep updating tables on our secure servers with our new range of IP addresses every time it reset. That is now resolved and we have a static IP for our router. Besides that, we have permission to use the wireless access point as a hub instead of a router, with individual static IPs for all.

My question is this: if we use it as a hub instead of a router, will our internal traffic / file sharing be publicly accessible? And if so, is there an easy way around this? Or can Remote Desktop with WinXP Pro handle our current situation?

I'm sorry, I'm shamefully ignorant; I've just never had to deal with this before now.

Thanks in advance for the input.


Re: Oh, if the original poster just has to use public IPs for all his LAN PCs, then I would run whatever firewall I was using in bridged mode with a router in front.
Although there is no reason you couldn't assign static public IPs to all of your LAN boxes and lock them down with the bridged firewall. But why go to all the trouble.
I still say buy a real firewall and NAT your LAN boxes behind it; if serving anything to the public, then make sure to get a firewall with a 3rd interface for the DMZ and host them there. And still use VPN tunnels to connect LANs to remotely controlled PCs/servers.

Re: Not that I don't like the PIX myself, but I like paying $375 delivered for 500 VPN tunnels, unlimited users, free lifetime firmware upgrades, SSH v2, DNS proxy and NTP serving vs $1000 for a comparably equipped PIX :-)

Throwing that wireless in there without securing it properly totally craps out any security you might have for the LAN. Hence the Smoothwall box I am setting up for 3DES IPsec for the wireless I am going to add to my LAN at work (still deciding the best way for home, as in my previous post).

Take a look at the SnapGear if you ever get the chance; it might just convert you from the PIX if you ever have a tighter budget :-)

Oh yeah, almost forgot the traffic shaping, content filtering and serial connection for modem failover (or modem dial-in access to enter the LAN or configure the SnapGear) :-)


Re: Doh.

Now that I re-read my post, I have to say that I wouldn't open any ports to any PCs on the firewall or create static one-to-one mappings. Just assign all your external IPs into one pool and let the firewall dynamically assign them. If you need to do any remote control stuff, configure VPN on the firewall and VPN in; once you are in with VPN you can do anything as if you were sitting at the office.

Is your wireless access point a router as well? I don't use any Linksys crap anymore, but I suspect it probably is. If so, and you can turn off the router portion of the box and just leave the wireless AP active, that would be the best thing to do. Let your firewall handle all the routing and DHCP stuff.

guy: that SnapGear box looks really nice. But I like my PIX 501 better :evil:


Re: Having used Netscreen, SonicWall, etc., I HIGHLY recommend a SnapGear for your needs. If you have the budget, by all means go for a PIX, but you will have to spend 3x as much on it as you would on this:
SME 550 (http://snapgear.com/sme550.html)

If anyone is NOT familiar with this product, give it a good look over. Can't tell you how happy I am with mine. Even have a NICE 3DES IPsec tunnel to my SonicWall Pro 200 @ work.


Re: Get a good firewall like a SonicWall or a Netscreen (I can't recommend any of the previously mentioned products above, never used them) or a Cisco PIX if you have the know-how and can afford it. Don't use a hub and give up NAT; NAT does provide some security against the outside world in itself. In any good firewall you should be able to create one-to-one static NAT mappings, which map your static external IP to a static internal IP; you can then open up whatever ports you need for remote control. You shouldn't think of getting a range of static external IPs as a replacement for NAT; you should think of it in terms of now you can just use static one-to-one mappings, where each PC has its own static internal address which is mapped to its own external address, instead of just pumping all your users through one global external IP that changes all the time.

Re: The 1st thing I would do is try and figure out why you think this is remotely secure in the 1st place. No offense, but in no way is that ANYWHERE near secure (let me count the ways) for a business environment.
What is your budget? The 1st thing I would do is get yourself a good firewall appliance. You can get a mid-range SnapGear or ZyWALL in the $200-300 range. Put that behind your DSL modem and you have a REAL firewall with which you can create in/out ACLs, content filter AND create endpoint VPN tunnels (which is what you want to use if you are remotely controlling PCs over the WAN connection).
Are you saying your PCs are ALL WiFi connected? If so, then you are EXTREMELY insecure right now.
Read Soybomb's thread about IPsec encrypting WiFi in the office.

I would drop the hub idea, as all your PCs will have (or need) publicly accessible IPs if nothing is used to at least NAT them (provided you are thinking of dropping ICS altogether, which is a good idea in itself, as ICS BLOWS).
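The replies above compare three ways of giving the office its static public addresses: running the AP as a hub so every PC gets a public IP, keeping NAT with one-to-one static mappings and only the ports needed for remote control opened, and keeping the pool behind the firewall and doing remote control over a VPN. The following is an added example, not code from the thread or from any of the products named in it: a small Python model of what unsolicited inbound traffic from the Internet can reach in each setup. The addresses (documentation ranges), host names, the SMB and VNC-style listeners (tcp/445 and tcp/5900 as well-known defaults) and the IKE/ESP handling are all constructed assumptions for illustration.

```python
# Added example (not from the thread): a model of what the Internet can reach
# in the three setups the replies compare. All addresses, host names and
# services below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst: str      # destination public address as seen from the Internet
    proto: str    # "tcp", "udp" or "esp"
    dport: int    # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Host:
    name: str
    ip: str                 # address configured on the host itself
    listening: frozenset    # (proto, port) services it answers on


class HubWithPublicIPs:
    """Every LAN box has its own public IP and nothing sits in front of it."""
    def __init__(self, hosts):
        self.by_ip = {h.ip: h for h in hosts}

    def deliver(self, pkt):
        h = self.by_ip.get(pkt.dst)
        if h is not None and (pkt.proto, pkt.dport) in h.listening:
            return h.name
        return None


class NatFirewall:
    """Firewall owns the public pool; the LAN uses private addresses.
    static_maps: public_ip -> private_ip (one-to-one static NAT)
    allowed:     {(public_ip, proto, port)} explicitly opened inbound
    vpn:         accept IKE (udp/500, udp/4500) and ESP addressed to the
                 firewall's own address and terminate them there (assumed)"""
    def __init__(self, hosts, fw_ip, static_maps=None, allowed=None, vpn=False):
        self.by_ip = {h.ip: h for h in hosts}
        self.fw_ip = fw_ip
        self.static_maps = dict(static_maps or {})
        self.allowed = set(allowed or ())
        self.vpn = vpn

    def deliver(self, pkt):
        if self.vpn and pkt.dst == self.fw_ip:
            if pkt.proto == "udp" and pkt.dport in (500, 4500):
                return "firewall-vpn"
            if pkt.proto == "esp":
                return "firewall-vpn"
        private = self.static_maps.get(pkt.dst)
        if private is None:
            return None                  # no mapping: unsolicited inbound is dropped
        if (pkt.dst, pkt.proto, pkt.dport) not in self.allowed:
            return None                  # mapped, but this port was never opened
        h = self.by_ip.get(private)
        if h is not None and (pkt.proto, pkt.dport) in h.listening:
            return h.name
        return None


def exposure(topology, probes):
    """Sorted (dst, proto, port, reached_service) for every probe that lands."""
    hits = []
    for p in probes:
        who = topology.deliver(p)
        if who is not None:
            hits.append((p.dst, p.proto, p.dport, who))
    return sorted(hits)


# Constructed sample office: two PCs, each running SMB file sharing (tcp/445)
# and a VNC-style remote-control listener (tcp/5900).
SERVICES = frozenset({("tcp", 445), ("tcp", 5900)})
PUBLIC = ["203.0.113.10", "203.0.113.11"]       # documentation address range
PRIVATE = ["192.168.1.10", "192.168.1.11"]
FW_IP = "203.0.113.1"

hub_hosts = [Host("pc1", PUBLIC[0], SERVICES), Host("pc2", PUBLIC[1], SERVICES)]
nat_hosts = [Host("pc1", PRIVATE[0], SERVICES), Host("pc2", PRIVATE[1], SERVICES)]

# Probes an outsider could send at each public address.
PROBES = [Packet(ip, proto, port)
          for ip in [FW_IP] + PUBLIC
          for proto, port in [("tcp", 445), ("tcp", 5900), ("udp", 500)]]
PROBES.append(Packet(FW_IP, "esp", 0))


def hub_exposure():
    """AP as a hub: file shares and remote control on every PC face the Internet."""
    return exposure(HubWithPublicIPs(hub_hosts), PROBES)


def one_to_one_exposure():
    """Static NAT for both PCs, but only pc1's remote-control port opened."""
    fw = NatFirewall(nat_hosts, FW_IP,
                     static_maps={PUBLIC[0]: PRIVATE[0], PUBLIC[1]: PRIVATE[1]},
                     allowed={(PUBLIC[0], "tcp", 5900)})
    return exposure(fw, PROBES)


def vpn_only_exposure():
    """Pooled NAT, no mappings, no opened ports: only the VPN endpoint answers."""
    return exposure(NatFirewall(nat_hosts, FW_IP, vpn=True), PROBES)


if __name__ == "__main__":
    for label, fn in [("hub", hub_exposure), ("1:1 NAT", one_to_one_exposure),
                      ("VPN only", vpn_only_exposure)]:
        print(label, fn())
```

The point the model makes is the one the replies argue over: with the hub, every listener on every PC (file sharing included) is directly reachable; with one-to-one NAT, only the ports deliberately opened are reachable, and each open port is a standing exposure; with VPN-only, nothing on the LAN answers the Internet at all and remote control happens inside the tunnel.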

