security and serving over a NIC on LAN side of router

Problems with the Windows version of XAMPP, questions, comments, and anything related.

security and serving over a NIC on LAN side of router

Postby jmichae3 » 24. August 2012 02:24

Hi everybody! Jim here.

is it secure to:
- serve apache up over a LAN side of a standard off-the-shelf router via a 192.168.1.x style address over a 2nd NIC
- open port 80 in the antivirus firewall so it can even get to the LAN or just open things FULL ACCESS for apache httpd

does this trafffic actually go outside to the ISP (I assume the ISP blocks it)?
or does it remain local?
I need a valid answer quickly.
thanks folks.

by the way, bbcode doesn't work for lists.
-------------------------
Jim Michaels
jmichae3
 
Posts: 39
Joined: 12. November 2007 09:41
Operating System: win7-64-sp1-ult-retail

Re: security and serving over a NIC on LAN side of router

Postby JonB » 24. August 2012 11:05

The answer is that it is local.

As for why -It has nothing to do with the ISP, it is a function of how the router's firmware (programming) is designed. That design encompasses two principles Network (or Native) Address Translation and the IANA-reserved private IPv4 network ranges + an agreement of best practices for ISPs and other providers that says basically "We agree to not 'route/forward' IP traffic in the reserved private ranges". A 'reserved' range also exists in IPv6.

http://en.wikipedia.org/wiki/IP_address

http://en.wikipedia.org/wiki/Network_ad ... ranslation

http://tools.ietf.org/html/rfc1918

A properly designed/configured router will keep all the traffic for the range of IP's that are set for the LAN side from reaching 'escape velocity'. The NAT specification/design does that part.

Good Luck
8)
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: security and serving over a NIC on LAN side of router

Postby jmichae3 » 02. September 2012 04:05

I found the answer to my own question. no, it is not. at least that what linksys said. best answer? get a sonicwall tz170 firewall appliance ($160-200 USD) and block port 80 LAN to WAN and hope it doesn't break yahoo mail. the sonicwall would go between the modem and the router I should think.
http://sonicwall.com

would love to have one of those so I could serve up http and other things over my LAN. if you block LAN to WAN on a few other ports like 135-139 and 445 you can safely use file and printer sharing also. I highly suggest blocking WAN to LAN as well on those. to help prevent the conficker worm, unless your work requires file and printer sharing.

the wikipedia article you mentioned said nothing about NAT having the capability to block internal transmissions from going out that I could tell. maybe you are talking about those cisco routers they put in server rooms?
I don't have one of those nor can I afford one.
-------------------------
Jim Michaels
jmichae3
 
Posts: 39
Joined: 12. November 2007 09:41
Operating System: win7-64-sp1-ult-retail

Re: security and serving over a NIC on LAN side of router

Postby JonB » 02. September 2012 04:59

Jim -

I stand by what I said. Routers/firewalls that are properly designed and implemented using NAT, by default, will not forward local traffic UNLESS YOU tell them to. Even if it 'leaked' out by error in design, the IETF RFC tells the ISPs/carriers to discard traffic that use reserved/private addresses. It is a two part design. There's the electronics for switching and a HUGE amount of software/firmware.

http://kb.netgear.com/app/answers/detai ... -firewalls

You did not reference what "Linksys said", so I cannot comment on that. For one second, let's think - if it really was as you suppose, wouldn't a lot of people be yelling and screaming?

Its actually simple enough to test. Set up a router, plug the wan side into a switch, run another patch cable to your 'source' DSL modem, whatever. then hookup a PC on that switch with Wireshark installed --- listen to the traffic.

There is a case where your ISP 'could' see your traffic, and that is if you have plugged your PC directly into an ADSL modem/router without a pure IP router in between. Note I said 'could' - that is because it would depend on how that ADSL Modem/router was set up. In the case of ADSL, you are connected as if you were a part of the ISP's own network, using a technology called DSLAM (Digital Subscriber Line Access Method). The DLSAM in your telco's C.O. effectively retimes your traffic and places it on a dedicated circuit, and there's almost zero latency between you and your ISP. Your PC is working as if it were a part of their network. Cable Modems work on the same principle, but with different media.

Short version - If you have a pure IP router between you and the internet, and it is properly designed - no one can peek in.

You can even make PC's into pure firewalls. Microsoft has a server/appliance just for that. There's also open source software for that.

You are welcome to think/believe anything you want.

Good Luck
8)

yjfs
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: security and serving over a NIC on LAN side of router

Postby jmichae3 » 04. September 2012 00:30

you must be talking about m0n0wall. I could not check output of my router unless:
- I setup static IP for internet side of router on wireshark pc,if it will work on win2k. no DNS, no internet.
OR
- I setup a DHCP server to simulate modem or ISP (I can't)
OR
- hope it works out?

one time I thought I saw some unknown IP in my logs visiting my http server. had me very concerned (my ISP?). I think this was before I started using 127.0.0.1... I assume loopback is safe.
-------------------------
Jim Michaels
jmichae3
 
Posts: 39
Joined: 12. November 2007 09:41
Operating System: win7-64-sp1-ult-retail

Re: security and serving over a NIC on LAN side of router

Postby jmichae3 » 04. September 2012 00:45

I read your URL, and you have NAT backwards. it blocks access to computers from the internet. but it doesn't do this in the reverse direction.
if you were to prevent access to outside, what you have would probably be a firewall is my guess.
-------------------------
Jim Michaels
jmichae3
 
Posts: 39
Joined: 12. November 2007 09:41
Operating System: win7-64-sp1-ult-retail

Re: security and serving over a NIC on LAN side of router

Postby JonB » 04. September 2012 16:43

Jim -

I did you the courtesy of answering your off-topic question, and I gave you an accurate answer.

The fact that you don't know how to or can't perform a test has exactly nothing to do with my original answer. I'm not here to teach a course in network design and testing, or router design principles (although it might appear so at this moment).

Let me ask you a question, how do you think I know the test for design leaks and problems with forwarding? I will answer that question -- I run a private ISP/IP distribution operation. I assure you that the answer I gave you (local traffic will not be forwarded) is correct, provided that the router is a pure IP router that is properly configured and designed. I deal with and test for these issues all the time. I have a mis-configured router issue right now, if that tenant's router forwarded their local traffic into the LAN it is free-loading off, we would have a storm of discarded packets (and a saturated network). That is not the case. What we do see is their Internet traffic as it passes through the network. This is not only the router design at work, but a matter of transport and protocol methods.

Good Luck
8)
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: security and serving over a NIC on LAN side of router

Postby jmichae3 » 06. September 2012 13:11

I guess what it really comes down to is, I can't say one way or another whether or not this linksys E4200 is properly designed. you can't manually configure it by sending it commands (unless you flash it with dd-wrt), and even if it had that feature, I wouldn't know what to do with that feature - my guess is each router is different, and I am not a router expert, but I am not a flunkie either, my focus is more on programming & writing web utilities. I can set up an IP network,but have trouble with figuring out how I am going to serve up a LOCAL dns from this lowly desktop pc because I have never done that before. I don't want it propagating outside my lan. I have set up a local mail relay/server before using Apache James, but not that.

I wish I did know how to test the router. any test that is cheap and saves me from having to buy a firewall

my router has an SPI firewall and it has NAT. what kind of NAT I don't know, it isn't clear (like all linksys stuff, all the useful details are taken away from the user, but I hear this is common with off-the-shelf routers these days - instead of selecting WPA2-AES you only get WPA2-Mixed). have not been able to get IPV6 to work if that's any indication, appears mostly disabled in this router. too late now, gotta wake up in the morning. I appreciate your tips and help.
-------------------------
Jim Michaels
jmichae3
 
Posts: 39
Joined: 12. November 2007 09:41
Operating System: win7-64-sp1-ult-retail

Re: security and serving over a NIC on LAN side of router

Postby JonB » 06. September 2012 14:45

Jim - thanks for your reply.

You are quire correct that consumer broadband router products are way short on details. Every model is literally different, because its really just a little computer with a switch built in -- its all about the programming. 99% of the functionality of a router is in the software implementation, and that is in the realm of degreed EE-CS engineers. I promise you 99.5 % of consumer broadband pure IP routers are not pure routers, almost all have a backside switch, NAT, port-forwarding, DHCP, IP and packet filtering, and software firewalls built-in that all work correctly pretty much correctly. I have no choice about the CPE (Customer Provided Equipment) that gets installed in their premises, I can only control the infrastructure that enables it, so I have seen just about every brand of router. I can honestly say I have never found a router that leaked traffic when properly configured. That was what was reflected in my original answer.

http://www.wikihow.com/Choose-the-Best- ... ur-Network

For what its worth, I only buy Cisco and Netgear equipment when it comes to switches and routers. Cisco goes into big environments and Netgear into small and mid sized businesses. I would bet I have over two hundred pieces of Netgear equipment deployed. Their stuff is very reliable, 5 year or lifetime warranties on 'Pro' equipment and they have good support. Netgear has incredibly inexpensive support plans for critical gear.

Tools: There are smart switches like the Netgear GS108T (and its bigger brothers/sisters) that allow traffic monitoring via port mirroring, they do lots of other amazing stuff - like rate limiting by port (you can set the data-rates from 4Mbps to 1000Mbps) and traffic statistics. The manual is in the 100's of pages. You can also just learn/use Wireshark with a man-in-the-middle switch. I use both approaches.

you might find this site useful:
http://www.smallnetbuilder.com/

8)

Good Luck
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: security and serving over a NIC on LAN side of router

Postby jmichae3 » 09. September 2012 09:27

for my test, I have a couple of routers to toy with and can use to isolate my testing. but because I use named virtual hosts, chances are I am not going to see anything because I know of no app which lists IP addresses of items on your network through a NAT or lists open ports. I don't know how I would discover the IP of that machine that NAT has assigned. that's the kind of tool I DON'T want to run connected to the internet.

I am starting to give up on the idea because we need the exercise in this house running up and down stairs (but I just wanted the technical prowess and to serve over a LAN).

the problem with detecting using canyouseeme.org is that in order to actually be visible on the internet, this violates some ISP's rules. so a local program is needed for detection. fortunately, serving up over 127.0.0.1 over my isp is safe.
-------------------------
Jim Michaels
jmichae3
 
Posts: 39
Joined: 12. November 2007 09:41
Operating System: win7-64-sp1-ult-retail


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 51 guests