How to add Web server to LAN safely? - Routers


Thread: How to add Web server to LAN safely?

  1. How to add Web server to LAN safely?

    I have a beginner's question. I have a small network behind a NAT
    router. I need to add a PC that will function as a low volume Web
    server. I think that the safest way to do this is to place the Web
    server behind a NAT router and have the rest of the network behind a
    second NAT router.

    The configuration would be:

    Connect the DSL line to the first router.
    Connect the Web server to the first router.
    Connect the first router to the second router.
    Have all other PCs connected to the second router.

    Is this a good solution? If not what should I do?

    --
    ..Bill.

  2. Re: How to add Web server to LAN safely?

    It would be simpler and cheaper to put the webserver PC in the DMZ of the
    (only) router. That way, any compromise of it would not permit
    cross-contamination of the other PCs behind the same router (at least as I
    understand things). The introduction of an additional router doesn't add
    much to the equation in the configuration you are suggesting. You may also
    want to go here and read this information (which may help):

    http://www.grc.com/nat/nat.htm

    and an associated page: http://www.grc.com/nat/nats.htm

    HTH



    "Bill" wrote in message
    news:O1Zxj.9$2e4.185@eagle.america.net...
    > I have a beginner's question. I have a small network behind a NAT
    > router. I need to add a PC that will function as a low volume Web
    > server. I think that the safest way to do this is to place the Web
    > server behind a NAT router and have the rest of the network behind a
    > second NAT router.
    >
    > The configuration would be:
    >
    > Connect the DSL line to the first router.
    > Connect the Web server to the first router.
    > Connect the first router to the second router.
    > Have all other PCs connected to the second router.
    >
    > Is this a good solution? If not what should I do?
    >
    > --
    > .Bill.




  3. Re: How to add Web server to LAN safely?

    Kerry Liles wrote:

    > It would be simpler and cheaper to put the webserver PC in the DMZ of
    > the (only) router. That way, any compromise of it would not permit
    > cross-contamination of the other PCs behind the same router (at least


    FYI, that is exactly the opposite of what the article at
    http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
    access to the internal network as any other machine on the internal
    network and is, therefore, a major security hole.

    > as I understand things). The introduction of an additional router
    > doesn't add much to the equation in the configuration you are
    > suggesting. You may also want to go here and read this information
    > (which may help):


    The articles are excellent. Many thanks. They show exactly how to do
    what I need using two NAT routers to isolate the Web server from the
    Internet, except for the ports that are forwarded to it, and isolate
    the other machines on the internal LAN from the Web server in case it
    is compromised.

    --
    ..Bill.

  4. Re: How to add Web server to LAN safely?

    Mea culpa. I guess I should read what I recommend!
    My apologies and kudos to you for reading carefully... I don't know what I
    was thinking (likely nothing at all).

    "comprehension isn't all that it is hyped to be..."

    "Bill" wrote in message
    news:zPZxj.11$2e4.112@eagle.america.net...
    > Kerry Liles wrote:
    >
    >> It would be simpler and cheaper to put the webserver PC in the DMZ of
    >> the (only) router. That way, any compromise of it would not permit
    >> cross-contamination of the other PCs behind the same router (at least

    >
    > FYI, that is exactly the opposite of what the article at
    > http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
    > access to the internal network as any other machine on the internal
    > network and is, therefore, a major security hole.
    >
    >> as I understand things). The introduction of an additional router
    >> doesn't add much to the equation in the configuration you are
    >> suggesting. You may also want to go here and read this information
    >> (which may help):

    >
    > The articles are excellent. Many thanks. They show exactly how to do
    > what I need using two NAT routers to isolate the Web server from the
    > Internet, except for the ports that are forwarded to it, and isolate
    > the other machines on the internal LAN from the Web server in case it
    > is compromised.
    >
    > --
    > .Bill.




  5. Re: How to add Web server to LAN safely?

    From: "Bill"

    | Kerry Liles wrote:
    |
    >> It would be simpler and cheaper to put the webserver PC in the DMZ of
    >> the (only) router. That way, any compromise of it would not permit
    >> cross-contamination of the other PCs behind the same router (at least

    |
    | FYI, that is exactly the opposite of what the article at
    | http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
    | access to the internal network as any other machine on the internal
    | network and is, therefore, a major security hole.
    |
    >> as I understand things). The introduction of an additional router
    >> doesn't add much to the equation in the configuration you are
    >> suggesting. You may also want to go here and read this information
    >> (which may help):

    |
    | The articles are excellent. Many thanks. They show exactly how to do
    | what I need using two NAT routers to isolate the Web server from the
    | Internet, except for the ports that are forwarded to it, and isolate
    | the other machines on the internal LAN from the Web server in case it
    | is compromised.
    |

    I don't see a need for two Routers.

    One Router is all that's needed. If it is a standard HTTP server, forward TCP port 80 to the
    Web Server. If it also uses SSL, port forward TCP port 443 to the web server IP address as
    well. Make the Web Server a static address.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  6. Re: How to add Web server to LAN safely?

    David H. Lipman wrote:

    > I don't see a need for two Routers.
    >
    > One Router is all that's needed. If it is a standard HTTP server,
    > forward TCP port 80 to the Web Server. If it also uses SSL, port
    > forward TCP port 443 to the web server IP address as well. Make the
    > Web Server a static address.


    Are you saying that there is no way that a hacker could hack into the
    Web server PC if port 80 is forwarded? If so, that is great.

    --
    ..Bill.

  7. Re: How to add Web server to LAN safely?

    From: "Bill"

    | David H. Lipman wrote:
    |
    >> I don't see a need for two Routers.
    >>
    >> One Router is all that's needed. If it is a standard HTTP server,
    >> forward TCP port 80 to the Web Server. If it also uses SSL, port
    >> forward TCP port 443 to the web server IP address as well. Make the
    >> Web Server a static address.

    |
    | Are you saying that there is no way that a hacker could hack into the
    | Web server PC if port 80 is forwarded? If so, that is great.
    |

    Well if you have a vulnerability on said server and the miscreant uses TCP port 80 then
    yes... it could still be hacked. But that would be the case in any other solution noted as
    well.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. Re: How to add Web server to LAN safely?

    David H. Lipman wrote:

    > Well if you have a vulnerability on said server and the miscreant
    > uses TCP port 80 then yes... it could still be hacked. But that
    > would be the case in any other solution noted as well.


    If I understand the two papers on the Gibson Research site referenced
    in Kerry Liles' earlier post, using two NAT routers with the Web server
    between the two and the rest of the computers behind the second router
    makes it impossible for the Web server to access the rest of the
    computers on the network. It is impossible for a computer on the WAN
    side of a NAT router to access computers on the LAN side of the NAT
    router. OTOH, computers on the LAN side can access the computer on the
    WAN side (the Web server). For the $30 cost of a second NAT router it
    seems like very cheap insurance.

    --
    ..Bill.
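
    Bill's reasoning above is about who can initiate a connection to whom. The following is an added example, not part of the thread: a small Python model of consumer NAT reachability that compares the three placements discussed so far (one router with TCP 80 forwarded, the router's "DMZ host" setting, and Bill's two-router layout). All host and segment names are constructed; host firewalls are not modelled.

```python
"""Which hosts can open a TCP connection to which, through consumer NAT routers.

Rules modelled (no host firewalls): hosts on one segment reach each other;
outbound through any number of NAT routers is always allowed; inbound through
a NAT router works only for a port it forwards, and only to the host it
forwards to ('*' stands for the consumer "DMZ host" setting, which forwards
every port). All names and segments are constructed for this example.
"""
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str                 # also names its WAN-side address
    wan: str                  # segment its WAN port sits on
    lan: str                  # segment it creates behind itself
    forwards: dict = field(default_factory=dict)  # port or '*' -> host name

@dataclass
class Network:
    hosts: dict               # host name -> segment it sits on
    routers: list

    def _router_for(self, seg):
        """Router whose LAN is `seg`, or None for the top-level Internet."""
        return next((r for r in self.routers if r.lan == seg), None)

    def _chain(self, seg):
        """Segments from `seg` outward to the Internet, nearest first."""
        out = [seg]
        while (r := self._router_for(seg)) is not None:
            seg = r.wan
            out.append(seg)
        return out

    def can_connect(self, src, dst, port):
        a, b = self._chain(self.hosts[src]), self._chain(self.hosts[dst])
        common = next(s for s in a if s in b)   # innermost shared segment
        # src -> common is outbound NAT, always fine. From common down to
        # dst, every router on the way must forward `port` to the next hop.
        down = b[:b.index(common)][::-1]
        for i, seg in enumerate(down):
            r = self._router_for(seg)
            hop = dst if i == len(down) - 1 else self._router_for(down[i + 1]).name
            if r.forwards.get(port, r.forwards.get('*')) != hop:
                return False
        return True

def single_router():
    """One router, TCP 80 forwarded to the web server; PCs on the same LAN."""
    r = Router("router1", "internet", "lan", {80: "webserver"})
    return Network({"outside": "internet", "webserver": "lan", "pc": "lan"}, [r])

def dmz_host():
    """Web server set as the router's 'DMZ host': every port forwarded to it."""
    r = Router("router1", "internet", "lan", {"*": "webserver"})
    return Network({"outside": "internet", "webserver": "lan", "pc": "lan"}, [r])

def double_nat():
    """Web server on the first router's LAN, other PCs behind a second router."""
    r1 = Router("router1", "internet", "lan1", {80: "webserver"})
    r2 = Router("router2", "lan1", "lan2")      # nothing forwarded inward
    return Network({"outside": "internet", "webserver": "lan1", "pc": "lan2"},
                   [r1, r2])

def isolation_report(net):
    """The thread's question: can a compromised web server reach the PCs?"""
    return {"outside->webserver:80": net.can_connect("outside", "webserver", 80),
            "outside->webserver:445": net.can_connect("outside", "webserver", 445),
            "webserver->pc:445": net.can_connect("webserver", "pc", 445),
            "pc->webserver:80": net.can_connect("pc", "webserver", 80)}
```

    Port 445 stands in for any LAN-only service such as Windows file sharing; the model only answers the reachability question, and says nothing about hostile content served to LAN browsers from a compromised page.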

  9. Re: How to add Web server to LAN safely?

    From: "Bill"

    | David H. Lipman wrote:
    |
    >> Well if you have a vulnerability on said server and the miscreant
    >> uses TCP port 80 then yes... it could still be hacked. But that
    >> would be the case in any other solution noted as well.

    |
    | If I understand the two papers on the Gibson Research site referenced
    | in Kerry Liles' earlier post, using two NAT routers with the Web server
    | between the two and the rest of the computers behind the second router
    | makes it impossible for the Web server to access the rest of the
    | computers on the network. It is impossible for a computer on the WAN
    | side of a NAT router to access computers on the LAN side of the NAT
    | router. OTOH, computers on the LAN side can access the computer on the
    | WAN side (the Web server). For the $30 cost of a second NAT router it
    | seems like very cheap insurance.
    |

    Insurance? From what?

    I don't see a problem or a need for two NAT Routers.

    So the web server can be seen by LAN side nodes and vice versa. What's the problem?

    Remember SOHO Routers have high latency. Two NAT Routers means you effectively double the
    latency.

    BTW: GRC -- what a laugh.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  10. Re: How to add Web server to LAN safely?

    Hi...

    I've read some of the other replies, and there are a lot of good ideas
    there. Let me relate what I ended up doing, and sort of 'why'.

    Originally I put my server on port 80, and set my router to forward any
    inbound port 80 traffic to it. Seemed to be a straightforward
    approach. I tried to lock that computer down as tightly as possible so
    hackers wouldn't be able to easily break into it. That does require that the
    router know the IP address for the computer you are forwarding to! The
    Netgear router I use will reserve IP addresses for specific MAC
    addresses within the dynamic range it hands out. So any time the server
    computer is booted, it would request an IP via DHCP, and the router
    would always hand it the same address. If you want to use static IP
    addresses, I see nothing wrong with that -- I guess a computer that is
    only a server really doesn't need to know where DNS servers are, and so
    on.

    Watching the activity on the server, I was surprised at the number of
    connection attempts to it. Large numbers of attempts to connect, and
    for each packet in, I was responding with several replies. That is
    normal in a TCP handshake situation, until a connection is established
    -- but that should be almost immediate. And what got me even more
    concerned, some of the attempts to connect to my server were from IP
    addresses on the web that would never be trying to connect.

    Keep in mind a connection can be made by a user either using a URL, or
    an IP address. My friends were given the URL, but anyone who knew the
    IP could use it directly.

    I am on a DSL line, and, like many broadband residential services, the
    IP address can change -- it is a dynamic IP rather than a static address
    that never changes. So, I used a redirection service. The one I use is
    DynDNS.org, but there are other ones out there that do the same. For low
    volume users, they are free. I supply them with my IP address, and they
    supply me with a URL that gets linked to it. My router even has the
    ability to automatically update the IP with them, should it change.

    When I realized what was going on, I moved my server off of port 80 to
    an unused port number. I also changed the port forwarding in the router
    to forward the new address rather than 80. Now port 80 is not responded
    to. I'm sure you've seen some URLs that have port numbers tacked on
    (like :8080). Now, anyone who knew the URL and the port number could
    still connect, but the casual bad guy scanning IP addresses would not
    find it.

    Obviously, the need for that port number on a URL isn't the greatest!
    At DynDNS they have another feature where a URL on port 80 can get
    forwarded to another URL using a different port. So, now I use for the
    public URL one at DynDNS that doesn't require a port number, and it gets
    forwarded to whatever IP address I happen to have at the time and at the
    port I have set up for the server.

    Actually, I have a couple of very low volume servers here, and this
    allows me to have both on one DSL line with no problems.

    I hope I haven't made this sound too complicated! It really turns out
    to be straightforward!

    ....Bob

    (For reference only, the original message follows)



    Bill wrote:
    >
    > I have a beginner's question. I have a small network behind a NAT
    > router. I need to add a PC that will function as a low volume Web
    > server. I think that the safest way to do this is to place the Web
    > server behind a NAT router and have the rest of the network behind a
    > second NAT router.
    >
    > The configuration would be:
    >
    > Connect the DSL line to the first router.
    > Connect the Web server to the first router.
    > Connect the first router to the second router.
    > Have all other PCs connected to the second router.
    >
    > Is this a good solution? If not what should I do?
    >
    > --
    > .Bill.


    --
    The FROM: email address has been set up for receiving SPAM.
    Don't bother using it -- email to it won't be read.
    Right now, you can use: posts01 [at-sign] kesters [DOT] org
    (Until the scumbags figure that one out.)

  11. Re: How to add Web server to LAN safely?

    From: "Bob Kester"

    | Hi...
    |
    | I've read some of the other replies, and there are a lot of good ideas
    | there. Let me relate what I ended up doing, and sort of 'why'.
    |
    | Originally I put my server on port 80, and set my router to forward any
    | inbound port 80 traffic to it. Seemed to be a straightforward
    | approach. I tried to lock that computer down as tightly as possible so
    | hackers wouldn't be able to easily break into it. That does require that the
    | router know the IP address for the computer you are forwarding to! The
    | Netgear router I use will reserve IP addresses for specific MAC
    | addresses within the dynamic range it hands out. So any time the server
    | computer is booted, it would request an IP via DHCP, and the router
    | would always hand it the same address. If you want to use static IP
    | addresses, I see nothing wrong with that -- I guess a computer that is
    | only a server really doesn't need to know where DNS servers are, and so
    | on.
    |
    | Watching the activity on the server, I was surprised at the number of
    | connection attempts to it. Large numbers of attempts to connect, and
    | for each packet in, I was responding with several replies. That is
    | normal in a TCP handshake situation, until a connection is established
    | -- but that should be almost immediate. And what got me even more
    | concerned, some of the attempts to connect to my server were from IP
    | addresses on the web that would never be trying to connect.
    |
    | Keep in mind a connection can be made by a user either using a URL, or
    | an IP address. My friends were given the URL, but anyone who knew the
    | IP could use it directly.
    |
    | I am on a DSL line, and, like many broadband residential services, the
    | IP address can change -- it is a dynamic IP rather than a static address
    | that never changes. So, I used a redirection service. The one I use is
    | DynDNS.org, but there are other ones out there that do the same. For low
    | volume users, they are free. I supply them with my IP address, and they
    | supply me with a URL that gets linked to it. My router even has the
    | ability to automatically update the IP with them, should it change.
    |
    | When I realized what was going on, I moved my server off of port 80 to
    | an unused port number. I also changed the port forwarding in the router
    | to forward the new address rather than 80. Now port 80 is not responded
    | to. I'm sure you've seen some URLs that have port numbers tacked on
    | (like :8080). Now, anyone who knew the URL and the port number could
    | still connect, but the casual bad guy scanning IP addresses would not
    | find it.
    |
    | Obviously, the need for that port number on a URL isn't the greatest!
    | At DynDNS they have another feature where a URL on port 80 can get
    | forwarded to another URL using a different port. So, now I use for the
    | public URL one at DynDNS that doesn't require a port number, and it gets
    | forwarded to whatever IP address I happen to have at the time and at the
    | port I have set up for the server.
    |
    | Actually, I have a couple of very low volume servers here, and this
    | allows me to have both on one DSL line with no problems.
    |
    | I hope I haven't made this sound too complicated! It really turns out
    | to be straightforward!
    |
    | ...Bob


    Good Job!


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  12. Re: How to add Web server to LAN safely?

    I think you are trying to isolate the web server from your other LAN
    clients. You might want to look into getting a router that supports VLANs.

    --
    JL


  13. Re: How to add Web server to LAN safely?

    From: "Johnnie Leung"

    | I think you are trying to isolate the web server from your other LAN
    | clients. You might want to look into getting a router that supports VLANs.
    |

    Certainly not a SOHO solution.

    A managed Ethernet Switch would support VLANs in conjunction with a SOHO Router.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  14. Re: How to add Web server to LAN safely?

    Johnnie Leung wrote:

    > I think you are trying to isolate the web server from your other LAN
    > clients. You might want to look into getting a router that supports
    > VLANs.


    Other way around. I am trying to protect the other PCs on the LAN from
    a Web server that gets hacked.

    --
    ..Bill.

  15. Re: How to add Web server to LAN safely?

    Thanks for the detailed explanation.


    --
    ..Bill.

  16. Re: How to add Web server to LAN safely?

    From: "Bill"

    |
    | Other way around. I am trying to protect the other PCs on the LAN from
    | a Web server that gets hacked.
    |

    You have to make sure that the web server is completely mitigated of vulnerabilities.
    You can start with Secunia's Software Inspector run on the web server.
    http://secunia.com/software_inspector

    Let's say that the server was indeed hacked. For example an SQL Injection or a PHP exploit.
    In such an instance, the hacker would most probably insert malicious code in your HTML files
    such that an IFrame Exploit, or other exploit, is inserted such that the web site viewer is
    taken to another malicious web site that then causes a malicious file download. In this
    case any of the above mentioned methodologies wouldn't help. Any LAN nodes or WAN nodes
    loading the web page would be vulnerable. We are not talking about a virus on your web
    server that would spread from the web server to the LAN nodes. That would not be a hack
    attack. That would be a case of server infection. In that case the above mentioned
    methodologies would help to mitigate this kind of threat. An example would be an SDBot that
    infected the web server and then spread to the LAN nodes. However, BOTs don't use TCP port
    80 (or an alternate such as 8080) and the NAT Translation of the Router would protect the
    web server from getting infected from WAN nodes.

    Having a web server and understanding the needs of securing it is a lengthy subject. You
    have to look at all avenues and there are many.

    I guess if you really want two NAT Routers, go for it. However, don't think that this is a
    cure-all. It isn't. The most important thing is to have anti virus running on the web
    server and making sure all software components, and I mean all, are kept up to date and all
    vulnerabilities are mitigated. This means being proactive. Additionally, as a web server,
    it shouldn't be used to 'browse' the Internet. As a server, this would degrade its
    information assurance level and make the web server vulnerable to infection. All browsing
    should be done on workstations, and only log on to the web server when updating it or
    installing trusted applications.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  17. Re: How to add Web server to LAN safely?

    Thanks Dave. I think I now have a good understanding of how to approach
    this project. I have learned a lot that would have taken much longer
    without your help and you've convinced me that two routers are not
    really necessary.

    --
    ..Bill.

  18. Re: How to add Web server to LAN safely?

    From: "Bill"

    | Thanks Dave. I think I now have a good understanding of how to approach
    | this project. I have learned a lot that would have taken much longer
    | without your help and you've convinced me that two routers are not
    | really necessary.
    |

    YW and good luck in your project.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  19. Re: How to add Web server to LAN safely?


    "David H. Lipman" wrote in message
    news:mWbyj.7411$li.3045@trnddc06...
    > From: "Johnnie Leung"
    >
    > | I think you are trying to isolate the web server from your other LAN
    > | clients. You might want to look into getting a router that supports
    > VLANs.
    > |
    >
    > Certainly not a SOHO solution.


    Why not? I am using one such ('SOHO') router now for my residential
    broadband connection.

    > A managed Ethernet Switch would support VLANs in conjunction with a SOHO
    > Router.


    And managed switches are SOHO gear?

    --
    JL


  20. Re: How to add Web server to LAN safely?


    "Bill" wrote in message
    news:7Ocyj.29$2e4.1163@eagle.america.net...
    >
    > Other way around. I am trying to protect the other PCs on the LAN from
    > a Web server that gets hacked.


    Doesn't matter which way. VLANs can't see one another, period.

    --
    JL

