Separate subnets on the same physical network

Post by David Brow » Tue, 14 Dec 2010 07:54:34



I've made a setup with two different subnets on the same physical
network, with the router PC having an alias on the same subnet.  Thus I
have:

eth0 = 192.168.0.1, netmask 255.255.255.0
eth0:1 = 192.168.1.1, netmask 255.255.255.0

Most nodes connected to network are on the 192.168.0.x subnet, but I
also have another router set up with a static address 192.168.1.2.
Everything works smoothly, and it has let me solve some routing problems
I was having when the extra router had a 192.168.0.x address.

Now I am wondering about the security implications of such a setup -
specifically, what are the realistic risks assuming the user of a
machine on the network has no ill intent?  I try to keep a tight rein
on machines connected to the company network, and I don't allow machines
from outside to be connected.  But sometimes it would be very convenient
if it /were/ allowed, with limited and controlled access.

So suppose the router were set up with some simple iptables rules
allowing 192.168.1.x machines access to the internet, but no packets
back and forth to 192.168.0.x.  If an external unchecked machine is
given address 192.168.1.100 on this network, what harm can be done to
192.168.0.x machines, assuming the user is not malicious, but that the
machine is a Windows machine with some common malware?

Obviously if the user was malicious, or if an external cracker were
directly in control of the machine, then it's easy to manually configure
a static address in the 192.168.0.x range.  And any sort of Ethernet
capture software would be able to view broadcast traffic.

But I think malware would not spot the other network - any broadcasts or
searches for neighbouring machines would target the 192.168.1.x subnet.
The 192.168.0.x machines would be effectively invisible.  Or am I
being overly optimistic here?

Security is always a balance between user convenience and the security
of the network - the safest network is the one where no users are
allowed to connect.  If alternative subnets like this can give a low
enough risk of problems, balanced with a high enough user convenience of
allowing occasional outside machines to connect, then it might be a very
useful tool for our network.


Separate subnets on the same physical network

Post by a.. » Tue, 14 Dec 2010 09:40:35


Hi...



>I've made a setup with two different subnets on the same physical
>network, with the router PC having an alias on the same subnet.  Thus I
>have:

>eth0 = 192.168.0.1, netmask 255.255.255.0
>eth0:1 = 192.168.1.1, netmask 255.255.255.0

[clipped for brevity...]

>But I think malware would not spot the other network - any broadcasts or
>searches for neighbouring machines would target the 192.168.1.x subnet.
>  The 192.168.0.x machines would be effectively invisible.  Or am I
>being overly optimistic here?

Malware might not see it, but as broadcasts in the 192.168.0.0/24 network
do reach the machines in the 192.168.0.1/24 network, too, the setup would
be not too difficult to guess. And I at least would routinely look for all
kinds of traffic when surveying a network, more so if I would do it with bad
intent.

>Security is always a balance between user convenience and the security
>of the network - the safest network is the one where no users are
>allowed to connect.  If alternative subnets like this can give a low
>enough risk of problems, balanced with a high enough user convenience of
>allowing occasional outside machines to connect, then it might be a very
>useful tool for our network.

Yeah. But I would not consider this barrier as a relevant deterrent to
consider the risk to be significantly lowered.

cu

AW
--
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)



Separate subnets on the same physical network

Post by David Brow » Tue, 14 Dec 2010 20:18:21



> Hi...



>> I've made a setup with two different subnets on the same physical
>> network, with the router PC having an alias on the same subnet.  Thus I
>> have:

>> eth0 = 192.168.0.1, netmask 255.255.255.0
>> eth0:1 = 192.168.1.1, netmask 255.255.255.0

> [clipped for brevity...]

>> But I think malware would not spot the other network - any broadcasts or
>> searches for neighbouring machines would target the 192.168.1.x subnet.
>>   The 192.168.0.x machines would be effectively invisible.  Or am I
>> being overly optimistic here?

> Malware might not see it, but as broadcasts in the 192.168.0.0/24 network
> do reach the machines in the 192.168.0.1/24 network, too, the setup would
> be not too difficult to guess. And I at least would routinely look for all
> kinds of traffic when surveying a network, more so if I would do it with bad
> intent.

IP-level broadcasts will not cross the networks - a broadcast on
192.168.1.0/24 will not be seen by 192.168.0.0/24 machines (or rather,
it will be seen and ignored).

But non-IP broadcasts will certainly reach all machines.

>> Security is always a balance between user convenience and the security
>> of the network - the safest network is the one where no users are
>> allowed to connect.  If alternative subnets like this can give a low
>> enough risk of problems, balanced with a high enough user convenience of
>> allowing occasional outside machines to connect, then it might be a very
>> useful tool for our network.

> Yeah. But I would not consider this barrier as a relevant deterrent to
> consider the risk to be significantly lowered.

My concern is lowering the risks for common malware.  I am not concerned
about intentional attacks - these won't happen (to be precise, I view
the likelihood to be too small to worry about).  The biggest question is
thus whether common Windows worms are going to be able to spread from an
infected machine on the 192.168.1.x network onto machines on the
192.168.0.x network.
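The exchange above turns on what a host numbered 192.168.1.x can actually learn from the wire. The following is an added example, not code from either poster: it parses constructed Ethernet frames of the two kinds discussed (ARP requests, which are the non-IP broadcasts every IPv4 host must send and which carry the sender's IP address in the ARP body, and an IPv4 directed broadcast to 192.168.0.255, which the 192.168.1.x stack ignores but the NIC still delivers to a sniffer) and groups the sender addresses it sees into /24 networks other than its own. The MAC and IP addresses in the sample frames are assumptions made for the example. None of these frames ever passes through the router PC, so the iptables FORWARD rules described in the first post are never consulted for them; only VLANs or physically separate segments would change what this listener sees.

```python
"""
Passive subnet discovery from broadcast frames on a shared Ethernet segment.

Added example for this thread (not from the original posts).  It models what
a sniffer, or a worm with a passive ARP listener, running on a host numbered
192.168.1.100 learns from frames that the router's FORWARD chain never sees,
because none of them is routed.  All frames below are constructed for the
example, not captured; addresses are assumed.
"""
import struct
import ipaddress
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return ipaddress.IPv4Address(s).packed


def arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet II + ARP 'who-has' broadcast, as every IPv4 host emits it.
    There is no IP header at all; the sender's IP sits in the ARP body."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # htype, ptype, hlen, plen, op=request
    arp += mac(sender_mac) + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)
    return BROADCAST_MAC + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def ipv4_broadcast(sender_mac, sender_ip, dst_ip, payload=b""):
    """Ethernet II + minimal IPv4 header to a directed broadcast address.
    The header checksum is left zero; it is not needed for this example."""
    total = 20 + len(payload)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0, ip(sender_ip), ip(dst_ip))
    return BROADCAST_MAC + mac(sender_mac) + struct.pack("!H", ETHERTYPE_IPV4) + iph + payload


def observed_sources(frames):
    """Return {sender_ip: sender_mac} for every broadcast frame that names an IPv4 source.
    Non-broadcast frames are skipped: on a switch a non-promiscuous listener never gets them."""
    seen = {}
    for f in frames:
        if len(f) < 14 or f[:6] != BROADCAST_MAC:
            continue
        ethertype = struct.unpack("!H", f[12:14])[0]
        src_mac = f[6:12].hex(":")
        body = f[14:]
        if ethertype == ETHERTYPE_ARP and len(body) >= 28:
            seen[str(ipaddress.IPv4Address(body[14:18]))] = src_mac   # ARP sender protocol address
        elif ethertype == ETHERTYPE_IPV4 and len(body) >= 20:
            seen[str(ipaddress.IPv4Address(body[12:16]))] = src_mac   # IPv4 source address
    return seen


def foreign_subnets(sources, own_network, prefix=24):
    """Group observed sender addresses into /prefix networks and drop the listener's own."""
    own = ipaddress.ip_network(own_network, strict=False)
    groups = defaultdict(set)
    for addr in sources:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if net != own:
            groups[str(net)].add(addr)
    return {net: sorted(hosts) for net, hosts in groups.items()}


# Constructed sample traffic (assumed addresses), as seen by a NIC on the shared segment.
SAMPLE_FRAMES = [
    # 192.168.0.x hosts resolving each other and the router: plain ARP, no IP header.
    arp_request("00:11:22:33:44:01", "192.168.0.10", "192.168.0.1"),
    arp_request("00:11:22:33:44:02", "192.168.0.25", "192.168.0.10"),
    # The router's eth0:1 alias resolving the visitor's address.
    arp_request("00:11:22:33:44:ff", "192.168.1.1", "192.168.1.100"),
    # A NetBIOS-style directed broadcast from a 192.168.0.x box (placeholder payload).
    ipv4_broadcast("00:11:22:33:44:03", "192.168.0.40", "192.168.0.255", b"\x00" * 8),
    # A unicast frame to the router's MAC: a switch does not deliver it to the listener.
    mac("00:11:22:33:44:ff") + mac("00:11:22:33:44:04") + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19,
]


def survey(frames=SAMPLE_FRAMES, own_network="192.168.1.0/24"):
    """What a listener on the 192.168.1.0/24 side learns about other subnets on the wire."""
    return foreign_subnets(observed_sources(frames), own_network)


if __name__ == "__main__":
    for net, hosts in survey().items():
        print(net, hosts)
```

Running it lists 192.168.0.0/24 with the three hosts that spoke, from ARP alone in two of the cases. A real listener would use a raw socket or libpcap instead of the constructed list, and a worm doing the same thing needs no more privilege than the packet-capture driver already present on many Windows installs.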

2 Physical Networks, One Subnet - Possible?

I have the following network I am trying to configure:

Internet <->Linux1<->Linux2<->More boxes

I have a small chunk of a Class C network, with Linux1, Linux2 and
more Boxes all in that subnet range.

Linux1 is happily configured as being multi-homed (PPP, NIC) between
my network and the ISP.

Linux2 is also multi-homed with 2 NICs (1 TP, 1 BNC).

Is there a way without sub-netting, or masquerading, that all of my
boxes can happily exist?

At the moment I have used host routes on Linux2 to point to More boxes
through NIC1 and Linux1 through NIC2.
This works all fine and dandy except:
ARP messages aren't forwarded by Linux2 and as a result Linux1 and
More boxes don't respond to each other, but the routing is such that
all boxes can get onto the Internet.

Am I trying to do the impossible here, having 2 physical networks
but only one subnet?
I looked at the ARP proxy HOWTO, but that doesn't seem to apply.
Is IP Aliasing what I need?

TIA
