Re: upgrade from 98 to XP

Subject: Re: upgrade from 98 to XP
From: Sandy Harris <sandy -at- storm -dot- ca>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Wed, 06 Feb 2002 00:02:37 -0500

Andrew Plato wrote:
>
> "Steve Hudson" wrote
>
> > 2 NICs (Network Interface Cards). One has the IP for your external
> > gateway and goes to the router. One has the IP 192.168.0.1, which is IP
> > slang for "local server".

You're a bit confused there.

> This is not necessary. The original poster has a router, which is the best
> way to go.

Yes, a router can be a good way to go.

> Dual NIC gateways, which is what Steve is suggesting, are a very bad idea.

A dual NIC gateway is just a PC (or whatever) set up to act as a
router. Provided you know how to set it up, it is just as effective
and can be as secure.

> They are EXTREMELY easy to hack. I have a client whose entire network was
> melted down thanks to a dual-nic WinNT gateway. The hacker planted some
> nasty crap on the gateway then had his way with the internal machines
> (about 40 of them).

I'm not sure if NT can be set up securely. People I respect, and who
know a lot more about NT than I do, say it can, and rely on it for
some fairly important things. Other folks I also respect just laugh
at the notion that any Microsoft product can be set up securely.

If it cannot, then the mistake above was using NT. If it can, then
the mistake was not setting it up right.

The basic rule is do not try to do this unless you know quite a
lot about the tools you will use, and are willing to put considerable
effort into securing the box.

> The best config for a small home LAN is to just buy one of those Linksys
> or Netgear routers. The 4-port Linksys are down to like $75.00 and A LOT
> easier to use than a dual NIC box.

For many people, yes.

> And if you do the "DMZ to nowhere"
> trick (as I described), you'll actually send inbound hack attempts into
> oblivion, slowing down script kiddies armed with port scanners.

I missed that. Please repeat here or in off-list mail to me.

> If you really want security, the best answer is a true firewall running
> something like BSD. These suckers are rock solid. But they are not for the
> faint-of-technical-heart. I use one of these in my office (in addition to
> about 5 different IDS products). Nothing gets through them.

Yes, but only if you know enough about Unix to set them up right, or
the application is important enough to contract an expert.

> 192.168.0.1 is not slang for "local server"; it's not slang for anything.
> The loopback address is 127.0.0.1. And it's slang for "localhost."
>
> And nobody with a small LAN should use a submask of 255.255.0.0 unless
> they plan on expanding their home office to include 16 million hosts

Nitpicking: 255.0.0.0 is 16 million. 255.255.0.0 is only 64 K.
But you're right; it is silly for a small LAN.

> across 256 subnets (True Class C)! A /25 (255.255.255.128) subnet mask is
> more than enough for most home offices. It can have 128 (192.168.1.1 -
> 198.168.1.128) IP addresses and it is limited to 2 subnets, thus reducing
> the chance somebody could try to poison your routing tables or send over
> spoofed packets with a higher IP address.
>
> If you're bored, play with this subnet mask calculator:
> http://www.tcpipprimer.com/subnet.cfm?useDHTML=0

The subnet mask stuff is actually fairly simple.
http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/glossary.html#subnet

RFC 1918 allocates three ranges of addresses for private networks:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
so you can assign any range in there for a local net.

Most people use 192.168.0.0/24 or 182.168.1.0/24.

Andrew correctly points out that you really don't need a /24 (256 addresses)
for a local net, and suggests using a /25. Not a bad idea, but still
128 addresses. Likely most people could use a /27 (32 addresses)
and still be fine. Anyway, I don't think this matters much. Having
a few extra addresses available does no harm.

I'd suggest using anything but 192.168.0.0/24 or 192.168.1.0/24.
Almost everyone uses those so anyone probing your net and trying
to guess your hidden addresses will try those first. Also, if you
try to build a VPN between two offices, there can be problems if
both offices are using the same range of hidden addresses. So use
any of:
192.168.a.0/24 2 <= a <= 255
172.a.b.0/24 16 <= a <= 31, 0 <= b <= 255
10.a.b.0/24 0 <= a <= 255, 0 <= b <= 255

or any /25 or /27 subnet under these.
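The address arithmetic argued over in this thread (mask size versus host count, which ranges RFC 1918 reserves, and why two offices on the same 192.168.x.0/24 collide when they build a VPN) in a small Python check. This is an added example, not part of the original post; the "overused" list encodes Sandy's advice to avoid 192.168.0.0/24 and 192.168.1.0/24, and the sample networks are constructed.

```python
import ipaddress

# The three private ranges RFC 1918 allocates, as listed in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The two ranges the post says almost everyone uses: the first guesses a
# prober tries, and the usual cause of address clashes between VPN sites.
OVERUSED = [ipaddress.ip_network(n)
            for n in ("192.168.0.0/24", "192.168.1.0/24")]


def address_count(mask_or_prefix: str) -> int:
    """Addresses covered by a dotted mask ('255.255.0.0') or a prefix ('/25').

    Settles the nitpick in the thread: 255.0.0.0 is 16 million, 255.255.0.0 is 64K.
    """
    spec = mask_or_prefix.lstrip("/")
    return ipaddress.ip_network(f"0.0.0.0/{spec}").num_addresses


def check_lan(cidr: str) -> dict:
    """Classify a proposed LAN range: size, RFC 1918 membership, and whether it
    falls in (or contains) one of the overused ranges."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept a host address too
    private = any(net.subnet_of(r) for r in RFC1918)
    overused = any(net.subnet_of(o) or o.subnet_of(net) for o in OVERUSED)
    return {"network": str(net), "addresses": net.num_addresses,
            "rfc1918": private, "overused": overused}


def vpn_overlap(site_a: str, site_b: str) -> bool:
    """True when two offices' hidden ranges overlap, so a site-to-site VPN
    cannot tell which side a destination address belongs to."""
    return ipaddress.ip_network(site_a, strict=False).overlaps(
        ipaddress.ip_network(site_b, strict=False))


if __name__ == "__main__":
    for m in ("255.0.0.0", "255.255.0.0", "/24", "/25", "/27"):
        print(f"{m:>14}: {address_count(m):>10} addresses")
    # Constructed candidates: the default everyone picks versus a quieter /27.
    for cidr in ("192.168.1.0/24", "172.20.5.0/27", "8.8.8.0/24"):
        print(check_lan(cidr))
    print("VPN clash:", vpn_overlap("192.168.1.0/24", "192.168.1.0/25"))
    print("VPN clash:", vpn_overlap("192.168.7.0/24", "10.3.4.0/24"))
```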
