
Router-less Network & internet gateway connectivity/security risks.

Status
Not open for further replies.

HunterDG

IS-IT--Management
Sep 16, 2007
6
US
Here's a scenario:

1 unmanaged switch.

connected to this switch are:

1 server (dhcp, LAN default gateway, amongst others) 10.10.10.1 / 255.255.255.0 dhcp hands out 10.10.10.x
2+ computers (dhcp clients)
1 cable/dsl modem with a publicly routable IP range (let's say 64.233.187.96-99 / 255.255.255.252)

the modem (64.233.187.96, publicly routable IP range) is connected to the unmanaged switch, but does not have any of the other IPs associated with any computer's NIC.

I was once under the assumption that because the subnets are different, the two networks can't - SEE - each other, but after some brief reading on the purpose of subnetting, I'm confused. It appears (one of) its purposes is to help define a chunk of IP addresses that have been allotted, such that:
10.42.219.84 / 255.255.255.255
is the same as
10.42.219.84 / 255.255.255.0
is the same as
10.42.219.84 / 255.135.028.238
the only difference being the first one is the only possible IP, the second one is in a range of 254 contiguous IPs (1-254), while the third is in a range of ? non-contiguous IPs.
(if I had three PCs assigned with the IP/subnet masks above, there'd be an IP conflict)

Is this correct?

questions:

1. What is the relationship between the public IP range and the private LAN?

2. Can the public (ISP) and the private (intranet) IPs -SEE- each other, if no computer has a PUBLIC IP associated with a NIC?

3. What is the relationship between the public and private IPs:

a. if I assign one of the PCs' NICs a PUBLIC ISP IP?

b. if I assign said PC both the public AND a private IP?

c. if I assign static routes on said PC such that all private IP requests are routed to the LAN's gateway, and set the public IP with a lower metric than the LAN such that all non-private IP requests are transmitted to the PUBLIC ISP IP? i.e.:
NIC:
IP:10.10.10.5 / 255.255.255.0
IP:64.233.187.97 / 255.255.255.252
gateway:10.10.10.1 metric 10
gateway:64.233.187.96 metric 5

route add 10.0.0.0 mask 255.0.0.0 10.10.10.1 /p
route add 172.16.0.0 mask 255.240.0.0 10.10.10.1 /p
route add 192.168.0.0 mask 255.255.0.0 10.10.10.1 /p

4. Why must I have a public IP assigned to a PC for it to 'see' and be able to use the public IP gateway?

Please let me know if I need to clarify, AND THANKS IN ADVANCE for any helpful suggestions/answers.

If your comment is not constructive/helpful, please keep it to yourself!

HunterDG
 
First off, a subnet is a different network, and you need a layer 3 device such as a router or a layer 3 switch for them to see each other. Second, subnet masks determine the number of subnets and the number of hosts per subnet by having all the 1's (binary conversion) represent the networks, and the leftover bits (zeroes) represent the hosts per subnet. The 255.255.255.255 mask represents a direct host address in a ppp (point-to-point link ONLY, like PPPoE with adsl), and the only derivatives of any possible subnet mask can possibly be only multiples of the powers of 2, so the second, third and fourth octets can only be .128, .192, .220, .240, .248, .252, .254 and .255, NOT 255.135.028.238. The examples given of 10.42.219.84 / 255.255.255.255 and 10.42.219.84 / 255.255.255.0 are NOT the same---the first is a host address, and the second is the host in the network consisting of 10.42.219.0, usable IP addresses being 10.42.219.1 through 10.42.219.254, as 10.42.219.255 is the broadcast address of this subnet. The term "subnet" usually only refers to a network space that is not the default mask. For example, 10.42.219.0/24 (which means 24 bits, or 255.255.255.0) is a subnet, because the default mask for a class A address is /8, or 255.0.0.0.
The private IP addresses behind a router are able to see the public IP addresses out there because of a technology called NAT, or Network Address Translation. This takes the private IP addresses on your LAN and converts them to inside global and outside global IP addresses, because private IP addresses are NOT routable on the internet, which is the entire point of RFC1918, or private CIDR IP addresses (Classless Inter Domain Routing, meaning private IP addresses that do not need the default classful mask, like 10.x.x.x/8 can be subnetted into a bunch of 10.x.x.x/24 subnetworks).
To answer the metric thing, I think you are confused on the term "metric"...
You do not need a public IP address assigned to a pc in order for it to reach the internet, provided your router NATs. Having a public IP address assigned to a node behind a router is very insecure, though people do this. Usually these are web servers in what is known as a "dirty DMZ", DMZ being de-militarized zone, and dirty describing the fact that they have public IP addresses. This is done so people from the outside can reach the domain via the public IP address, or the dns name. If the servers in the dmz had private IP addresses, a static NAT translation would have to be configured on the gateway router.
As far as two subnets not being able to see each other, well, this is what a router does---it routes logical IP addresses between each other. For nodes to communicate in the same subnet, a router is not needed---but a switch is, unless two nodes are directly connected to each other via crossover cable. The switch provides the necessary data link, or layer 2, communication establishment between nodes.
Hope this answers your questions. If you want some reading material, let me know.

Burt
 
HMM..

I had read about the subnet 'mask' purpose you described, to define subnet vs. host, but it sounds like I may be confusing "subnet" and "subnet mask".

To clarify, the setup I described above is devoid of routers and NAT.

I am curious how the IPs/subnets interact in such a situation.

Could you possibly review my questions with that in mind?

You advised that subnets must be multiples of two. While I understand the reasoning behind that, I question what happens when I assign a subnet that does not conform. (My brain only accepts such 'givens' when I understand the WHY and HOW of the 'given'.)

You stated:

'Having a public IP address assigned to a node behind a router is very insecure, though people do this...'

That is almost what I am looking for, though I'd like to know 'WHY' it is insecure if, say, I'm dealing with different subnets and only a single SWITCH to connect things (no router, no NAT).

Only a DHCP server assigning private IPs and a modem with an allotted PUBLIC IP range connected to the switch.

(I suppose one could assume the DHCP server is behind a router/firewall/modem as well, thus the scenario would fit yours, having a public IP assigned to a node behind the main router, but then the router would be performing 'routing' functions, thus eliminating the inherent security of the differing subnets.)

It appears I could benefit greatly from any reading material you could throw my way. I started on a Cisco book but my other studies have prevented me from further

More specifically, what are the specific risks (examples) of having a physical firewall/router between the internet connection and PCs
vs
the internet connection and PCs all tied into the same switch with differing subnets and NO routing or NAT?

 
Well, in essence, a modem connecting the outside world to your network IS a router---it modulates and demodulates the signals to convert them to IP information as they should, and in doing so, they make the network behind it separate from the outside world (in a NAT situation). If the modem does not NAT, then there would be a public IP address on your end (modem) as a point-to-point connection to the ISP.
This situation used to (and still may) occur in cable internet service. This is insecure by nature and virtue of the fact that NAT hides your private IP address from the outside world---in order to communicate with a node above just data link communications, the logical IP (layer 3) layer of the OSI model has to be established, in order for any layer above it (layer 4, where tcp/udp takes place) to establish communications. In other words, the cable modem in this example does not hide your public IP address, and can easily be reached and hacking can occur. A firewall is usually what protects a dirty dmz.
IP addresses must be in the same subnet as each other in order to communicate with each other if no router is being used. Your pc, for example, can be connected to the internet and have a public IP address if the modem is in bridge mode, or is only capable of bridging the connection (bridge mode means no PPPoE authentication or NAT is taking place on the modem, and therefore PPPoE must take place via software on the pc). When this happens, the other end of the connection (router at the ISP) has an IP address in the same subnet as your pc. The ISP router then usually goes to an authentication (usually RADIUS) server to fulfill the PPPoE authentication credential requirements. The server reports a good set of credentials if authenticated properly to the router, and the router in turn lets your pc be connected. This is usually an "always on" connection. When your pc tries to click on a web address, the ISP router then does a route table look-up (usually BGP as the routing protocol) and properly routes your pc IP address to the destination IP address, much like the PTSN (public telephone system network)---in fact, most internet connections use POTS (plain old telephone system)---the circuit gets switched to the proper switches (routers) until a connection with the destination is achieved.
To understand why a node will not accept input of a subnet mask outside of multiples of POWERS of two (not just multiples of two), you have to understand binary---this is what the entire concept and basis of IP addressing (and computer language in general) is derived from---binary. The octets in an IP address are octets by virtue of them being 8 bits in length (xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx is 32 bits, or 4 octets of 8, or 4 bytes {one byte=8 bits}). The numbering, or conversion into decimal, starts at the right side, and is read from right to left. Take for example the IP address 192.168.1.5 (by the way, subnet masks as well as IP addresses are all in multiples of powers of two)...
The decimal to binary conversion is 11000000.10100000.00000001.00000101---the ones represent that the number of the bit position is present---the bit position correlations are as such, starting from right to left...
bit 1=1, 2=2, 3=4, 4=8, 5=16, 6=32, 7=64, 8=128---the powers of two, or 2^1, 2^2, 2^3, 2^4, 2^5, 2^6, 2^7, and 2^8. This short explanation is a basic answer for your question concerning this statement...

"you advised that subnets must be multiples of two.. while i understand the reasoning behind that, i question what happens when i assign a subnet that does not conform. (my brain only accepts such 'givens' when i understand the WHY and HOW of the 'given')"

Logic at its best!

More material---I recommend CCNA 1-4...

ftp://70.240.7.173/Cisco%20Stuff

Hope this helps.

Burt
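As an added illustration of the mask discussion above (example code written for this edit, not posted by anyone in the thread), the block below checks whether a dotted mask is a contiguous run of ones, computes the network, broadcast and usable-host range for an address/mask pair, and tells whether two hosts share a subnet and so can reach each other through a plain switch. It uses only Python's standard `ipaddress` module and the addresses already quoted in the thread.

```python
import ipaddress

def mask_is_contiguous(mask: str) -> bool:
    """A valid IPv4 subnet mask is a run of 1-bits followed only by 0-bits.
    Inverting a contiguous mask gives 0...01...1, and that value plus one
    is a power of two, which the bit trick below checks."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = (~m) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def describe(ip: str, mask: str) -> dict:
    """Network, broadcast, prefix length and usable host count for ip/mask.
    Raises ValueError for a non-contiguous mask instead of guessing."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"{mask} is not a valid subnet mask")
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable_hosts": usable,
    }

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses fall in the same network under mask, i.e. they
    can talk over a layer 2 switch without a router in between."""
    return describe(ip_a, mask)["network"] == describe(ip_b, mask)["network"]

if __name__ == "__main__":
    # The thread's three masks. 255.135.028.238 is written 255.135.28.238
    # here because Python's ipaddress rejects leading zeros in octets.
    for mask in ("255.255.255.255", "255.255.255.0", "255.135.28.238"):
        print(mask, "valid" if mask_is_contiguous(mask) else "not contiguous")
    print(describe("10.42.219.84", "255.255.255.0"))
    print(describe("64.233.187.97", "255.255.255.252"))
    # The DHCP server and a client share a subnet; the modem's public /30 does not.
    print(same_subnet("10.10.10.5", "10.10.10.1", "255.255.255.0"))
    print(same_subnet("10.10.10.5", "64.233.187.96", "255.255.255.0"))
```

For the /30 quoted in the thread the block reports 64.233.187.96 as the network address and 64.233.187.99 as the broadcast address, leaving .97 and .98 as the two host addresses.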
 
May I recommend Daryl's TCP/IP Primer


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Boy, we're getting super simplistic. I am quite aware of the binary aspect of IP addresses, how modems work, etc. Let's try again. Suppose I have a self-sustaining network of 2 PCs and a server handing out private IP addresses, all connected to a switch. This network has no internet connection. Then we add a T1 with an allotment of 8 public IPs to the switch. The public T1 obviously has its own subnet. What association do the private and public addresses now have?
 
The T1 is connected to a router, thus handling the logical addressing. If a private scheme is implemented, then they must be NATted in order to be routed on the internet. So with the T1, you're talking about it being connected to a layer 3 device---you cannot connect a T1 to a layer 2 device such as a switch.

Burt
 
The public and private IP addresses should be mapped through a hardware firewall as needed. You should never put a server out on the internet without the protection of a firewall.
 
They have no association as delivered. You have two basic choices, either use the 8 T1 addresses for your network or have a gateway perform NAT. NAT is more secure.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Thanks LawnBoy! I simply needed to know if a security risk existed with that setup.

Let's take it to another level:

Say I assign one PC 2 IPs, one private, one public, so that I can access both the entire internal network and the public internet from that ONE PC.

Below is the setup I have found to work very effectively, but I am unaware of any security risks:

IP:10.10.10.5 / 255.255.255.0
IP:64.233.187.97 / 255.255.255.252
gateway:10.10.10.1 metric 10
gateway:64.233.187.96 metric 5

DNS servers: 2 private, 2 public
WINS servers: 2 private
(The metric on the public gateway is smaller to prioritize this gateway for all requests.) I then create persistent static routes to route all private IP address requests to the internal 'default gateway' of 10.10.10.1 as follows.

route add 10.0.0.0 mask 255.0.0.0 10.10.10.1 /p
route add 172.16.0.0 mask 255.240.0.0 10.10.10.1 /p
route add 192.168.0.0 mask 255.255.0.0 10.10.10.1 /p

The end result of the above is that all private IP requests are forwarded to the internal default gateway, and all public internet requests are forwarded to the internet.

Is this the most effective way to accomplish this?

What are the inherent security risks? Please give specific examples. (Assume Windows Firewall is enabled, on both public and private IPs, on the PC in question.)

Will an intruder from the public internet be able to connect to the private network? Via the PC in question or other PCs?

Thanks again for all the suggestions so far, and the reading material!
Hopefully I am now being more specific!
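To make the dual-homed configuration above concrete (added example for this edit, not code from the thread), the block below models the PC's routing table as the poster describes it and resolves a few destinations the way a host's IP stack does: longest prefix first, lowest metric among the two default routes. It also lists which of the PC's own addresses are globally routable, which is the part of the setup that sits on the internet with nothing in front of it. The metrics on the two directly connected subnets are an assumption of this model.

```python
import ipaddress

# Constructed from the posted configuration: two addresses, two default
# gateways with different metrics, and three persistent static routes for
# the RFC1918 ranges. Connected-subnet metrics are assumed here; Windows
# would take them from the interface metric.
PC_ADDRESSES = ["10.10.10.5", "64.233.187.97"]
ROUTES = [
    # (destination, next hop, metric, source address the PC sends from)
    ("10.10.10.0/24",    "on-link",       10, "10.10.10.5"),
    ("64.233.187.96/30", "on-link",        5, "64.233.187.97"),
    ("10.0.0.0/8",       "10.10.10.1",    10, "10.10.10.5"),
    ("172.16.0.0/12",    "10.10.10.1",    10, "10.10.10.5"),
    ("192.168.0.0/16",   "10.10.10.1",    10, "10.10.10.5"),
    ("0.0.0.0/0",        "10.10.10.1",    10, "10.10.10.5"),
    ("0.0.0.0/0",        "64.233.187.96",  5, "64.233.187.97"),
]

def lookup(destination: str) -> tuple:
    """Pick the route for a destination: the longest matching prefix wins,
    and among equal prefixes (the two default routes) the lower metric wins.
    Returns (next hop, source address)."""
    dst = ipaddress.IPv4Address(destination)
    best_key, best_route = None, None
    for dest_net, next_hop, metric, src in ROUTES:
        net = ipaddress.IPv4Network(dest_net)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_route = key, (next_hop, src)
    return best_route

def exposed_addresses() -> list:
    """Addresses of the PC that are globally routable: with no NAT or
    firewall device in front of them, they are reachable from the internet."""
    return [a for a in PC_ADDRESSES if ipaddress.IPv4Address(a).is_global]

if __name__ == "__main__":
    for d in ("10.10.10.20", "10.20.30.40", "172.31.0.1", "172.32.0.1", "8.8.8.8"):
        print(d, "->", lookup(d))
    print("directly reachable from the internet:", exposed_addresses())
```

Destinations outside the three RFC1918 blocks, such as 172.32.0.1, go to the modem's gateway even though they look like "internal" traffic at a glance; only the blocks with explicit static routes are sent to 10.10.10.1.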

 
Can you expand on that? Perhaps provide a few specific examples?
 
You would essentially be creating a bridge from the public to the private network, thus defeating the purpose of even having a private network. Any server or workstation is designed for functionality and not security. Thus you always use a firewall between the internet and workstations or servers. You merely configure the services you need through the firewall and NAT them to public IP addresses.
 
Whoever gave me stars, I definitely appreciate it, but please do not leave brian out---I think he deserves it.

Burt
 
My slant on the security risk:
Let's face it, you're running Windows, the most notoriously insecure operating system known to man. If you use a public IP on a Windows machine it is directly accessible from the internet and hackers are free to scan that machine looking for vulnerabilities that they will eventually find.

If instead you use a router to perform NAT, the only IP address visible to the internet is that of the router itself. Routers are hardened appliances with simple operating systems that are designed to withstand attacks.



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Not only that, but a hacker really does not need to know your IP address---they scan, and they can hijack a tcp session---sequence numbers are easily guessed, without a firewall in place. The attacker could hijack (take over) the data session and send whatever information they want into your network (like for example an information gathering trojan, to get your bank login, email login, etc). An attacker could spoof an IP address and launch a DDoS (distributed denial of service) attack from several different machines using several different IP addresses. Once the server is overwhelmed by trying to answer 17 million half-open tcp connections, it is brought to its knees, and it would be as if the server was not even there.
If you have a web server, especially with a dirty IP (public), and NO hardware firewall, you may as well put all your bank account, email and pictures on a public FTP server with an anonymous login.

Burt
 