Security using two internet ports

Status
Not open for further replies.

tedsmith

Programmer
Nov 23, 2000
1,762
AU
I was hoping to use 2 network ports, one to one local network and another to the internet cable modem.
The only internet access was an automatic update of data once a day (port 80) with no human intervention.

The hope was to increase security to prevent people on the internet hacking into computers on the local network, but security-wise it appears this would be no better than having them all on one port. Perhaps?

The reason I asked this was -
Some computers on the local network have to be run without firewalls and passwords because they are on a dedicated 24 hour unattended information system (no keyboards) and have to restart and reconnect without human intervention if power fails. Both file and TCP access is needed.
This didn't matter when there was no outside access but now the system would be exposed.
I have even changed the security level of the root directory to Everyone because all the files and the .exe (not in Program Files) are there so they can be updated by remote control, some workstations being inaccessible on top of poles.

Another reason for this is to make it easy if a computer has to be changed in the field, otherwise too many things have to be set up beforehand. All the tech has to do is to change one number in a file and all the addresses and settings change accordingly.

Any brilliant ideas other than fire-walling except for one port and making my own one port "TCP windows explorer"?

The sort of thing I need is to be able to firewall and set sharing on one internet port but not the other.
 
>without firewalls and passwords because they are on a dedicated 24 hour unattended information

Seems the lazy option. It is perfectly feasible to configure a Windows platform with both firewall rules and passwords to run in unattended mode, including allowing restarting and reconnecting.

>I have even changed the security level of the root directory to Everyone

I am speechless ...

>The sort of thing I need is to be able to firewall and set sharing on one internet port but not the other.

Right, you have a setup where you have one internal network facing port, and one web-facing port (whether implemented as two IP addresses on one NIC, or two NICs each with their own IP address), yes? (remembering that here I am referencing network ports rather than TCP or UDP ports)

And each IP address is on a different subnet, yes?

In which case you can set up Windows Firewall rules to achieve your goals, by restricting anything apart from TCP Port 80 traffic on the web-facing subnet. And allowing whatever are the approved TCP and/or UDP ports on the internal subnet. And making sure that bridging is disabled.
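The per-subnet rule set described in the reply above, as an added example that is not part of the original thread. It uses `netsh advfirewall`, which exists on Windows Vista/7 and later but not on XP or Server 2003. Every address, the subnet, the application port and the assumption that the port 80 update is an outbound fetch from a static web-facing address are constructed placeholders.

```batch
@echo off
rem Added example: run from an elevated command prompt on Windows 7 or later.
rem All values below are constructed placeholders, not taken from the thread.
set LAN_IP=192.168.10.5
set LAN_NET=192.168.10.0/24
set WAN_IP=192.0.2.10
set APP_PORT=5000

rem One firewall for the whole machine: enable it on every profile and
rem default-deny in both directions, so only the rules below open anything.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem The predefined sharing rules are not bound to one address. Disable the
rem group so file sharing is opened only by the scoped rule further down.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

rem Internal subnet: SMB file access and the application's TCP listener,
rem accepted only on the internal address and only from internal clients.
netsh advfirewall firewall add rule name="LAN in SMB" dir=in action=allow protocol=TCP localport=445 localip=%LAN_IP% remoteip=%LAN_NET% profile=any
netsh advfirewall firewall add rule name="LAN in app" dir=in action=allow protocol=TCP localport=%APP_PORT% localip=%LAN_IP% remoteip=%LAN_NET% profile=any

rem Internal subnet: let this machine reach its clients and sub-servers.
netsh advfirewall firewall add rule name="LAN out any" dir=out action=allow localip=%LAN_IP% remoteip=%LAN_NET% profile=any

rem Web-facing subnet: outbound TCP 80 only. There is deliberately no inbound
rem allow rule for %WAN_IP%, so nothing listening on the box is reachable
rem from the cable modem side. If the update host is looked up by name and
rem DNS is not served internally, a UDP 53 outbound rule is also needed.
netsh advfirewall firewall add rule name="WAN out HTTP" dir=out action=allow protocol=TCP remoteport=80 localip=%WAN_IP% profile=any

rem Review the result. Any other enabled inbound allow rule whose local
rem address is "Any" still applies to the web-facing address as well.
netsh advfirewall firewall show rule name=all
```

Block rules take precedence over allow rules in Windows Firewall, which is why the sketch uses a default-deny policy plus scoped allow rules rather than a "block everything on the web-facing address" rule alongside the port 80 allowance.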
 
Thanks for your quick reply.
I first developed this system on machines with Windows 98 and only got rid of the last 98 machine a few months ago.
It has grown a bit like Topsy. Now there are 72 clients and 3 sub servers on the network and it is still growing.
Nothing would make me happier than to go back to "normal" so I can leave it to someone else to look after when I go to the big ROM in the sky or RAM as some religions would have you.

>configure a Windows platform with both firewall rules and passwords to run in unattended mode,
How would I do that? How can I make my server and clients not need a sharing password for file access and possible hackers need one?
Just "remembering" the password doesn't work forever, I have found. I got sick of climbing up ladders and re-entering lost passwords on a portable keyboard so I removed them.
If I could have separate net firewalls then I don't think this would be so much of an issue.

Yes, they have different IPs, subnets and gateways. All computer IPs and listening ports are fixed except for the internet router in case it has to be changed.

I haven't a computer with 2 ports at hand to experiment with, so how do I configure different firewalls for the different ports? Do two firewalls appear when you install an extra net port?

The server currently has Server 2003 but will be updated probably in the next year, but will probably use normal Windows 7 rather than a newer server OS version that I am unsure will run my master VB6 app. -perhaps-



 
>not need a sharing password for file access

I didn't say that ... I thought your challenge was concerned with restarts/reboots. To deal with this you don't use 'remember', you use Windows' autologon capability. I'll let you google that for a comprehensive description and how-to.

>Do two firewalls appear when you install an extra net port?

No. One firewall - but you can set up inclusion and exclusion rules for different subnets, ports, and applications. To be honest, it's slightly tricky to do so on XP (as the firewall GUI is somewhat limited, plus on XP the firewall only controls inbound traffic, not outbound, although given your description this should not be an issue). Again this can be a complex area, so it might be best for you to read up on the Windows firewall elsewhere. For example, this gives a pretty reasonable overview of the various settings available to you for the Windows 7 firewall:
 
Thanks, you have been very helpful (as usual).
 