Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

LAN vulnerable from WAN via BT Business Hub 3?

iainH
Member

‎20-07-2012 06:04 PM - edited ‎20-07-2012 06:07 PM

I am a little concerned that the network I find here could be vulnerable and wonder what solutions you favour? 

 

This must be a pretty common scenario:

We have two servers, each with a public-facing static IP address, behind the BT Business Hub 3 (BTBH3) firewall; each server has ports opened appropropriate to the services it offers publicly.

Currently, local computers' IP addresses are served by BTBH3's DHCP server. The servers use one of these as a backup device.

Access to the servers is only explicitly with SSH keys but WAN clients have access to their services too.

So my concern is about the vulnerability of locally-attached computers being accessed from the public-facing servers via the BTBH3.

So I am considering making one of the servers a gateway to the local network, its firewall isolating this LAN from the WAN and strictly controlling the servers' access to the local backup machine.

 

Whilst we will lose the wireless access to the the LAN via the BTBH3, the NAS is also a Wireless Access Point giving LAN interconnectivity. Also server backups to the NAS can be faster as the wired LAN will be connected by a Gigabit switch (whereas, with the current setup, only one machine can make a Gigabit connection into the BTBH3).

OS X Lion Server; Ubuntu 12.04 Server; MacBook;
0 Kudos
2 REPLIES 2

nimbystripes
Member

on ‎23-07-2012 02:46 AM

I am also running two servers with static IPs. Just wondering if this is possible. I am on OS X Lion server and Windows 2008.

0 Kudos

iainH
Member
In response to nimbystripes

‎23-07-2012 06:34 AM - edited ‎23-07-2012 06:42 AM

The network I describe works very well on BTs Business Hub 3. Both WAN-facing servers (with static IPs supplied by BT) are plugged directly onto the BTBH3 as are these LAN-facing devices: a Vodafone Sure Signal (it's a femtocell giving us 3G site coverage) and the LaCie Wireless Space (it's a NAS + wireless access point sitting in another building). Local computers connect wirelessly either to the BTBH3 or to the LaCie depending upon which building they're in. I'm very impressed with the functionality and performance of the BTBH3. I just worry about the servers having access to machines on the LAN and, thus indirectly, malicious WAN clients having access to machines on the LAN. We're very cautious with configuring the servers and which ports we open to the WAN but obviously you can't be 100% sure you've anticipated all vulnerabilities; rather you can be sure that there are some vulnerable combinations you haven't thought of in all the millions of lines of code in the software your servers run. This episode of paranoia arose because we wanted to eke out max performance by plugging a Gigabit Ethernet switch into the the Gigabit port of the BTBH3 and then re-plugging everything into the switch rather than having all traffic broadcast on the BTBH3's 100Mbps Ethernet ports. The static IP routing tables in the BTBH3 protect the LAN from the WAN but our servers do have addressability to IP addresses on the LAN so we wondered: would using the switch alter the potential vulnerability of the LAN? We couldn't agree on whether using the switch would make matters any difference as routing decisions will have been made in BTBH3 and the servers and blindly executed in the switch. Thus an appeal to others here with greater experience. Right now all our computers attached to the LAN (can) run their own firewalls but we don't want to expose any visitors' laptops to vulnerabilities.
OS X Lion Server; Ubuntu 12.04 Server; MacBook;
0 Kudos