[BillingsLUG] WAN to WAN help question
Larry Dillon
dillon.larry at gmail.com
Mon Jul 19 14:15:04 MDT 2010
> Does setting the number of IP addresses to just the number of devices help secure a network?
I take it you mean "assigned via DHCP on a wired LAN"? Not in any
meaningful way. A knowledgeable adversary could just statically
assign an address.
This is a form of Security Through Obscurity.
As a category, all of these types of security "enhancements" assume
you know more about networks than the would-be attacker. It may keep
out curious kids, but won't do a thing against a real bad guy. Better
to rely on industry-standard security techniques.
On Mon, Jul 19, 2010 at 1:21 PM, Mike Berry <madeinmontana at bresnan.net> wrote:
> Dan, thanks again. A couple more questions: does setting the number of IP
> addresses to just the number of devices help secure a network by not
> allowing an outside unauthorized device the ability to get in? (Inconvenient
> in large networks, I know.) This has been a practice of mine to enhance a
> network's security.
>
> And, do you have a suggestion for a router of the ones you listed? I don't
> have much experience with any of them, and only a few Cisco, Netgear, and
> D-Link.
>
> ________________________________
>
> From: billingslug-bounces at billingslug.org
> [mailto:billingslug-bounces at billingslug.org] On Behalf Of dan
> Sent: Friday, July 16, 2010 23:27
> To: Mailing list for the Billings Linux User Group
> Subject: Re: [BillingsLUG] WAN to WAN help question
>
> in-line
>
> On Fri, Jul 16, 2010 at 11:13 PM, Mike Berry <madeinmontana at bresnan.net>
> wrote:
>
> Dan, thank you!! That really helps, getting it spelled out (I've never seen
> it written so well). I hope all that rattled off your head fast, so you
> didn't have to take a lot of time writing it.
>
> I have had to solve this problem myself :) I'm also a giant nerd :)
>
> One last question: jumping to the last line, "recommended option", will
> that still work if I want to use static IPs and limit the networks to the
> limited number of IPs needed for workstations, printers, and necessary
> devices?
>
> Sure, I have personally moved away from statically assigning anything so I
> always recommend DHCP. I do put 'sticky' IP addresses on printers and other
> utility devices. I drop in an entry in DHCP for that MAC address so that it
> still gets an IP via DHCP but gets the same one each time (and no other
> device gets that IP either). This is trivial in a Cisco, pfSense, Linux, or
> Windows DHCP server and helps manage devices easily.
>
> Again, thank you very much!
>
> mb
>
> ________________________________
>
> From: billingslug-bounces at billingslug.org
> [mailto:billingslug-bounces at billingslug.org] On Behalf Of dan
> Sent: Friday, July 16, 2010 12:32
>
> To: Mailing list for the Billings Linux User Group
> Subject: Re: [BillingsLUG] WAN to WAN help question
>
> comments in-line
>
> On Fri, Jul 16, 2010 at 11:17 AM, Mike Berry <madeinmontana at bresnan.net>
> wrote:
>
> Hello all, thank you very much for the quick replies.
>
> The answers to Larry's questions are: no, they don't share a broadcast domain,
> and the WAN is a VPN.
>
> I can set up WINS on the server. But
>
> are you saying DON'T use VPN with those Cisco models
>
> I'm saying that the Cisco (aka Linksys) models lack the ability to NAT NetBIOS.
> Search for 'CBOS NetBIOS'. If you move to a Cisco 8xx or 1xxx+ router you
> get IOS, which CAN NAT NetBIOS.
>
> pfSense, Vyatta, Untangle, Linux with iptables, FreeBSD with pf, and MikroTik
> can all route NetBIOS.
>
> , instead use the pfSense or Vyatta with IPsec?
>
> It's not the VPN type that is getting you, it's the OS of the router. Just
> get a better router.
>
> And, to clarify the "LMHOSTS file on each machine with every other machine"
> (add every other machine to each machine's hosts file)?
>
> lmhosts file:
>
> c:\windows\system32\drivers\etc\lmhosts.sam
>
> fill it just like a hosts file:
>
> 127.0.0.1 localhost
> 192.168.1.1 server1
> 192.168.0.5 fileserver2
>
> You would need to put this on each machine that needed to access another
> machine via the network neighborhood. You need an entry for every machine.
> This is essentially spoofing LAN Manager lookups through NetBIOS, working
> around the issue of NetBIOS being poorly routable. A WINS server is
> essentially a DNS server for LM data.
>
> NetBIOS = API to facilitate data exchange on a network, uses UDP and/or TCP
> (sometimes IPX) and broadcasts to local broadcast address.
>
> WINS = DNS for LANMANAGER Networks
>
> LMHOST = hosts file to override entries in WINS server (or replace WINS if
> you REALLY like manual host mappings.)
>
> NetBIOS clients (aka Windows machines) have some capabilities that behave
> kind of like Avahi or Bonjour, where they can exchange data on the local
> subnet by broadcasting. This is why you can use Network Neighborhood on
> local LANs: your computer broadcasts via NetBIOS and the other machines
> respond to the broadcast. Because NetBIOS operates by broadcasting on the
> local subnet, it won't typically see or be seen by computers on another
> subnet. If you have an appropriate router, you can NAT the broadcast
> between two subnets and the remote machines will respond to the broadcast to
> their router and in turn their response will be NAT'd back. Your client
> will register in WINS *if* it is assigned a WINS server via DHCP or
> manually. Have no delusions, this is a HACK.
>
> By using WINS, you can add a DNS type lookup where the client (Network
> Neighborhood) asks the WINS server over TCP for all other WINS clients,
> skipping the need to broadcast. You can still have an issue here with NAT
> because even though your client knows where the WINS server is, if it is on
> another subnet your router will need to know how to NAT netbios so that you
> can communicate with the WINS server in the first place.
>
> Your best option in my opinion is to replace the routers with something that
> can NAT NetBIOS. Install WINS on the server and set up DHCP to hand out the
> WINS server.
>
> Thanks again, it already makes better sense, but also confirms my thoughts
> on some hardware.
>
> mb
>
> ________________________________
>
> From: billingslug-bounces at billingslug.org
> [mailto:billingslug-bounces at billingslug.org] On Behalf Of dan
> Sent: Wednesday, July 14, 2010 19:51
> To: Mailing list for the Billings Linux User Group
> Subject: Re: [BillingsLUG] WAN to WAN help question
>
> I'm guessing you are using the RVS4000 as a VPN bridge also. I would bet
> that device runs CBOS, which is a cut-down alternative to IOS and is unable
> to NAT NetBIOS. NetBIOS is not happy with routing, which means that it won't
> work well if the two sites are on different subnets.
>
> Your options:
>
> 1) Replace the routers with something running a more advanced routing
> platform like a Cisco with IOS (Cisco 8xx, 18xx, 28xx), or pfSense or Vyatta
> with IPsec tunnels.
>
> 2) Set up the W2003 server as a WINS server and push the WINS server with DHCP.
>
> 3) LMHOSTS file on each machine with every other machine. This is
> essentially the hosts file for NetBIOS. You would need to statically assign
> IP addresses to each machine or at least use a sticky DHCP.
>
> On Wed, Jul 14, 2010 at 2:50 PM, Larry Dillon <dillon.larry at gmail.com>
> wrote:
>
> Usually, if you're having Windows network browsing problems, the
> solution is to set up a WINS server (and configure all of the clients
> to know about it, usually through DHCP), but I'm not sure about how
> the WAN environment might complicate this.
>
> It would help to know more details about how the two LANs are
> configured. Do they share a broadcast domain?
>
> Is the WAN a dedicated circuit or a VPN tunnel?
>
> On Wed, Jul 14, 2010 at 10:20 AM, Mike Berry <madeinmontana at bresnan.net>
> wrote:
>> Hoping this gets to everyone that can help?
>> It's been a long time since I have asked the Blgs LUG for any ideas, most
>> won't know me or remember, but:
>>
>> I recently inherited a VERY bad WAN to WAN network, Blgs to Bzmn.
>> XP, Vista, and Win7, most home versions, some Pro, with a dedicated
>> 2003 Standard server (located in Bzmn).
>> Linksys RVS 4000 VPN routers at each end.
>>
>> It is possible to connect to the server, install printers from each end,
>> upload/download files, and run QuickBooks from Blgs.
>>
>> Problem is, the owner wants to SEE the workstations from both ends of the
>> NETWORK in NETWORK "hood" view,
>> and be able to print a topology map of the two networks, speed up the
>> network access time, and, especially, QuickBooks.
>>
>> I don't think the Linksys is the best answer after reading some of the
>> reviews and problems.
>>
>> Does anyone have any suggestions? If so, please call me, as I will not be
>> near email today:
>>
>> Mike Berry
>> 855.0584
>>
>> or email if that's all you can do, I will get it later.
>>
>> Much thanks to all!
>> mb
>>
>>
>> _______________________________________________
>> BillingsLUG mailing list
>> BillingsLUG at billingslug.org
>> http://lists.billingslug.org/mailman/listinfo/billingslug
>> http://www.billingslug.org group information
>>
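Larry's point above is that a DHCP pool sized to the device count is not a barrier, because a host can simply set its own address. A defender's counterpart is to reconcile the DHCP lease table with what the router actually sees on the segment. The script below is an added example, not code from anyone in this thread; it works over constructed dnsmasq-style lease lines and a constructed `ip neigh` dump (all IPs, MACs and hostnames are made up).

```python
# Reconcile a dnsmasq-style lease table with an `ip neigh` dump: a host that
# sets its own static address never appears in the lease table, so the gap
# between "leased" and "seen on the wire" is what to alert on. Both inputs
# are constructed sample data, not captured output.

# Constructed dnsmasq.leases lines: <expiry> <mac> <ip> <hostname> <client-id>
LEASES = """\
1279570000 00:11:22:33:44:01 192.168.1.10 ws-front *
1279570000 00:11:22:33:44:02 192.168.1.11 ws-back *
1279570000 00:11:22:33:44:03 192.168.1.20 printer1 *
"""

# Constructed `ip neigh show` lines: <ip> dev <if> lladdr <mac> <state>
NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.200 dev eth0 lladdr 00:de:ad:be:ef:00 REACHABLE
192.168.1.1 dev eth0  FAILED
"""

def parse_leases(text):
    """Map leased IP -> MAC (lower-cased) from dnsmasq lease lines."""
    leases = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3:
            leases[parts[2]] = parts[1].lower()
    return leases

def parse_neigh(text):
    """Map observed IP -> MAC; entries with no lladdr (e.g. FAILED) are skipped."""
    seen = {}
    for parts in (line.split() for line in text.splitlines()):
        if "lladdr" in parts:
            seen[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return seen

def audit(lease_text, neigh_text):
    """Return (ip, mac, reason) for hosts on the wire with no lease, and for
    leased addresses answered by a different MAC than the lease holder."""
    leases = parse_leases(lease_text)
    findings = []
    for ip, mac in sorted(parse_neigh(neigh_text).items()):
        if ip not in leases:
            findings.append((ip, mac, "no DHCP lease: static assignment?"))
        elif leases[ip] != mac:
            findings.append((ip, mac, f"lease held by {leases[ip]}"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(LEASES, NEIGH):
        print(f"{ip:<16} {mac}  {reason}")
```

Run on a schedule against the real lease file and neighbor table, the first reason flags a device that bypassed DHCP and the second flags an address in use by something other than its lease holder.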