Building an Intranet

on 03.01.2006 17:29:49 by GLSmyth

I am going to put together an Intranet for our company and would like
some feedback on my plans. Since I do not have as good a grasp on
security issues as people here I expect to hear some problems with my
idea, and hope to hear best practices solutions.

Our company has three offices, one in Maryland, one in Alabama, and one
in Kentucky. I am thinking to get a domain, secure it, and allow
access to the website only from the three IP Addresses.

Would this work as far as placing sensitive company information that
would be shared only within the organization? If there is a problem
with doing things this way I would greatly appreciate knowing where the
problems lie and how this could better be done.

Cheers -

george

Re: Building an Intranet

on 03.01.2006 18:21:41 by unruh

"GLSmyth" writes:

>I am going to put together an Intranet for our company and would like
>some feedback on my plans. Since I do not have as good a grasp on
>security issues as people here I expect to hear some problems with my
>idea, and hope to hear best practices solutions.

>Our company has three offices, one in Maryland, one in Alabama, and one
>in Kentucky. I am thinking to get a domain, secure it, and allow
>access to the website only from the three IP Addresses.

That is no longer an intranet, since you will probably be connecting the
three via the internet, unless you plan on leasing a dedicated line between
them.
As soon as you are on the internet, the danger increases by a very, very
large factor.

a) Put each site behind a firewall. Note I assume that the three sites each
have more than one computer. Since those computers probably now already go
onto the internet, they should already be behind a firewall.
b) "a" domain? You have three wildly different sites, going through
different service providers.
c) You are not very clear as to what it is that you are trying to
accomplish. That has to be clear first.


>Would this work as far as placing sensitive company information that
>would be shared only within the organization? If there is a problem
>with doing things this way I would greatly appreciate knowing where the
>problems lie and how this could better be done.

>Cheers -

>george

Re: Building an Intranet

on 03.01.2006 18:25:05 by dave

GLSmyth wrote:
> I am going to put together an Intranet for our company and would like
> some feedback on my plans. Since I do not have as good a grasp on
> security issues as people here I expect to hear some problems with my
> idea, and hope to hear best practices solutions.

The blunt answer is if you do not know enough, then you should not
be doing it. It will most likely be your job on the line if all the
company's secrets get passed around the Internet.

> Our company has three offices, one in Maryland, one in Alabama, and one
> in Kentucky. I am thinking to get a domain, secure it, and allow
> access to the website only from the three IP Addresses.

What is going to restrict the IP range? A software firewall? A hardware
firewall?

Assuming you sort out a decent method of firewalling, then you are
still going to have to contend with people inside the company getting
information that they should not.

It is not something to take lightly.


--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

Re: Building an Intranet

on 03.01.2006 19:02:27 by Volker Birk

GLSmyth wrote:
> Our company has three offices, one in Maryland, one in Alabama, and one
> in Kentucky. I am thinking to get a domain, secure it, and allow
> access to the website only from the three IP Addresses.

Please consider to use an encrypted VPN.

Yours,
VB.
--
A vision statement is, as a rule, the planless babble of a horde of
cranks out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: Building an Intranet

on 03.01.2006 20:01:17 by GLSmyth

Okay, perhaps I was not as clear as I could have been. I know that
using the Internet for an Intranet is a contradiction in terms, but the
idea is to have a single website where all three facilities can go to
get company email addresses, telephone extensions, etc.

To do it I would buy MyCompanySite.com (or whatever) and use it. I
would restrict access to it via ASP, which would look at each request
coming in, and if it was not the IP Address of one of the three
facilities then they would not receive permission to see the page. All
employees at the facilities would be able to get to the site, and any
restricted pages would be password protected. All pages would be using
https so passing the information from one point to another should not
be a problem.

Thank you for the responses so far, and please let me know if I need to
be more clear.

Cheers -

george

Re: Building an Intranet

on 04.01.2006 03:18:01 by Barry Margolin

In article <1136312696.429941.282870@g43g2000cwa.googlegroups.com>,
"GLSmyth" wrote:

> Okay, perhaps I was not as clear as I could have been. I know that
> using the Internet for an Intranet is a contradiction in terms, but the
> idea is to have a single website where all three facilities can go to
> get company email addresses, telephone extensions, etc.
>
> To do it I would buy MyCompanySite.com (or whatever) and use it. I
> would restrict access to it via ASP, which would look at each request
> coming in, and if it was not the IP Address of one of the three
> facilities then they would not receive permission to see the page. All
> employees at the facilities would be able to get to the site, and any
> restricted pages would be password protected. All pages would be using
> https so passing the information from one point to another should not
> be a problem.

Rather than checking the IP address on the server, it would probably be
better to put the web site behind a firewall that supports VPNs, and
then set up site-to-site VPNs between the firewall and the offices.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: Building an Intranet

on 04.01.2006 11:02:00 by Ludovic Joly

The danger with what you want to do is that the machine with the
secrets will be on the Internet. Very bad idea, nightmare. Imagine a
new vulnerability appears and affects your machine: successful
exploitation will give access to everything.

Another danger is TCP spoofing.

The right choice here is probably to set up a VPN.

Re: Building an Intranet

on 04.01.2006 11:41:42 by bellyup

Ludovic Joly wrote:

> The danger with what you want to do is that the machine with the
> secrets will be on the Internet. Very bad idea, nightmare. Imagine a
> new vulnerability appears and affects your machine: successful
> exploitation will give access to everything.
>
> Another danger is TCP spoofing.
>
> The right choice here is probably to set up a VPN.
>
yup. I 3rd the motion.
E.

Re: Building an Intranet

on 04.01.2006 12:32:56 by dave

Ludovic Joly wrote:
> The danger with what you want to do is that the machine with the
> secrets will be on the Internet.

Is that true if the firewall is a hardware one? I know any system can be
hacked, but I'm not aware of how VPNs totally

> Very bad idea, nightmare. Imagine a
> new vulnerability appears and affects your machine: successful
> exploitation will give access to everything.
>
> Another danger is TCP spoofing.

Whilst I know it's possible to spoof the sender IP address, how can you
actually do it *usefully*?

If you manage to trick a web server into thinking you are at 1.2.3.4 and
really you are at 5.6.7.8, will it be possible to get any of the data
from the server at 5.6.7.8, or will it be sent harmlessly to 1.2.3.4,
where the web server thinks you are at??

> The right choice here is probably to set up a VPN.


--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

Re: Building an Intranet

on 04.01.2006 12:37:16 by dave

Dave wrote:

> If you manage to trick a web server into thinking you are at 1.2.3.4 and
> really you are at 5.6.7.8, will it be possible to get any of the data
> from the server at 5.6.7.8, or will it be sent harmlessly to 1.2.3.4,
> where the web server thinks you are at??
>
>> The right choice here is probably to set up a VPN.
>
>
>

I mean that the other way around!!!

IF the server will accept data from X, but not Y, can you manage to
spoof the IPs to appear to come from X, when in fact they come from Y,
can you get any data back to Y, or will they go to X where the server
thinks you are?

I guess at an intermediate point (an ISP) that is easy to do.

--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

Re: Building an Intranet

on 04.01.2006 14:40:08 by Ludovic Joly

Concerning TCP spoofing, I think the attack (without any advantage)
involves:
1. source routing (using this IP option as defined in RFC 791), at
first to be able to guess the sequence number of TCP, then to listen to
the answers,
2. blocking the spoofed host.

An attacker with the very big advantage of being on the way (like an
ISP) can do better than this. In securing a communication, it is
interesting to consider your ISP as an enemy - and evaluate what he can
do.

Back to the original post: at least include an encryption layer in your
proposal.

Re: Building an Intranet

on 04.01.2006 14:49:57 by Barry Margolin

In article <1136382008.653431.246770@g43g2000cwa.googlegroups.com>,
"Ludovic Joly" wrote:

> Concerning TCP spoofing, I think the attack (without any advantage)
> involves:
> 1. source routing (using this IP option as defined in RFC 791), at
> first to be able to guess the sequence number of tcp, then to listen to
> the answers,

Source routing only affects the attacker's packets, not the replies from
the machine he's attacking. He can't make the victim machine
source-route the packets back to him (unless he's already broken into
the machine, in which case it's moot).

Also, it's very common to block source-routed packets at organization
boundaries, precisely to protect against stuff like this.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: Building an Intranet

on 04.01.2006 15:09:12 by Ludovic Joly

>Source routing only affects the attacker's packets

You're right, I made a mistake. The idea was crazy.

Re: Building an Intranet

on 04.01.2006 15:36:45 by Ludovic Joly

I have to verify this.

Re: Building an Intranet

on 04.01.2006 15:53:16 by GLSmyth

Thank you for the comments, they are appreciated.

To sum things up (please correct me if I am wrong), it appears that
checking the IP Address and using https should work fine, but the
primary problem is that if the box was exploited then that would
compromise everything. For that reason setting up a Virtual Private
Network would resolve that threat.

We do have a network person on board here, so I will check with him on
the feasibility of setting this up.

Cheers -

george

Re: Building an Intranet

on 04.01.2006 19:37:41 by lassi.hippelainen

GLSmyth wrote:
> Thank you for the comments, they are appreciated.
>
> To sum things up (please correct me if I am wrong), it appears that
> checking the IP Address and using https should work fine, but the
> primary problem is that if the box was exploited then that would
> compromise everything. For that reason setting up a Virtual Private
> Network would resolve that threat.

You have three permanent offices. I would use permanent IPSec tunnels
between their edge routers. Fully transparent to the end users.

> We do have a network person on board here, so I will check with him on
> the feasibility of setting this up.

Any decent edge router supports IPSec.

-- Lassi

Re: Building an Intranet

on 04.01.2006 23:19:37 by unruh

Dave writes:

>Ludovic Joly wrote:
>> The danger with what you want to do is that the machine with the
>> secrets will be on the Internet.

>Is that true if the firewall is a hardware one? I know any system can be
>hacked, but I'm not aware of how VPNs totally

>> Very bad idea, nightmare. Imagine a
>> new vulnerability appears and affects your machine: successful
>> exploitation will give access to everything.
>>
>> Another danger is TCP spoofing.

>Whilst I know it's possible to spoof the sender IP address, how can you
>actually do it *usefully*?

>If you manage to trick a web server into thinking you are at 1.2.3.4 and
>really you are at 5.6.7.8, will it be possible to get any of the data
>from the server at 5.6.7.8, or will it be sent harmlessly to 1.2.3.4,
>where the web server thinks you are at??

It will be sent to 1.2.3.4 but you can then blindly hack in, since the
server thinks you are trusted. I.e., there are loads of ways of using the
spoof.
You do not necessarily ever need to see the response.


>> The right choice here is probably to set up a VPN.


>--
>Dave K

>http://www.southminster-branch-line.org.uk/

>Please note my email address changes periodically to avoid spam.
>It is always of the form: month-year@domain. Hitting reply will work
>for a couple of months only. Later set it manually. The month is
>always written in 3 letters (e.g. Jan, not January etc)

Re: Building an Intranet

on 05.01.2006 13:49:38 by Kookwekker

Using IP numbers to authenticate a client is not a good idea even if
you use SSL. I also think VPN is your best option.
SSL runs on layers beneath application protocols such as HTTP, SMTP and
NNTP and above the TCP transport protocol; it doesn't protect the IP.
Thus you can't authenticate a client by IP even if you use SSL.
Although using both server and client certificates does provide some
authentication (in combination with a public CA).
If you really fancy IP numbers you had better use IPsec. In IPsec, AH
(provides authentication and message integrity) or ESP (provides
confidentiality) or both together.
VPN makes use of IPsec.

TCP hijacking works basically as Ludovic Joly described.
The easiest way of IP spoofing is by spoofing the router, telling it
to send packets for IP (A) not to MAC address [a] but to
MAC address [b]. There is also the issue that if there is a proxy between
the client and the server then you will see the IP of the proxy!
(although you could refer to the Via header).
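
The check George describes (his ASP looking at the request's source address) and the proxy problem Kookwekker raises above, written out as an added example. This is not George's ASP code or anything posted in the thread; the office addresses, the reverse proxy and the requests are constructed for the example (RFC 5737 documentation ranges), so the point is visible without any real network.

```python
"""Added example, not the ASP code George describes: the IP allow-list check
from his plan, written so the two weaknesses raised in the thread show up.
The office egress addresses, the reverse proxy and the requests below are
assumptions constructed for this example (RFC 5737 documentation ranges)."""
import ipaddress
from typing import Iterable, Mapping, Set

# Assumed public (NAT egress) address of each of the three offices.
OFFICE_ADDRS: Set[str] = {"203.0.113.10", "198.51.100.20", "192.0.2.30"}
# Assumed address of a reverse proxy we operate in front of the web server.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5"}


def is_office_address(addr: str, allowlist: Iterable[str] = OFFICE_ADDRS) -> bool:
    """True if addr is exactly one of the office egress addresses.

    A match only says the TCP connection came through that office's NAT, not
    *who* inside the office sent it: every employee, and every compromised
    desktop, behind that NAT looks identical (Dave's point about insiders).
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip == ipaddress.ip_address(a) for a in allowlist)


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The common first attempt: prefer X-Forwarded-For whenever it is present.

    Anyone on the Internet can send that header, so this lets an outsider
    'become' an office address simply by typing it in.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a proxy we run.

    A proxy appends the address it saw to the right of whatever the client
    already sent, so the rightmost entry is the only one the proxy vouches for.
    """
    if remote_addr in set(trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


def request_allowed(remote_addr: str, headers: Mapping[str, str],
                    naive: bool = False) -> bool:
    """Decide whether to serve the page, with the naive or the careful lookup."""
    ip = naive_client_ip(remote_addr, headers) if naive else client_ip(remote_addr, headers)
    return is_office_address(ip)


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, HTTP headers)
    cases = {
        "office, direct":       ("203.0.113.10", {}),
        "outsider, forged XFF": ("198.51.100.99", {"X-Forwarded-For": "203.0.113.10"}),
        "office via proxy":     ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10"}),
        "outsider via proxy":   ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10, 198.51.100.99"}),
    }
    for name, (peer, hdrs) in cases.items():
        print(f"{name:22s} naive={request_allowed(peer, hdrs, naive=True)!s:5s} "
              f"careful={request_allowed(peer, hdrs)}")
```

Run it and the second case is the one to look at: the naive lookup lets an outsider in by forging the header, while the careful lookup only believes the header when the connection really came from the proxy we control. Even the careful version still grants access to anyone behind an office NAT, which is the limitation the thread keeps coming back to.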

Re: Building an Intranet

on 10.01.2006 13:44:22 by Volker Birk

GLSmyth wrote:
> To sum things up (please correct me if I am wrong), it appears that
> checking the IP Address and using https should work fine

No.

Using HTTPS and checking certificates would work fine.

Yours,
VB.
--
A vision statement is, as a rule, the planless babble of a horde of
cranks out of touch with reality.
Dietz Pröpper in d.a.s.r
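
What "HTTPS and checking certificates" (Volker Birk) and "both server and client certificates" (Kookwekker) amount to on the server, as an added example written with Python's standard ssl module; it is not code from the thread. Plain HTTPS only proves the server's identity to the browser; for the intranet the server has to demand a client certificate issued by the company's own CA, and then the identity comes from the certificate rather than from the IP address. File paths and the sample certificate fields are assumptions constructed for the example.

```python
"""Added example, not code from the thread: server-side HTTPS with client
certificate checking, using only Python's standard ssl module. File names
and the sample certificate below are assumptions for illustration."""
import ssl
from typing import Mapping, Optional


def bare_server_context() -> ssl.SSLContext:
    """A server context as the stdlib hands it out: TLS on, client certs ignored."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def require_client_cert(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Turn a context that would serve anyone into one that refuses the
    handshake unless the client presents a certificate chaining to our CA."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # PROTOCOL_TLS_SERVER defaults to CERT_NONE
    return ctx


def build_server_context(certfile: str, keyfile: str, company_cafile: str) -> ssl.SSLContext:
    """Server context for the intranet site (all three paths are assumed)."""
    ctx = bare_server_context()
    ctx.load_cert_chain(certfile, keyfile)
    # Trust only the internal CA: a certificate bought from a public CA must
    # not count as an employee credential.
    ctx.load_verify_locations(cafile=company_cafile)
    return require_client_cert(ctx)


def authenticated_user(peercert: Optional[Mapping]) -> Optional[str]:
    """Map SSLSocket.getpeercert() output to an identity (the certificate's CN).

    With CERT_REQUIRED the connection only exists if the chain verified, so a
    non-empty dict here is a verified identity; None or {} means no certificate
    was presented or checked, and the request must not be treated as a user.
    """
    if not peercert:
        return None
    subject = {name: value
               for rdn in peercert.get("subject", ())
               for name, value in rdn}
    return subject.get("commonName")


# Constructed sample with the shape getpeercert() returns for a verified peer.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "MyCompany"),),
                (("commonName", "george@mycompany.example"),)),
    "issuer": ((("commonName", "MyCompany Internal CA"),),),
    "serialNumber": "01",
    "notBefore": "Jan  1 00:00:00 2006 GMT",
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}

if __name__ == "__main__":
    print(authenticated_user(SAMPLE_PEERCERT))   # george@mycompany.example
    print(authenticated_user(None))              # None: no client certificate
    print(bare_server_context().verify_mode, require_client_cert(bare_server_context()).verify_mode)
```

In a real deployment `build_server_context` wraps the listening socket (or is handed to the web server), and the application reads the identity from `authenticated_user(sock.getpeercert())` instead of from the source address. Because the check happens in the handshake, an outsider without a company-issued certificate never reaches the application at all, which is the property the IP allow-list cannot give.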