Need a little help from you pro network people familiar with commercial broadband....

Post by FlyingPenguin »

I have a client who's a franchisee. The company is requiring all the franchises to upgrade their broadband in order to be compliant (and qualify for certain benefits). I was originally told (2nd hand) that all they would need to be compliant was a static IP, but I just got a requirements document from them and this looks like a screw job.

This is what they require:

A publicly routeable Static IP, subnet and default gateway (Persistent IP and PPPoE are not acceptable)

Following ports need to be open on the broadband router:
- Ports 21 (FTP), 22 (PcAnywhere), 23 (telnet), 80 (http)
- ICMP

Following must be disabled on the broadband router:
- NAT
- DHCP
- Port forwarding
- Port filtering


Maybe I'm reading this wrong, but it sounds like even a DSL static IP won't be acceptable. Sounds like the client would be forced to lease a 1/4 T1 line in order to meet these requirements. No way the client can afford that.

AND they want my client to leave themselves wide open. WTF does he need to run an FTP server for (I do know one of the programs that will be required to be installed is an FTP server)?

I don't even understand the requirement to leave a port open for PcAnywhere. Their current system is web-based and right now tech support can remote control any workstation (with the client's permission) via a web-based java remote control program (similar to GoToMyPC).

Sounds like they want to be able to access my client's workstations any time, without prior permission via FTP and PcAnywhere.

If NAT is disabled then I presume that they expect each workstation to have its own public IP address. Why the F@ck would my client want to expose his network that way?

Sounds to me like they're making it difficult to meet the requirements on purpose.

Correct me if I'm reading this wrong.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

Post by Judg3 »

This wouldn't happen to be a travel agency, would it? I only ask, as I used to install T1's in the midwest for franchise agencies.

Anyway, from how I read it, something like a business class DSL package with 5 or so IP's should be acceptable. Send the main line through the router (there's your gateway), and 5 static IP's are usually in numerical order (there's the subnet, sorta). And does it say 22 is for PcAnywhere and 23 is for telnet, or are you assuming that from the registered port listings? I only ask because that's an odd thing to have open with what you've said about java remotes and the like, and it makes me think it's the listening/etc. ports for the franchisee's custom apps. I've run into a lot of services running on the wrong ports, especially with custom in-house apps. Just thought I'd throw that at ya. Don't forget port 22 is also SSH. Just a couple thoughts.
Post by FlyingPenguin »

Yes it does say 22 for PcAnywhere and 23 for Telnet. That's verbatim from the document.

It's a pack-and-ship type store. This really is bizarre. 2 years ago they switched from a locally based application to a web based system. All the counter systems are nothing but dumb internet stations running a java application from a secure website to run the packaging software. Simplified everything, and lets corporate worry about security.

There's a local network but up til now it's not been required. The Point of sale system can integrate with the counter systems, but no one uses that - most of the stores use the POS as a standalone.

In some rural areas stores don't even have DSL (I have one that's still using dialup - no broadband available).

Now suddenly they throw these wacky requirements at them. They want them to install an FTP server app on the POS system (VERY spooky idea if you ask me), and all these other requirements I posted above.

I'm concerned about cost (since all the client is paying for now is regular DSL - we're sharing it with a router) and security. Seems like this new scheme is going to leave them very exposed. I'm not thrilled with the idea of putting all the workstations on public static IPs and then leaving those ports open.

Thanks Judg... if you can suggest anything else I'd appreciate it. This is slightly over my head. Up until now I've never handled any business class broadband setups other than simple DSL. At least now I can call the broadband provider and the tech support people at the home office and ask some intelligent questions.

Post by TruckStuff »

You don't necessarily have to leave the ports "wide" open. I haven't ever looked for a good firewall package for Windows, but something like IPTABLES on *nix does stateful packet matching. This means that when configured properly, the firewall will allow connections that have followed the proper TCP/IP handshake procedure (SYN > ACK > SYN/ACK, etc.). This setup would block anything that doesn't follow the standard TCP/IP handshake (including random unauthorized packets in and out). So you still have a firewall, it's just a smart firewall. Don't know what you have to work with on these machines, but it's a thought.

But Judge is right. A business class DSL package should set them up. Around here, they run about $100/month for blocks of IPs. Dunno what they run elsewhere.

Post by FlyingPenguin »

I need to talk to their tech people, because the more I hear from the franchisees, the more it sounds like only the POS system needs to meet these requirements. I understand what they're doing - they want to setup an FTP server on the POS system and download the transaction files daily. They also want to be able to control it via PcAnywhere without intervention at the store.

So the way some of the owners and I are reading this, if we upgrade their existing DSL to a static IP and then put the POS system on the router's DMZ, that should satisfy the requirements.

Just the way it's phrased is misleading.

Post by FlyingPenguin »

Well I finally got them to explain. They're sending the stores a VPN router, so they just need a DSL account with a block of 4 static IPs and they're just using the telco's router as a bridge.

Sheesh, like pulling nails trying to get info.

Thanks for all your help.

Post by Gand1 »

Is there a firewall in this mix at all? If there is, then opening those ports should not be too much of a problem. With a decent firewall (hopefully running a version of Checkpoint) you can easily tell the ports to only accept incoming on the specified ports from specified IP addresses.

O.K. ....... Just read your last post. So they plan on using the VPN as the secure route for these ports? So, theoretically, this would act as a pseudo firewall. Hmmm... interesting. Not how I would do it, but interesting.
I'm...... BATMAN!

No Greyhound Racing
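As an added example that is not part of the thread (and not the franchisor's configuration), here is the kind of stateful iptables ruleset TruckStuff and Gand1 are describing: the POS host exposes 21, 22, 23, 80 and ICMP, but only accepts new connections on those ports from the franchisor's support networks, and everything else is dropped unless it belongs to a connection the host itself started. The script only generates the ruleset (for iptables-restore) so it can be reviewed before being loaded. The POS address and the corporate source networks are placeholder values (RFC 5737 documentation ranges), not anything from the requirements document.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables ruleset for a POS host
# that must expose FTP/22/23/80 and ICMP, restricted to known corporate sources.
#
# Usage: gen_rules <pos_public_ip> "<corp_net1> <corp_net2> ..." | iptables-restore
# All addresses below are constructed placeholders.

gen_rules() {
    pos_ip="$1"     # public static IP assigned to the POS host
    hq_nets="$2"    # space-separated source networks allowed to open connections
    if [ -z "$pos_ip" ] || [ -z "$hq_nets" ]; then
        echo "gen_rules: need the POS IP and at least one corporate source network" >&2
        return 1
    fi

    # Default-deny inbound and forwarding; the host may initiate outbound.
    # ESTABLISHED,RELATED is the stateful part: replies to connections this
    # host opened (and FTP data channels, via the conntrack FTP helper) get in,
    # stray packets that never completed a handshake do not.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF

    # Only the listed corporate networks may open NEW connections to the
    # required ports, and only to the POS address itself.
    for net in $hq_nets; do
        for port in 21 22 23 80; do
            printf -- '-A INPUT -p tcp -s %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$net" "$pos_ip" "$port"
        done
        # ICMP (ping/traceroute from the support desk) from the same sources.
        printf -- '-A INPUT -p icmp -s %s -d %s -j ACCEPT\n' "$net" "$pos_ip"
    done

    # Log what the default policy is about to drop, so probes are visible.
    printf -- '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "pos-drop: "\n'
    printf 'COMMIT\n'
}

# Stand-alone demo with placeholder values (documentation address ranges).
gen_rules "203.0.113.10" "198.51.100.0/24 192.0.2.0/24"
```

Two practical notes. FTP opens a second TCP connection for each transfer; for the RELATED match to cover it the kernel FTP helper has to be loaded (`modprobe nf_conntrack_ftp`, or `ip_conntrack_ftp` on 2.4-era kernels), otherwise passive-mode data connections from the corporate side will be dropped. And because this ruleset applies to one host, it does not change the rest of the thread's objection: with NAT disabled, every other workstation on a public address needs the same treatment or a filtering device in front of it, which is essentially what the VPN router the franchisor later shipped provides.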

Post by FlyingPenguin »

Ya, the VPN box acts as a firewall & router.