Sep 16 2010
 

Well, I finally ran into a situation where I needed to implement the so-called “triple router Y-configuration”. There are several pages that talk about it, but the one that I got the information from is Steve Gibson and Leo Laporte’s podcast, Security Now. You can find a transcript of the episode here. There is another page that describes it with a few good illustrations here.

The situation was one where a medical office needed to provide internet access for a workstation but with complete isolation from the current production network in place. The solution is either to lease a new DSL line just for this one machine, or to find another way to isolate two networks and still share a single Internet connection. The latter is a much more economical solution! Normally, the Y-configuration is used in situations where someone needs to provide wireless access to devices that aren’t able to employ WPA encryption. The Nintendo DS is one example of a device that supports only open Wi-Fi or WEP encryption. Many security-conscious network operators wanted to find a way to provide an economical dual-network setup with guaranteed isolation between the networks. As Steve Gibson so thoroughly explained, only a triple router Y-configuration will work.

The only aspect of this setup that turned out to be a problem was the fact that this office was using Windows Remote Desktop services, which involved port forwarding. I tried a few possible solutions to keep that working but simply wasn’t able to. Frankly, it was time to move past RDP and to a more secure solution, so I’m not too upset about it!