Solved

Setup another subnet with max security

Posted on 2003-10-24
Last Modified: 2010-04-17
I am not a networking expert by any means, but I am the only person at my company that can handle the network problem that I am having.
My network configuration is set up as follows: 2610 Cisco Router (outside) that is connected to a Pix 506e which goes into a Cisco 2924 Catalyst Switch and then into my LAN. I have only one subnet 192.168.x.x and the switch has only one VLAN on it for my domain (default settings). I have a VPN tunnel set up on my PIX that goes to our client using IPSec. We have complete access to our client's LAN, which we use to support them.
My problem is I built a Win2K (Advanced Server) with SQL server on it. I am using a software program that runs an inventory scan of our client's machines. Well, the inventory software developers (whose product we are using) want complete 24x7 access to this server for updates and to verify data integrity (they will use TSC to access this server, so I will open a port on our firewall and router for them to come in on). From a security standpoint we do not want this vendor to be able to see our local domain or our client's domain. So I want to put this stand-alone server on another subnet to hide our domains from the inventory software developers. My router has only one Ethernet port and we are not going to buy another router with two Ethernet ports on it right now. In summary, I need to know how I can set up a stand-alone server (on another subnet with optimum security) allowing our vendor to access this stand-alone server and allowing my company and our client to see this server on our domains.

Thanks for your help in advance.
Question by: MarkHob
Accepted Solution by: lrmoore (earned 300 total points)
Your options are limited.
Assuming that this server must be able to have access to the remote network, your own network and this third party...
VLANs are not an option, because you have no way to route between them.
One of your only options would be to give them a separate login and be sure to set the login properties to only allow connection to the one computer, and be sure to enable auditing.
Author Comment by: MarkHob
So it sounds like I will need to keep this server on my subnet (in its own workgroup), disable NetBIOS to make it a pure TCP/IP box, enable auditing, create a power user account and check the audit logs to make sure they are not going anywhere they are not supposed to go. Is there anything else I should do to lock it down to my third party vendor?
I was just hoping that there would be a way to make it work on a different subnet, but it sounds like my network topology will not allow for this to happen (besides punching a hole for the third party client to come in through).
Will Terminal Services allow Power Users or does it only allow Admins to use it remotely? If I use Application Mode in Terminal Services can I specify Group Policy levels? If this box has to be on my subnet I just want to make it as secure as possible.
I guess this topic is now steering towards a different topic; initially I was not sure where I should post this.
Expert Comment by: lrmoore
Unfortunately, I'm not a Term services guru...yet.... I don't know if you have to be an administrator to log in with the standard Admin services Term services only enabled...
I think you'll be OK. I work with several customers that have the same issues.
You have to have some level of trust with the vendor. Your client trusts you enough to have full access across the VPN tunnel...
There should be a setting for the user account that it can only access specific computers. Be sure you lock it down to just that one. With this, at least you have taken prudent measures to protect yourself and your client, and can shift the blame to them if they do something they shouldn't because you have an audit trail.
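One way to do the audit-log review that lrmoore and MarkHob settle on (a vendor account restricted to the one server, with its logons checked afterwards), as an added example that is not from the thread. The tab-separated export format, the account name and the host names are assumptions; the event IDs are the Windows 2000 Security-log IDs.

```python
"""Review exported Windows 2000 Security-log records for a restricted vendor account.
Added example, not from the thread: the export format, host names and sample records
are constructed; event IDs 528/540 (successful logon), 533 (account not allowed to
log on at this computer) and 529 (bad password) are the Windows 2000 IDs."""
from collections import defaultdict

# Policy from the thread: the vendor's account may log on to the stand-alone
# inventory server only.  Account and host names are placeholders.
POLICY = {"vendor_tsc": {"INVSRV01"}}

LOGON_OK = {528, 540}           # interactive / network logon succeeded
LOGON_RESTRICTED = 533          # "log on to" workstation restriction fired
LOGON_BAD_PASSWORD = 529

# Constructed export: host <TAB> event id <TAB> account <TAB> source workstation
SAMPLE_LOG = """\
INVSRV01\t528\tvendor_tsc\tVENDOR-PC
INVSRV01\t540\tvendor_tsc\tVENDOR-PC
DC01\t533\tvendor_tsc\tVENDOR-PC
FILESRV\t540\tvendor_tsc\tVENDOR-PC
DC01\t528\tmarkhob\tMARK-WS
INVSRV01\t529\tvendor_tsc\tVENDOR-PC
"""

def parse_records(text):
    """Turn the export into (host, event_id, account, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, event_id, account, source = line.split("\t")
        records.append((host, int(event_id), account.lower(), source))
    return records

def review(records, policy):
    """Findings for the accounts named in policy: 'violations' are successful
    logons outside the allowed hosts (restriction missing or bypassed), 'blocked'
    are attempts the restriction stopped, 'failures' count bad passwords per host."""
    findings = {"violations": [], "blocked": [], "failures": defaultdict(int)}
    for host, event_id, account, source in records:
        if account not in policy:
            continue                      # only the vendor account is in scope
        if event_id in LOGON_OK and host not in policy[account]:
            findings["violations"].append((host, account, source))
        elif event_id == LOGON_RESTRICTED:
            findings["blocked"].append((host, account, source))
        elif event_id == LOGON_BAD_PASSWORD:
            findings["failures"][host] += 1
    return findings
```

A successful logon on any host other than the inventory server is the finding that matters; a 533 on another host shows the "log on to" restriction doing its job.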