How to add a second untrusted subnet

Posted on 2004-08-23
Last Modified: 2008-01-09
We are adding a training room to our internal network. I don't want users on the training network trying to get into our internal system. I want to secure this at the lowest level possible so that ideally the training users wouldn't even be aware of the internal network. However occasionally one of our trusted users will plug into the training room when it is not being used and will need access to the internal network. Not sure how I can do this.
I guess I am looking at 2 subnets with a switch for each. I think the best option is then going to be a router/firewall between the 2 switches. I am looking for confirmation that I am on the right lines and a recommended product to use as a firewall. My experience of routers/firewalls has been between internal LAN and the internet rather than LAN-LAN. Most of the routers/firewalls I have looked at seem to be geared to internet use.
Question by:Caltor
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 100 total points
ID: 11874481
Hi Caltor,
If you want to partition the subnets you will need a router or a switch capable of layer 3 switching (VLAN partitioning), but this will ISOLATE the networks. As you want trusted user access also, I'd just make an OU called "training room" or something, restrict the user accounts, and use them for that "network".

LVL 34

Assisted Solution

PsiCop earned 100 total points
ID: 11874498
Yes, your best option is a router/firewall between the two subnets. Another option, not quite as good, would be to use a VLAN to separate the traffic, but that is more risky. You have better control with the router/firewall.

There's really no substantive difference between a firewall to separate internal nets and to separate the internal nets from the Internet. The function is identical, only the scale changes.

Since you didn't say, I dunno what your internal network architecture uses for a platform. If you're a NetWare shop, I'd say get a server with two NICs and do IP filtering (for a cheap solution that only costs whatever the hardware is that you put into it - since modern NetWare is licensed on a per-user basis it doesn't matter how many servers you have); or for a solution with better control and authentication for the occasional "trusted" person who logs in on that net, get BorderManager.

If you're in a *NIX environment, get a server with two NICs and run IPChains or something like that to filter traffic between the two environments. Don't have a ready suggestion for the "trusted user" question.

A 2-port Cisco router with a modern IOS could also do the trick.

Accepted Solution

marcin79 earned 250 total points
ID: 11874959
The trusted user might be done by MAC filtering.
2 approaches:
i.e. you have a room with 10 computers; next you configure your firewall to let through into your private network everything except these 10 computers
or (more secure)
you configure your firewall to let through *only* "trusted users".

Both of these approaches require a customizable firewall with MAC filtering support.

Hope this helps
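Worked example, added here and not part of marcin79's or PsiCop's posts: a small POSIX shell script that generates the iptables FORWARD rules for the two-NIC Linux box PsiCop describes sitting between the training subnet and the internal subnet, implementing both of the MAC-filtering approaches marcin79 lists (deny the listed training-room MACs, or allow only the listed trusted MACs). The interface names eth0/eth1, the internal subnet 192.168.1.0/24 and the MAC addresses are assumptions for illustration, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): emit iptables rules for a
# two-NIC Linux firewall between a training room and the internal LAN.
# Interface names, subnet and MACs below are assumptions for illustration.

TRAIN_IF="eth1"           # NIC facing the training room (assumed)
LAN_IF="eth0"             # NIC facing the internal network (assumed)
LAN_NET="192.168.1.0/24"  # internal subnet (assumed)

# Print (do not apply) the rule set for one of marcin79's two approaches:
#   deny  -> forward everything into the LAN except from the listed MACs
#   allow -> forward into the LAN only from the listed (trusted) MACs
# Usage: gen_rules <deny|allow> MAC [MAC ...]
gen_rules() {
    mode="$1"; shift
    # Default: nothing crosses between the subnets unless a rule says so.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # The firewall itself should not answer pings from the training side.
    echo "iptables -A INPUT -i $TRAIN_IF -p icmp --icmp-type echo-request -j DROP"
    # Internal hosts may initiate towards the training room; replies to
    # those sessions are the only unsolicited-looking traffic let back in.
    echo "iptables -A FORWARD -i $LAN_IF -o $TRAIN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $TRAIN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$mode" in
        deny)
            # Block the known training-room machines, then let the rest in.
            for mac in "$@"; do
                echo "iptables -A FORWARD -i $TRAIN_IF -o $LAN_IF -m mac --mac-source $mac -j DROP"
            done
            echo "iptables -A FORWARD -i $TRAIN_IF -o $LAN_IF -d $LAN_NET -j ACCEPT"
            ;;
        allow)
            # Only the trusted MACs may open connections into the LAN;
            # everyone else falls through to the DROP policy.
            for mac in "$@"; do
                echo "iptables -A FORWARD -i $TRAIN_IF -o $LAN_IF -m mac --mac-source $mac -d $LAN_NET -j ACCEPT"
            done
            ;;
        *)
            echo "usage: gen_rules <deny|allow> MAC..." >&2
            return 1
            ;;
    esac
}

# Stand-alone usage on the firewall (as root, with ip_forward enabled):
#   ./mkrules.sh allow 00:11:22:33:44:55 | sh
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

The script only prints the rules so it can be reviewed on any machine; on the firewall, pipe the output into sh after enabling IP forwarding. The ESTABLISHED,RELATED rule is what makes a trusted user's sessions work while every unsolicited packet from the training room, pings and port scans included, is dropped by the FORWARD policy and never reaches an internal host. Two caveats a practitioner should weigh: a MAC address is set by the client and can be changed in seconds, so MAC filtering separates honest users but is not an authentication control, and the "allow" form is the safer of the two because a new or unknown machine gets nothing by default.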

Author Comment

ID: 11875568
Environment is Microsoft SBS2003 Premium.
VLAN sounds interesting. Not so sure about the OU. I would like to make things a bit less visible, i.e. block pings, portscans, net view etc.
PsiCop, you say "There's really no substantive difference between a firewall to separate internal nets and to separate the internal nets from the Internet. The function is identical, only the scale changes." but all the firewalls/routers I have looked at online seem to have a WAN port and LAN port (sometimes a DMZ). Are you saying that you would just put the untrusted network onto the WAN port? Also some of the firewalls seem to rely on NAT and I'm not sure if that is going to work on a LAN-LAN basis?
Marcin, Mac filtering sounds like the kind of thing I am thinking of. Can you recommend a firewall with mac filtering support? Would you recommend hardware firewall or a linux/Windows box etc...
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 11875768
Hi Caltor,
Have only one PC multihomed on both networks, not running any routing software. Use a remote control program, such as Terminal Server or VNC, to control this PC, log in to the corporate network to download the needed files etc. If the bridge PC is running a server OS, it could be a SUS server and NAV Corporate Anti-virus Server downloading security updates to be made available to the test network.
usual disclaimers apply

Expert Comment

ID: 11878369
I would rather recommend a Linux box and its iptables; it's much more flexible than any other hardware solution. But if you are interested in a hardware solution, it's quite difficult for me because I've never looked at hardware routers from this angle (always used Linux). I may take a look at the different kinds of Linksys which I have plenty of in use at the moment, or look for any other hardware on the internet for you.

LVL 27

Assisted Solution

pseudocyber earned 50 total points
ID: 11879971
Enterasys makes gear which can recognize who is on the network and allow them access to different segments with different permissions - all dynamically.

Check it out:
LVL 57

Expert Comment

by:Pete Long
ID: 11906622

