Solved

How to add a second untrusted subnet

Posted on 2004-08-23
393 Views
Last Modified: 2008-01-09
We are adding a training room to our internal network. I don't want users on the training network trying to get into our internal system. I want to secure this at the lowest level possible so that ideally the training users wouldn't even be aware of the internal network. However occasionally one of our trusted users will plug into the training room when it is not being used and will need access to the internal network. Not sure how I can do this.
I guess I am looking at 2 subnets with a switch for each. I think the best option is then going to be a router/firewall between the 2 switches. I am looking for confirmation that I am on the right lines and a recommended product to use as a firewall. My experience of routers/firewalls has been between internal LAN and the internet rather than LAN-LAN. Most of the routers/firewalls I have looked at seem to be geared to internet use.
Question by:Caltor
8 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 100 total points
ID: 11874481
Hi Caltor,
If you want to partition the subnets you will need a router or a switch capable of layer 3 switching (VLAN partitioning), but this will ISOLATE the networks. As you want trusted user access also, I'd just make an OU called training room or something, restrict the user accounts and use them for that "network".

PeteL
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 100 total points
ID: 11874498
Yes, your best option is a router/firewall between the two subnets. Another option, not quite as good, would be to use a VLAN to separate the traffic, but that is more risky. You have better control with the router/firewall.

There's really no substantive difference between a firewall to separate internal nets and to separate the internal nets from the Internet. The function is identical, only the scale changes.

Since you didn't say, I dunno what your internal network architecture uses for a platform. If you're a NetWare shop, I'd say get a server with two NICs and do IP filtering (for a cheap solution that only costs whatever the hardware is that you put into it - since modern NetWare is licensed on a per-user basis it doesn't matter how many servers you have); or for a solution with better control and authentication for the occasional "trusted" person who logs in on that net, get BorderManager.

If you're in a *NIX environment, get a server with two NICs and run IPChains or something like that to filter traffic between the two environments. Don't have a ready suggestion for the "trusted user" question.

A 2-port Cisco router with a modern IOS could also do the trick.
 
LVL 2

Accepted Solution

by:marcin79
marcin79 earned 250 total points
ID: 11874959
The trusted user might be done by MAC filtering.
2 approaches
i.e.: You have a room with 10 computers; next you configure your firewall to let through into your private network everything except these 10 computers
or (more secure)
you configure your firewall to let through *only* "trusted users"

Both of these approaches require a customizable firewall with MAC filtering support

Hope this helps
Regards
Marcin

 
LVL 3

Author Comment

by:Caltor
ID: 11875568
Environment is Microsoft SBS2003 Premium.
VLAN sounds interesting. Not so sure about the OU. I would like to make things a bit less visible, i.e. block pings, port scans, net view etc.
PsiCop, you say "There's really no substantive difference between a firewall to separate internal nets and to separate the internal nets from the Internet. The function is identical, only the scale changes." but all the firewalls/routers I have looked at online seem to have a WAN port and LAN port (sometimes a DMZ). Are you saying that you would just put the untrusted network onto the WAN port? Also some of the firewalls seem to rely on NAT and I'm not sure if that is going to work on a LAN-LAN basis?
Marcin, MAC filtering sounds like the kind of thing I am thinking of. Can you recommend a firewall with MAC filtering support? Would you recommend a hardware firewall or a Linux/Windows box etc.?
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 11875768
Hi Caltor,
Have only one PC multihomed on both networks, not running any routing software. Use a remote control program, such as Terminal Server or VNC, to control this PC, log in to the corporate network to download the needed files etc. If the bridge PC is running a server OS, it could be a SUS server and NAV Corporate Anti-virus Server downloading security updates to be made available to the test network.
usual disclaimers apply
 
LVL 2

Expert Comment

by:marcin79
ID: 11878369
Caltor
I would rather recommend a Linux box and its iptables; it's much more flexible than any other hardware solution. If you are interested in a hardware solution it's quite difficult for me, because I've never looked at hardware routers from this angle (always used Linux), but I may take a look at the different kinds of Linksys which I have plenty in use at the moment, or look for any other hardware on the internet for you.

Regards
Marcin
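As an added example that is not code from the thread or from any of its posters, the script below puts Marcin's two MAC-filtering approaches and PsiCop's two-NIC Linux filter into iptables form, and answers Caltor's NAT question by simply forwarding between the two subnets with no NAT rule at all. The interface names, subnet addresses, MAC addresses and the `--apply`/`--preview` switches are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a two-NIC Linux box forwarding between
# the training subnet and the internal LAN with iptables, using MAC filtering
# for the "trusted user" case. Interface names, subnets and MAC addresses are
# constructed placeholders; adjust them to the real address plan.
set -e

RUN="${RUN:-}"            # set RUN=echo to preview the commands instead of applying them (root needed otherwise)
IPT="${IPT:-iptables}"
INT_IF="${INT_IF:-eth0}"  # NIC facing the internal LAN (assumed name)
TRN_IF="${TRN_IF:-eth1}"  # NIC facing the training room (assumed name)
INT_NET="${INT_NET:-192.168.1.0/24}"   # constructed address plan
TRN_NET="${TRN_NET:-192.168.2.0/24}"   # constructed address plan
MODE="${MODE:-allow}"     # allow = only trusted MACs get in (safer); deny = block the room's own PCs, let others in

# "allow" approach: MACs of the trusted users' machines (constructed values).
TRUSTED_MACS="${TRUSTED_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"
# "deny" approach: MACs of the training-room PCs themselves (constructed values).
TRAINING_MACS="${TRAINING_MACS:-00:aa:bb:cc:00:01 00:aa:bb:cc:00:02}"

apply_rules() {
    # The box routes between two private subnets, so no NAT is needed for
    # LAN-to-LAN and nothing touches the nat table. Each side only needs a
    # route to the other subnet via this box.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Start from "drop everything that crosses the box".
    $RUN $IPT -P FORWARD DROP
    $RUN $IPT -F FORWARD

    # Replies belonging to connections allowed below may flow back.
    $RUN $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    case "$MODE" in
    allow)
        # Only the listed MACs may open connections from the training room
        # into the internal LAN. Everything else from the room, pings and
        # port scans included, hits the DROP policy, so internal hosts stay silent.
        for mac in $TRUSTED_MACS; do
            $RUN $IPT -A FORWARD -i "$TRN_IF" -o "$INT_IF" -s "$TRN_NET" -d "$INT_NET" \
                -m mac --mac-source "$mac" -m state --state NEW -j ACCEPT
        done
        ;;
    deny)
        # The room's own PCs are blocked and anything else plugged in is let
        # through. Weaker, because an unknown machine is trusted by default.
        for mac in $TRAINING_MACS; do
            $RUN $IPT -A FORWARD -i "$TRN_IF" -o "$INT_IF" -m mac --mac-source "$mac" -j DROP
        done
        $RUN $IPT -A FORWARD -i "$TRN_IF" -o "$INT_IF" -s "$TRN_NET" -d "$INT_NET" \
            -m state --state NEW -j ACCEPT
        ;;
    *)
        echo "unknown MODE: $MODE" >&2
        return 1
        ;;
    esac

    # Log (rate limited) what the room tried before the policy drops it,
    # so blocked attempts show up in syslog.
    $RUN $IPT -A FORWARD -i "$TRN_IF" -o "$INT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "TRAINING-BLOCKED: "
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --preview) RUN=echo; apply_rules ;;
esac
```

Run it as `sh firewall.sh --preview` to print the rules without touching the kernel, then `--apply` as root once the interface names and subnets match. Note that the MAC match identifies a network card rather than a person, so in either mode it is a convenience filter; where the occasional trusted user really needs per-user accountability, an authenticated path (the BorderManager or Enterasys style suggestions in this thread, or a VPN into the internal LAN) is the stronger control, and the `TRAINING-BLOCKED:` log lines give an easy way to see when the room's machines try to reach the internal side.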
 
LVL 27

Assisted Solution

by:pseudocyber
pseudocyber earned 50 total points
ID: 11879971
Enterasys makes gear which can recognize who is on the network and allow them access to different segments with different permissions - all dynamically.

Check it out:  http://www.enterasys.com/solutions/secure-networks/secure_guest_networking/
 
LVL 57

Expert Comment

by:Pete Long
ID: 11906622
ThanQ