  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 427

How to add a second untrusted subnet

We are adding a training room to our internal network. I don't want users on the training network trying to get into our internal system. I want to secure this at the lowest level possible so that ideally the training users wouldn't even be aware of the internal network. However occasionally one of our trusted users will plug into the training room when it is not being used and will need access to the internal network. Not sure how I can do this.
I guess I am looking at 2 subnets with a switch for each. I think the best option is then going to be a router/firewall between the 2 switches. I am looking for confirmation that I am on the right lines and a recommended product to use as a firewall. My experience of routers/firewalls has been between internal LAN and the internet rather than LAN-LAN. Most of the routers/firewalls I have looked at seem to be geared to internet use.
0
Asked by: Caltor
4 Solutions
 
Pete Long (Consultant) commented:
Hi Caltor,
If you want to partition the subnets you will need a router or a switch capable of layer 3 switching (VLAN partitioning), but this will ISOLATE the networks. As you want trusted user access also, I'd just make an OU called "training room" or something, restrict the user accounts and use them for that "network".

PeteL
0
 
PsiCop commented:
Yes, your best option is a router/firewall between the two subnets. Another option, not quite as good, would be to use a VLAN to separate the traffic, but that is more risky. You have better control with the router/firewall.

There's really no substantive difference between a firewall to separate internal nets and to separate the internal nets from the Internet. The function is identical, only the scale changes.

Since you didn't say, I dunno what your internal network architecture uses for a platform. If you're a NetWare shop, I'd say get a server with two NICs and do IP filtering (for a cheap solution that only costs whatever the hardware is that you put into it - since modern NetWare is licensed on a per-user basis it doesn't matter how many servers you have); or for a solution with better control and authentication for the occasional "trusted" person who logs in on that net, get BorderManager.

If you're in a *NIX environment, get a server with two NICs and run IPChains or something like that to filter traffic between the two environments. Don't have a ready suggestion for the "trusted user" question.

A 2-port Cisco router with a modern IOS could also do the trick.
0
 
marcin79 commented:
The trusted user might be done by MAC filtering.
Two approaches:
i.e. you have a room with 10 computers; next you configure your firewall to let through into your private network everything except these 10 computers,
or (more secure)
you configure your firewall to let through *only* "trusted users".

Both of these approaches require a customizable firewall with MAC filtering support.

Hope this helps
Regards
Marcin
0
 
Caltor (Author) commented:
Environment is Microsoft SBS2003 Premium.
VLAN sounds interesting. Not so sure about the OU. I would like to make things a bit less visible, i.e. block pings, portscans, net view etc.
PsiCop you say "There's really no substantive difference between a firewall to separate internal nets and to separate the internal nets from the Internet. The function is identical, only the scale changes." but all the firewalls/routers I have looked at online seem to have a WAN port and LAN port (sometimes a DMZ). Are you saying that you would just put the untrusted network onto the WAN port? Also some of the firewalls seem to rely on NAT and I'm not sure if that is going to work on LAN-LAN basis??
Marcin, MAC filtering sounds like the kind of thing I am thinking of. Can you recommend a firewall with MAC filtering support? Would you recommend a hardware firewall or a Linux/Windows box etc...
0
 
Joseph O'Loughlin commented:
Hi Caltor,
Have only one PC multihomed on both networks, not running any routing software. Use a remote control program, such as Terminal Server or VNC, to control this PC, log in to the corporate network to download the needed files etc. If the bridge PC is running a server OS, it could be a SUS server, and NAV Corporate Anti-virus Server downloading security updates to be made available to the test network.
usual disclaimers apply
0
 
marcin79 commented:
Caltor,
I would rather recommend a Linux box and its iptables; it's much more flexible than any other hardware solution. But if you are interested in a hardware solution it's quite difficult for me, because I've never looked at hardware routers from this angle (always used Linux), but I may take a look at the different kinds of Linksys which I have plenty of in use at the moment, or look for any other hardware on the internet for you.

Regards
Marcin
0
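The two-NIC Linux filter that PsiCop and marcin79 describe, with marcin79's "only trusted users" MAC approach layered on top, as an added example that is not code from the thread or from any poster. Interface names, subnet ranges and the MAC addresses are constructed placeholders; the script prints the iptables commands for review rather than applying them, so it runs on any POSIX shell. Default policy is DROP on the FORWARD chain, the internal side may open connections into the training room and get its replies back, and the training side reaches the internal LAN only from a listed source MAC; everything else from the training room is logged and dropped, which also gives you a record of the pings and scans Caltor wants hidden.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates iptables FORWARD rules
# for a Linux box with one NIC on the internal LAN and one on the training LAN.
# All names, subnets and MACs below are constructed placeholders.
INTERNAL_IF=eth0
TRAINING_IF=eth1
INTERNAL_NET=192.168.1.0/24
TRAINING_NET=192.168.2.0/24
# Constructed list of "trusted" laptop MACs permitted to cross from the training room.
TRUSTED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

build_rules() {
    # Flush the chain and default-drop forwarded traffic: nothing crosses unless allowed.
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Internal -> training may initiate (e.g. pushing updates); replies are allowed back.
    echo "iptables -A FORWARD -i $INTERNAL_IF -o $TRAINING_IF -s $INTERNAL_NET -d $TRAINING_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $TRAINING_IF -o $INTERNAL_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Training -> internal: only frames whose source MAC is on the trusted list.
    for mac in $TRUSTED_MACS; do
        echo "iptables -A FORWARD -i $TRAINING_IF -o $INTERNAL_IF -m mac --mac-source $mac -j ACCEPT"
    done
    # Log, then drop, everything else from the training room so attempts are visible in syslog.
    echo "iptables -A FORWARD -i $TRAINING_IF -o $INTERNAL_IF -j LOG --log-prefix 'TRAINING-DENY: '"
    echo "iptables -A FORWARD -i $TRAINING_IF -o $INTERNAL_IF -j DROP"
}

# Number of per-MAC ACCEPT rules generated (one per entry in TRUSTED_MACS).
count_trusted_rules() {
    build_rules | grep -c -- "--mac-source"
}

# Print the rule set for review. To apply on the firewall box, run as root:  build_rules | sh
build_rules
```

A MAC address is a convenience key, not authentication: it is trivially changed on most operating systems, so treat the MAC list as a way to let known laptops through and keep the account-level restrictions Pete Long describes in place behind it. Because the training side must reach the internal LAN through this box, no NAT is needed; plain routing with these filter rules is enough, which answers Caltor's LAN-LAN question.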
 
pseudocyber commented:
Enterasys makes gear which can recognize who is on the network and allow them access to different segments with different permissions - all dynamically.

Check it out:  http://www.enterasys.com/solutions/secure-networks/secure_guest_networking/
0
 
Pete Long (Consultant) commented:
ThanQ
0
