Need help managing a network of unmanaged clients

I'm helping out a friend who is responsible for managing a LAN of about 30-50 computers.  We are connected to the internet by business class ADSL service using a Cayman 3500 series router.  The router is connected to Netgear unmanaged switches.  The majority of users are not employees, but are instead agents who own their own computers or laptops.

When I first came on to help, I discovered that a large number of client systems had no virus protection and many systems were infected with various viruses that were flooding the router and shutting down the internet connection for the entire office.  We cleaned all of the infected systems and implemented a policy requiring virus protection to use the network.  Ultimately, because these are unmanaged systems there is no way for us to ensure that all systems are virus free, and we have subsequently run into additional problems.

What are some tips and best practices to protect our network from individual systems infecting other systems and interfering with or shutting down internet connectivity?  The only network connectivity required is to access the internet and shared printers.  There are no servers or file sharing on this network.  Is there a simple hardware solution to 'isolate' each client from each other?  How do hotels accomplish this?

The simplest solution I could think of that would prevent any infection from getting to your company computers from computers you have no control over would be this:

Get a switch that supports VLANs (the Cisco 3550 and 3Com 3300 can both do this), configure each port to have its own VLAN; that way they are separated and cannot "see" or "hear" each other or any network traffic.  Associate the VLANs with the port connected to the DSL modem and you are done.

This would protect your internal network from the computers, and with a minimal amount of purchases allow you to support them for internet.  If these computers are privately owned you shouldn't be responsible for cleaning and protecting them.

The 3Com 3250 switch has 48 ports and supports VLANs for about $900; there are other models with pricing ranging from $600 - $1200 depending on your requirements.
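A switch configuration for the per-port isolation Mazaraat describes, added here as an example and not taken from the thread or from any vendor document. It assumes a Catalyst 3550 running IOS, with clients on Fa0/1-48 and the Cayman router on Gi0/1; rather than one VLAN per port (which would need the DSL router to understand 802.1Q tags), it keeps every port in one VLAN and uses protected ports, which never forward frames to other protected ports on the same switch but do forward to unprotected ports such as the uplink.

```cisco
! Added example: Catalyst 3550 (assumed), unmanaged clients on Fa0/1-48,
! Cayman 3500 DSL router on Gi0/1. Everything stays in VLAN 10, so the
! router needs no VLAN support at all.
vlan 10
 name clients
!
interface range FastEthernet0/1 - 48
 description unmanaged client ports
 switchport mode access
 switchport access vlan 10
 ! protected: no frames are forwarded between these ports, only to
 ! unprotected ports (the router uplink and the printers below)
 switchport protected
 ! cap broadcast floods so one infected host cannot saturate the segment
 storm-control broadcast level 5.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description uplink to Cayman 3500 DSL router (unprotected on purpose)
 switchport mode access
 switchport access vlan 10
!
! Shared printers go on unprotected ports too, e.g. Gi0/2, so every
! client can still print.
!
! Caveat: protection is per switch. A client hanging off a second
! (unmanaged Netgear) switch plugged into one protected port here can
! still reach every other client on that second switch, so each client
! must connect directly to a protected port on this switch.
```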
Most viruses are spread these days by mail, so the first step, which might be a little hard, is to have the mail scanned before it actually arrives at the end users. As I said, it might be a little hard considering the setup. Another thing would be to make sure people don't have admin rights on more than one machine.

But if you give us more info on the setup it might help. Is it a domain? Do you have up-to-date AVs on all machines? What's your limit on changes you can make to the current setup?

Sorry, I didn't read everything before I submitted, so disregard some comments :)
hehewithbrackets (Author) commented:
As I stated above, these are unmanaged clients.  The systems are owned by the individuals who use them, therefore we have limited control over them.  They are not part of a domain; as a matter of fact, they aren't even part of a workgroup.
Here's the best suggestion I could come up with at the moment.
Create subdomains for every 5-10 users and disable any access between them, use VLANs in the switches, and control speeds based on each subdomain. That way virus spreading will be reduced, and one machine going out of control will not affect the entire network, only the subdomain.
But that's the best I can come up with at the moment. I'll have a think about it, and in the meantime someone else might be a lot smarter than me and will be able to help you out ;-)
Well, I researched a lot on the web and the software I have used, and found that using only three pieces of software you can achieve all your goals.

The three pieces of software are:
1) Kerio WinRoute Firewall 6.X
2) PestPatrol
3) SmartCop Antivirus Corporate Edition
Kerio WinRoute Firewall is software which provides the features of a firewall, proxy, antivirus, VPN, and many other features.
PestPatrol is software to detect and remove small pests, trojans, malware, spyware, etc.; it's not an antivirus.
SmartCop Antivirus has many features like remote installation, AVI, central management, etc.
With the help of the remote installation feature you can push the installation to your unmanaged clients; with AVI, any machine that gets infected with a virus will be isolated from the network; and there are many more features.

You can view the full feature list of all the software from the following links:


Now let me tell you the PLAN OF ACTION I have thought of.

You will configure one server with Kerio WinRoute and PestPatrol installed on it.
The Kerio WinRoute Firewall will be used as a firewall, proxy and VPN server. Since it has integrated McAfee antivirus you don't need to worry about viruses, as it will scan all inbound and outbound connections in real time. Now you need to create a LOGON.BAT file which will invoke PestPatrol to scan all the users' machines as they log in; for this you don't need to have PestPatrol on all the machines. For further help see the PestPatrol user guide.
Now install SmartCop Antivirus Corporate Edition on the server and ask all your clients and users to connect to the server. Note that your unmanaged clients will connect to the firewall/VPN server using the Kerio VPN client. Now, using the control panel of your SmartCop, you can install the SmartCop desktop on all your clients and then you can create the policy to scan your clients.

After implementing this you will achieve the following goals:
1) All unmanaged clients will connect using VPN clients, which is secure.
2) Since all unmanaged clients are connecting through the Kerio firewall, they will be scanned and monitored for all inbound and outbound connections.
3) As soon as the user logs in to the network, the LOGON.BAT file will run and will invoke the PestPatrol scanner, which will run in the background without the users knowing, will monitor the whole session, and will e-mail you the log file.
4) Even after such tight security, if any machine is found to be infected with a virus it will be ISOLATED from the network immediately by SmartCop's Active Virus Isolator facility,
thus letting you know which machine is infected.

Hope you understand what I mean to say. But before implementing this, I strongly prefer that you install and implement this software in a test environment.

Also, for implementing this software, I strongly recommend that you please go through the manuals, especially for PestPatrol's batch file.

Wish you good luck, and if you think that implementing this could achieve your goal then do give me your +ve response.
hehewithbrackets (Author) commented:
iwontleaveyou, I will take a look at your suggestions when I have a moment and let you know what I think.

Mazaraat, you hit it on the nose when you said we are not responsible for cleaning and protecting privately owned machines, therefore we need a solution that doesn't require us to mess with the clients.  For all intents and purposes, I don't really care if the clients are infected as long as it doesn't screw up the rest of our network.

Your solution was similar to what I had in mind, but will it really solve our problem and will it create a problem for our network printers?  Each client may be isolated to its own VLAN so it no longer infects other systems in the office, but it will still be connected to our router.  It seems our current problem happens when infected systems bombard the router with bogus traffic causing it to eventually shut down.

Upgrading our switches to managed switches that support VLANs is definitely within our budget (~ $3,000-$5,000), but what about our router?  Will the switches alone prevent our router from shutting down?
I was thinking of that, Mazaraat, but the only problem was that since there are between 30-50 clients, that means you have to have a device that has 30-50 different internal network addresses/NICs to really separate them. That's not very practical; that's why I thought segmenting the network into smaller parts would be more ideal, and depending on the switches that are already in place, they might have VLAN capability.

I'm still thinking about the problem, so what if you just made 2 subdomains/VLANs, one for employees and one for unmanaged computers, placed a firewall to block most of what's going out from the unmanaged subdomain, and blocked all unneeded ports? Most viruses won't use port 80 or 443, 110, 21, 22, 23; some will use port 53, and mailers will use port 25. Just make sure all 53 requests are either going to your DNS server or being blocked; I'm not too sure about port 25. Anyway, that way your router won't be flooded with worms trying to spread as much.
It's just another idea.
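The egress policy just described for the unmanaged segment, written out as an added example that is not from the thread. It assumes a Linux box with iptables sits between the unmanaged VLAN and the DSL router; the subnet, the resolver address and the chain name are constructed placeholders. The function emits the rules rather than applying them, so the policy can be reviewed (or piped to sh) first, and the logging rule records the source address of any host whose blocked traffic is being dropped, which is how you find the infected machine.

```sh
#!/bin/sh
# Added example: egress filter for the unmanaged VLAN on a Linux firewall
# (assumed) placed between that VLAN and the Cayman DSL router.
UNMANAGED_NET="192.0.2.0/24"       # unmanaged client VLAN (constructed)
INTERNAL_DNS="198.51.100.53"       # the office resolver clients must use (constructed)
ALLOWED_TCP="21,22,23,80,110,443"  # the ports the thread lists as needed

# Prints the rule set in order. Port 25 is deliberately absent from
# ALLOWED_TCP, so direct outbound SMTP from clients falls through to the
# final DROP; DNS is only allowed to INTERNAL_DNS, everything else is dropped.
unmanaged_egress_rules() {
    cat <<EOF
iptables -N UNMANAGED_OUT
iptables -A FORWARD -s $UNMANAGED_NET -j UNMANAGED_OUT
iptables -A UNMANAGED_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A UNMANAGED_OUT -p udp --dport 53 -d $INTERNAL_DNS -j ACCEPT
iptables -A UNMANAGED_OUT -p tcp --dport 53 -d $INTERNAL_DNS -j ACCEPT
iptables -A UNMANAGED_OUT -p tcp -m multiport --dports $ALLOWED_TCP -j ACCEPT
iptables -A UNMANAGED_OUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "unmanaged-drop: "
iptables -A UNMANAGED_OUT -j DROP
EOF
}

# Review first:   unmanaged_egress_rules
# Then apply:     unmanaged_egress_rules | sh
# A worm on the segment then shows up in the kernel log as repeated
# "unmanaged-drop: ... SRC=192.0.2.x ..." lines naming the infected host.
```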

If you put the employee network on one VLAN and the others on a separate VLAN, you won't need a firewall between them, as they can't see each other anyway. But I would put one in just for extra protection =)
