hehewithbrackets asked:
Need help managing a network of unmanaged clients

I'm helping out a friend who is responsible for managing a LAN of about 30-50 computers.  We are connected to the internet by business class ADSL service using a Cayman 3500 series router.  The router is connected to Netgear unmanaged switches.  The majority of users are not employees, but are instead agents who own their own computers or laptops.

When I first came on to help, I discovered that a large number of client systems had no virus protection and many systems were infected with various viruses that were flooding the router and shutting down the internet connection for the entire office. We cleaned all of the infected systems and implemented a policy requiring virus protection to use the network. Ultimately, because these are unmanaged systems, there is no way for us to ensure that all systems are virus free, and we have subsequently run into additional problems.

What are some tips and best practices to protect our network from individual systems infecting other systems and interfering with or shutting down internet connectivity?  The only network connectivity required is to access the internet and shared printers.  There are no servers or file sharing on this network.  Is there a simple hardware solution to 'isolate' each client from each other?  How do hotels accomplish this?

funkusmunkus:
Most viruses are spread these days by mail, so the first step, which might be a little hard, is to have the mail scanned before it actually arrives at the end users; as I said, it might be a little hard considering the setup. Another thing would be to make sure people don't have admin rights on more than one machine.

But if you give us more info on the setup it might help: is it a domain? Do you have up-to-date AVs on all machines? What's your limit to changes you can make on the current setup?

Sorry, I didn't read everything before I submitted, so disregard some comments :)
hehewithbrackets (asker):
As I stated above, these are unmanaged clients. The systems are owned by the individuals who use them, therefore we have limited control over them. They are not part of a domain; as a matter of fact, they aren't even part of a workgroup.
iwontleaveyou, I will take a look at your suggestions when I have a moment and let you know what I think.

Mazaraat, you hit it on the nose when you said we are not responsible for cleaning and protecting privately owned machines, therefore we need a solution that doesn't require us to mess with the clients.  For all intents and purposes, I don't really care if the clients are infected as long as it doesn't screw up the rest of our network.

Your solution was similar to what I had in mind, but will it really solve our problem and will it create a problem for our network printers?  Each client may be isolated to its own VLAN so it no longer infects other systems in the office, but it will still be connected to our router.  It seems our current problem happens when infected systems bombard the router with bogus traffic causing it to eventually shut down.

Upgrading our switches to managed switches that support VLANs is definitely within our budget (~ $3,000-$5,000), but what about our router? Will the switches alone prevent our router from shutting down?

I was thinking of that, Mazaraat, but the only problem was that since there are between 30-50 clients, that means you have to have a device that has 30-50 different internal network addresses/NICs to really separate them; that's not very practical. That's why I thought segmenting the network into smaller parts would be more ideal, and depending on the switches that are already in place, they might have VLAN capability.

I'm still thinking about the problem, so what if you just made two subdomains/VLANs, one for employees and one for unmanaged computers, place a firewall to block most of what's going out from the unmanaged subdomain, and block all unneeded ports. Most viruses won't use port 80 or 443, 110, 21, 22, 23; some will use port 53, and mailers will use port 25, but just make sure all 53 requests are either going to your DNS server or being blocked, and I'm not too sure about port 25. Anyway, that way your router won't be flooded with worms trying to spread as much.
It's just another idea.
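One way to express the egress policy sketched in the reply above, added here as an illustrative example rather than code from anyone in the thread: a small Python model of the rules for the unmanaged VLAN (DNS pinned to the office resolver, the proposed TCP allowlist, default deny) and a rendering of the same policy as an nftables forward chain. The addresses, the separate printer VLAN and the print ports are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (not from the thread): the unmanaged VLAN, the office
# resolver and a printer VLAN that the unmanaged side may reach on print ports only.
UNMANAGED_NET = ip_network("10.10.20.0/24")
PRINTER_NET = ip_network("10.10.30.0/24")
LOCAL_DNS = ip_address("10.10.1.53")
ALLOWED_TCP = {80, 443, 110, 21, 22, 23}  # outbound allowlist proposed in the reply
PRINT_TCP = {515, 631, 9100}              # LPD, IPP, raw JetDirect (assumed)
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide 'allow' or 'drop' for a NEW flow; replies ride on connection tracking."""
    s, d = ip_address(src), ip_address(dst)
    if s not in UNMANAGED_NET:
        return "allow"                                # policy is scoped to the unmanaged VLAN
    if dport == 53:
        return "allow" if d == LOCAL_DNS else "drop"  # DNS pinned to the office resolver
    if d in PRINTER_NET:
        return "allow" if proto == "tcp" and dport in PRINT_TCP else "drop"
    if d.is_private:
        return "drop"                                 # no lateral traffic to other VLANs
    if proto == "tcp" and dport in ALLOWED_TCP:
        return "allow"
    return "drop"                                     # default deny; port 25 lands here

def render_nft() -> str:
    """Render the same policy as an nftables ruleset (load with `nft -f <file>`)."""
    u, tcp = UNMANAGED_NET, ", ".join(map(str, sorted(ALLOWED_TCP)))
    prt, rfc = ", ".join(map(str, sorted(PRINT_TCP))), ", ".join(RFC1918)
    return "\n".join([
        "table inet unmanaged {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr != {u} accept",
        f"    ip saddr {u} ip daddr {LOCAL_DNS} meta l4proto {{ tcp, udp }} th dport 53 accept",
        f"    ip saddr {u} ip daddr {PRINTER_NET} tcp dport {{ {prt} }} accept",
        f"    ip saddr {u} ip daddr {{ {rfc} }} drop",
        # aggregate cap on new connections so a worm-ridden host cannot swamp the router
        f"    ip saddr {u} tcp dport {{ {tcp} }} ct state new limit rate 30/second accept",
        f'    ip saddr {u} log prefix "unmanaged-egress-drop " drop',
        "  }",
        "}",
    ])
```

The logged drops are the detection signal: a host on the unmanaged VLAN that keeps hitting the final rule is the one to unplug.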

If you put the employee network on one VLAN and the others on a separate VLAN, you won't need a firewall between them, as they can't see each other anyway. But I would put one just for extra protection =)