Small network, liability concerns, etc

Posted on 2004-11-29
Last Modified: 2013-11-30

I've been trying to work on a web filtering solution using SUSE 9.1 and SQUID.  The test runs have been very effective - but it presented an additional problem - and a potential liability for our company.

Here's the rundown of my network.

T1 line into the Router.
SMC Router - which does not allow reserved IP for MAC Addresses.
The router performs firewall/DHCP.

Router to 1 W2K Server - Active Directory/IIS Webhost/Mail Server
Router to 2 switches out to 35 workstations.

All this part works great; my addition is the SUSE 9.1 as a proxy/web filtering server.  If my other question, located at:

gets answered, it will integrate with the AD and give me the nice filtering based on groups.
I've got the warm fuzzy on all of the above - not optimal - but it is sufficient.

Here's the problem I am facing.

The owner wants to allow one open LAN line for customers to plug their laptops into.  We also have some wireless available for the owner and his business associates.

The wireless does not concern me - I can restrict that to MAC addresses within the WAP.  What does concern me is the open LAN line and the ability for employees to unplug their workstation and plug in a laptop to access the internet.

And while that vulnerability exists - the possibility also exists for people to browse websites that would put the company into liability.

Which brings me to thinking - perhaps I should use the SUSE with IPCop or similar to act as the router.  But there lies a problem - I don't know Linux except for playing with the SUSE trying to set up SQUID/SAMBA over the past week.  If it went down - that would not be good - plus I need the AD to configure access groups for domain shares.  Stability is an absolute must.

The other problem - I don't have any other available computers other than the W2K AD and the SUSE one.  

And the big problem - I have no budget at all, unless I paid for it out of my pocket - and where I'm paid about 75% of what most comparable peers get paid in this area, money is tight (not to mention I'm not bilingual to try to get a better job here).

Any ideas?  500 points means how important it is for me.
Question by:schase02
    LVL 17

    Accepted Solution

    We use a DSL line for our non-corporate individuals, i.e. wire it into one boardroom using a switch or other if preferred.  Only allow the non-company equipment to use that line.

    Reasoning is you can prevent all you want from the exterior only to have it brought to the ground by letting someone behind your defenses who may or may not have his/her computer secured!

    We have a DSL router in our computer room which is linked to a switch on a VLAN.  The VLAN is hooked to several switches in the building providing access currently at 8 locations.  (we have 8 ips provided by the ISP).

    Much cheaper than putting the rest of your network at risk, and if they blow up their own computer that is not your company's responsibility.
    LVL 17

    Expert Comment

    If your company is worried about the liability, get your corporate lawyer online with your plan and leverage his/her experience in convincing the corporate people of the necessity to keep non-company computers off your corporate LAN.  If you want, you could also set up an alarm-type system to alert you when a non-AD computer name is connected on the LAN.
    LVL 87

    Expert Comment

    What will that extra LAN be used for? Will those users need LAN access or just internet access? If it is just internet access, I'd add another NIC to your SUSE/squid box and set up the Shorewall firewall, so in the end that third NIC will be a DMZ. If you also need LAN access, you can install OpenVPN on the Linux box (along with OpenSSL).  Those users needing access to the LAN from the insecure DMZ will have to be given a personalized VPN client which will allow a secure tunnel to the LAN.

    Shorewall is pretty easy to configure and get running; OpenVPN and OpenSSL are a bit more complicated, as OpenVPN relies on the other (it is still simpler than other VPN solutions).

    OpenVPN has client software for many OSs, but not for Windows 9x (ME).

    Author Comment

    Hmm, interesting points.

    I'm now believing I'm going to have to let a *nix box handle the DHCP to capture any unwanted traffic - while the ability for non-AD computers getting on the LAN is a concern - the bigger concern is someone browsing porn, warez, etc. on our LAN.

    Anyone ever try IPCop?
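The "alarm when a non-AD computer name appears" idea from the expert comment, combined with the author's plan to move DHCP onto the Linux box, can be checked from the DHCP server's lease file. The following is an added example, not code from any poster: it parses a constructed ISC dhcpd.leases excerpt and flags active leases whose client hostname or MAC is not on a hypothetical allow-list exported from the domain.

```python
import re

# Constructed sample of an ISC dhcpd.leases file (not taken from the original post).
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "WS-ACCT-01";
}
lease 192.168.1.77 {
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "JOES-LAPTOP";
}
lease 192.168.1.78 {
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ff;
}
"""

# Hypothetical allow-lists, as they might be exported from the W2K domain.
KNOWN_AD_HOSTS = {"WS-ACCT-01"}
KNOWN_MACS = {"00:11:22:33:44:55"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Map IP -> {mac, hostname, state}; a later entry for the same IP wins, as in dhcpd."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        state = re.search(r"binding state\s+(\w+);", body)
        leases[ip] = {"mac": mac.group(1).lower() if mac else None,
                      "hostname": host.group(1).upper() if host else None,
                      "state": state.group(1) if state else None}
    return leases

def unknown_clients(leases, known_hosts=KNOWN_AD_HOSTS, known_macs=KNOWN_MACS):
    """Active leases failing either allow-list; the hostname is client-supplied, so the MAC is checked too."""
    alerts = []
    for ip, info in sorted(leases.items()):
        if info["state"] != "active":
            continue
        why = [r for ok, r in ((info["hostname"] in known_hosts, "hostname not in AD"),
                               (info["mac"] in known_macs, "MAC not registered")) if not ok]
        if why:
            alerts.append((ip, info["mac"], info["hostname"], why))
    return alerts
```

Run from cron against the real lease file and mail the result, and you have the alarm the expert describes; a MAC allow-list only raises the bar, since both name and MAC can be changed by whoever plugs in.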
