Small network, liability concerns, etc

Posted on 2004-11-29
Medium Priority
Last Modified: 2013-11-30

I've been trying to work on a web filtering solution using SUSE 9.1 and SQUID.  Which test runs have been very effective - but it presented an additional problem - and a potential liability for our company.

Heres the rundown of my network.

T1 line into the Router.
SMC Router - which does not allow reserved IP for MAC Addresses.
The router performs firewall/DHCP.

Router to 1 W2K Server - Active Directory/IIS Webhost/Mail Server
Router to 2 switches out to 35 workstations.

All this part works great, my addition is the SUSE 9.1 as a proxy/web filtering server.  Which if my other question located at:

Gets answered - it will integrate with the AD and give me the nice filtering based on groups.
I've got the warm fuzzy on all of the above - not optimal - but it is sufficient.

Heres the problem I am facing.

The owner wants to allow one open lan line for customers to plug their laptops into.  We also have some wireless available for the owner and his business associates.

The wireless does not concern me - I can restrict that to Mac addresses within the WAP.  What does concern me is the open LAN line and the ability for employees to unplug their workstation and plug in a laptop to access the internet.

And while that vulnerability exists - the possibility also exists for people to browse websites that would put the company into liability.

Which brings me to thinking - perhaps I should use the SUSE with IPCop or similiar to act as the router.  But there lies a problem - I don't know linux except for playing with the SUSE trying to set up SQUID/SAMBA over the past week.  If it went down - That would not be good - plus I need the AD to configure access groups for domain shares.  Stability is an absolute must.

The other problem - I don't have any other available computers other than the W2K AD and the SUSE one.  

And the big problem - I have no budget at all, unless I paid for it out of my pocket - and where I'm paid about 75% of what most comparable peers get paid in this area, money is tight (not to mention i'm not bilingual to try to get a better job here)

Any ideas?  500 points means how important it is for me.
Question by:schase02
  • 2
LVL 17

Accepted Solution

RDAdams earned 1000 total points
ID: 12702535
We use a DSL line for our non-corporate individuals.  IE wire into one boardroom using a switch or other if prefered.  Only allow the non company equipment to use that line.  

Reasoning is you can prevent all you want from the exterior only to have it brought to the ground by letting someone behind your defenses who may or may not have his/her computer secured!

We have a DSL router in our computer room which is linked to a switch on a VLAN.  The VLAN is hooked to several switches in the building providing access currently at 8 locations.  (we have 8 ips provided by the ISP).

Much cheaper than putting the rest of your network at risk and if they blow up there own computer that is not your companies responsibility.
LVL 17

Expert Comment

ID: 12702552
If your company is worried about the liability get your corporate lawyer on line with your plan and leverage his/her experience in convincing the corporate people of the necessity to keep non company computers off your corporate lan.  If you want you could also set up an alarm type system to alert you when a non AD computer name is connected on the LAN.
LVL 88

Expert Comment

ID: 12703357
What will that extra lan be used for? Will those users need lan access or just internet access? If it is just internet access i'd add another nic to your suse/squid box and setup shorewall firewall, so in the end that third nic will be a DMZ. If you also need LAN access, you can install OpenVPN to the Linux box (along with openssl).  Those users needing access to the lan from the insecure DMZ will have to be given a personlized VPN client which will allow a secure tunnel to the LAN.

Shorewall is pretty easy to configure and get running, OpenVPN  and OpenSSL is a bit more complicated, as OpenVPN relies on the other (it is still simpler than other VPN solutions).

OpenVPN has client software for many OSs, but not for windows9x(me).


Author Comment

ID: 12709290
hmm, interesting points.

I'm now believing I'm going to have to let a nix box handle the DHCP to capture any unwanted traffic - While the ability for non-AD computers getting on the lan is a concern - the bigger concern is someone browsing porn, warez, etc on our lan.

Anyone ever try IP Cop?

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question