schase02
asked on
Small network, liability concerns, etc
Hello,
I've been trying to work on a web filtering solution using SUSE 9.1 and SQUID. Which test runs have been very effective - but it presented an additional problem - and a potential liability for our company.
Heres the rundown of my network.
T1 line into the Router.
SMC Router - which does not allow reserved IP for MAC Addresses.
The router performs firewall/DHCP.
Router to 1 W2K Server - Active Directory/IIS Webhost/Mail Server
Router to 2 switches out to 35 workstations.
All this part works great, my addition is the SUSE 9.1 as a proxy/web filtering server. Which if my other question located at:
https://www.experts-exchange.com/questions/21223254/SQUID-problems-with-NTLM-AUTH-BASIC-AUTH.html
Gets answered - it will integrate with the AD and give me the nice filtering based on groups.
I've got the warm fuzzy on all of the above - not optimal - but it is sufficient.
Heres the problem I am facing.
The owner wants to allow one open lan line for customers to plug their laptops into. We also have some wireless available for the owner and his business associates.
The wireless does not concern me - I can restrict that to Mac addresses within the WAP. What does concern me is the open LAN line and the ability for employees to unplug their workstation and plug in a laptop to access the internet.
And while that vulnerability exists - the possibility also exists for people to browse websites that would put the company into liability.
Which brings me to thinking - perhaps I should use the SUSE with IPCop or similiar to act as the router. But there lies a problem - I don't know linux except for playing with the SUSE trying to set up SQUID/SAMBA over the past week. If it went down - That would not be good - plus I need the AD to configure access groups for domain shares. Stability is an absolute must.
The other problem - I don't have any other available computers other than the W2K AD and the SUSE one.
And the big problem - I have no budget at all, unless I paid for it out of my pocket - and where I'm paid about 75% of what most comparable peers get paid in this area, money is tight (not to mention i'm not bilingual to try to get a better job here)
Any ideas? 500 points means how important it is for me.
I've been trying to work on a web filtering solution using SUSE 9.1 and SQUID. Which test runs have been very effective - but it presented an additional problem - and a potential liability for our company.
Heres the rundown of my network.
T1 line into the Router.
SMC Router - which does not allow reserved IP for MAC Addresses.
The router performs firewall/DHCP.
Router to 1 W2K Server - Active Directory/IIS Webhost/Mail Server
Router to 2 switches out to 35 workstations.
All this part works great, my addition is the SUSE 9.1 as a proxy/web filtering server. Which if my other question located at:
https://www.experts-exchange.com/questions/21223254/SQUID-problems-with-NTLM-AUTH-BASIC-AUTH.html
Gets answered - it will integrate with the AD and give me the nice filtering based on groups.
I've got the warm fuzzy on all of the above - not optimal - but it is sufficient.
Heres the problem I am facing.
The owner wants to allow one open lan line for customers to plug their laptops into. We also have some wireless available for the owner and his business associates.
The wireless does not concern me - I can restrict that to Mac addresses within the WAP. What does concern me is the open LAN line and the ability for employees to unplug their workstation and plug in a laptop to access the internet.
And while that vulnerability exists - the possibility also exists for people to browse websites that would put the company into liability.
Which brings me to thinking - perhaps I should use the SUSE with IPCop or similiar to act as the router. But there lies a problem - I don't know linux except for playing with the SUSE trying to set up SQUID/SAMBA over the past week. If it went down - That would not be good - plus I need the AD to configure access groups for domain shares. Stability is an absolute must.
The other problem - I don't have any other available computers other than the W2K AD and the SUSE one.
And the big problem - I have no budget at all, unless I paid for it out of my pocket - and where I'm paid about 75% of what most comparable peers get paid in this area, money is tight (not to mention i'm not bilingual to try to get a better job here)
Any ideas? 500 points means how important it is for me.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
RDAdams
If your company is worried about the liability get your corporate lawyer on line with your plan and leverage his/her experience in convincing the corporate people of the necessity to keep non company computers off your corporate lan. If you want you could also set up an alarm type system to alert you when a non AD computer name is connected on the LAN.
What will that extra lan be used for? Will those users need lan access or just internet access? If it is just internet access i'd add another nic to your suse/squid box and setup shorewall firewall, so in the end that third nic will be a DMZ. If you also need LAN access, you can install OpenVPN to the Linux box (along with openssl). Those users needing access to the lan from the insecure DMZ will have to be given a personlized VPN client which will allow a secure tunnel to the LAN.
Shorewall is pretty easy to configure and get running, OpenVPN and OpenSSL is a bit more complicated, as OpenVPN relies on the other (it is still simpler than other VPN solutions).
OpenVPN has client software for many OSs, but not for windows9x(me).
Shorewall is pretty easy to configure and get running, OpenVPN and OpenSSL is a bit more complicated, as OpenVPN relies on the other (it is still simpler than other VPN solutions).
OpenVPN has client software for many OSs, but not for windows9x(me).
ASKER
hmm, interesting points.
I'm now believing I'm going to have to let a nix box handle the DHCP to capture any unwanted traffic - While the ability for non-AD computers getting on the lan is a concern - the bigger concern is someone browsing porn, warez, etc on our lan.
Anyone ever try IP Cop?
I'm now believing I'm going to have to let a nix box handle the DHCP to capture any unwanted traffic - While the ability for non-AD computers getting on the lan is a concern - the bigger concern is someone browsing porn, warez, etc on our lan.
Anyone ever try IP Cop?