Small network, liability concerns, etc


I've been trying to work on a web filtering solution using SUSE 9.1 and SQUID.  Which test runs have been very effective - but it presented an additional problem - and a potential liability for our company.

Heres the rundown of my network.

T1 line into the Router.
SMC Router - which does not allow reserved IP for MAC Addresses.
The router performs firewall/DHCP.

Router to 1 W2K Server - Active Directory/IIS Webhost/Mail Server
Router to 2 switches out to 35 workstations.

All this part works great, my addition is the SUSE 9.1 as a proxy/web filtering server.  Which if my other question located at:

Gets answered - it will integrate with the AD and give me the nice filtering based on groups.
I've got the warm fuzzy on all of the above - not optimal - but it is sufficient.

Heres the problem I am facing.

The owner wants to allow one open lan line for customers to plug their laptops into.  We also have some wireless available for the owner and his business associates.

The wireless does not concern me - I can restrict that to Mac addresses within the WAP.  What does concern me is the open LAN line and the ability for employees to unplug their workstation and plug in a laptop to access the internet.

And while that vulnerability exists - the possibility also exists for people to browse websites that would put the company into liability.

Which brings me to thinking - perhaps I should use the SUSE with IPCop or similiar to act as the router.  But there lies a problem - I don't know linux except for playing with the SUSE trying to set up SQUID/SAMBA over the past week.  If it went down - That would not be good - plus I need the AD to configure access groups for domain shares.  Stability is an absolute must.

The other problem - I don't have any other available computers other than the W2K AD and the SUSE one.  

And the big problem - I have no budget at all, unless I paid for it out of my pocket - and where I'm paid about 75% of what most comparable peers get paid in this area, money is tight (not to mention i'm not bilingual to try to get a better job here)

Any ideas?  500 points means how important it is for me.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

We use a DSL line for our non-corporate individuals.  IE wire into one boardroom using a switch or other if prefered.  Only allow the non company equipment to use that line.  

Reasoning is you can prevent all you want from the exterior only to have it brought to the ground by letting someone behind your defenses who may or may not have his/her computer secured!

We have a DSL router in our computer room which is linked to a switch on a VLAN.  The VLAN is hooked to several switches in the building providing access currently at 8 locations.  (we have 8 ips provided by the ISP).

Much cheaper than putting the rest of your network at risk and if they blow up there own computer that is not your companies responsibility.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If your company is worried about the liability get your corporate lawyer on line with your plan and leverage his/her experience in convincing the corporate people of the necessity to keep non company computers off your corporate lan.  If you want you could also set up an alarm type system to alert you when a non AD computer name is connected on the LAN.
What will that extra lan be used for? Will those users need lan access or just internet access? If it is just internet access i'd add another nic to your suse/squid box and setup shorewall firewall, so in the end that third nic will be a DMZ. If you also need LAN access, you can install OpenVPN to the Linux box (along with openssl).  Those users needing access to the lan from the insecure DMZ will have to be given a personlized VPN client which will allow a secure tunnel to the LAN.

Shorewall is pretty easy to configure and get running, OpenVPN  and OpenSSL is a bit more complicated, as OpenVPN relies on the other (it is still simpler than other VPN solutions).

OpenVPN has client software for many OSs, but not for windows9x(me).

schase02Author Commented:
hmm, interesting points.

I'm now believing I'm going to have to let a nix box handle the DHCP to capture any unwanted traffic - While the ability for non-AD computers getting on the lan is a concern - the bigger concern is someone browsing porn, warez, etc on our lan.

Anyone ever try IP Cop?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.