ndidomenico

asked:
Protect my computers at home from my kid's computer

We have a small network at home with 1 router (Linksys) for Internet access and various Windows 2000/XP machines. I would like to "isolate" my kid's computer from all other pc's so that any virus/spyware/netbios access,  etc on his computer could not reach our pc's. But I need to let him access the router for Internet access.

What do you suggest ?

We have antivirus and firewalls (Symantec) running on all machines. I'd still like an additional level of isolation just in case...

I was thinking about assigning his PC an IP address on a different network address than our PCs. (ex: him: 192.168.2.10 / all others: 192.168.1.* - the router is on 192.168.1.1). Would that help isolate him or not really? If it would, how do you set this up so that he can still use the router to access the Internet?

Thanks.
Rick111

Without any additional hardware, no. You could start messing with group policies etc. for additional protection, but given the FW software you already have set up I wouldn't suggest messing around with GPs.

While putting him on a different subnet (192.168.2 vs. 192.168.1) would be problematic, you could assign him a much higher number in the 192.168.1 range (192.168.1.225) then configure the local firewall software on each PC to treat only the lower numbers (192.168.1.1 through .10) as "trusted", or simply block traffic from his IP address to the other PCs through the firewall software.
ndidomenico

ASKER

If I blocked his IP address in each of my PCs' firewalls, would that also block viruses that use NetBIOS vulnerabilities, shares, etc. from attacking my PCs?

Also, if he were on a different subnet, would that prevent him (viruses) from accessing the other PCs on another subnet, even ones that would not have a firewall running?

Thanks
ASKER CERTIFIED SOLUTION
Rick111

(The accepted solution text is not available on this page.)
The easiest way to do this would be to purchase a second router. Plug this second router into one of the ports on the first router. Then plug your kid's computer into the second router. You will then in effect have a 3-zone network: Red (the internet), Green (local, trusted) and Orange (local, not trusted).

Once you do this, try to ping your computer while at your kid's computer. You will not be able to access the green network, but any internet requests will be forwarded to the first router, which will then forward them on to the internet.

I have this exact setup with a Linksys router and a Microsoft wireless router. This way, if the wireless gets compromised, the attackers cannot touch my local network.

--Zaheer
"If I blocked his IP address in each of my PCs' firewalls, would that also block viruses that use NetBIOS vulnerabilities, shares, etc. from attacking my PCs?"

If you configure each PC's firewall to block ALL traffic from his PC, then the type of exploit used should not matter. NetBIOS works over TCP/IP port 137 and sometimes over port 445; firewalls, when set to block all traffic, are blocking traffic on all ports. As long as you're not running the NetBEUI protocol (which is not running by default on any NT/2000/XP PC) you shouldn't worry about this.

PCs on different subnets can still connect to each other, so a worm, if written properly, would probe first a single subnet, then other subnets within the LAN for vulnerable hosts.
Rick111 - I'm testing your solution with the netmask 255.255.255.128 - seems to work well! I assigned him IP 192.168.1.150 / netmask 255.255.255.128 / gateway 192.168.1.1 (my router): I don't seem to be able to reach (ping) addresses from 192.168.1.2 - 192.168.1.127, but can ping 192.168.1.128 and higher.

Two Questions:
1) Why am I still able to ping 192.168.1.1 - my router - from his PC? This is in fact fine with me since it gives him access to the Internet, but I thought the netmask 255.255.255.128 would block access to (hide??) all addresses from 1-127. (I'm presently going through some articles on subnet masking to try to understand this a bit better.)

2) If I can't ping an IP address, does this indicate to me that I'm not risking infecting this IP's PC with worms/viruses coming from my computer? I'm referring to davidis99's note in this thread: "PCs on different subnets can still connect to each other, so a worm, if written properly, would probe first a single subnet, then other subnets within the LAN for vulnerable hosts."
If this is true, then using the subnet technique does not really protect me from worms/viruses originating from my kid's computer.

Once you have reviewed the above suggestions, read through the following document to see if anything can assist.

http://secureconditions.com/articles/NetworkSecurityGuidelinesNSA.pdf

Regards,

Good luck and stay secure.

CJ
1. I'm not sure; I'd forgotten the fact that your router would belong to subnet 1, so access from subnet 2 should not be possible, as it would need a router on its own network to access 192.168.1.1.

2. I'm not experienced with coding, but as this is only a 'software' solution, telling the OS not to access the other subnet without using the router, it's probably possible a worm written correctly could access subnet 1. That said, it is still an additional layer of protection and I would assume most basic worms would only be written to attack the local subnet.

I will be looking into point 1, as I thought I had a good idea about masking and what you said you've set up goes against what I've been taught.
Rick111 - I've retested using 192.168.1.150/255.255.255.128 and he is able to ping 192.168.1.1 and his Internet access works fine. But he cannot ping 192.168.1.2 - 127. Is it because his gateway is defined as 192.168.1.1?
I've tested it here at work and have the same results: I can ping my gateway, but when I try and ping 192.168.1.2-127 it routes through my gateway, which is what you'd expect, but I don't understand how you can have a gateway on another subnet.

The whole idea of a gateway is that it is the route you use when trying to connect to an IP which is on a network other than your local subnet.

*After further testing I've found that if you use 255.255.128.0 and try to set your default gateway on the other subnet it does not work, which is what I'd expect... for some reason you can use a router on another subnet when you use a classless mask on the fourth octet. Lovely.

For yourself, depending on what level of security/isolation you want for your kid's computer, I'd suggest the following:

>Set a static IP on your kid's machine and block all traffic from that IP on your software firewalls. Job done, but it will need to be done on a per-machine basis and you're relying on software protection.

>Disable file and print sharing on the machines you would like to protect, limiting possible attacks but also limiting the ability of your other machines to access shares.

>Buy a firewall with 3 zones (NIC ports); set up one as the internet, one as trusted and the other isolated with access only to the internet.

I'd just go for the first option and leave the subnetting idea, as it's not required as long as you block his IP at the firewall level.
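The subnet-mask puzzle in the posts above (why 192.168.1.150/255.255.255.128 can still ping 192.168.1.1 but not .2-.127) comes down to which addresses the kid's own TCP/IP stack considers "on-link" versus "send to the default gateway". The following script is an added illustration, not code from this thread or from any product mentioned in it; the addresses are the constructed values the thread uses, and it makes one assumption worth stating: that the host resolves its configured default gateway directly on the wire (as Windows does) even when that gateway lies outside the computed subnet, which is why .1 stays reachable while .2-.127 are handed to the gateway and never answered.

```python
import ipaddress

# Constructed sample layout mirroring the thread: the kid's PC gets
# 192.168.1.150 with mask 255.255.255.128 (/25); the router stays at
# 192.168.1.1 and the family PCs live in the low half of 192.168.1.0/24.
KID_PC = "192.168.1.150/25"
ROUTER = "192.168.1.1"
FAMILY_PCS = ["192.168.1.2", "192.168.1.10", "192.168.1.127"]
HIGH_HALF = ["192.168.1.128", "192.168.1.200"]


def on_link(host_cidr, destination):
    """True if `destination` is inside the subnet that `host_cidr` derives
    from its own mask, i.e. the host ARPs for it directly instead of
    handing the packet to its default gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(destination) in iface.network


def classify(host_cidr, destinations):
    """Map each destination to 'direct' (same subnet) or 'via gateway'.

    'via gateway' is what the kid's PC does for .2-.127 under a /25 mask;
    the Linksys router has no reason to forward LAN traffic back onto the
    same wire, so those pings go unanswered. The router itself is an
    assumed special case: the stack resolves its gateway on-link regardless
    of the mask, so 192.168.1.1 still replies."""
    return {d: ("direct" if on_link(host_cidr, d) else "via gateway")
            for d in destinations}


def split_lan(lan_cidr="192.168.1.0/24", new_prefix=25):
    """Show the two halves a /25 mask carves out of the /24, with their
    usable host ranges, so the '.2-.127 vs .128 and up' boundary is visible."""
    halves = []
    for sub in ipaddress.ip_network(lan_cidr).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        halves.append(f"{sub}  hosts {hosts[0]}-{hosts[-1]}")
    return halves


if __name__ == "__main__":
    for line in split_lan():
        print(line)
    print("kid's PC with /25 mask:")
    for dest, how in classify(KID_PC, [ROUTER] + FAMILY_PCS + HIGH_HALF).items():
        print(f"  {dest:16} {how}")
    # The isolation lives only in the kid's own configuration: restore a
    # /24 mask on that one machine and every family PC is on-link again.
    print("same PC with /24 mask:")
    for dest, how in classify("192.168.1.150/24", FAMILY_PCS).items():
        print(f"  {dest:16} {how}")
```

The last loop is the point davidis99 and Rick111 make in prose: the mask is a setting on the untrusted machine, not an enforcement point on the network. Anything that changes that machine's mask or routing table (or simply a firewall rule on the trusted PCs that allows the traffic) puts the low half back in reach, which is why the thread's conclusion is to block the kid's static IP on each trusted PC's firewall rather than rely on subnetting.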
Thanks Rick111.
I think I will go with your recommendation (first option). But on one machine I need to protect, I only have the XP SP2 firewall, nothing else, and I cannot find in the XP firewall a way to block a specific IP address, only ports and programs.
I should probably create a new question about this issue. Quite a bit of time has already been spent on my initial question by you guys, and I'm already happy with what you've given me so far...
I'd advise turning off the SP2 firewall and getting the www.kerio.com personal firewall, which is free and a lot more customizable.
Thanks for the help. I will look at Kerio as suggested. In comparison with Sygate Personal Firewall, any thoughts?
I prefer Kerio, more customizable. Sygate is easier to use though, so personal preference. Bear in mind I've not used Sygate for over 6 months, so any advancements etc. I'm not aware of.

Cheers
Thanks very much.

Case closed!
You might want to try SmoothWall Express (www.smoothwall.org). It's free, runs on any old PC, and if you have 3 NIC cards you can make a 3-zone network without any additional investment. Pretty good bang for the buck.

--Zaheer