Protect my computers at home from my kid's computer

We have a small network at home with 1 router (Linksys) for Internet access and various Windows 2000/XP machines. I would like to "isolate" my kid's computer from all other pc's so that any virus/spyware/netbios access,  etc on his computer could not reach our pc's. But I need to let him access the router for Internet access.

What do you suggest ?

We have antivirus and firewalls (Symanec) running on all machines. I'd still like an additionnal level of isolation just in case...

I was thinking about assigning his PC an IP address on a different network address than our PC's. (ex: him: 192.168.2.10 / all others: 192.168.1.* - the router is on 192.168.1.1). Would that help isolate him or not really. If it would, how do you set this up so that he can still use the router to access Internet.

Thanks.
ndidomenicoAsked:
Who is Participating?
 
Rick111Connect With a Mentor Commented:
You would have to configure his machine with a subnet of 255.255.255.128 and set him IP address as 192.168.1.128 or higher then his machine would aim for router when trying to access 192.168.1.1-127 which would stop direct netbios/virus attacks yes.

And/Or just block his IP address on the firewall you have setup on the local machines, this would drop all packets from his box and stop any infections.
0
 
Rick111Commented:
Without any additional hardware, no. You could start messing with group polices etc for additional protection but from the FW software you already have setup I wouldn't suggest messing around with GP's.

0
 
davidis99Commented:
While putting him on a different subnet (192.168.2 vs. 192.168.1) would be problematic, you could assign him a much higher number in the 192.168.1 range (192.168.1.225) then configure the local firewall software on each PC to treat only the lower numbers (192.168.1.1 through .10) as "trusted", or simply block traffic from his IP address to the other PCs through the firewall software.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
ndidomenicoAuthor Commented:
If I blocked his IP address in each of my PC's firewall,  would that also block viruses who use netbios vulnerabilities, shares, etc from attacking my pc's ?

Also, if he was on a different subnet, would that prevent him (viruses) from accessing the other pc's on another subnet, even ones that would not have a firewall running ?

Thanks
0
 
ZaheerMasterCommented:
The easiest way to do this would be to purchase a second router. Plus this second router into one of the ports on the first router. Then plug your kid's computer into the second router. You will then in effect have a 3-zone network: Red (the internet), Green (local, trusted) and Orange (local, not trusted).

Once you do this, try to ping your computer while at your kid's computer. You will not be able to access the green network, but any internet requests will be forwarded to the first router, which will then forward it onto the internet.

I have this exact setup with a Linksys router and a microsoft wireless router. This way if the wireless gets compromised, the attackers cannot touch my local network.

--Zaheer
0
 
davidis99Commented:
"If I blocked his IP address in each of my PC's firewall,  would that also block viruses who use netbios vulnerabilities, shares, etc from attacking my pc's ?"

If you configure each PC's firewall to block ALL traffic from his PC, then the type of exploit used should not matter.   Netbios works over TCP/IP port 137 and sometimes over port 445;  firewalls, when set to block all traffic, are blocking traffic on all ports.  As long as you're not running the NetBEUI protocol (which is not running by default on any NT/2000/XP PC) you shouldn't worry about this.

PCs on different subnets can still connect to each other, so a worm, if written properly, would probe first a single subnet, then other subnets within the LAN for vulnerable hosts.
0
 
ndidomenicoAuthor Commented:
Rick111 - I'm testing your solution with the netmask 255.255.255.128 - seems to work well! I assigned him Ip 192.168.1.150 / netmask 255.255.255.128 / gateway 192.168.1.1 (my router): I don't seem to be able to reach (ping) adresses from 192.168.1.2 - 192.168.1.127, but can ping 192.168.1.128 and higher.

Two Questions:
1) Why am i still able to ping 192.168.1.1 - my router - from his pc?. This is in fact fine with me since it gives him access to Internet, but I thought the netmask 255.255.255.128 would block access (hide ??) all addresses from 1-127. (I'm presently going through some articles on subnet masking to try to understand this a bit better).

2) If I can't ping an IP address, does this indicate me that I'm not risking infecting this IP's pc with worms/viruses coming from my computer ? I'm referring to davidis99's note in this thread: "PCs on different subnets can still connect to each other, so a worm, if written properly, would probe first a single subnet, then other subnets within the LAN for vulnerable hosts."
If this is true, then using the subnet technique does not really protect me from worms/viruses originating from my kid's computer.

0
 
cjinsocal581Commented:
Once you have reviewed the above suggestions, read through the follwoing docuement to see if anything can assist.

http://secureconditions.com/articles/NetworkSecurityGuidelinesNSA.pdf

Regards,

Good luck and stay secure.

CJ
0
 
Rick111Commented:
1. I'm not sure, I'd forgotten the fact your router would belong to subnet 1 so access from subnet 2 should not be possible, as it would need a router on it's own network to access 192.168.1.1

2. I'm not experienced with coding, but as this is only a 'software' solution, telling the OS not to access the other subnet without using the router, it's probably possible a worm written correctly could access subnet 1. That said it is still an additional layer of protection and I would assume most basic worms would only be writtern to atttack the local subnet.

I will be looking into point 1 as I thought I had a good idea about masking and what you said you've setup goes againt what I've been taught.
0
 
ndidomenicoAuthor Commented:
Rick111- I've retested using 192.168.1.150/255.255.255.128 and he is able to ping 192.168.1.1 and his Internet access works fine. But he cannot ping 192.168.1.2 - 127. Is it because his gateway is defined as 192.168.1.1 ?
0
 
Rick111Commented:
I've tested it here in work and have the same results, I can ping my gateway, but when I try and ping 192.168.1.2-127 it routes through my gateway which is what you'd expect but I don't understand how you can have a gateway on another subnet.

The whole idea of a gateway is that it is the route you use when trying to connect to an IP which is on a network other than your local subnet.

*After further testing I've found if you use 255.255.128.0 and trying to set your default gateway on the other subnet it does not work, which is what I'd expect... for some reason you can use a router on another subnet when you use a classless mask on the fourth octect. lovely

For yourself, depending on what level of security/isolation you want for your kids computer I'd suggest the following..

>Set a static IP on your kids machine and block all traffic from that IP on your software firewalls. Job done but it will need to be done on a per machine basis and you're relying on software protection.

>Disable file and print on your machines you would like to protect, limiting possible attacks but also limiting the ability of your other machines accessing shares.

>Buy a firewall with 3 zones (nic ports), setup one as the internet, one as trusted and the other isolated with access only to the internet.

I'd just go for the first option and leave the subnetting idea as it's not required as long as you block his IP at the firewall level.
0
 
ndidomenicoAuthor Commented:
Thanks Rick111.
I think I will go following your recommendation (first option). But on one machine I need to protect, I only have XP SP2 firewall, nothing else, and I cannot find in the XP firewall a way to block a specific IP address, only ports and programs.
I should probably create a new question about this issue. Quite a bit of time has already been spent on my initial question by you guys, and already happy with what you've given me so far...
0
 
Rick111Commented:
I'd advise turining off SP2 firewall and getting www.kerio.com personal firewall which is free and a lot more customizable.
0
 
ndidomenicoAuthor Commented:
Thanks for the help. I will look at kerio as suggested. In comparaison with Sygate Personnal Firewall, any thoughts ?
0
 
Rick111Commented:
I prefere kerio, more customizable. Sygate is easier to use though, so personal prefrence. Bare in mind I've not used Sygate for over 6 months so any advancements etc I'm not aware of.

Cheers
0
 
ndidomenicoAuthor Commented:
Thanks very much.

Case Closed !
0
 
ZaheerMasterCommented:
You might want to try smoothwall express (www.smoothwall.org). It's free, runs on any old pc, and if you have 3 NIC cards you can make a 3-zone network without any additional investment. Pretty good bang for the buck.

--Zaheer
0
All Courses

From novice to tech pro — start learning today.