• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 392

2 NICs, how can only one can be enabled at a time

Hi experts,

I'm not sure if this can be done, but I'll ask anyway.  We use 2 different networks in our office, one internal LAN and another that has a connection to the internet.  What I would like to do is allow each user to have the ability to switch back and forth between the 2 networks, but limiting him to only connect to one or the other.

Are there any utilities, scripts, or any other solutions that would only allow one of the NICs to be enabled at a time?
Asked by: pwi11

3 Solutions
 
pwi11Author Commented:
Also, all machines are running Windows XP.
 
pgm554Commented:
Seems a bit like overkill and micro managing of your network resources to have 2 NICs in each machine.

Is there a reason why you want to do this?

For people to use your internal LAN, they do need to login don't they?
As for the internet access they don't need to be logged in to the internal LAN (authenticated) to use the internet.
Because it is XP, they could log in to the local machine and get out to the internet that way with never having to login to the main (internal) LAN.
 
pwi11Author Commented:
The internal network contains sensitive information that resides on network storage. When connected, the users can access this data, but cannot store the data locally on their PCs. If the user is connected to this network, there must be no possibility of intrusion from the outside, hence the need to keep the networks separate.
 
kfullartonCommented:
Is there a firewall in place?  Typically, this is how an administrator would prevent intrusion from the outside.  Otherwise, if you ensure that IP forwarding is disabled, packets will not be routed from one network to another.

1. Start Registry Editor (Regedit.exe).
2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 0

This will disable IP forwarding.
 
 
kfullartonCommented:
To answer your original question, I don't know of a way to do that but thought this info might be useful.
 
pgm554Commented:
So if you create a separate local user account on XP and they log in locally, they should not be able to use or see the data on your network storage.
They do need to be logged in to see your NAS, right?
Most good NASes have some kind of authentication mechanism to allow users to see (or not) anything out there.
I work with Adaptec Snap Servers, and users don't get to see what I don't want them to see.

Are you running some kind of peer to peer network?
If so, you now see why real networks (client server) are much more secure.
If that's the case, I recommend that you look at something a bit more secure.
 
pgm554Commented:
With XP you could create a local user account (guest) and lock down the account to the point where the only program they could use would be IE, no Explorer or Network Neighborhood. So they would be unable to browse for anything or see anything except for the internet.
 
pwi11Author Commented:
I am running a client/server network.  I also have a very strict firewall policy running on our Cisco 1700 series router.  I am not too worried about intrusions, but our security policy requires that sensitive information must be disconnected from the internet.

I have found a few products that address the same need that we have:

Voltaire's 2-in-1 PC & 2-in-1 Net

2-in-1 PC is a PCI card that turns a single physical system into two separate "virtual" systems, each on a different network. Each virtual system has its own resources (which are not shared) and is connected only to a single network. This is accomplished by having two network cards in the PC, one for each network. Each of the network cards then connects to a jack on the 2-in-1 card, which in turn connects to the two networks. At any given time, only one 2-in-1 card (or network card) connection can be active.

Market Central's SecureSwitch

SecureSwitch is the core product in Market Central's suite of security offerings. It is simply a network switcher in its most straightforward implementation. It is designed much like the common keyboard/video/mouse (KVM) switches, except that it deals exclusively with network connections.


As I said before, both network connections cannot be enabled at the same time.  pgm554, I agree that using a local logon would prevent users from connecting to the NAS, but how could I prevent network users from accessing the internet but at the same time allow local users to do so?
 
al-hasanCommented:
You can create two hardware profiles, and in each one disable the network card which is not used. This way a user can select only one way at boot-up.
Still, all this way sounds strange; I would go the way with firewall and IDS etc. as mentioned above. If some user catches a virus or a malicious program onto his computer, and later logs into the network it will be endangered. So better get a whole security concept to protect your network.

Regards,
has.
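As an added example, not posted by anyone in this thread: a PowerShell script that combines kfullarton's IPEnableRouter check with al-hasan's one-network-at-a-time idea, but without the reboot a hardware profile needs. It assumes PowerShell 2.0 on XP SP3 (or later Windows), that the two connections are named "Local Area Connection" and "Local Area Connection 2" in Network Connections (an assumption; rename to match), and that it is run from an account allowed to use netsh to change adapter state.

```powershell
# Added example, not from the thread. Bring up exactly one of two networks:
# disable the adapter we are leaving before enabling the one we want, after
# refusing to run on a host configured to forward IP between its NICs.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Internal', 'Internet')]
    [string]$Network
)

# Assumed connection names (Network Connections folder); change to match.
$Adapters = @{
    Internal = 'Local Area Connection'
    Internet = 'Local Area Connection 2'
}

# 1. With two NICs present, IPEnableRouter=1 would let this PC route packets
#    between the sensitive LAN and the internet-facing LAN (the registry value
#    kfullarton describes). Stop if it is not 0.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) {
    throw "IPEnableRouter is 1 (IP forwarding on). Set it to 0 (REG_DWORD) and reboot before switching."
}

# 2. Disable the other network first so there is no moment with both links up,
#    then enable the requested one. netsh accepts the connection name positionally.
$other = if ($Network -eq 'Internal') { 'Internet' } else { 'Internal' }
& netsh interface set interface "$($Adapters[$other])"   admin=disabled | Out-Null
& netsh interface set interface "$($Adapters[$Network])" admin=enabled  | Out-Null

# 3. Verify through WMI: list named connections whose NetConnectionStatus is
#    2 (Connected). A disabled adapter never reports 2.
$up = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionID -and $_.NetConnectionStatus -eq 2 } |
    Select-Object -ExpandProperty NetConnectionID

if (@($up).Count -gt 1) {
    Write-Warning "More than one connection is up: $($up -join ', ')"
} else {
    Write-Output "Active network: $Network ($($Adapters[$Network])); the other adapter is disabled."
}
```

Run it as `.\Switch-Network.ps1 -Network Internet` (file name is an assumption). Changing adapter state needs administrative rights, so in practice this would be launched through a scheduled task or a runas shortcut that holds those rights while the logged-on user does not. It does not change the point kfullarton and al-hasan make: a user who is a local administrator can re-enable the disabled adapter, so the script is only a control for non-admin accounts, and the check in step 1 is worth keeping because a host with two NICs and forwarding on is exactly the bridge pseudocyber warns about.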
 
pwi11Author Commented:
al-hasan,

After looking into using hardware profiles, it seems to me that the user must restart the pc in order to change the profile.  In addition, if the local user is assigned local administrator access, there would be nothing to prevent the user from changing hardware settings, i.e. enabling the 2nd NIC.  Am I correct?
 
kfullartonCommented:
If the user has admin access, there's nothing you can do to the local machine to prevent changes.  If you don't want them messing with settings, take away the admin rights.
 
pgm554Commented:
Use a proxy server.
You can force local network users to use certain ports and not have access to the internet (but they could use the intranet).
You can also enforce surfing policies, email, FTP and such.
A lot of firewall appliances can do this as well as standalone products (M$ ISA, Squid for Linux, Novell BorderManager).
 
al-hasanCommented:
pwi11: as kfullarton stated already, with admin privileges a user can mess up anything. And the restart is necessary for the profiles to work, sure.

Another thought just hit me: you could run two systems at the same time, via VMware f.ex. - one system connects to the internet, and the other one to the LAN. Both run simultaneously and demand heavy hardware resources. Again, nice to think about, nice to plan, but totally impractical to realize for daily use.

Regards,
has.
 
pseudocyberCommented:
It seems to me the reason for doing this doesn't make sense.  So, between your users and the Internet - is there a firewall?  Are they using some little SOHO router?

They could plug BOTH NICs in, enable ICS, routing, or bridging and connect your "private" network to the Internet.

Perhaps there's some business justification or hardware that I'm unaware of.
 
al-hasanCommented:
>>  Use a proxy server. << (by pgm554)
That is the way to go, in combination with a dedicated firewall. Make a plan about who (user groups) needs to access what and when, realize it, or have it realized in hard- and software.
You want to be able to manage your network.

Regards,
has.
 
pwi11Author Commented:
Maybe I'm not explaining our setup clearly, and please, if you believe that I can accomplish my goals in any other way, let me know.

Our main (internet connected) network is a client-server network that runs behind a Cisco 1760 router with a Cisco IOS Firewall configured with very strict ACLs.  The network's security is a major priority, and many steps have been taken to ensure that the firewall settings are appropriate.

Our second network is totally disconnected from the internet due to sensitive data.  The networks are also on separate domains.

What I would like to do is have user PCs connected to both networks, but only connect to one or the other at any given time.  No sensitive information will be stored on the users' PCs, but they will have access to Network Storage containing sensitive data, with the ability to read and write.

When a user wishes to use the internet, the internal network connection should be completely disabled.

I have looked into proxy servers, in particular MS ISA Server 2004.

Do proxy servers have the ability to restrict internet access according to domain\username?  For instance, if I created a user WebUser on our primary (internet enabled) domain and had users log into their PCs using this account when they wanted to access the internet, would this be possible?

Again, any suggestions are greatly appreciated.
 
al-hasanCommented:
pwi11: thanks for clarifying. Basically you have working what we suggested to you.
Now I do not know a solution to your question.

The ISA proxy can authenticate users. So creating the 'webuser' for internet access only is a good idea.

Regards,
has.
 
pwi11Author Commented:
Thanks everyone.

I think I may try to go the proxy server route.  I have read that ISA Server can be set up to allow internet access for specified users.  I will create a user (WebUser) on my internet domain, allowing only this user internet access.

Since this user will not be a member of our internal (sensitive) domain, he will not have access to secure data.

Using this method, I will be filtering traffic once on the Cisco router/firewall and again on the ISA server, providing double protection for these users.

Sound good?
 
al-hasanCommented:
pwi11: sounds good.
Additionally you might like to think about running your sensitive network on a different system compared to the first one. So if your normal network runs on Windows, your sensitive one could run on Netware f.ex. - few hackers would be skilled enough to get there. Just some food for thoughts for the future.

Regards,
has.
 
PennGwynCommented:
We did something like this with a VPN to connect to the secure internal LAN, configured so that no traffic is allowed to anywhere else when the VPN client is running.

pwi11Author Commented:
Thanks for all the help.  I'm going to split points between pgm554, kfullarton, and al-hasan.  Since pgm554 suggested the proxy server, which is what I'm going to try to implement, he'll get 200, 150 to the other 2.
Question has a verified solution.