Solved

Network Segregation

Posted on 2006-11-23
Last Modified: 2012-05-05
I would like to add a computer from a different department onto our network such that they can access the Internet only.  For security reasons I want to make sure that they can only access the Internet and that no other resources on our network could be accessed from this workstation.  What is the cleanest way to do this?  I had considered setting a router in between and utilizing a separate subnet, but thought I'd pose the question to see what others' thoughts would be.
Question by:gpsocs
22 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18003894
Which operating system do you use? Network isolation can be achieved with Group Policy or IPsec or both.

Author Comment

by:gpsocs
ID: 18003960
Windows XP Home for the workstation and Windows NT 4 Server.  The problem is that this workstation that needs to be locked down is not really within our right of admin as it belongs to another organization.  It would be best if we could protect the network at a higher level if possible.
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18004001
Unfortunately none of my suggestions apply in your scenario. :D I would think that putting Windows XP on separate subnet would be easiest, because you do not have administrative control over it. Maybe someone else can come up with another idea.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18005002
Can you tell me a little more about your networking/IT environment?

The cleanest way is to bring in a separate ADSL line and not join it to your network at all.
If you have to connect it to the backbone, then a separate VLAN to isolate the box to the exit point is probably next on the list.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18005240
If you are running a Layer3 switch, you might also consider a separate VLAN for this purpose...  (which is essentially a separate subnet..)  and not allow routing to your local LAN..

FE
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18006187
<<< If you have to connect it to the backbone then a separate VLAN to isolate the box to the exit point is probably next on the list >>>
Good idea FE :)
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18007039
Well, that is what I get when I don't fully read through all the comments, eh?  :)  so sorry, Keith!

Author Comment

by:gpsocs
ID: 18008644
Yeah, I have to run it with existing equipment and a new DSL line is not an option so essentially popping in a Linksys router and shoving them onto a different subnet seems like the cleanest solution in this scenario from what you're saying...  Correct?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18008670
lol, don't be daft Bill, how many times have I done it myself :)
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18011344
Yes, you could do it that way, using the WAN port of the second Linksys...  like this:

Internet <-->  Router <--> WAN Port of second Router <--> clients that can browse the LAN
                          |
                Clients that cannot browse the LAN, but can access the internet

Just don't open any ports on the second router, and it will not allow browsing into your LAN..
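A way to check the "second router" design (and the equivalent cheap-router NAT suggestion later in the thread) before relying on it, as an added example that is not from the thread or any of the posters: the outbound direction matters. A NAT router with no forwarded ports drops new sessions from the main LAN into the isolated box, but by default it forwards any new session from the isolated box toward whatever is reachable on its WAN side, and in this layout the WAN side is the main LAN. Isolation therefore also needs an outbound deny for the main LAN (simplest: all private ranges) on the second router, or an equivalent ACL on the VLAN if the Layer 3 switch route is taken. The script models both variants with first-match rules; the subnets, the upstream DNS address and the test flows are assumptions chosen for illustration, not values from the thread.

```python
"""Policy model for isolating an untrusted box behind a second NAT router.

Constructed example: addresses, rule sets and test flows are assumptions.
Verify the real device's behaviour; this only shows what must be configured.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network

MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed main LAN (WAN side of router 2)
ISOLATED_LAN = ipaddress.ip_network("192.168.2.0/24")  # assumed LAN side of router 2
UPSTREAM_DNS = ipaddress.ip_network("192.168.1.1/32")  # assumed: router 1 also answers DNS
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPNet
    dst: IPNet
    dport: Optional[int] = None  # None matches any destination port


def first_match(rules: List[Rule], src, dst, dport: int, default: str) -> str:
    """First matching rule wins, the way most router ACLs are evaluated."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return default


class NatRouter:
    """Stateful NAT router: unsolicited inbound sessions are dropped unless a
    port is forwarded; outbound sessions are allowed unless a rule denies them."""

    def __init__(self, lan: IPNet, lan_to_wan: List[Rule], wan_to_lan: List[Rule]):
        self.lan, self.lan_to_wan, self.wan_to_lan = lan, lan_to_wan, wan_to_lan

    def permits(self, src: str, dst: str, dport: int = 80) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.lan and d not in self.lan:      # new outbound session
            return first_match(self.lan_to_wan, s, d, dport, "allow") == "allow"
        if d in self.lan and s not in self.lan:      # new inbound session
            return first_match(self.wan_to_lan, s, d, dport, "deny") == "allow"
        return True                                   # same side: router not involved


# "Just don't open any ports": no forwards, but also no outbound filtering.
NAT_ONLY = NatRouter(ISOLATED_LAN, lan_to_wan=[], wan_to_lan=[])

# Hardened: permit upstream DNS, deny every private range, default allow = Internet.
HARDENED = NatRouter(
    ISOLATED_LAN,
    lan_to_wan=[Rule("allow", ISOLATED_LAN, UPSTREAM_DNS, dport=53)]
              + [Rule("deny", ISOLATED_LAN, net) for net in PRIVATE_RANGES],
    wan_to_lan=[],
)


def audit(router: NatRouter) -> dict:
    """Probe a design with the flows the asker cares about (constructed flows)."""
    return {
        "box_to_file_server": router.permits("192.168.2.10", "192.168.1.5", 445),
        "box_to_upstream_dns": router.permits("192.168.2.10", "192.168.1.1", 53),
        "box_to_internet": router.permits("192.168.2.10", "203.0.113.7", 443),
        "lan_to_box": router.permits("192.168.1.5", "192.168.2.10", 445),
    }


if __name__ == "__main__":
    for name, router in (("nat-only", NAT_ONLY), ("hardened", HARDENED)):
        print(name, audit(router))
```

Running it shows the gap: with the NAT-only configuration `box_to_file_server` is permitted, because nothing stops the isolated box from opening a session to a host on the router's WAN-side subnet; the hardened rule set denies it while still letting the box reach the Internet and the one upstream DNS address it needs. Inbound from the main LAN is denied in both, which is all that "don't open any ports" buys on its own.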
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18011352
Oh, and remember, 2 separate subnets on the LAN side of the routers...  :)

Keith..  Yes, we sometimes get into a hurry to get outside and enjoy the beautiful, and fleeting nice days as we venture into Winter here in the Midwest USA!  :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18011396
:)
LVL 30

Expert Comment

by:pgm554
ID: 18014659
Are you running the NT LAN as a domain?

If so, because it is XP Home, they cannot use any of the resources on the NT side because Home was never meant to be able to do that.

M$ busted it for a reason.

Only in workgroup mode can it attach to any resources.

Otherwise you are safe because of M$ marketing greed.
LVL 30

Expert Comment

by:pgm554
ID: 18014665
Why are they running M$ Home? It makes no sense in a corporate environment.
LVL 30

Expert Comment

by:pgm554
ID: 18014683
If you are that paranoid, then a cheap Linksys or Netgear router can give you a separate subnet for the XP Home box.

Just give the router a static IP from your subnet and have the cheap router NAT out from a separate, different subnet on the cheap router.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18015141
pgm, please read the posts carefully from the asker and it will answer your questions...

Keith
LVL 30

Expert Comment

by:pgm554
ID: 18015645
Where in his posts does it answer as to whether they are running a domain or workgroup?

No workgroup setting, no good reason to be so paranoid.
So using a router could be a moot point.

And it still makes no sense to run XP home in a corporate setting.
Hence, the rhetorical question.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18017514
<<For security reasons I want to make sure that they can only access the Internet and that no other resources on our network could be accessed from this workstation. >>

<< The problem is that this workstation that needs to be locked down is not really within our right of admin as it belongs to another organization >>



LVL 40

Accepted Solution

by:Fatal_Exception (earned 500 total points)
ID: 18018949
Agree..  It matters little whether you are running a Domain or Workgroup here...  if the admin does not wish to compromise his network with a computer outside his administrative sphere, he needs to isolate it, meaning a separate subnet that is not allowed access to his current subnet..  which is what we proposed above...

I am sure you know that even a Home XP box can be used to attack any domain... if only because it may come with malware or virii on it...  I could even put Ethereal on the Home XP client and watch all the traffic, for heaven's sake!

FE

Author Comment

by:gpsocs
ID: 18125116
I appreciate the input all of you.  I went with FE's final note since he did encapsulate things concisely earlier, essentially concurring with what I had in mind.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18127555
Thank you..  and a Happy Holiday Season to all!

FE
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18128592
Oh well.