• Status: Solved
  • Priority: Medium
  • Security: Public

Network Segregation

I would like to add a computer from a different department onto our network such that they can access the Internet only.  For security reasons I want to make sure that they can only access the Internet and that no other resources on our network could be accessed from this workstation.  What is the cleanest way to do this?  I had considered setting a router in between and utilizing a separate subnet, but thought I'd pose the question to see what others' thoughts would be.
1 Solution
 
Toni Uranjek (Consultant/Trainer) commented:
Which operating system do you use? Network isolation can be achieved with Group Policy or IPsec or both.
 
gpsocs (Author) commented:
Windows XP Home for the workstation and Windows NT 4 Server.  The problem is that this workstation that needs to be locked down is not really within our right of admin as it belongs to another organization.  It would be best if we could protect the network at a higher level if possible.
 
Toni Uranjek (Consultant/Trainer) commented:
Unfortunately none of my suggestions apply in your scenario. :D I would think that putting Windows XP on separate subnet would be easiest, because you do not have administrative control over it. Maybe someone else can come up with another idea.

 
Keith Alabaster (Enterprise Architect) commented:
Can you tell me a little more about your networking/IT environment?

The cleanest way is to bring in a separate ADSL line and not join it to your network at all.
If you have to connect it to the backbone then a separate VLAN to isolate the box to the exit point is probably next on the list.
 
Fatal_Exception commented:
If you are running a Layer3 switch, you might also consider a separate VLAN for this purpose...  (which is essentially a separate subnet..)  and not allow routing to your local LAN..

FE
 
Keith Alabaster (Enterprise Architect) commented:
<<< If you have to connect it to the backbone then a separate VLAN to isolate the box to the exit point is probably next on the list >>>
Good idea FE :)
 
Fatal_Exception commented:
Well, that is what I get when I don't fully read through all the comments, eh?  :)  so sorry, Keith!
 
gpsocs (Author) commented:
Yeah, I have to run it with existing equipment and a new DSL line is not an option so essentially popping in a Linksys router and shoving them onto a different subnet seems like the cleanest solution in this scenario from what you're saying...  Correct?
 
Keith Alabaster (Enterprise Architect) commented:
lol, don't be daft Bill, how many times have I done it myself :)
 
Fatal_Exception commented:
Yes, you could do it that way, using the WAN port of the second Linksys...  like this:

Internet <-->  Router <--> WAN Port of second Router <--> clients that can browse the LAN
                          |
                Clients that cannot browse the LAN, but can access the internet

Just don't open any ports on the second router, and it will not allow browsing into your LAN..
 
Fatal_Exception commented:
Oh, and remember, 2 separate subnets on the LAN side of the routers...  :)

Keith..  Yes, we sometimes get into a hurry to get outside and enjoy the beautiful, and fleeting nice days as we venture into Winter here in the Midwest USA!  :)
 
Keith Alabaster (Enterprise Architect) commented:
:)
 
pgm554 commented:
Are you running the NT LAN as a domain?

If so, because it is XP Home, they cannot use any of the resources on the NT side because Home was never meant to be able to do that.

M$ busted it for a reason.

Only in workgroup mode can it attach to any resources.

Otherwise you are safe because of M$ marketing greed.
 
pgm554 commented:
Why are they running M$ Home? It makes no sense in a corporate environment.
 
pgm554 commented:
If you are that paranoid,then a cheap Linksys or Netgear router can give you a separate subnet for the XP home box.

Just give the router a static IP from your subnet and have the cheap router NAT out from a separate, different subnet on the cheap router.
 
Keith Alabaster (Enterprise Architect) commented:
pgm, please read the posts carefully from the asker and it will answer your questions...

Keith
 
pgm554 commented:
Where in his posts does it answer as to whether they are running a domain or workgroup?

No workgroup setting,no good reason to be so paranoid.
So using a router could be a moot point.

And it still makes no sense to run XP home in a corporate setting.
Hence, the rhetorical question.
 
Keith Alabaster (Enterprise Architect) commented:
<<For security reasons I want to make sure that they can only access the Internet and that no other resources on our network could be accessed from this workstation. >>

<< The problem is that this workstation that needs to be locked down is not really within our right of admin as it belongs to another organization >>
 
Fatal_Exception commented:
Agree..  It matters little whether you are running a Domain or Workgroup here...  if the admin does not wish to compromise his network with a computer outside his administrative sphere, he needs to isolate it, meaning a separate subnet that is not allowed access to his current subnet..  which is what we proposed above...

I am sure you know that even a Home XP box can be used to attack any domain... if only because it may come with malware or virii on it...  I could even put ethereal on the Home XP client and watch all the traffic, for heavens sake!  

FE
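As an added worked example (not part of the thread and not anyone's posted configuration), here is a small Python model of the two designs discussed above: the second Linksys doing NAT with no ports forwarded, and a separate subnet or VLAN that is explicitly not allowed to reach the existing subnet. The addresses 192.168.1.0/24 (existing LAN) and 192.168.50.0/24 (isolated side), the NT server at 192.168.1.5 and the probe packets are all assumptions constructed for illustration. The point the model makes visible is the caveat a practitioner should check for: NAT on the second router only stops unsolicited connections from the main LAN into the isolated box; a connection the isolated box opens toward an address on the main LAN (its "WAN" side) is still forwarded unless the isolating device carries an explicit deny for the internal ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Assumed addressing for this example (not from the thread): the existing LAN
# that holds the NT server, and the isolated subnet on the LAN side of the
# second Linksys (or on the isolated VLAN).
MAIN_LAN = ip_network("192.168.1.0/24")
ISOLATED_LAN = ip_network("192.168.50.0/24")
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """A new connection attempt crossing the isolating router or firewall."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    public_dst_only: bool = False   # match only if dst is a public (global) address

    def matches(self, pkt: Packet) -> bool:
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        if s not in self.src or d not in self.dst:
            return False
        return d.is_global if self.public_dst_only else True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match ACL semantics with an implicit deny at the end. Models
    forwarded traffic only; the router's own services are out of scope."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Policy 1: a consumer NAT router with no ports forwarded. Everything from its
# LAN side goes out, nothing unsolicited comes in. Its "WAN" is the main LAN.
NAT_ONLY_RULES = [
    Rule("allow", ISOLATED_LAN, ANY),
]

# Policy 2: "a separate subnet that is not allowed access to the current
# subnet" written as rules: deny the internal ranges first, then allow only
# destinations that are actually public.
ISOLATION_RULES = [Rule("deny", ISOLATED_LAN, MAIN_LAN)]
ISOLATION_RULES += [Rule("deny", ISOLATED_LAN, net) for net in RFC1918]
ISOLATION_RULES.append(Rule("allow", ISOLATED_LAN, ANY, public_dst_only=True))

# Constructed probe traffic from the outside workstation at 192.168.50.10.
NT_SERVER = "192.168.1.5"
PROBES = [
    Packet("192.168.50.10", NT_SERVER, "tcp", 139),   # SMB to the NT server
    Packet("192.168.50.10", NT_SERVER, "udp", 137),   # NetBIOS name service
    Packet("192.168.50.10", "10.0.0.5", "tcp", 80),   # another internal range
    Packet("192.168.50.10", "8.8.8.8", "udp", 53),    # Internet DNS
    Packet("192.168.50.10", "1.1.1.1", "tcp", 443),   # Internet HTTPS
]


def isolation_violations(rules: List[Rule], probes: List[Packet]) -> List[Packet]:
    """Probes the policy forwards to a non-public address: each one is a path
    from the isolated box into somebody's internal network."""
    return [p for p in probes
            if evaluate(rules, p) == "allow" and not ip_address(p.dst).is_global]


if __name__ == "__main__":
    for name, rules in (("NAT only", NAT_ONLY_RULES),
                        ("explicit isolation", ISOLATION_RULES)):
        bad = isolation_violations(rules, PROBES)
        print(f"{name}: {len(bad)} probe(s) reach internal addresses")
        for p in bad:
            print(f"  {p.src} -> {p.dst} {p.proto}/{p.dport}")
    # Unsolicited traffic from the main LAN toward the isolated box is dropped
    # by both policies (implicit deny); that is the only thing NAT buys you.
    print("main LAN -> isolated:",
          evaluate(NAT_ONLY_RULES, Packet(NT_SERVER, "192.168.50.10", "tcp", 3389)))
```

Running it shows three probes (SMB, NetBIOS and the 10.0.0.5 web request) forwarded under the NAT-only policy and none under the explicit isolation policy, while the reverse direction is denied in both. On a Linux-based router the second policy is the familiar pattern of a FORWARD rule such as `iptables -A FORWARD -s 192.168.50.0/24 -d 192.168.1.0/24 -j DROP` placed ahead of the general accept; on a layer-3 switch it is an ACL on the isolated VLAN's interface that denies the internal subnets before permitting everything else. Whichever device enforces it, the check worth repeating after deployment is the one the model performs: from the isolated side, attempt connections to known internal addresses and confirm they are dropped while Internet destinations still work.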
 
gpsocs (Author) commented:
I appreciate the input all of you.  I went with FE's final note since he did encapsulate things concisely earlier, essentially concurring with what I had in mind.
 
Fatal_Exception commented:
Thank you..  and a Happy Holiday Season to all!

FE
 
Keith Alabaster (Enterprise Architect) commented:
O well.
