Solved

Network Segregation

Posted on 2006-11-23
22
286 Views
Last Modified: 2012-05-05
I would like to add a computer from a different department onto our network such that they can access the Internet only.  For security reasons I want to make sure that they can only access the Internet and that no other resources on our network could be accessed from this workstation.  What is the cleanest way to do this?  I had considered setting a router in between and utilizing a separate subnet, but thought I'd pose the question to see what others' thoughts would be.
0
Question by:gpsocs
22 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18003894
Which operating system do you use? Network isolation can be achieved with Group Policy or IPsec or both.
0
 

Author Comment

by:gpsocs
ID: 18003960
Windows XP Home for the workstation and Windows NT 4 Server.  The problem is that this workstation that needs to be locked down is not really within our right of admin as it belongs to another organization.  It would be best if we could protect the network at a higher level if possible.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18004001
Unfortunately none of my suggestions apply in your scenario. :D I would think that putting Windows XP on a separate subnet would be easiest, because you do not have administrative control over it. Maybe someone else can come up with another idea.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18005002
Can you tell me a little more about your networking/IT environment?

The cleanest way is to bring in a separate ADSL line and not join it to your network at all.
If you have to connect it to the backbone then a separate VLAN to isolate the box to the exit point is probably next on the list.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18005240
If you are running a Layer3 switch, you might also consider a separate VLAN for this purpose...  (which is essentially a separate subnet..)  and not allow routing to your local LAN..

FE
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18006187
<<< If you have to connect it to the backbone then a separate VLAN to isolate the box to the exit point is probably next on the list >>>
Good idea FE :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18007039
Well, that is what I get when I don't fully read through all the comments, eh?  :)  so sorry, Keith!
0
 

Author Comment

by:gpsocs
ID: 18008644
Yeah, I have to run it with existing equipment and a new DSL line is not an option so essentially popping in a Linksys router and shoving them onto a different subnet seems like the cleanest solution in this scenario from what you're saying...  Correct?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18008670
lol, don't be daft Bill, how many times have I done it myself :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18011344
Yes, you could do it that way, using the WAN port of the second Linksys...  like this:

Internet <-->  Router <--> WAN Port of second Router <--> clients that can browse the LAN
                          |
                Clients that cannot browse the LAN, but can access the internet

Just don't open any ports on the second router, and it will not allow browsing into your LAN..
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18011352
Oh, and remember, 2 separate subnets on the LAN side of the routers...  :)

Keith..  Yes, we sometimes get into a hurry to get outside and enjoy the beautiful, and fleeting nice days as we venture into Winter here in the Midwest USA!  :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18011396
:)
0
 
LVL 30

Expert Comment

by:pgm554
ID: 18014659
Are you running the NT LAN as a domain?

If so, because it is XP Home, they cannot use any of the resources on the NT side because Home was never meant to be able to do that.

M$ busted it for a reason.

Only in workgroup mode can it attach to any resources.

Otherwise you are safe because of M$ marketing greed.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 18014665
Why are they running M$ Home? It makes no sense in a corporate environment.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 18014683
If you are that paranoid, then a cheap Linksys or Netgear router can give you a separate subnet for the XP Home box.

Just give the router a static IP from your subnet and have the cheap router NAT out from a separate, different subnet on the cheap router.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18015141
pgm, please read the posts carefully from the asker and it will answer your questions...

Keith
0
 
LVL 30

Expert Comment

by:pgm554
ID: 18015645
Where in his posts does it answer as to whether they are running a domain or workgroup?

No workgroup setting, no good reason to be so paranoid.
So using a router could be a moot point.

And it still makes no sense to run XP home in a corporate setting.
Hence, the rhetorical question.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18017514
<<For security reasons I want to make sure that they can only access the Internet and that no other resources on our network could be accessed from this workstation. >>

<< The problem is that this workstation that needs to be locked down is not really within our right of admin as it belongs to another organization >>



0
 
LVL 40

Accepted Solution

by:Fatal_Exception (earned 500 total points)
ID: 18018949
Agree..  It matters little whether you are running a Domain or Workgroup here...  if the admin does not wish to compromise his network with a computer outside his administrative sphere, he needs to isolate it, meaning a separate subnet that is not allowed access to his current subnet..  which is what we proposed above...

I am sure you know that even a Home XP box can be used to attack any domain... if only because it may come with malware or virii on it...  I could even put Ethereal on the Home XP client and watch all the traffic, for heaven's sake!

FE
0
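The double-router layout FE drew above (Internet <--> Router <--> WAN port of a second router <--> isolated workstation) is shown here as an added example that is not from the thread, using a Linux box with nftables standing in for the second Linksys; the interface names and the 192.168.1.0/24 (existing LAN) and 192.168.50.0/24 (isolated side) subnets are constructed. It makes one point explicit that "don't open any ports" alone does not cover: NAT with no port forwards stops the LAN from reaching the workstation, but the workstation can still open connections toward 192.168.1.x unless the router also drops that direction.

```nftables
# Added example (not the thread's own config). Assumed/constructed values:
#   wan0 = port facing the existing LAN (addressed from 192.168.1.0/24)
#   lan0 = port facing the isolated workstation, subnet 192.168.50.0/24
#   192.168.1.0/24 = the existing LAN that must stay unreachable
flush ruleset

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide the isolated subnet behind this router's LAN-side address,
        # exactly what a consumer router does on its WAN port.
        oifname "wan0" ip saddr 192.168.50.0/24 masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the isolated box was allowed to open.
        ct state established,related accept

        # WEAK version: this single rule is what "NAT, no ports opened" gives.
        # The policy drop already stops LAN -> 192.168.50.x (no port forward),
        # but 192.168.50.x -> 192.168.1.x is just more outbound traffic and
        # would be accepted.  Left commented out on purpose.
        # iifname "lan0" oifname "wan0" accept

        # HARDENED version: refuse anything from the isolated side that is
        # aimed at the existing LAN (all private ranges, to be safe), then
        # let only the remaining outbound traffic, i.e. the Internet, through.
        iifname "lan0" ip daddr { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } counter drop
        iifname "lan0" oifname "wan0" accept

        # Nothing initiated from wan0 toward lan0 matches a rule, so the
        # chain policy drops it: no "browsing into" the isolated segment.
    }
}
```

Hand the workstation this router's own address as its DNS server (the router forwards queries itself, which does not pass through the forward chain); if it were given the first router's 192.168.1.1 as DNS, the hardened drop rule would block name resolution and a narrow exception for UDP/TCP 53 to that one host would be needed.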
 

Author Comment

by:gpsocs
ID: 18125116
I appreciate the input all of you.  I went with FE's final note since he did encapsulate things concisely earlier, essentially concurring with what I had in mind.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18127555
Thank you..  and a Happy Holiday Season to all!

FE
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18128592
Oh well.
0
