Best way to network a police department?

Last Modified: 2010-04-10
Hello,

I have a friend who works at a Police Department and they have about 6 computers and a server.  

They want all the computers to be able to access the internet through their router, but really want 3 computers on one network (192.168.1.xxx) and the other 3 on another network (10.1.1.xxx) but with all computers having the internet access and access to the server.   Basically they don't want one side seeing the other...

Would you have to put two network cards in the server to accomplish this?  One card having the 192. and the other having the 10. schemes?

Really I think they could achieve what they want just by user restrictions or station restrictions... but they like the idea of two separate networks.

Thanks,

M.
CERTIFIED EXPERT
Top Expert 2004

Commented:
Depending on the server, it could be set up to act as a router in front of one of the LANs, but it would also have to do address translation which it probably won't. They need a router with 2 ethernet interfaces if they want both LANs to have internet access. You could also give the server 2 NICs as you suggested to give them both server access but that won't solve the internet access problem.

Commented:
> Would you have to put two network cards in the server to accomplish this?

Yes. The two LANS need physical separation, so you need separate defined NICs for routing.
No. If server is on one LAN, not the other, then it needs one NIC.
Probably, you want server on own LAN, different subnet than either department.
For internet access consider proxy server.
For security consider multiple firewalls and routers and approach building a DMZ

No one single answer, especially since you likely get also a tight budget, limiting options of what can be built

The router needs at least three NICs, two for local and one for international
CERTIFIED EXPERT
Top Expert 2004

Commented:
I assume that the internet side of the router is not Ethernet, but DSL or something.

The Cisco 870 series of routers will do everything you want. You don't have to configure the wireless piece, and you shouldn't unless you know how to make it very secure.

Commented:
                 Server with 2 NICs (place a route here to route between networks)
                 ---------------------------------------------------------------
                    (192.168.1.2)                      (10.1.1.1)
                          |                                 |
  Cable/DSL router        |                                 |
  ----------------        |                                 |
    192.168.1.1           |                                 |
         |                |                                 |
         |----------------|                                 |
                  |                                         |
         Switch for 192. net                    Switch for 10. net (gateway would be 10.1.1.1)
         -------------------                    -------------------
           |      |      |                        |      |      |
          sta1   sta2   sta3                     sta1   sta2   sta3

Your Cable/DSL router would also need a static route to get traffic back to the 10.x network

Author

Commented:
Mike,

Yeah I think they have cable or dsl... so I just plug that into the DMZ Port and then come out of 1 port to a switch with the 10.1.1.xxx machines and another port to another switch with the 192.168.1.xxx machines?

Cause I see the 870 only has 4 ports I think and we have 3 machines on each side of this network.

Where would I plug the server into though?  Just pick a side?

M.

Commented:
LOL - well now, that drawing didn't work out too well.... oh well.

Author

Commented:
Trey I thought you meant it to look like that... I was like... okay... hmmmm...  How is the network ever going to work if I cut up the network cable into all those little pieces?

: )

M.
CERTIFIED EXPERT
Top Expert 2004

Commented:
That router is capable of a lot. I would use one port for the server, which can be on a 3rd network by itself. If the switch they have supports vlans, then divide it in half and plug one port from each half into separate router ports. If not, buy one more little switch, or a bigger one that does support vlans. That still leaves one more port if the internet connection requires ethernet.

This is down the road, but remember that when connecting switches together you need a crossover cable (although that router may be smart enough to do it automatically).
This may be a bit better setup
Internet connection
      I
      I
  Router  
     I
     I
Managed  switch (Must be able to do VLANS)
      I                I
   subnet A      subnet B
    3 clients       3 clients

If they have a static IP it would be assigned to the outside interface of the router. If it is dynamic it will still be on the outside interface of the router.
The router will be the default gateway for the switch

On the outside interface of the switch, the one going into the router, assign a static IP of
192.168.1.1 (This will be the default gateway for all the client machines)
On the switch assign the IP of 192.168.2.1 to the interface for subnet A
On the switch assign the IP of 192.168.3.1 to the interface for subnet B
.2 and .3 are totally different subnets (separate networks)
On the clients assign the ip's to each client using DHCP.
You will need to make the switch the DHCP server for each of the subnets so you will need 2 DHCP pools
192.168.2.x
192.168.3.x
The router should be the DNS server IP on the clients.

Now on the switch create a static route to the router for each subnet to the server.
You should be good to go unless I missed something
CERTIFIED EXPERT
Top Expert 2004

Commented:
I think those lines represent wireless data flying through the air :-)

Author

Commented:

Trey,

What would the route statement look like?  I've actually never set one up before...  I've done port forwarding and VPN and NAT, but never did a static route.

Thanks,

M.
CERTIFIED EXPERT
Top Expert 2004

Commented:
That's going to depend on the brand of router, they're all different.
Michael Frederick, Regional IT Manager III

Commented:
Hold on guys.

I am a consultant for a Police Department and there are DOJ regulations that you have to go by if the station is connecting in any way to the DOJ.

You first need to see what applications the department is running that are DOJ. What machines are running these applications. Any machine running a DOJ app can not have internet access at all.
Michael Frederick, Regional IT Manager III

Commented:
If you need help with this, we will have to do this outside of this forum.
CERTIFIED EXPERT
Top Expert 2004

Commented:
That's a policy issue that has nothing to do with the question really. As near as I can tell, all he's doing is modifying an existing setup that already provides everyone internet access. The police station made the request and they ought to check into any legal issues, not diablo-26.

Commented:

Route add 10.1.1.0 mask 255.255.255.0 10.1.1.1 -p
Route add 192.168.1.0 mask 255.255.255.0 192.168.1.2 -p
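Added illustration (not from the thread or any of its posters) of why the earlier drawing said the Cable/DSL router "would also need a static route": a router picks the most specific matching prefix, and without an entry for 10.1.1.0/24 the replies destined for the 10.x side fall through to the default route and go out the ISP uplink. The routing tables below are constructed from the addresses in the drawing (192.168.1.0/24 on the router's LAN, 10.1.1.0/24 reached via the server's 192.168.1.2 NIC); the next-hop labels "isp-uplink" and "directly-connected" are placeholders.

```python
import ipaddress

# Constructed routing tables for the Cable/DSL router in the two-NIC drawing.
# Each entry is (destination prefix, next hop). 0.0.0.0/0 is the default route.
WITHOUT_STATIC = [
    ("0.0.0.0/0", "isp-uplink"),            # everything unknown goes to the ISP
    ("192.168.1.0/24", "directly-connected"),
]

# Same table plus the static route the poster mentioned: 10.x is reachable
# through the server's first NIC at 192.168.1.2 (assumed from the drawing).
WITH_STATIC = WITHOUT_STATIC + [("10.1.1.0/24", "192.168.1.2")]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def return_paths(table, lan_hosts):
    """Where replies to each LAN host would be sent; reveals hosts that leak
    to the ISP uplink because no internal route covers them."""
    return {host: lookup(table, host) for host in lan_hosts}


if __name__ == "__main__":
    hosts = ["192.168.1.7", "10.1.1.25"]          # constructed sample clients
    print("without static route:", return_paths(WITHOUT_STATIC, hosts))
    print("with static route:   ", return_paths(WITH_STATIC, hosts))
```

Run stand-alone it prints the next hop for a client on each side with and without the static route; the 10.1.1.25 client is only reachable from the router once the 10.1.1.0/24 entry exists.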
Michael Frederick, Regional IT Manager III

Commented:
If he makes changes to the network and does not consult the DOJ the departments apps will not work. 90% of the time officers have no clue as to how things work. That is why they hire us. Any changes that we recommend or make revolve around the organization which includes policy. It would be neglect on the consultants part not to check everything out. I am not saying that the recommendations in this post are not correct in a normal corporate situation, but this is not a normal corporate situation. The DOJ controls the IP network, the router, just about every. They have to approve any and all changes related to the network.

Commented:
I'm a SA at a Sheriff's Dept - about 400 users. TEK does have a point in that you might want to question what is running on those 10.1.1.x machines. That looks like a subnet that State, or NCIC might assign. At our facility the DOJ can kiss my a$$ ;), but State does have say so on any machines accessing their databases. The Police dept you are working with diablo, should have a person assigned as TAC (Terminal Agency Coordinator) if they have NCIC (National Crime Information Center). That person should be able to tell you which machines to leave alone. I can see why TEK wanted to throw in a little warning. If he's done consulting for law enforcement agencies he knows that Police officers and Deputies will LIE to no end if it means getting internet access on their PC. If it says "FREE! I AM SPYWARE" anywhere on a web page they will download it, install it and email it to every other officer in the county. <grin> lol
Michael Frederick, Regional IT Manager III

Commented:
My point, thank you for backing me on this!
you cop shop guys are assuming that there are DOJ apps on the systems. You raise good points but his cops really just want to do internet orders of their fav Krispy Kreme's

Commented:
I also do some work with police departments. I sympathize with likely budget issues, but ANYTHING at a PD is sensitive, DOJ or otherwise. Personnel info, calls for service, call lists - EVERYTHING is sensitive or could become so if there's suddenly a big case. I would be VERY concerned about trying to put these on the same network.

That said, I think you're making it too complicated. First off, two NIC's in a single server is really dangerous if you don't know how to protect them and we are having this conversation . . . One NIC becomes a gateway for the other network.

Just get you an inexpensive, managed switch. I know Linksys makes one for <$300. There are others out there that will give you layer 2 protection and allow separate VLans. The Cisco stuff is pretty pricey, but Linksys and other small office stuff is pretty reasonable.

Then you split the switch into two separate networks (VLans). They can both get their Internet from a single source, but never see each other. If you need separate DHCP services, you can put an inexpensive consumer router on one side.

Remember the whole thing is only as secure as the weakest link.
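Added example, not code from the thread or from any poster, modelling the access policy that both the VLAN-switch post above (subnets 192.168.2.0/24 and 192.168.3.0/24) and this post describe: each subnet reaches the server and the Internet, but never the other subnet. The rule set is an ordered, first-match list with a trailing deny, which is how inter-VLAN ACLs on a managed switch or router behave. The server address 192.168.4.10 on a third subnet is an assumption taken from the earlier suggestion to put the server on its own network. A second, deliberately mis-ordered rule list shows the usual failure mode: a broad "permit to anywhere" rule placed before the deny silently lets the two sides see each other.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix
    dst: str      # CIDR prefix


# Addresses from the VLAN post; the server subnet is assumed.
VLAN_A = "192.168.2.0/24"
VLAN_B = "192.168.3.0/24"
SERVER = "192.168.4.10/32"
ANY = "0.0.0.0/0"

# Correct order: specific permits, then the isolation denies, then the
# broad Internet permits, then an explicit default deny.
ISOLATING_ACL = [
    Rule("permit", VLAN_A, SERVER),
    Rule("permit", VLAN_B, SERVER),
    Rule("permit", SERVER, VLAN_A),
    Rule("permit", SERVER, VLAN_B),
    Rule("deny", VLAN_A, VLAN_B),
    Rule("deny", VLAN_B, VLAN_A),
    Rule("permit", VLAN_A, ANY),
    Rule("permit", VLAN_B, ANY),
    Rule("deny", ANY, ANY),
]

# Mis-ordered: the "to anywhere" permits come first, so the denies never match.
LEAKY_ACL = [
    Rule("permit", VLAN_A, ANY),
    Rule("permit", VLAN_B, ANY),
    Rule("deny", VLAN_A, VLAN_B),
    Rule("deny", VLAN_B, VLAN_A),
    Rule("deny", ANY, ANY),
]


def evaluate(acl, src_ip, dst_ip):
    """First matching rule decides; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action
    return "deny"


def isolation_violations(acl, a_hosts, b_hosts):
    """Return (src, dst) pairs where one subnet can reach the other."""
    bad = []
    for a in a_hosts:
        for b in b_hosts:
            if evaluate(acl, a, b) == "permit":
                bad.append((a, b))
            if evaluate(acl, b, a) == "permit":
                bad.append((b, a))
    return bad


if __name__ == "__main__":
    # Constructed sample clients, three per side as in the question.
    side_a = ["192.168.2.10", "192.168.2.11", "192.168.2.12"]
    side_b = ["192.168.3.10", "192.168.3.11", "192.168.3.12"]
    for name, acl in (("isolating", ISOLATING_ACL), ("leaky", LEAKY_ACL)):
        print(name, "violations:", isolation_violations(acl, side_a, side_b))
    print("A -> server:", evaluate(ISOLATING_ACL, side_a[0], "192.168.4.10"))
    print("A -> internet:", evaluate(ISOLATING_ACL, side_a[0], "203.0.113.9"))
```

The same check applies whatever box enforces the rules: write the deny between the two client subnets before any broad permit, and keep the server on a subnet of its own so that "permit to server" never has to be written as "permit to a whole VLAN".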

Author

Commented:
Thanks for all the help guys... yes this is just a tiny township office.  Nothing very big and I'm not sure of all the apps they're running, but I know one is called CODY and they also mentioned an old DOS based program...  So we're not talking state of the art here.

I know one of the things is they bought a corporate antivirus and they want their server to house the main component and then the client PC's tap into that.  Like the corporate version of Norton.

I actually work for a school district and own my own business, so I don't work at this place nor am I a cop.  I'm just trying to help them do what they want to do.  Sounds like the VLAN idea might be good.  How would you make the server available to both sides of the network though?  Or can you do that with the Linksys box you were talking about?  

I've actually never setup a VLAN before... I've done plenty of routers and point to point VPN and stuff like that, but have never needed to do a VLAN anywhere.   Is it a pretty straight forward process using the Linksys?

Thanks a lot for all the helpful info!

Matt