Mixed network environments: Domains and Workgroups

Posted on 2007-10-13
Last Modified: 2010-04-02
Here is my situation.

We have one Server running Windows 2003 Standard, Exchange 2003, DHCP, SAV 9.0 and the back up software.

We have 72 computers with only basic user privileges assigned so the staff can't mess things up. 10 of those 72 computers are in a training room and will need to be managed by non-IT staff who need full administrative privileges on them in order to add or remove programs and do whatever they like to them. They also need to be able to access the internet.

To keep the network safe, my idea was to do the following for those 10 computers

1. sign up for a separate broadband service (cable, DSL or FIOS)
2. install a simple DHCP router and connect them to it (Linksys, Netgear, etc.)
3. change the computers over to a local workgroup from the domain
4. reconfigure the Symantec Antivirus programs to get updates from the Symantec online server instead of our internal server
5. create a local administrator account on each computer for the non-IT staff so they can do what they please on those computers


My question... Is it possible to bypass step 1 (keep the 10 computers tapped into the network's DHCP structure so they can get online) without exposing our network to security risks such as worms and what not? In all likelihood, some if not all of the 10 computers will eventually get infected or become compromised as the non-IT staff do not have much knowledge in managing security and the computers will be used by the public.

Any feedback would be appreciated.

Thank you.

Clark
Question by:killyman
6 Comments
 
LVL 2

Expert Comment

by:jeffreydn
ID: 20072234
You have a couple different options... What you basically want to do is keep these 10 computers on a separate network. You have a few different options...

1. Does your current router/firewall have an extra or DMZ port on it? you could set up a separate subnet for these 10 computers and tell the firewall to block traffic from that extra port...

2. Do you have the option of adding an additional IP address to your internet connection? You could setup the second network just as you outlined above, only instead of signing up for a new internet connection, use your existing one and just give the new router a second IP address. Then, those additional computers would be treated just like any other strange computer out there on the net as far as your corporate firewall is concerned, but you wouldn't be paying double for internet connectivity.

If you have really high-end switches and such, you could setup vlans and all that, but I don't think that is relevant in this scenario...

Author Comment

by:killyman
ID: 20073327
Jeff,

Thanks for your quick reply.

We have a Symantec Firewall/VPN 200 model and it does seem to have the option to use DMZ. So, do you mean we would connect the consumer router (Linksys or Netgear) to that DMZ port and then use a basic switch in the room with the 10 computers?

Description of the DMZ option from the manual follows.

......................................................................................................................
Exposed Host (DMZ)
This screen will let you define a custom server accessible from the outside by the Symantec
Firewall/VPN's external WAN IP address. The unit redirects all requests not explicitly allowed by
a virtual server rule to the exposed host. The Symantec Firewall/VPN then redirects the request to
your internal local IP address for the virtual server. You should first check the Virtual Servers
screen to make sure your server is not already predefined. For security reasons, make sure the
exposed machine is locked down to prevent illegal access and compromise of the system.
......................................................................................................................

Not sure about your second suggestion. Do you mean a second WAN IP port? Our firewall has that option, but I'd have to check with our ISP to see if we can get or already have the option of using another static IP address. I believe we have a block of them.

Our server is currently managing the DNS and DHCP, not the firewall. So on WAN IP port 1 in our firewall we have the DNS set to go to our server. If we hook the additional router up to WAN IP port 2, we can set the DNS manually to that of our ISP. But, I'm not sure how we would then contain or direct the WAN IP port 2 to the 10 computers.

Clark
LVL 2

Accepted Solution

by: jeffreydn (earned 1000 total points)
ID: 20076133
Ok, if you have a block of IP addresses and have one available to spare, I am going to recommend you not use the extra port on your firewall/router and you hook up a "home" router/firewall to the network and let it get one of the extra IP addresses.

To do this, you will need a hub (or switch) to split the connection from your ISP's network out port. For example, if you have a DSL line with a DSL modem, chances are there is an ethernet cable that goes from the DSL modem to your firewall WAN port. You will want to put a hub in the middle there...

           (ISP Device)
                     |
                 (Hub)
                 /       \
    Existing         New Broadband
    Firewall          Router/Firewall
          /                   \
private net            new lab network

This will keep your new lab network separate from your internal network -- they will have the same access on the outside of your firewall as any other internet citizen (or felon). The only thing you have to worry about is the fact that you are sharing bandwidth to the internet with the new lab network.

Also, I don't know your setup, but if you get a wireless broadband router, you can enable or disable the wireless features as needed... since this is a separate "non-secure" connection, you could offer it for visiting (e.g., non-managed) laptops / guests.

Author Comment

by:killyman
ID: 20080637
Jeff,

You're right on about that second option. I just spoke with our ISP and confirmed that we have a block of 29 static WAN IP addresses we can use including the one we are already using right now for our network.

So, the game plan is to buy a hub/switch and put that between our ISP modem (T1 connection) as you outlined in your diagram.

            (ISP Device)
                     |
                 (Hub)
                 /       \
    Existing         New Broadband
    Firewall          Router/Firewall
          /                   \
private net            new lab network

I'll probably get something basic like a Linksys WRT54G router and disable the wireless service on it. Then I'll assign for the WAN IP one of the free static IP addresses we have from our ISP and put in the DNS from our ISP as well as the subnet mask.

The training room has several network jacks in it that feed into our main server room's patch panel which then in turn feed into our switches connected to our server.

Tell me if I'm correct in this assumption... I should disconnect all but one of those connections from the training room to the patch panel. The one remaining connection should go directly from the patch panel port assigned to the training room to the new Linksys WRT54G LAN port instead of our internal network switches. On the training room side where the one active Ethernet port remains, I will use a simple hub/switch for the 10 computers. My diagram appears below.

            (ISP Modem)
                     |
             (New Hub)
                 /       \
    Existing         Linksys WRT54G
    Firewall          Router-Firewall
          /                           \
private net            server room patch panel
                                          \
                         simple hub or switch in lab room
                                              \
                                    10 lab computers

Do you have any recommendations for the Hub/Switch that we will use between the ISP Modem and our current network firewall and the new Linksys one for the lab?

Thanks.
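A pre-deployment check for the addressing plan discussed in the accepted solution and in the follow-up above (lab router on a spare static WAN IP from the ISP block, ISP resolvers for DNS, lab LAN kept apart from the domain network). This is an added example, not code from the thread; every address in it is a constructed placeholder from documentation and RFC 1918 ranges, not the poster's real block.

```python
"""Sanity-check the 'lab outside the corporate firewall' address plan."""
import ipaddress

# Constructed sample plan (documentation / RFC 1918 ranges, not real values).
PLAN = {
    "isp_block": "203.0.113.0/27",       # stands in for the ISP block of static IPs
    "isp_gateway": "203.0.113.1",        # ISP router address inside that block
    "corp_firewall_wan": "203.0.113.2",  # existing Symantec Firewall/VPN WAN IP
    "corp_private_net": "10.10.0.0/24",  # domain network behind that firewall
    "lab_router_wan": "203.0.113.3",     # spare static IP to give the WRT54G
    "lab_lan": "192.168.1.0/24",         # WRT54G LAN side for the 10 lab PCs
    "lab_dns": ["203.0.113.30"],         # hypothetical ISP resolver
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan keeps the lab
    network entirely outside the corporate firewall."""
    problems = []
    block = ipaddress.ip_network(plan["isp_block"])
    gw = ipaddress.ip_address(plan["isp_gateway"])
    corp_wan = ipaddress.ip_address(plan["corp_firewall_wan"])
    lab_wan = ipaddress.ip_address(plan["lab_router_wan"])
    corp_net = ipaddress.ip_network(plan["corp_private_net"])
    lab_net = ipaddress.ip_network(plan["lab_lan"])

    # The lab router's WAN address must be a usable host in the ISP block
    # (not the network or broadcast address) and must not be one already taken.
    if lab_wan not in block.hosts():
        problems.append(f"lab WAN {lab_wan} is not a usable host in {block}")
    if lab_wan in (gw, corp_wan):
        problems.append(f"lab WAN {lab_wan} collides with the ISP gateway or corporate firewall")

    # The two private sides must not overlap, so a later mistake (a VPN, a
    # static route, a mis-patched cable) cannot quietly bridge them.
    if lab_net.overlaps(corp_net):
        problems.append(f"lab LAN {lab_net} overlaps corporate net {corp_net}")

    # Lab machines resolve via the ISP only: pointing them at the internal
    # Windows server would require a path into the private network.
    for dns in plan["lab_dns"]:
        if ipaddress.ip_address(dns) in corp_net:
            problems.append(f"lab DNS {dns} points into the corporate network")
    return problems
```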
LVL 2

Expert Comment

by:jeffreydn
ID: 20081061
For unmanaged hubs/switches, I have been happy with the Netgear products.

For your T1 <-> wiring closet connection, I would go with a 5 port device, like
Netgear FS105NA ProSafe 5 Port 10/100Mbps Ethernet Switch
http://www.amazon.com/jiffynet/dp/B00002EQCW/

And for the actual lab room, I'd hook this up to one of the ports on the WRT54G
NETGEAR FS116 16 Port Fast Ethernet Switch with Auto Uplink (10/100)
http://www.amazon.com/jiffynet/dp/B000063UZW/

Though really, anything you have lying around that is reliable would work. You don't need to worry about 10/100, because your T1 connection is only 1.5. Also, inside your wiring closet, I would color code your cables... e.g., pick a color for "outside" connections, so that you don't accidentally confuse the cable linking the lab with a normal internal connection.

Author Comment

by:killyman
ID: 20090693
Thanks Jeff. I ordered the parts you recommended and will get everything set up as soon as they arrive. Thanks for your great feedback and insight!

Clark