Solved

Physically blocking Internet access?

Posted on 2007-10-19
Medium Priority
264 Views
Last Modified: 2010-04-19
In a school we have a domain controller/fileserver patched into a switch/hub. All users (teachers/staff) are also patched into this switch, as is the router (gateway). A classroom is patched into its own switch/hub and this in turn is patched into the switch above. Is there a way of setting up some sort of physical switch where I can exclude/switch out the classroom from accessing the router/gateway while leaving it access to the server, with everyone else having access to the server and router? Would a second network card in the server work, and how? Server runs MS Server 2003, clients all XP. Server provides DNS, DHCP.
Question by:jimcallan
19 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20112431
Create 2 separate VLANs for internal use on your network. One for Internal and one for traffic leaving the LAN (i.e. Internet). Then make sure that VLAN isn't in the access-list for your gateway allowing it Internet access. This would allow all traffic besides those users specified in that VLAN to access the Internet.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20112439
*** Ignore the word "INTERNAL" from the first sentence above.
0
 
LVL 7

Expert Comment

by:dlangr
ID: 20112459
Add the extra network card, put it on another subnet.

example: Your normal network is 192.168.1.x , netmask 255.255.255.0 put the second network card on 192.168.2.x , netmask 255.255.255.0 for the classroom network. Connect all classroom computers to the second network. By default, traffic will not be routed between the 2 networks.
0
 
LVL 2

Expert Comment

by:michaelhooper
ID: 20112482
how many classroom machines are you talking about?.....if not that many then just set them with static addresses and leave out the gateway...
0
 
LVL 7

Expert Comment

by:dlangr
ID: 20112556
it's not really secure that way
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20112611
2 VLANs.... One for internal traffic only and one for both.... This way you don't have to vary your address pool into separate subnets.
0
 
LVL 2

Expert Comment

by:samirise
ID: 20112817
I agree that leaving off the gateway would be easiest and lowest on TCO.
0
 
LVL 7

Expert Comment

by:dlangr
ID: 20113120
we are talking about a school, they might, but I think they don't want to mess with VLANs and won't have a router that actually supports it.
0
 
LVL 7

Expert Comment

by:dlangr
ID: 20113126
leaving the gateway off will work, but can be easily circumvented and at schools there are a lot of creative people, an extra network card to create a separate network which is still connected to the server is what I would go for.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20113533
dlangr is on the right track here. This is the reason I am supporting my theory on the different VLANs... I'm not 100% sure what type of equipment and/or the variables (equipment size, revisions, firmware, availability, etc.) there are on premises at this particular school, but.... This seems to be the simplest "Secure" method to ensure not only network and data security, but to also ensure users can access the resources they need for daily operation/usage to guarantee school productivity.....
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20113609
2 VLANs... I can give you the config if you know the equipment....... Or, at least direct you to a public site that can get you your config............
0
 

Author Comment

by:jimcallan
ID: 20114364
Many thanks for all the suggestions. I'm not sure how to go about VLANs, sounds quite complex, but I did try a second network card some weeks ago. I kept getting an error about multiple gateways. I then had a problem following a RAID disk failure and subsequent rebuild. I could not demote the DC or even force a demotion so had to reformat and start from scratch, so maybe now I could try the 2nd NIC suggestion? The classroom has 30 clients, the router is a Cisco 871 router. The IP address scheme is 87.36.34.0 - 254. I assume the 2nd NIC would have to be configured slightly differently as dlangr suggests, but do I include the router IP in both NICs or is this why I get the multiple gateway warning? How would I configure the gateway on both NICs or in DNS or wherever?
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20115321
Do you manage the 871 router? If so, it's not that difficult. VLANs are very simple and in your case would be the best solution....
Virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

Go here and read:
http://net21.ucdavis.edu/newvlan.htm
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 20115359
My argument is below:

This is a school where kids now can get pretty creative in manipulating your network. I suggest this because of what you are trying to accomplish. Simply using a second NIC does resolve your problem but leaves you vulnerable..

You currently have a LAN set up in that school and all users can access your Intranet(your local lan) resources and the Internet. By creating (2) Virtual lans you would allow one group access to only those Intranet resources(Inside the school ONLY)  while allowing the second vlan to access both inside and outside(Intranet & Internet).
0
 
LVL 7

Accepted Solution

by:
dlangr earned 500 total points
ID: 20115900
I did not notice before that the server is a DC, how could I have missed that.

I strongly recommend against the second network card now I do. DCs do not like to be multihomed. This also means the network will not be physically separated.

You are left with 2 options:

- Go with VLANs, it's more secure.
- Configure the first network card (instead of adding another one) with a second IP in another range and connect the classroom switch to the same switch as the server. You will then not have a physically separated network, and risk the students changing IP settings (or using a laptop with an IP in the range of the normal network) to gain access to the network, if they find out that you did not physically divide the networks. Also you would have to manually configure them with a static IP in the other range (without the gateway).

I am sorry for the confusion. Warlock was right on track. I Just wanted to provide you with an easy solution.
0
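The circumvention dlangr warns about in the second option (a student re-addressing a classroom PC, or bringing in a laptop, onto the range that has the gateway) can be spotted from the server, which sees both ranges. The script below is an added example, not code from the thread; it follows dlangr's addressing plan (192.168.1.0/24 with the gateway, 192.168.2.0/24 for the classroom with no gateway), assumes the server holds 192.168.1.10 and 192.168.2.10, and uses constructed MAC inventories and a constructed Windows `arp -a` snapshot as input.

```python
"""Flag classroom hosts that have escaped the gateway-less classroom range."""
import ipaddress
import re

STAFF_NET = ipaddress.ip_network("192.168.1.0/24")      # range that carries the gateway
CLASSROOM_NET = ipaddress.ip_network("192.168.2.0/24")  # classroom range, no gateway set

# Constructed inventories: classroom PC MACs (e.g. from DHCP reservations) and staff/router MACs.
CLASSROOM_MACS = {"00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"}
KNOWN_STAFF_MACS = {"00-aa-bb-cc-dd-01", "00-aa-bb-cc-dd-10"}

# Constructed `arp -a` output as seen on the server, which has an address on both ranges.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-01     dynamic
  192.168.1.20          00-aa-bb-cc-dd-10     dynamic
  192.168.1.57          00-11-22-33-44-02     dynamic
  192.168.1.58          00-de-ad-be-ef-99     dynamic
Interface: 192.168.2.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.2.11          00-11-22-33-44-01     dynamic
"""

# One ARP entry: dotted IP, dash-separated MAC, entry type. Header lines do not match.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)


def parse_arp(text):
    """Yield (ip, mac) pairs from Windows `arp -a` output, skipping header lines."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(2).lower()


def find_violations(arp_text, classroom_macs=CLASSROOM_MACS, staff_macs=KNOWN_STAFF_MACS):
    """Return (ip, mac, reason) for every host on the gateway range that should not be there."""
    violations = []
    for ip, mac in parse_arp(arp_text):
        if ip not in STAFF_NET:
            continue  # on the classroom range there is no gateway to reach, so nothing to flag
        if mac in classroom_macs:
            violations.append((str(ip), mac, "classroom PC re-addressed onto the gateway range"))
        elif mac not in staff_macs:
            violations.append((str(ip), mac, "unknown device on the gateway range"))
    return violations


if __name__ == "__main__":
    for ip, mac, reason in find_violations(SAMPLE_ARP):
        print(f"{ip:<15} {mac}  {reason}")
```

Run it from a scheduled task on the server against live `arp -a` output to get a periodic list of hosts that have crossed over; an empty list means every device on the gateway range is a known staff machine.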
 

Author Comment

by:jimcallan
ID: 20117701
Many thanks folks.
To Warlock, the router is managed by a government body managing Internet access to schools so it may not be possible to do this but I will read up and make inquiries.
To dlangr, I remember something somewhere with the caution you advise on multiple cards in a DC.
Students have a pretty locked down setup with Group Policy so I don't think they can upset the apple cart too much! If I set up the NIC with a 2nd IP do I do this under the advanced option and just add? The current NIC uses a static IP. Will I then set up static IP on the clients to point at the new IP and how will all that address the gateway and the file server? Lots of questions - just groping my way through this.
Again many thanks for all the input.
0
 

Author Comment

by:jimcallan
ID: 20117710
Just to clarify things a bit. I don't want to permanently block access to the Internet to the class. I want a situation where when students are supposed to be doing work, e.g. on databases, they are not covertly signing onto the Internet, but when the teacher wants to give them access, we can switch them over. I had this setup before when the class had its own file server and I installed an on/off switch on its cable to the router. Now that there is a single fileserver for all users in the school and a single router I would have to try to implement this at the server somehow.
0
 
LVL 2

Expert Comment

by:michaelhooper
ID: 20118155
jimcallan....looking at your last comment consider this since you are looking for something you can easily turn off/on

put a small 4 port hub/switch between the switch the classroom PCs plug into and the switch that connects them to the gateway.....when you just want the classroom PCs to talk to each other just turn off the small hub/switch...you could even drop a cat 5 cable into the classroom so the small hub would be in the classroom for easy access....when you want them to get to the internet turn it on.....you can get these pretty cheap most anywhere...
of course you couldn't turn it off until after all PCs have booted as they will not be able to reach the DHCP server/DC when it's off......but once they are booted then power it off....voila no internet access....turn it back on and surf away
0
 

Author Comment

by:jimcallan
ID: 20118268
michaelhooper
Unfortunately the switch that connects to the gateway also connects to the fileserver which is the DC. Group Policy redirects students' My Docs to the file server. Classroom has its own sw/hub with CAT 5 link to sw/hub linking to fileserver and gateway. Although your solution would work in blocking the Internet it would also prevent access to the file server?
0
