Solved

Can I use a managed switch to prevent certain IP addresses from accessing the internet?

Posted on 2008-10-29
285 Views
Last Modified: 2008-12-07
Our network has many computers with no reason to access the internet.  Can I configure a managed switch to block a group of IP addresses from sending or receiving any data to the firewall appliance?  In other words can I use the switch to say  this group of computers can only communicate within the LAN?  Or should I be using an entirely different approach?
Question by:captainrichard
5 Comments
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22836117
You can create a proxy setting on that workstation whereby it points to 127.0.0.1 for the Internet.  That will prevent those workstations from even attempting to reach the switch to go to the Internet.  As for the switch itself, I don't believe you can do it via IPs, but I do believe you can create blocked access from the MAC.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 22836544
Access control is usually a router function, not a switch one; however, many switches are also routers.

What is the "default route" set to on the machines?
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 22837893
If your firewall is doing the NAT, you can block at the firewall based on IP address; not all firewalls can do DNS lookups on hosts. You can move computers to a separate VLAN that does not have a route to the internet. If your switch does layer 3 (IP/routing), you can block on the switch.
You can set a null route to the internet...
But the easiest way, if they only have IE, is to set up a false proxy IP address (some IP on your LAN that does not have proxy capabilities) and check the box for "disable for local LAN", so you should still be able to get to your intranet sites.
-rich
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 150 total points
ID: 22838862
To be honest though, if you are going to go down the proxy route, it would be easier and better to establish a real proxy (such as squid) and implement access controls and logging there; then you can deny individual machines *any* access to the internet (by disabling NAT at the outbound router, and restricting it to just the proxy host) other than via the proxy you control.

You can use the various autoconfigure protocols (such as PAC files, or the appropriate DHCP settings) or group policy to push that to the workstations.
 
LVL 5

Accepted Solution

by:rexxus
rexxus earned 200 total points
ID: 22866748
If the group of users has no requirement to access any resources outside of their subnet, you could set up two VLANs.

The first VLAN/subnet could be in the same subnet as the firewall and the DHCP options can provide a default gateway of the internal firewall appliance.

The second VLAN/subnet could be configured with no default gateway, or a default gateway of 127.0.0.1, so that no matter what their traffic can't leave the broadcast domain they are attached to.
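The two-VLAN design from the accepted answer, combined with Rich Rumble's point that a layer-3 switch can also filter, written out as an added example in Cisco IOS-style syntax. This is not configuration from any of the posters; the VLAN numbers, subnets, DNS server and the firewall's inside address (192.168.10.1) are all made up for illustration. It goes one step beyond the accepted answer: VLAN 20 gets an SVI so those hosts can still reach intranet servers on VLAN 10, and because a user could type a static default gateway by hand, an inbound ACL on that SVI enforces the "LAN only" policy on the switch itself rather than relying on the missing DHCP gateway option alone.

```cisco
! Added example (not from the thread). All addresses are constructed.
vlan 10
 name INTERNET-ALLOWED
vlan 20
 name LAN-ONLY
!
! Keep the switch SVIs and the firewall's inside address out of the DHCP ranges.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
! VLAN 10: normal clients; default gateway is the firewall appliance.
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.5
!
! VLAN 20: the pool deliberately has NO default-router line, so hosts receive
! no gateway and cannot leave their own subnet (the accepted answer's approach).
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 dns-server 192.168.10.5
!
! Defence in depth: if a VLAN 20 host sets a static gateway of 192.168.20.1,
! this ACL still blocks it from the firewall and from anything outside the LAN.
ip access-list extended LAN-ONLY-IN
 remark never let the restricted VLAN talk to the firewall's inside interface
 deny   ip 192.168.20.0 0.0.0.255 host 192.168.10.1 log
 remark allow intranet servers and DNS on VLAN 10
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark everything else (including any route to the internet) is dropped
 deny   ip 192.168.20.0 0.0.0.255 any log
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group LAN-ONLY-IN in
```

If VLAN 20 genuinely needs nothing outside its own subnet, leave out the `interface Vlan20` block and the ACL entirely: with no SVI and no gateway there is no layer-3 path at all, which is the simplest and most robust form of the accepted answer. The `log` keywords on the deny entries are what let you see, on the switch, which restricted hosts are trying to reach the firewall.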
