Solved

Smart Switch and IP Blocking

Posted on 2009-07-13
Last Modified: 2012-05-07
Hi,

We have a number of sites connected via radio links around the site, but effectively it's just one network running on 10.0.0.***. At each site we have the radio connector, which is attached to a switch, then devices are attached to the switch (this is applied at each site).

We wanted it so that at each site only certain IP addresses are allowed to talk through to the switch, so would it be possible to add a smart switch at each site and have it so:

RADIO CONNECTOR > SMART SWITCH (this would only allow certain IP addresses from the other side of the radio connector to pass) > SWITCH > DEVICES

Am I making sense?
Question by:Fruit_Box
15 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 24846656
What do you mean by smart switch? What switch model do you have?
Anyway, I would suggest making such limitations on routers - on wireless connectors, I suppose in your case. Again, the model name is needed here.
LVL 2

Author Comment

by:Fruit_Box
ID: 24846853
ProSafe® 8-Port Gigabit Smart Switch
GS108T for example
LVL 21

Expert Comment

by:from_exp
ID: 24846923
I don't think you will be able to block certain traffic towards AP.
LVL 2

Author Comment

by:Fruit_Box
ID: 24846936
But what about the built-in ACL security? For example, the ProSafe® 24-port Gigabit Stackable Smart Switch
GS724TS has the ability to do ACL filtering to permit or deny traffic based on MAC addresses or IP addresses.

http://www.netgear.com.au/au/Product/Switches/Advanced-Smart-Switc/GS724TS
LVL 21

Expert Comment

by:from_exp
ID: 24846998
Here is a manual for your device:
ftp://downloads.netgear.com/files/GS108T_UM_11Feb08.pdf

There are no options to drop traffic passing through the switch.
LVL 2

Author Comment

by:Fruit_Box
ID: 24847309
OK, so what unit could I use to do IP dropping at switch level?
LVL 21

Expert Comment

by:from_exp
ID: 24847457
I would suggest changing your network topology:
separate the clients at each site from the wireless infrastructure with a firewall (you can use almost any Netgear firewall, I suppose).
Please understand that I can suggest you use Cisco switches to do the job, but home-level routers can also do the job. The only thing to consider is the ability to disable NAT (network address translation) on the router.
If you are using a point-to-multipoint wireless solution, then you really need to limit unnecessary traffic within the wireless segment, because all wireless participants share their bandwidth.

So my solution would be:
site 1 network 192.168.1.0/24
site 2 network 192.168.2.0/24
site 3 network 192.168.3.0/24
core wireless network with 10.0.0.0/24
LVL 2

Author Comment

by:Fruit_Box
ID: 24848717
Thanks for the time on this; however, changing the network topology is a no-go. The network is pretty much one giant network ring working on IP addressing only, a simple network.

I'm thinking a firewall at each site, and add firewall rules to only allow a certain group of IP addresses to pass. Then also, because we can use a firewall, we can also block some pointless traffic like DNS, etc.

What do you think?
LVL 21

Expert Comment

by:from_exp
ID: 24849162
Hm,
possibly I have poorly explained, but introducing firewalls at each site means segmenting the network according to the method I provided.
Otherwise you can't put part of a network behind a firewall without losing connectivity between its parts.

Please understand that when you have a firewall between networks, it means that each side of the firewall must have its own subnet.
Can you please draw a quick scheme of your network,
at least with several sites? Please show IPs of equipment and network addresses.
LVL 2

Author Comment

by:Fruit_Box
ID: 24855928
Please find the attached diagram. It is very simple, as you can see, but it is a very simple network that runs totally off IP.

So what we would need is a solution that can be applied at each site where you could enter a group of IP addresses to stop them communicating. For example, at the site 10.0.0.20-25, the smart switch could be configured to drop all traffic that comes from 10.0.0.40-45 IP addresses, but not 10.0.0.30-25 etc., but each site could be configured with its own set of rules. Hope this makes sense; there must be an easy solution for this.

A layer 3 switch with IP ACL built in should do the trick, right?


Drawing1.jpg
LVL 21

Expert Comment

by:from_exp
ID: 24857770
Hi, L3 can do the stuff, but again, switches are designed to switch and route traffic (L3). If you want something to be blocked, you should use firewalls, because IP ACLs in IP switches are not that flexible.
So I still stick to my provided solution.
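The per-site rule list the author describes (drop 10.0.0.40-45, permit a neighbouring range, block DNS) and the expert's point that switch IP ACLs are stateless and "not that flexible" can both be seen in a small first-match ACL model. This is an added example, not code from the thread or from any Netgear or Cisco product; the 10.0.0.30-35 range and the DNS rule are assumptions, and the model ignores sequence numbers and other vendor-specific ACL details.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def ip_range(first: str, last: str) -> tuple:
    """Represent an inclusive address range (e.g. 10.0.0.40-45) as CIDR blocks,
    since switch and firewall ACLs match on networks, not arbitrary ranges."""
    return tuple(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

ANY = (ipaddress.IPv4Network("0.0.0.0/0"),)

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: tuple                    # source networks the rule matches
    dst: tuple                    # destination networks the rule matches
    proto: str = "any"            # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None matches any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

def matches(rule: Rule, pkt: Packet) -> bool:
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    return (any(s in n for n in rule.src) and any(d in n for n in rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(acl: list, pkt: Packet) -> str:
    """Stateless first-match evaluation with an implicit deny at the end,
    which is how switch IP ACLs and simple firewall rule lists behave."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed inbound ruleset for the site whose devices are 10.0.0.20-25
# (ranges from the thread; 10.0.0.30-35 is an assumed permitted neighbour).
LOCAL = ip_range("10.0.0.20", "10.0.0.25")
SITE_ACL = [
    Rule("deny", ip_range("10.0.0.40", "10.0.0.45"), LOCAL),    # blocked peers
    Rule("deny", ANY, ANY, "udp", 53),                           # drop DNS noise
    Rule("permit", ip_range("10.0.0.30", "10.0.0.35"), LOCAL),   # allowed peers
]   # Everything else, including traffic the local devices send out to their
    # peers, hits the implicit deny: a stateless ACL needs a rule per direction.
```

Each site would carry its own copy of such a list with different ranges, and a stateful firewall would remove the need for the reverse-direction rules.
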
LVL 2

Author Comment

by:Fruit_Box
ID: 24858000
OK, thanks. I would rather go down the firewall path, but we really can't change the infrastructure.

Without changing the topology, could you recommend any other solution?

LVL 21

Accepted Solution

by:
from_exp earned 500 total points
ID: 24858503
What kind of APs do you have?
LVL 2

Author Comment

by:Fruit_Box
ID: 24858865
They aren't APs like an SMB would use; they are line-of-sight HR radios, running at about 10mb. The radios or the network isn't the problem; the design we have works well for the information we use (this setup is used to monitor PLCs, so we are not running a domain off it etc.), but yeah, it's getting to a point where it's easier to just outsource someone at $120 an hour to get this all fixed up.
LVL 2

Author Closing Comment

by:Fruit_Box
ID: 31603149
Over it.