Solved

Separate Networks

Posted on 2014-02-19
Last Modified: 2014-04-14
Hello,

I have a computer repair business and am having a lot of issues with infected computers that are brought in for service. We need to put them on the network in order for us to remove infections and clean them up. The problem is that I am getting blacklisted, which is causing my Exchange server to not be able to send email. I am also getting reports that there are Trojans on my network. Well, there are indeed infected machines on my network that are being cleaned up. Our environment is a handful of fileservers, domain controller, Exchange server, cloud backup servers. We currently are using Verizon FiOS and the router they provide. We have 2 24 port gigabit switches as well. 1 static Verizon IP. What would be the most cost effective way for us to separate the network so we have our domain computers on 1 network and the infected ones here for repair on another? Again, the infected machines also need internet access.

Thanks,
John
Question by:jands
7 Comments
 
LVL 1

Accepted Solution

by:
ldrose537 earned 2000 total points
ID: 39870371
I have two primary recommendations:

1) Keep infected workstations off the network while doing initial cleanup. Find some cleanup tools that you can copy onto a CD, and run them initially - get the machine as clean as possible first. I understand that some of the more prominent virus removal tools are "online," but connecting an infected machine to a production network is not good practice.

2) Look into creating a second firewalled VLAN - requiring modification on the router and one of the switches; this will be a little involved, and if you don't take care of point one, you will still possibly run into the same issue of being blacklisted.
0
 
LVL 11

Expert Comment

by:BillBondo
ID: 39870531
I agree with ldrose537. Many programs are available for cleaning the computer offline, as well as slaving the drive to a machine for online programs.
0
 

Author Comment

by:jands
ID: 39870587
I cannot agree more, and this is why I'm doing something about it, guys. Just looking for some advice.
0
LVL 56

Expert Comment

by:McKnife
ID: 39870592
I would also recommend not to network those but use Windows 8 "To Go" [USB stick installation of Win8 Enterprise (trial)] for cleaning operations.
0
 
LVL 1

Expert Comment

by:ldrose537
ID: 39870662
John,

Here is a link to some possible options for cleanup:

http://www.techrepublic.com/blog/five-apps/five-portable-antivirus-and-antimalware-tools-to-carry-with-you-at-all-times/

Otherwise, check around for bootable scanning tools. They are out there. You might have to dig around for a solution or solutions that work best with the varied systems you encounter.

Linda
0
 
LVL 1

Expert Comment

by:ldrose537
ID: 39870841
Regarding VLAN

You said: "We currently are using Verizon FiOS and the router they provide."

They should be able to answer questions regarding setting up a Virtual LAN (VLAN), whether it is possible with their equipment, and what it would take.

An additional thought: Keep in mind that with the "1 static Verizon IP", all internal traffic, regardless of the VLAN configuration, will be routed outside that IP, and that IP will be flagged/blacklisted with any continuing issues. So if you really want to isolate your production network from the potentially infected machines, you might want to contact Verizon and ask about getting an additional static IP (it may turn out to be a total of 5, depends on how Verizon does this).

Regardless, you'll want to talk to your provider and explain what you are trying to do, as it is a more involved setup. They should be able to help.

Linda
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931452
if you have 1 static IP, you probably have a NAT router that can do some firewalling. tell us what you have, you probably don't have to add anything else. if you don't have any usable network equipment, you probably have an old spare machine that can act as a router and dhcp server. for a few machines and such a use, a pentium with 16Mb of ram would be enough.

either dedicate a switch or create a specific isolated vlan for the guest hosts, and then configure your existing equipment or spare machine to route them differently. we'll be able to help more once we know what you have at hand.

remember to
- NEVER allow outgoing port 25 for infected machines if you expect your own server not to be blacklisted and your ISP not to ditch you
- NEVER stick infected (or actually any foreign host) on your own network

also beware that using whatever cleanup tools whether online or not is probably inefficient. once a machine is strongly infected, formatting it is definitely a much more cost-effective way to remove malware (and even that is not always sufficient)
0
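
The two rules from the comment above (no outgoing port 25 from the repair machines, and no path from them to your own network), written as an nftables ruleset for a spare Linux machine that routes a dedicated bench switch out through the existing LAN. This is an added example and not part of the original thread; the interface names, subnets, and the use of a DHCP/DNS service such as dnsmasq on the same box are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: all names and addresses below are assumptions.
flush ruleset

define UPLINK = "eth0"   # plugged into the existing LAN, toward the ISP router
define BENCH  = "eth1"   # plugged into the switch dedicated to repair machines

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Repair machines may only ask this box for DHCP and DNS.
        iifname $BENCH udp dport { 53, 67 } accept
        iifname $BENCH tcp dport 53 accept
        # Administration is reachable from the production side only.
        iifname $UPLINK tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Only IPv4 is routed for the bench; drop any forwarded IPv6.
        meta nfproto ipv6 drop
        ct state established,related accept
        # No path from the bench to the production LAN or any private range
        # (this also covers the ISP router's admin interface).
        iifname $BENCH ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
        # No outgoing SMTP from machines under repair; log so hits are visible.
        iifname $BENCH tcp dport 25 log prefix "bench-smtp-drop " counter drop
        # Everything else from the bench may go out to the internet.
        iifname $BENCH oifname $UPLINK accept
        # Nothing is ever initiated toward the bench (policy drop).
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # The ISP router has no route to the bench subnet, so hide it.
        oifname $UPLINK masquerade
    }
}
```

The counters on the two drop rules (`nft list ruleset`) show how often a machine on the bench tried to reach the production network or send mail directly, which is a quick indicator of which machine is still infected.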

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question