• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 218
  • Last Modified:

Separate Networks

Hello,

I have a computer repair business and am having alot of issues with infected computers that are brought in for service. We need to put them on the network in order for us to remove infections and clean them up. The problem is that I am getting blacklisted which is causing my Exchange server to not be able to send email. I am also getting reports that there are Trojans on my network. Well there are indeed infected machines on my network that are being cleaned up. Our environment is a handful of fileservers, domain controller, exchange server, cloud backup servers. We currently are using Verizon fios and there router they provide. We have 2 24 port gigabit switches as well. 1 static verizon IP. What would be the most cost effective way for us to separate the network so we have our domain computers on 1 network and the infected ones here for repair on another? Again, the infected machines also need internet access?

Thanks,
John
0
jands
Asked:
jands
1 Solution
 
ldrose537Commented:
I have two primary recommendations:

1) keep infected workstations off the network while doing initial cleanup. Find some cleanup tools that you can copy onto a CD, and run them initially - get the machine as clean as possible first. I understand that some of the more prominent virus removal tools are "online," but connecting an infected machine to a production network is not good practice.

2) look into creating a second firewalled VLAN - requiring modification on the router and one of the switches; this will be a little involved, and if you don't take care of point one, you will still possibly run into the same issue of being blacklisted.
0
 
BillBondoCommented:
I agree with ldrose537. Many programs available for cleaning the computer off line as well as slaving the drive to a machine for online programs.
0
 
jandsAuthor Commented:
I cannot agree more and this is why im doing something about it guys. Just looking for some advice.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
McKnifeCommented:
I would also recommend not to network those but use windows 8 "to go" [USB Stick installation of win8 enterprise (trial)] for cleaning operations.
0
 
ldrose537Commented:
John,

here is a link to some possible options for cleanup:

http://www.techrepublic.com/blog/five-apps/five-portable-antivirus-and-antimalware-tools-to-carry-with-you-at-all-times/

Otherwise, check around for bootable Scanning tools. They are out there. You might have to dig around for a solution or solutions that work best with the varied systems you encounter.

Linda
0
 
ldrose537Commented:
Regarding VLAN

You said: "We currently are using Verizon fios and there router they provide."

They should be able to answer questions regarding setting up a Virtual LAN (VLAN), whether it is possible with their equipment, and what it would take.

An additional thought: Keep in mind that with the "1 static verizon IP" all internal traffic, regardless of the VLAN configuration will be routed outside that IP, and that IP will be flagged/blacklisted with any continuing issues. So if you really want to isolate your production network from the potentially infected machines, you might want to contact Verizon and ask about getting an additional static IP (it may turn out to be a total of 5, depends on how Verizon does this).

Regardless, you'll want to talk to your provider and explain what you are trying to do, as it is a more involved setup. They should be able to help.

Linda
0
 
skullnobrainsCommented:
if you have 1 static IP, you probably have a NAT router that can do some firewalling. tell us what you have, you probably don't have to add anything else. if you don't have any usable network equipent, you probably have an old spare machine that can act as a router and dhcp server. for a few machines and such a use, a pentium with 16Mb of ram would be enough.

either dedicate a switch or create a specific isolated vlan for the guest hosts, and then configure your existing equipment or spare machine to route them differently. we'll be able to help more once we know what you have at hand.

remember to
- NEVER allow outgoing port 25 for infected machines if you expect your own server not to be blacklisted and your ISP not to ditch you
- NEVER stick infected (or actually any foreign host) on your own network

also beware that using whatever cleanup tools wether online or not is probably inefficient. once a machine is strongly infected, formatting it is definitely a much more cost-effective way to remove malware (and even that is not always sufficient)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now