
· Registered
Joined
·
220 Posts
Discussion Starter · #1 ·
I'm not all that hot at more than home networking, I mostly do web dev.

Situation:

--I have a client who has a small network, 12 XP & 2K clients with small business server
-- He had me set up a DSL connection, which he wants to have just three boxes get online, all in different rooms, one of them is actually on a different floor
-- He doesn't want to have anything else online. He doesn't want the server even plugged in to a computer that can get online, (he has a phobia of hackers)
--I have a Linux router/firewall which can disallow access to the server but the client does not trust firewalls.
--Neither one of us wants to install separate wiring (which will be a hassle) and separate computers just to get online.

I am trying to convince the client to use the existing architecture, what's the safest way to do this without installing new wiring and separate computers?

Thanks
 

· Registered
Joined
·
22,834 Posts
If you have computers that can get to the Internet, then make sure they have absolutely no access to any other computers on the network. Many viruses and worms can be spread this way.

There are a few ways to help with this.

Keep the computers that will be accessing the Internet on their own separate physical cabling. Then there is no connection between them and any other computers in the office.

If you can't do this then maybe:

Have different workgroup names for the computers that will access the Internet and those that won't.

Have different IP schemes for computers that will access the internet and those that won't (e.g. some with 10.0.0.x and some with 192.168.0.x)
 

· Registered
Joined
·
918 Posts
If he is using a router, you could set up static IPs, then using Port Filtering, block all the IPs except for the 3 he wants to get online. This would still allow file and printer sharing between all computers.
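
Added example, not part of any post in this thread: one way the "only three static IPs may go out" filtering could look on the Linux router/firewall mentioned in the first post, written as an `iptables-restore` ruleset. The interface names (`eth0` for the LAN side, `ppp0` for the DSL side) and the three addresses are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the Linux router.
# Assumed values (not from the thread): interface names and host addresses.
LAN_IF="eth0"                                            # office side
WAN_IF="ppp0"                                            # DSL side
ONLINE_HOSTS="192.168.0.11 192.168.0.12 192.168.0.13"    # the three static IPs

gen_rules() {
    # Default-deny forwarding: nothing crosses the router unless listed below.
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One outbound rule per permitted workstation.
    for ip in $ONLINE_HOSTS; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log any other LAN machine that tries to go out, then NAT the rest.
    cat <<EOF
-A FORWARD -i $LAN_IF -j LOG --log-prefix "lan-blocked: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Scope note: these rules only govern packets routed THROUGH this box.
# PCs plugged into the same switch as the server still reach it directly,
# so this limits who can get online, not who can talk to the server.
# INPUT rules protecting the router itself are left out of this example.
gen_rules
```

The output can be checked without applying it by piping it to `iptables-restore --test`.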
 

· Registered
Joined
·
22,834 Posts
slarti,

From your first post, it doesn't sound like you want file sharing between all computers:

"He doesn't want the server even plugged in to a computer that can get online"

Is that correct?

If the three computers that can access the Internet can access, and be accessed by any of the other computers, then from the description of your client's requirements, you might want to have their networking configured completely differently than all the other computers.
 

· Registered
Joined
·
220 Posts
Discussion Starter · #5 ·
Bob Cerelli said:
slarti,

From your first post, it doesn't sound like you want file sharing between all computers:

"He doesn't want the server even plugged in to a computer that can get online"

Is that correct?

If the three computers that can access the Internet can access, and be accessed by any of the other computers, then from the description of your client's requirements, you might want to have their networking configured completely differently than all the other computers.
Yes, I have told him that any computer connected to the web and the net will be at risk. I know that he really doesn't want to add more wiring and computers so I'm looking for the best way to secure it.

I've thought about the 10.10.x.x and 192.168.x.x and adding an additional router between the 3 online computers and the intranet. I have given static IPs to them and have locked down the firewall pretty well.

I'm just still not sure what is the best way to go. I have presented these options to him, but like I said I'm not all that experienced in more than home networking.

What is the risk level of separate net segments compared to just isolating the intranet by unplugging them? I know that firewalls are not 100% but it seems silly to install a new computer in each room and use monitor switches to bounce back and forth between the internet and intranet, but then again, the data is precious and if it gets corrupted or stolen....

How about this, is there a way to use the phone line that the DSL is running on to connect the computers to the web. I know that I can't put more than one DSL modem on the same line or it will collide, but is there a way to split the signal without dragging ethernet through the building?

I ask just because the client has asked me to balance security with cost and speed. Meaning that the additional installation of equipment is not desirable, but he wants the server inaccessible to break ins.

Sorry if I babble, Thanks for the help so far. I appreciate the advice. :)
 

· Registered
Joined
·
22,834 Posts
You don't need more wiring to get the computers on separate physical networks.

Use your existing router for the computers that you want to have Internet access.

Get a switch for the rest. The same wiring can be used. The only difference is what device they are plugged into.

You can assign whatever you want for the IP addresses since the two networks will be completely isolated from each other.

This would give you the greatest level of security in separating the two systems for a minimal cost.
 

· Retired Administrator
Joined
·
104,767 Posts
slarti said:
I'm not all that hot at more than home networking, I mostly do web dev.

Situation:

--I have a client who has a small network, 12 XP & 2K clients with small business server
-- He had me set up a DSL connection, which he wants to have just three boxes get online, all in different rooms, one of them is actually on a different floor
-- He doesn't want to have anything else online. He doesn't want the server even plugged in to a computer that can get online, (he has a phobia of hackers)
--I have a Linux router/firewall which can disallow access to the server but the client does not trust firewalls.
--Neither one of us wants to install separate wiring (which will be a hassle) and separate computers just to get online.

I am trying to convince the client to use the existing architecture, what's the safest way to do this without installing new wiring and separate computers?

Thanks
You have a private message from me, please check it as soon as possible.
 

· Registered
Joined
·
22,834 Posts
slarti,

Hopefully I've explained a solution clearly.

1. You don't need any additional wiring.

2. Whatever the computers you don't want on the Internet are connected to now (router, switch etc.), just disconnect them from there and connect them to a new switch. A 16 port one should not cost more than something like $50.

3. There should be no need to change any IP settings unless the Linux box was also acting as a DHCP server. Even then it is not hard to assign IP address to just a few computers. With XP and Windows2000 you don't even need to reboot after doing it.
 

· Retired Administrator
Joined
·
104,767 Posts
AcaCandy said:
You have a private message from me, please check it as soon as possible.
Thank you for your prompt attention to my request. As mentioned, I have edited the thread to reflect your new user name. BTW, your last pm was blank ;)
 

· Registered
Joined
·
220 Posts
Discussion Starter · #10 ·
AcaCandy said:
Thank you for your prompt attention to my request. As mentioned, I have edited the thread to reflect your new user name. BTW, your last pm was blank ;)
Weird? I just said "You too". :)
 

· Registered
Joined
·
220 Posts
Discussion Starter · #11 ·
Bob Cerelli said:
slarti,

Hopefully I've explained a solution clearly.

1. You don't need any additional wiring.

2. Whatever the computers you don't want on the Internet are connected to now (router, switch etc.), just disconnect them from there and connect them to a new switch. A 16 port one should not cost more than something like $50.

3. There should be no need to change any IP settings unless the Linux box was also acting as a DHCP server. Even then it is not hard to assign IP address to just a few computers. With XP and Windows2000 you don't even need to reboot after doing it.
Thanks for the advice. I guess my main issue was to keep those computers on the network and let them go online as well, with as little threat to the server. So I think I'll bring it to him as having the whole intranet connected and then those three going through another switch and then out to the router. Thanks.
 

· Registered
Joined
·
22,834 Posts
This last bit of information - "to keep those computers on the network and let them go online as well" - is different than what was posted right from the beginning - "He doesn't want the server even plugged in to a computer that can get online". Can't have it both ways.

Going through another switch and out the router isn't going to solve much either. Either the three computers will be connected to Internet and LAN at the same time or they will not.
 

· Registered
Joined
·
220 Posts
Discussion Starter · #13 ·
OOps. :eek:

Sorry, I thought that I posted that in the situation at the beginning. That was the whole problem that had me stumped. I was trying to get a way to be the most secure with two routers/switches to pass traffic through, etc. But I did tell him that ANYTHING connected to the network and the internet would be a potential breach.

Sorry about that. Thanks for your input. I think that I have enough to tell him that we need to go one way or the other. I was just wondering if I had missed some way to do this with the existing architecture.
 

· Registered
Joined
·
22,834 Posts
It's tough for people to figure out what they really want. Total security yet access to the Internet.

Kinda like wanting to have a house where you can go in and out, but make sure no one will ever burglarize it. Just can't be done.

But you can protect yourself against reasonable threats. But if the boss doesn't trust firewalls, anti-virus and anti-spyware software, it may be tough to have it both ways.

To continue the analogy, if you don't trust locks, then there aren't too many options available for securing your house that are going to allow you to continue to enter and leave them.
 

· Registered
Joined
·
220 Posts
Discussion Starter · #15 ·
Thanks for all your advice. I think that I'll just take all the options to him, he's the one that is responsible for the safety of the network and so it rests with him.
 