Koozali.org: home of the SME Server

Ideas for a SAFE network segment?

Offline allun

« on: March 30, 2006, 02:12:28 AM »
Can anyone suggest ideas for the following situation? Ideally a software-only solution would be great, although I think I'm resigned to a physically separate network to some extent... anyway, here's the deal:

We have an office network, and as part of the company's work we often get laptops and PCs into the office to repair/upgrade, and visitors asking if they can plug laptops into the network.

We have never really been comfortable allowing this, and do a few sanity checks before connecting a PC, as well as monitoring them for suspicious activity through server tools and having a quick look at the machine ourselves.

What I would like to do is have a sandboxed bit of network where we can plug in an unknown PC and allow it to have internet access (to update virus definitions for example) and ideally file sharing access so that a visitor can use our printers, shares etc.

Anyone done something similar? The first thing that comes to mind is to put a smoothwall or similar box between our network and the "unknown" network, and allow only port 80 through. Sometimes though, it would be really good to allow file sharing... maybe by opening SMB ports to specific machines only?

Ideas would be appreciated!

Allun
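The firewall-box idea from the post above, written out as an added example (not posted by anyone in the thread): a shell function that emits an `iptables-restore` ruleset letting the untrusted segment reach port 80 and, optionally, SMB on named machines only. The interface names, addresses, and the DNS, DHCP and SSH admin rules are assumptions.

```shell
#!/bin/sh
# Added example: ruleset for a Linux box between the office LAN and a guest segment.
# Every name and address here is a constructed placeholder; adjust before use.
GUEST_IF="${GUEST_IF:-eth1}"              # where unknown PCs plug in
OFFICE_IF="${OFFICE_IF:-eth0}"            # faces the office LAN and its internet gateway
OFFICE_NET="${OFFICE_NET:-192.168.1.0/24}"
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"   # resolver the guests may query
WEB_PORTS="${WEB_PORTS:-80}"              # the post allows only port 80
SMB_HOSTS="${SMB_HOSTS:-}"                # space-separated SMB hosts; empty = no file sharing

guest_ruleset() {
    echo "*nat"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo "-A POSTROUTING -o $OFFICE_IF -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $OFFICE_IF -p tcp --dport 22 -j ACCEPT"   # admin SSH from office side
    echo "-A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT"    # DHCP requests from guests
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Narrow exceptions into the office LAN must come before the blanket drop.
    echo "-A FORWARD -i $GUEST_IF -o $OFFICE_IF -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
    for host in $SMB_HOSTS; do
        echo "-A FORWARD -i $GUEST_IF -o $OFFICE_IF -d $host -p tcp -m multiport --dports 139,445 -j ACCEPT"
    done
    # Anything else aimed at the office LAN is logged, then dropped.
    echo "-A FORWARD -i $GUEST_IF -d $OFFICE_NET -j LOG --log-prefix guest2office:"
    echo "-A FORWARD -i $GUEST_IF -d $OFFICE_NET -j DROP"
    # Only destinations outside the office LAN can reach this web rule.
    echo "-A FORWARD -i $GUEST_IF -o $OFFICE_IF -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT"
    echo "COMMIT"
}

# Print the ruleset only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "print" ]; then
    guest_ruleset
fi
```

Piping the output through `iptables-restore --test` parses the rules without committing them. The log prefix gives a quick way to spot a guest machine probing office hosts.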

Offline Boris

« Reply #1 on: March 30, 2006, 10:23:24 PM »
Allowing access to the shares defeats the whole purpose of the "safe segment".

I would get a small/cheap hardware residential router/firewall and connect unknown PCs to it until they are checked, sanitized and updated. Then, if access to your shared resources is required, it's safer to reconnect them to the internal network.

Offline beakersloco

« Reply #2 on: May 10, 2006, 10:39:37 AM »
You should not have any issues with infected machines as long as you don't access any files on your network. I have had all manner of infected PCs on my network with no problems. I simply connected them to install AVG antivirus and most times this took care of it ... of course there were a few times when I ended up formatting the system as AVG would not get rid of the virus.

I did not access any files on my network shares (it helps that all my shares require a password). I created a web directory for any files that I needed, so it was no different than connecting to a website, and I have not had any issues from infected PCs infecting my network.

"All that's necessary for the forces of evil to win in the world is for enough good men to do nothing." Edmund Burke - Irish orator, philosopher, & politician


For the battle is not yours, but God's.   2 Chronicles 20:15