gsaunders

join:2004-07-09
Salem, VA

[Other] How to segregate public and private access on network.

We have an office with about 20 computers.
We have several Netgear network switches (they have VLAN support, but not MAC address filtering).
We have 3 Linksys WRT54G wireless access points (currently secured).

Here is the problem:
We want to protect our private network (both physical and wireless). Right now anyone could plug a computer into a network jack and get access to the internet and be on the same network as our servers. We do not want public computers (packets / data) to even be able to hit our servers or other private computers. What would you suggest be done to do this? Can you VLAN based on MAC address? Meaning, can a list of MAC addresses all go to one VLAN from one port, and then all other unknown MAC addresses that might attach to the same port go to another VLAN?

We ultimately need to allow access via wireless access points as well. We have 3 Linksys WRT54G's right now.

Here was a thought on a poor man's solution. This is a church, so we can't afford high-end Cisco stuff.

1) Have a router with two internal NICs. One for Private, one for public access. All data ends up going out the same cable broadband.

2) Have managed (lower cost) switches like Netgear that have MAC address filtering, which only allow staff computers on all ports but the ones designated open. Create a separate VLAN for the open ports and have those all go to the second NIC on the firewall for public access.

3) Hook up a single wireless access point to the open VLAN and set up standard security that can be handed out to staff to give to visitors that need access... or we need a way to have it open, but require some sort of web interface they must login through so we can track things.

Hopefully you see what we are wanting.

Thanks in advance.

Greg


aryoba
Premium,MVM
join:2002-08-22
kudos:4


Re: [Other] How to segregate public and private access on network.

said by gsaunders:

We want to protect our private network (both physical and wireless). Right now anyone could plug a computer into a network jack and get access to the internet and be on the same network as our servers. We do not want public computer (packets / data) to even be able to hit our servers or other private computers.
You could set the servers and private computers to be within their own broadcast domain or VLAN (subnet). In other words, you want to separate servers, private computers, and guest computers (if permitted) into dedicated subnets. A firewall should be in place to restrict which IP addresses can access the server subnet and which can't.

In addition, there should be some authentication server that can verify if certain machines are considered private computers, either wired or wireless. Such an authentication server could be, let's say, a RADIUS server. If the network is Windows based, then you can also set up Active Directory credentials for authentication.

I personally won't do MAC Address authentication. Although such authentication is technically possible, it is not scalable especially when there are more and more machines within the network.


janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL
reply to gsaunders

To make option one work you must be able to prevent guests from being able to physically access ports on your private wired network. If this can be accomplished then you can use a router such as a Zywall 2 plus to create separate private and guest networks. You would also need another wireless access point/router for guest wireless access.
--
Jim Anderson



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Can you provide more detail on how the users relate to each other. Which groups should have access to which parts and also delineate if users within a group should not have access to each others PCs (ie no LAN).


gsaunders

join:2004-07-09
Salem, VA

said by Anav:

Can you provide more detail on how the users relate to each other. Which groups should have access to which parts and also delineate if users within a group should not have access to each others PCs (ie no LAN).
There are only two groups of users. Private (Staff) and Public (Guests and Church Lay people).

On the wireless side of things I could easily put up one or two wireless devices that are connected directly off of the 2nd NIC of the firewall/router, and this would prevent anyone on those wireless devices from getting to the private side.

But we cannot secure the physical jacks as they are all over the building and in rooms that are like classrooms or are not locked.

So my first hurdle is blocking any public computer that gets plugged into one of these physical ports. How would the network know which computer is public vs. private? It is too late to check via login, isn't it, because by then DHCP has already handed out the IP.

It is an interesting problem. The only thing I could see was the mac address possibility, but as mentioned it isn't very scalable as I would have to manually update it... which to be honest in this environment isn't that big of a deal.

gsaunders

join:2004-07-09
Salem, VA
reply to aryoba

said by aryoba:

said by gsaunders:

We want to protect our private network (both physical and wireless). Right now anyone could plug a computer into a network jack and get access to the internet and be on the same network as our servers. We do not want public computer (packets / data) to even be able to hit our servers or other private computers.
You could set the servers and private computers to be within their own broadcast domain or VLAN (subnet). In other words, you want to separate servers, private computers, and guest computers (if permitted) into dedicated subnets. A firewall should be in place to restrict which IP addresses can access the server subnet and which can't.

In addition, there should be some authentication server that can verify if certain machines are considered private computers, either wired or wireless. Such an authentication server could be, let's say, a RADIUS server. If the network is Windows based, then you can also set up Active Directory credentials for authentication.

I personally won't do MAC Address authentication. Although such authentication is technically possible, it is not scalable especially when there are more and more machines within the network.
Can you expand on this a bit? How would I automate the computers being in their own VLAN (subnet)? Everything is handled via DHCP, so presumably a public computer plugged into a physical connection would just look like any other computer. I can't secure the network jacks, so I know there are times a public computer is plugged in there.

gsaunders

join:2004-07-09
Salem, VA
reply to janderso1

said by janderso1:

To make option one work you must be able to prevent guests from being able to physically access ports on your private wired network. If this can be accomplished then you can use a router such as a Zywall 2 plus to create separate private and guest networks. You would also need another wireless access point/router for guest wireless access.
Yes... I definitely plan on a firewall with 2 internal NICs that can be separated into private and guest... the problem is blocking guests that plug into a hard-wired port on the wall.

AND if I do have a public wireless... I could either make it open or provide staff with the public key they can hand out to guests... which could be problematic anyway. I would almost rather have a web authentication that would allow open access, but force the person to register and so forth... not sure what I would do there.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Wifi is easy.
The wired jacks all over the place is a problem.

Perhaps it may be possible to separate wired jacks under one's control from ones that are not. Those that are not could be placed in a group that has services that are scheduled. In other words, only certain services allowed and only for certain hours.

The Zywall 2 Plus as noted above is relatively inexpensive and can do this; actually it can have three separate groups.

The problem is if someone wants to use one of these jacks after hours or full services and is a legitimate staff user????

A login method as described often is solved by using a hotspot router, but not sure it really fits here.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"



LLigetfa

join:2006-05-15
Fort Frances, ON
kudos:1
reply to gsaunders

Managed switches can have their ports locked down to a specific MAC. This will stop the casual guest from "borrowing" the ethernet cable from the printer. For better security, you can set up the network with 802.1X security.
»en.wikipedia.org/wiki/802.1x
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to gsaunders

said by gsaunders:

said by aryoba:

said by gsaunders:

We want to protect our private network (both physical and wireless). Right now anyone could plug a computer into a network jack and get access to the internet and be on the same network as our servers. We do not want public computer (packets / data) to even be able to hit our servers or other private computers.
You could set the servers and private computers to be within their own broadcast domain or VLAN (subnet). In other words, you want to separate servers, private computers, and guest computers (if permitted) into dedicated subnets. A firewall should be in place to restrict which IP addresses can access the server subnet and which can't.

In addition, there should be some authentication server that can verify if certain machines are considered private computers, either wired or wireless. Such an authentication server could be, let's say, a RADIUS server. If the network is Windows based, then you can also set up Active Directory credentials for authentication.

I personally won't do MAC Address authentication. Although such authentication is technically possible, it is not scalable especially when there are more and more machines within the network.
Can you expand on this a bit? How would I automate the computers being in their own VLAN (subnet)? Everything is handled via DHCP, so presumably a public computer plugged into a physical connection would just look like any other computer. I can't secure the network jacks, so I know there are times a public computer is plugged in there.
Any decent DHCP server should be able to hand out IP addresses from a specific subnet. If your switch or router doesn't support UDP Broadcast Forwarding for a centralized DHCP server, then your only choice is to have several DHCP servers, where each subnet has its own DHCP server.

Let's say you have to have multiple DHCP servers. The following setup is one way you could do it.


    Internet
        |
 Internet Router
        | 10.0.0.1/24
        |
Unmanaged Switch
        |
        +-------------------+-------------------+
        |                   |                   |
        | 10.0.0.2/24       | 10.0.0.4/24       | 10.0.0.3/24
    Router 1            Router 3            Router 2
        | 10.0.1.1/24       | 10.1.0.1/24       | 10.0.2.1/24
        |                   |                   |
Unmanaged Switch    Unmanaged Switch    Unmanaged Switch
        |                   |                   |
      LAN 1               LAN 3               LAN 2
(Private: Staff)         Servers        (Public: Guests)
   10.0.1.0/24         10.1.0.0/24         10.0.2.0/24
      users                                   users

* Set Router 1 and Router 2 as DHCP servers for LAN 1 and LAN 2 users respectively.
* Both Router 1 and Router 2 also act as firewalls to permit or deny access to LAN 1, 2, 3, or the Internet.
* There will be an authentication server in LAN 3 (i.e. a RADIUS server, or an Active Directory Domain Controller if your network is Windows based) to authenticate users with username and password, to verify if a specific user is considered a Staff member (Private) or a Guest.
* This authentication server also restricts which user can access which IP address. You can set, let's say, Staff to be able to access both servers and the Internet, while Guest is only able to access the Internet.

With this setup, you or the authentication server can tell if a user coming from a specific IP address is considered Staff or Guest. If somehow a Guest tries to connect from a Staff computer, let's say, there is still an authentication process to verify if the user is logging in as Guest or Staff from the credentials entered.
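As an added example (not code from this thread or from any of the posters), the Python script below models the three-subnet design in the diagram above and the access rule the post states: Staff may reach the servers and the Internet, Guests may reach only the Internet, everything else is denied. It classifies an address into a zone, answers "may this source open a connection to this destination?", and renders the matching iptables FORWARD rules for Router 1 and Router 2. The subnets are the ones in the diagram; the 10.0.0.0/8 catch-all drop and the reliance on connection tracking for reply traffic are my assumptions.

```python
import ipaddress

# Subnets from the diagram. The /8 catch-all is an assumption: it keeps guests
# away from any internal address space that is not explicitly permitted.
ZONES = {
    "staff":   ipaddress.ip_network("10.0.1.0/24"),  # LAN 1, behind Router 1
    "guests":  ipaddress.ip_network("10.0.2.0/24"),  # LAN 2, behind Router 2
    "servers": ipaddress.ip_network("10.1.0.0/24"),  # LAN 3, behind Router 3
    "transit": ipaddress.ip_network("10.0.0.0/24"),  # links between the routers
}
INTERNAL_SPACE = ipaddress.ip_network("10.0.0.0/8")

# Who may *initiate* connections to whom, as the post describes. Replies come
# back via stateful connection tracking, so they need no rule of their own.
POLICY = {
    "staff":  {"servers", "internet"},
    "guests": {"internet"},
}


def zone_of(ip):
    """Classify an address: a named LAN, 'internal' for other 10/8 space, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internal" if addr in INTERNAL_SPACE else "internet"


def is_allowed(src, dst):
    """Policy oracle: may src open a new connection to dst? Default is deny."""
    return zone_of(dst) in POLICY.get(zone_of(src), set())


def iptables_rules(zone):
    """Render FORWARD rules for the router that fronts `zone`.

    Order matters: explicit internal permits first, then a drop for the rest of
    the internal space, then a final accept that is what 'the Internet' means.
    """
    src = ZONES[zone]
    allowed = POLICY.get(zone, set())
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for dst in sorted(allowed - {"internet"}):
        rules.append(f"iptables -A FORWARD -s {src} -d {ZONES[dst]} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {src} -d {INTERNAL_SPACE} -j DROP")
    if "internet" in allowed:
        rules.append(f"iptables -A FORWARD -s {src} -j ACCEPT")
    return rules


def check_policy(cases):
    """Run (src, dst, expected) triples through the oracle; return the failures."""
    return [(s, d) for s, d, want in cases if is_allowed(s, d) != want]


# Constructed test traffic (198.51.100.10 is a documentation address standing in
# for "some host on the Internet").
CASES = [
    ("10.0.1.20", "10.1.0.5",      True),   # staff -> file server
    ("10.0.1.20", "198.51.100.10", True),   # staff -> Internet
    ("10.0.2.7",  "198.51.100.10", True),   # guest -> Internet
    ("10.0.2.7",  "10.1.0.5",      False),  # guest -> server: denied
    ("10.0.2.7",  "10.0.1.20",     False),  # guest -> staff PC: denied
    ("10.0.2.7",  "10.0.0.1",      False),  # guest -> router link address: denied
    ("10.0.2.7",  "10.9.9.9",      False),  # guest -> stray internal space: denied
    ("10.0.1.20", "10.0.2.7",      False),  # staff -> guest: not in policy, denied
]

if __name__ == "__main__":
    print("policy failures:", check_policy(CASES))
    for zone in POLICY:
        print(f"\n# Router fronting {zone}")
        print("\n".join(iptables_rules(zone)))
```

The oracle and the rule generator are kept as two separate functions on purpose: the CASES table states the intent in plain terms, and the rendered rules can be checked against it before anything is typed into a router. The rules cover forwarded traffic only; what the router itself accepts on its own addresses (the INPUT chain) still needs its own policy.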

muiredised
ESSE QUAM VIDERI

join:2007-06-11
Tacoma, WA
kudos:1
reply to gsaunders

So you have some servers that you want to limit access to privileged clients. You have a physical network that cannot necessarily be tightly controlled. Can you control the physical network of the servers? By that I mean, can you put all of your servers behind one of your routers? If so then a VPN solution might work well.

 
                +------------+
                |  WRT54G    |
                |  UNSECURED |
                +------------+
                  (10.0.0.1)
                      |
                      |
          +---------------------+
          |                     |
     (10.0.0.2)                 |
    +----------+            +------------------+
    |  WRT54G  |            |  UNCONTROLLED    |
    | SECURED  |            |  "PUBLIC" LAN    |
    +----------+            +------------+-----+
     (10.0.1.1)                          |      \
          |                     +--------+---+   +-------+
    +---------------+           | PRIVILEGED |   | GUEST |
    |               |           | PC(USE VPN)|   | PC    |
(10.10.1.X)    (10.10.1.X)      +------------+   +-------+
+---------+    +---------+       (10.10.0.x)    (10.10.0.x)
|  VPN    |    | OTHER   |       & via tunnel
| SERVER  |    | PRIVATE |       (10.10.1.x)
+---------+    | SERVER  |
               +---------+
 
 

Again, this initially assumes you can physically segregate your servers from the rest of the physical network. One of your WRTs acts as a firewall between your "private LAN" and your "public LAN". This allows privileged wireless clients to access your secured WRT54G only if you provide them the WPA information. Guests can have unsecured wireless access to the public portion of your LAN. If you have a computer plugged into the unsecured physical network then you can utilize VPN to tunnel into your "private LAN". This also solves the problem of having plain text private info traversing a public network.

If you are unable to physically segregate all of your servers you can still use this solution as long as care is taken in the configuration of the server. The services have to be configured to only respond to requests from the subnet/virtual adapter used by the VPN and firewalls have to be configured carefully.

Just food for thought....

--
Assiduus usus uni rei deditus et ingenium et artem saepe vincit