Forums » Up and Running » Security » Security » What is the best way to isolate a single PC on a LAN?
whoopie

@bellsouth.net

What is the best way to isolate a single PC on a LAN?

Short scenario:

I want to connect an untrusted (probably infected) PC to my LAN for internet access but want to make sure this computer isn't able to communicate with other PCs within the LAN. What would be the best way to go about this? I just want to make sure the infected PC will not attempt to spread its crap to other PCs within the network.


rawwhide
Zer0
Premium
join:2000-09-03
Zero
Isolate it on a separate router.


winsyrstrife
River City Bounce
Premium
join:2002-04-30
Brooklyn, NY
reply to whoopie
Another solution is a separate VLAN, if your switch / router is capable of this feature.

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

reply to whoopie
What makes the other PCs vulnerable to the 'crap' ?

Good passwords on accounts, no unpassworded writable shares, guest access disabled, up-to-date patching, integral firewall enabled = risk is close to zero.

(You might have trouble with some of that on 'home' versions of the OS, in particular disabling guest access).

Graycode

join:2006-04-17
·net2phone

reply to whoopie
We had those concerns when my kid had people over for gaming / LAN parties. Also, I don't trust the computers of some of my own friends; some practice safe-Hex but others don't.

We use at least two NAT routers. Untrusted computers connect to the primary router, while another NAT router protects the trusted family computers.

ISP -- Primary      Family    /-- Family PC 1
       Router   --- Router    |-- Family PC 2
         |                    \-- Family PC 3
         |
       Switch                 /-- Untrusted PC 1
         Or                   |-- Untrusted PC 2
       Router                 \-- Untrusted PC 3

The family router is wired. We'd open the untrusted segment for wireless when the untrusted gamers arrived.

wolfy339

join:2005-04-30
Edmonds, WA

said by Graycode:

ISP -- Primary      Family    /-- Family PC 1
       Router   --- Router    |-- Family PC 2
         |                    \-- Family PC 3
         |
       Switch                 /-- Untrusted PC 1
         Or                   |-- Untrusted PC 2
       Router                 \-- Untrusted PC 3

Borrowing Graycode's example for a minute: you can add firewall rules at either the primary router or the family router to block all traffic between the untrusted computer and the trusted segment of your LAN. Example: if your trusted network is 192.168.2.0/24 and your untrusted network is 192.168.3.0/24, you can tell the primary or family router to drop all from 192.168.2.0 to 192.168.3.0 and to drop all from 192.168.3.0 to 192.168.2.0. Make sense?

--
Computer: PIII/733, 512MB DDR RAM, ATI Xpert2000, 60&320GB HDDs, Windows XP PRO SP3, Mcafee 2009 AV/FW, Creative SB Live, Samsung SyncMaster 2443BWX, Verizon DSL 768/128 w/ Westell 6100 C90


whoopie

@bellsouth.net

reply to whoopie
My router/gateway is a 2wire 2701HG-B. I had a feeling that I was prolly going to have to add another router. I have to fix my friend's PCs due to the monthly malware infection and just want to be able to plug it in and get to work without having to lockdown my own PCs. All my computers are password protected, running AV/Firewall and are fully patched, but I still don't like the idea of an infected PC being connected to the same network.


angussf
Premium
join:2002-01-11
Tucson, AZ

said by whoopie:

My router/gateway is a 2wire 2701HG-B. I had a feeling that I was prolly going to have to add another router. I have to fix my friend's PCs due to the monthly malware infection and just want to be able to plug it in and get to work without having to lockdown my own PCs. All my computers are password protected, running AV/Firewall and are fully patched, but I still don't like the idea of an infected PC being connected to the same network.
If you used a real router like IPCop or pfsense instead of your ISP-provided 2wire "router", you wouldn't need a second router. With IPCop you set up a "GREEN" LAN of trusted machines, a "BLUE" LAN of machines you don't know about, and the two can't see each other but both can see the Internet. IPCop is a free Linux firewall that runs on any old PC (well, maybe not an 8088 or an 80286, but anything fairly recent) -- it doesn't even need a keyboard or monitor once it's running. You need three network cards to set up a RED/GREEN/BLUE network (RED is the Internet-facing NIC), and then separate switches on GREEN and BLUE. See more at ipcop.org/ -- and there is great support on the IPCop-users mailing list. I run IPCop at home, at my office, and at client sites.

I routinely set up "routers" like the 2wire in bridged mode and let IPCop do the real routing. IPCop supports PPPoE logins for ISPs that require it.

Another possibility is a managed switch which supports VLANs. But managed switches with VLAN support ain't cheap.
--
Angus S-F
GeoApps, Tucson, Arizona, USA
geoapps.com/
www.linkedin.com/in/angussf


whoopie

@bellsouth.net
I have heard of those, but I don't have a spare PC around to set one up on.


Drunkula
Premium
join:2000-06-12
Denton, TX
·Verizon FIOS

reply to whoopie
Yeah it's very nice to have a spare PC (or embedded device) with 3 or more NICs in it. I used to have my wireless access on a separate 192.168.x.x subnet and all my wired computers on 10.9.x.x subnet. The only traffic I allowed between the two was TCP port 22 from the wired to wireless.
--
There are 10 types of people that understand binary numbers. Those that do - and those that do not...
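As an added example (not from the thread, and not any router's real configuration syntax), here is a small Python model of the rules wolfy339 and Drunkula describe: drop everything in both directions between the trusted and untrusted subnets, leave Internet traffic alone, and optionally allow TCP/22 one way only. The subnets are the ones wolfy339 quotes; Drunkula's SSH exception is mapped onto those same subnets, and the 203.0.113.7 "Internet" address is a constructed sample.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Subnets as quoted in wolfy339's post; the rule syntax below is a model
# of our own, not any router's configuration language.
TRUSTED = ip_network("192.168.2.0/24")    # family / trusted segment
UNTRUSTED = ip_network("192.168.3.0/24")  # guest / possibly infected segment

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def decide(rules, src, dst, proto="tcp", dport=None):
    """First matching rule wins. No match falls through to accept, so both
    segments keep Internet access. Stateless: a real router would pair the
    port-22 exception with an established/related rule for return traffic."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "accept"

# wolfy339's rules: drop everything between the two segments, both ways.
ISOLATE = [
    Rule(TRUSTED, UNTRUSTED, "drop"),
    Rule(UNTRUSTED, TRUSTED, "drop"),
]

# Drunkula's variant: trusted may still reach untrusted on TCP/22 only.
# The exception must come before the drops because matching is first-match.
ISOLATE_WITH_SSH = [Rule(TRUSTED, UNTRUSTED, "accept", "tcp", 22)] + ISOLATE

if __name__ == "__main__":
    for desc, src, dst, port in [
        ("infected PC -> family PC, SMB", "192.168.3.10", "192.168.2.5", 445),
        ("infected PC -> Internet, HTTP", "192.168.3.10", "203.0.113.7", 80),
        ("family PC -> infected PC, SSH", "192.168.2.5", "192.168.3.10", 22),
    ]:
        print(desc, decide(ISOLATE, src, dst, "tcp", port),
              decide(ISOLATE_WITH_SSH, src, dst, "tcp", port))
```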


pvale
Lurk, Lurk, Lurk,They Call Me The Lurker

join:2000-03-29
Washington, MO
·Charter Pipeline

reply to whoopie
I have a Linksys WRT54-TM router running DD-WRT V24. There is a tutorial on DD-WRT's site on how to set up a guest wireless that has access to the net, but no access to any of the other machines. I believe there is also a tutorial about how to separate one of the wired ports into a separate VLAN.

Perry


rawwhide
Zer0
Premium
join:2000-09-03
Zero
·AT&T DSL Service

reply to whoopie
said by whoopie:

I have to fix my friend's PCs due to the monthly malware infection and just want to be able to plug it in and get to work without having to lockdown my own PCs.
You can just turn off your other computers!!
--
To talk much and arrive nowhere is the same as climbing a tree to catch a fish.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
·Optimum Online
·Vonage

said by rawwhide:

said by whoopie:

I have to fix my friend's PCs due to the monthly malware infection and just want to be able to plug it in and get to work without having to lockdown my own PCs.
You can just turn off your other computers!!
HA, I was just going to say the same thing!!
--
You can chain my body to the earth, but still my spirit flies!

KEEP THE GOVERNMENT OUT OF HEALTHCARE

14,350 DEADLY TERROR ATTACKS SINCE 9/11


whoopie

@bellsouth.net
reply to rawwhide
Well, that is an obvious solution but I'd like use of those computers while working on the infected one.


rawwhide
Zer0
Premium
join:2000-09-03
Zero
·AT&T DSL Service

Unplug them from the network. You can still use them. If you still want them to be connected then the cheap way out is to firewall your own computers. Since you seemingly don't have a hardware solution as suggested above, a software solution may solve your problem. Set up a software firewall on all your PCs. I say may because not all firewalls are created equal.
--
To talk much and arrive nowhere is the same as climbing a tree to catch a fish.
Saturday, 21-Nov 07:07:09 | © 1999-2009 dslreports.com.