freelance84 Posted September 15, 2011

Wooo... another new thing I have to learn... I need to set up an internal network (no internet access). 3 of the computers on the network will be using a switch to jump between the internet and the internal network (i.e. none of the computers whilst on the internal network will have any exposure to the internet). The other 4 will only ever have access to the internal network. With the internet router we have at the moment, we can set any folder to be "sharing" and pass info between other members on the network. When I pull out the BB lead the network still works. So, if anyone has any knowledge on this... Should I buy a switch or an additional modem?

SparK_BR Posted September 16, 2011

You buy offboard network cards and connect those to the modem on the internet-enabled computers, OR you can set up a proxy server (using Windows Server) sitting between the network and the modem and have it block/unblock network users (then you would have to set up domain-based login, etc...)

freelance84 Posted September 16, 2011

Hi, I've attached a dwg of the setup we are trying to achieve: Comp1>4 will only ever have access to each other (primarily the Data HDD) and have no access to the internet. Comp6>7 will have access to the Data HDD via the switch OR access to the internet via the already configured broadband modem & router. This will be decided by the user by operating their "Ethernet switch box", thus comp6>7 will never have access to both the DataHDD and the internet at the same time. (Each computer is already network ready.) Is this going to be easy to set up, and does anyone know of any 'idiots guide' to configuring this sort of a setup?

Thanks, John

[attachment deleted by admin]

Pikachu2000 Posted September 16, 2011

You should be able to configure the router to block internet access to certain machines based on MAC address. What is the purpose of allowing 'either/or' access to #6 and #7 like that?

freelance84 Posted September 16, 2011

True, however we are going to be getting a switch as there are actually 8 computers accessing the DataHDD, and only 2 will ever need access to the internet. So as we will be getting a switch to keep things speedy, do you think this is going to be feasible? Will the comps switching between the internet and the internal network encounter any problems that you might be able to think of?

Pikachu2000 Posted September 16, 2011

Do you understand what an ethernet switch actually does? It isn't a box that you select between two connections, it's a layer 2 networking device that provides dedicated, full duplex bandwidth between two hosts, not a box with a selector on it.

freelance84 Posted September 16, 2011

Yea I am again completely new into a field. On my sketch, the 'switch boxes' I labelled are actually THESE which do switch between one Ethernet connection and the other (essentially the same as pulling out one lead and plugging in another). The 'switch' I labelled in the center of the diagram I am thinking will be something like THIS. Thus comp6 and comp7 I am hoping will be able to physically switch between the internal network and internet. I am just wondering if there will be any issues I may have to contend with, for example will switching from one network to the other like that cause any problems?

Pikachu2000 Posted September 16, 2011

> Yea I am again completely new into a field. On my sketch, the 'switch boxes' I labelled are actually THESE which do switch between one Ethernet connection and the other (essentially the same as pulling out one lead and plugging in another).

Those are primarily designed to allow using two devices on one port, not the other way around. I can think of absolutely no reason whatsoever to even consider using one of those, anyhow.

> The 'switch' I labelled in the center of the diagram I am thinking will be something like THIS.

That looks like it should do the job just fine.

> Thus comp6 and comp7 I am hoping will be able to physically switch between the internal network and internet. I am just wondering if there will be any issues I may have to contend with, for example will switching from one network to the other like that cause any problems?

But why attempt to do what you're describing? That's what the router is there for.

freelance84 Posted September 16, 2011

Long story short, the manager simply does not want any access to the internet from a few computers as there may be sensitive data on there, and a software block to a certain port for example he sees as not that safe.

Pikachu2000 Posted September 16, 2011

Then the manager is utterly clueless.

freelance84 Posted September 16, 2011

Hmm, well what can I say to that. He is requesting that the HDD containing sensitive data only ever sits on a computer which never sees the internet, as is the case at the moment. If the sensitive data's only wall between it and the rest of the world is a 1 or a 0 in software sat on a switch, he sees that as not really good enough. Not much I can do about that. I was just asking though if the solution I came up with might work or not.

JonnoTheDev Posted September 19, 2011

This is real basic stuff in terms of networking. The switch boxes you talk about are nonsensical. You have 8 computers, yes. They all must be on the network, forget about access to what in terms of a physical network. Everything on a network has to be hard wired in (or wireless these days). So you need a 12 port (minimum) hub / switch in the center. Connect all PCs to it via CAT5 cable. Now plug your router into the hub / switch via CAT5 also and connect the RJ11 or coax socket (dependent on the type of broadband you have) into the phone line.

Now, the way I would set up such a small network would be to use fixed IP addresses. Do not have your router giving out addresses over DHCP. You want a private range, so for example you could give your PCs addresses from 192.168.10.2 - 192.168.10.9. Give the router a fixed IP of 192.168.10.1. In the TCP/IP settings for each PC add the IP addresses, and if you want them to access the Internet give them the gateway address of the router. Done, you now have a network.

Now if I want to be more secure on giving people Internet access and protecting my network (as anyone who has a bit of IT nous could add the gateway address of the router to give themselves access) I would insert a firewall between the router and the network. With this I can set up rules for incoming / outgoing traffic, block ports, etc. and also restrict the IP addresses that can access the router (the web). So I could not allow PCs with the IP address of 192.168.10.2 / 3 to access the web via the firewall.

What you would do to set up the firewall is give the router's original IP address of 192.168.10.1 and the router would be connected via CAT5 to the firewall's WAN port. The router would be then given an address on a completely different subnet from your network, i.e. 10.0.0.1 or a public address of let's say 212.36.52.145. The firewall forwards traffic between the public network and router. A PC on the network can never talk directly to the router without passing through the firewall.

Some routers have IP blocking, firewalls etc. built into them if you do not want to have a separate box, but for any network I would always have a firewall protecting the private LAN. I have attached a file to show you how simple this looks.

[attachment deleted by admin]

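Added example, not part of any post in this thread: a small Python model of the firewall's outbound (LAN to WAN) filtering for the 192.168.10.2 - 192.168.10.9 address plan described above, comparing a rule set that blocks only .2 and .3 with a default-deny allow-list. The rule format, the function names and the choice of .8 and .9 as the two internet machines are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")          # private range from the post
PCS = [ipaddress.ip_address(f"192.168.10.{n}") for n in range(2, 10)]
# Assumption: .8 and .9 are the two PCs that should reach the internet.
INTERNET_PCS = {ipaddress.ip_address("192.168.10.8"),
                ipaddress.ip_address("192.168.10.9")}


def host(ip):
    """Single-address network, so rules can match one PC."""
    return ipaddress.ip_network(f"{ip}/32")


# Hypothetical rule format: (action, source network); first match wins.
# Variant 1: block the two named PCs, then let the rest of the LAN out.
DENY_LIST = [("drop", host("192.168.10.2")),
             ("drop", host("192.168.10.3")),
             ("accept", LAN)]
# Variant 2: accept only the listed PCs; everything else hits the default drop.
ALLOW_LIST = [("accept", host(ip)) for ip in sorted(INTERNET_PCS)]


def outbound_allowed(rules, src, default="drop"):
    """True if the firewall would forward LAN -> WAN traffic from src."""
    src = ipaddress.ip_address(src)
    for action, net in rules:
        if src in net:
            return action == "accept"
    return default == "accept"


def audit(rules, hosts, permitted):
    """Return (ip, actual) for every host whose access differs from policy."""
    findings = []
    for ip in hosts:
        actual = outbound_allowed(rules, ip)
        if actual != (ip in permitted):
            findings.append((str(ip), "allowed" if actual else "blocked"))
    return findings


if __name__ == "__main__":
    for name, rules in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        print(name, "policy gaps:", audit(rules, PCS, INTERNET_PCS))
        # A PC added later at .10 is not named in either rule set.
        print(name, "new host .10 gets out:",
              outbound_allowed(rules, "192.168.10.10"))
```

With the deny-list variant every PC not explicitly blocked, including one added later, is forwarded; with the allow-list variant only the named machines are, whatever gateway a user types into their TCP/IP settings.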
SparK_BR Posted September 23, 2011

OK, let me tell something to your IT manager: unless you put a fixed IP on the network computers AND you port forward a service on the router to the computer, there's no way an outsider will ever see there's a computer after the modem! Ever!

Just close your modem ports, enable the config panel only for local network (default), put a good password on it and plug everyone on the modem.

Now if you don't trust the people inside the company... then you have an HR issue.

freelance84 Posted September 23, 2011

> I have attached a file to show you how simple this looks.

Sorry for the late reply. Thanks, that's pretty in depth and helps, cheers. The issue is still unresolved. At present we have two comps with no access to the net, the rest have access to the net. I haven't managed to convince the man on top that we can set up a system as you described and it be totally secure (or as secure as the system we have at the moment).

> There's no way, an outsider will ever see there's a computer after the modem! ever!

I know. Not my decision at the end of the day. I'll keep trying tho, as it is an arse the way things are set up at the moment.

JonnoTheDev Posted September 23, 2011

> I haven't managed to convince the man on top that we can set up a system as you described and it be totally secure

Of course it will be. Like I stated, get a firewall! This is real basic stuff. Most networks are set up like this, why would yours be any different?

thehippy Posted September 23, 2011

Cisco and Juniper switches are certified to DoD, FIPS, IEEE and ISO security specs, I see little reason to distrust that kind of security. Get a good business class switch, set up int/ext VLANs (or two physical switches if the man is uber paranoid) with a proper hardware based packet filter/firewall and get a NAC/VPN/security gateway to bridge the networks and enforce a rigid pre-scan and update policy on clients requesting access to the internal network. Update your client and server machines on the internal network to use IPSec or IPv6 to utilize encryption, so blackboxes/dropboxes can't sniff the ethernet lines for data.

And only $3000-$4000 later, a moderate level security solution is achieved. Probably less than $500 if you eBay some EoL products.