separating networks for security

humaxf1 · 12-05-2010 12:49pm #1

Hi all,

I'm sure almost everyone has come across this at some stage...

Scenario 1
You get a computer which is virus infected. You proceed to connect it to your router to download various virus/spy/malware removal tools or update installed programs. Unknown to you, the infection has made it's way onto your personal computer also attached to the same router.

Scenario 2
The computer is soooo infested, it's unusable Windows wise. You decide to put the HDD into your computer as a slave for data backup and then format/reinstall. Unknown to you, the infection has made it's way from the slave drive onto your computer.

Scenario 2 is avoidable by having a standalone dedicated PC for data copying...provided you make sure the PC is clean when you slave the clean installed Windows drive to copy the user's data back (ghost image and separate data partition might be an option here)

The crux of my post is putting an infected computer (unknown to you) on your network. From a networking point of view, is there a way to have a single Internet connection feeding into 2 switches which are isolated in a way that switch A is for your computers and switch B is for computers in for repair?

I have a Linksys WRT54G router running DDWRT at my disposal. Could this act as a firewall in between the switches to block nasties but allow Internet bandwidth through to switch B. Would having a 192.168.*.* scheme on switch A and a 10.*.*.* scheme provided by the DDWRT router on switch B be of any advantage?

Any help or suggestions greatly appreciated. Thx

mehmeh12 · 12-05-2010 12:53pm

Must you use windows to download?-i am of course advocating the use of linux period.

FusionNet · 12-05-2010 12:57pm

totally possible just not usually cheaply as thats a business scenario the switches are usually quite expensive. Im sure someone will have a cheap way of doing it but cheap usually means flakey...

I would presume both your PC's have excellent antivirus have they?

mehmeh12 · 12-05-2010 1:04pm

FusionNet wrote: »

totally possible just not usually cheaply as thats a business scenario the switches are usually quite expensive. Im sure someone will have a cheap way of doing it but cheap usually means flakey...

I would presume both your PC's have excellent antivirus have they?

Antivirus these days are a joke. I mean really?

FusionNet · 12-05-2010 1:07pm

Not true, MOST anti Virus packages are a joke but there are about three or four max in the world that are actually worth having..

As an easy fix you could get both your machines up to top spec and working condition, then image the discs abd that way a re-install is easy...

How much are you willing to spend to seperate traffic?

humaxf1 · 12-05-2010 1:41pm

I use linux boot discs where possible, but some machines refuse point blank to boot to ubunru 8.04-10.04, crunchbang etc etc. How many Live Cd's can you have before you run out of storage space. If it's a Windows issue with a customer's PC, obivously I have no choice but to boot into Windows.

AV? Well as we all know, you are never protected 100% no matter which product you have installed. Fair enough that some are much better than other products. At one stage I didn't bother running AV on my personal laptop/tower at home. Creators of viruses know how to bypass the popular products out there and they go undetected. NIS20** comes to mind! Then came along security essentials which is light on resources and does me fine. If I get whacked by a nasty nasty virus I can live with it.

"Joe Soap" doesn't understand fully what has happened when they get whacked. Once I had a customer go into a major rant about symantec endpoint protection and how it let a virus through onto his computer. He was going to complain to Symantec and goto the top in symantec (who he knows). Just had to bite my tongue...after all my boss sold him SEP LOL.

Anyhow, back on topic... Spending major amounts of money wouldn't be an option. I dont sign the cheques plus the powers to be wouldn't spend christmas. Are you suggesting managed/smart switches Eoghan?

thx

FusionNet · 12-05-2010 2:33pm

Ya a managed switch would probably be the most stable. I can ask what the retail is on one so at least you have a ball park figure what the worst case scenario is.. I dont supply myself but a company I deal with do. It would be a Netgear model we would normally use..

As regard AV, we use Eset as it has one of the smallest CPU foot prints and is also in the top 3 or 4 in the world. Personally from using most of them it has been the least intrusive and the fastest for patches...

humaxf1 · 12-05-2010 3:21pm

No harm in asking and finding out I suppose...thx

Came across an article in a newletter I'm subscribed to today,

http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268

azzeretti · 18-05-2010 11:36am

What you are looking for is simple enough provided your router has the ability to VLAN the switch interfaces on it. If it doesn't have any builtin LAN interfaces you would have to create a virtual interface and create a VLAN there. You would then need to have a managed switch and assign 2 VLANs across the interfaces on it with the same tagging IDs as the ones on the router.

Its certainly do-able and easy enough too, but I am not sure you kit will help you.

JimmyCrackCorn · 18-05-2010 11:44am

With Vlans its doable to separate the pcs. Linksys routers do this just fine.

But to be honest there is no real excuse for getting your machine riddled with viruses unless your doing dodgy stuff, like pron, warez and not updating your pc.

Btw these days its pen drives and sloppy friends/users that cause me the most issues.

seamus · 18-05-2010 12:05pm

Although it's something of a "long way round", you could use a linux box with Vmware to do this. Configure your VMWare machines with their own subnet and use your linux box as the "router" for this subnet, only allowing traffic out to the web and nowhere else. When a machine comes in, you image the disk and mount it to Vmware. Then repair the OS/damage and copy the image back to the original disk.

You can set up a Vmware environment so the virtual machines are completely unaware of the host and the host's network. If a machine is *really* screwed, you can completely isolate it and use a USB drive for copying the data off.

NullZer0 · 18-05-2010 11:26pm

Cisco 2950 - VLANS.
Vyatta or IPCOP

xsiborg · 24-05-2010 9:24pm

just on the OP's original question, I have the Belkin N1 Vision and it allows for two separate networks, or say one main network and then a guest network. it was one of the main reasons why I bought this particular router because like yourself I wanted to keep all my own machines on their own separate network and still give machines I was working on, access to the internet for updates and so on.

for backups and so on I use a USB caddy to transfer files and folders to my netbook that I upgraded with a 500GB hard drive, partitioned into a C: (50GB) and

(450GB) partition (D: also acts as a mapped network drive). I use the netbook simply because it doesnt take much to reinstall, and it goes everywhere with me, my little workhorse- an Advent 4211c...

separating networks for security

Comments