separating networks for security

  • 12-05-2010 11:49am
    #1
    Registered Users, Registered Users 2 Posts: 865 ✭✭✭


    Hi all,

    I'm sure almost everyone has come across this at some stage...

    Scenario 1
    You get a computer which is virus-infected. You proceed to connect it to your router to download various virus/spy/malware removal tools or update installed programs. Unknown to you, the infection has made its way onto your personal computer also attached to the same router.

    Scenario 2
    The computer is soooo infested, it's unusable Windows-wise. You decide to put the HDD into your computer as a slave for data backup and then format/reinstall. Unknown to you, the infection has made its way from the slave drive onto your computer.


    Scenario 2 is avoidable by having a standalone dedicated PC for data copying... provided you make sure the PC is clean when you slave the clean-installed Windows drive to copy the user's data back (a ghost image and separate data partition might be an option here).

    The crux of my post is putting an infected computer (unknown to you) on your network. From a networking point of view, is there a way to have a single Internet connection feeding into 2 switches which are isolated in a way that switch A is for your computers and switch B is for computers in for repair?

    I have a Linksys WRT54G router running DD-WRT at my disposal. Could this act as a firewall in between the switches to block nasties but allow Internet bandwidth through to switch B? Would having a 192.168.*.* scheme on switch A and a 10.*.*.* scheme provided by the DD-WRT router on switch B be of any advantage?

    Any help or suggestions greatly appreciated. Thx


Comments

  • Closed Accounts Posts: 921 ✭✭✭mehmeh12


    Must you use Windows to download? I am of course advocating the use of Linux, period.


  • Closed Accounts Posts: 695 ✭✭✭FusionNet


    Totally possible, just not usually cheaply, as that's a business scenario and the switches are usually quite expensive. I'm sure someone will have a cheap way of doing it, but cheap usually means flaky...

    I would presume both your PCs have excellent antivirus, have they?


  • Closed Accounts Posts: 921 ✭✭✭mehmeh12


    FusionNet wrote: »
    Totally possible, just not usually cheaply, as that's a business scenario and the switches are usually quite expensive. I'm sure someone will have a cheap way of doing it, but cheap usually means flaky...

    I would presume both your PCs have excellent antivirus, have they?

    Antivirus these days are a joke. I mean really?


  • Closed Accounts Posts: 695 ✭✭✭FusionNet


    Not true, MOST antivirus packages are a joke, but there are about three or four max in the world that are actually worth having...

    As an easy fix you could get both your machines up to top spec and working condition, then image the discs and that way a re-install is easy...

    How much are you willing to spend to separate traffic?


  • Registered Users, Registered Users 2 Posts: 865 ✭✭✭humaxf1


    I use Linux boot discs where possible, but some machines refuse point blank to boot to Ubuntu 8.04-10.04, CrunchBang, etc. How many live CDs can you have before you run out of storage space? If it's a Windows issue with a customer's PC, obviously I have no choice but to boot into Windows.

    AV? Well, as we all know, you are never protected 100% no matter which product you have installed. Fair enough that some are much better than other products. At one stage I didn't bother running AV on my personal laptop/tower at home. Creators of viruses know how to bypass the popular products out there and they go undetected. NIS20** comes to mind! Then along came Security Essentials, which is light on resources and does me fine. If I get whacked by a nasty nasty virus I can live with it.

    "Joe Soap" doesn't understand fully what has happened when they get whacked. Once I had a customer go into a major rant about Symantec Endpoint Protection and how it let a virus through onto his computer. He was going to complain to Symantec and go to the top in Symantec (who he knows). Just had to bite my tongue... after all, my boss sold him SEP LOL.

    Anyhow, back on topic... Spending major amounts of money wouldn't be an option. I don't sign the cheques, plus the powers that be wouldn't spend Christmas. Are you suggesting managed/smart switches, Eoghan?

    thx


  • Closed Accounts Posts: 695 ✭✭✭FusionNet


    Yeah, a managed switch would probably be the most stable. I can ask what the retail is on one so at least you have a ballpark figure of what the worst case scenario is. I don't supply myself, but a company I deal with does. It would be a Netgear model we would normally use.

    As regards AV, we use ESET as it has one of the smallest CPU footprints and is also in the top 3 or 4 in the world. Personally, from using most of them, it has been the least intrusive and the fastest for patches...


  • Registered Users, Registered Users 2 Posts: 865 ✭✭✭humaxf1


    No harm in asking and finding out I suppose...thx

    Came across an article in a newsletter I'm subscribed to today,

    http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268


  • Registered Users, Registered Users 2 Posts: 1,477 ✭✭✭azzeretti


    What you are looking for is simple enough, provided your router has the ability to VLAN the switch interfaces on it. If it doesn't have any built-in LAN interfaces you would have to create a virtual interface and create a VLAN there. You would then need to have a managed switch and assign 2 VLANs across the interfaces on it with the same tagging IDs as the ones on the router.

    It's certainly doable and easy enough too, but I am not sure your kit will help you.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    With VLANs it's doable to separate the PCs. Linksys routers do this just fine.

    But to be honest there is no real excuse for getting your machine riddled with viruses unless you're doing dodgy stuff, like pron, warez, and not updating your PC.


    BTW, these days it's pen drives and sloppy friends/users that cause me the most issues.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Although it's something of a "long way round", you could use a Linux box with VMware to do this. Configure your VMware machines with their own subnet and use your Linux box as the "router" for this subnet, only allowing traffic out to the web and nowhere else. When a machine comes in, you image the disk and mount it in VMware. Then repair the OS/damage and copy the image back to the original disk.

    You can set up a VMware environment so the virtual machines are completely unaware of the host and the host's network. If a machine is *really* screwed, you can completely isolate it and use a USB drive for copying the data off.
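
    The OP's question (one Internet connection feeding a clean switch and a repair switch on different subnets, with the DD-WRT box as the firewall between them), azzeretti's managed-switch-plus-VLAN-trunk layout, and seamus's Linux-box-as-router for an isolated subnet all come down to the same router configuration. The script below is an added example and is not from any post in this thread. It is the kind of POSIX shell that would go in DD-WRT's firewall script or a Linux router's startup, and it assumes a trunk port eth0 carrying 802.1Q VLAN 10 (clean, 192.168.1.0/24) and VLAN 20 (repair, 10.0.0.0/24) to a managed switch, plus a WAN interface eth1. Every interface name, VLAN ID and address in it is an assumption; on a WRT54G the real DD-WRT names (vlan1 for the WAN, br0 for the LAN bridge) must be substituted, and the switch's access ports must be untagged members of exactly one of the two VLANs with only the router port tagged for both.

```shell
#!/bin/sh
# Added example (not from the thread): a two-segment repair bench behind one
# Internet connection. The router owns a gateway on each VLAN and forwards
# only towards the WAN; the two segments never see each other's traffic.
#
# All of the following are assumptions to be adjusted for the real hardware.
WAN="${WAN:-eth1}"              # upstream interface
TRUNK="${TRUNK:-eth0}"          # port cabled to the managed switch's trunk port
CLEAN_VID="${CLEAN_VID:-10}"    # VLAN for your own machines (switch A)
REPAIR_VID="${REPAIR_VID:-20}"  # VLAN for customer machines (switch B)
CLEAN_IF="$TRUNK.$CLEAN_VID"
REPAIR_IF="$TRUNK.$REPAIR_VID"
CLEAN_GW="192.168.1.1/24"       # 192.168.x.x scheme on the clean side
REPAIR_GW="10.0.0.1/24"         # 10.x.x.x scheme on the repair side

# Emit the commands that create the two 802.1Q sub-interfaces on the trunk.
vlan_cmds() {
  cat <<EOF
ip link add link $TRUNK name $CLEAN_IF type vlan id $CLEAN_VID
ip link add link $TRUNK name $REPAIR_IF type vlan id $REPAIR_VID
ip addr add $CLEAN_GW dev $CLEAN_IF
ip addr add $REPAIR_GW dev $REPAIR_IF
ip link set $CLEAN_IF up
ip link set $REPAIR_IF up
EOF
}

# Emit the firewall. The cross-segment DROPs live in their own chain that is
# jumped to from the very top of FORWARD, so no later ACCEPT (including a
# stock DD-WRT rule) can let a repair-bench host reach the clean segment.
# The BENCH_IN chain protects the router itself: the repair side may only
# ask it for DHCP and DNS, never reach the admin web UI or SSH.
fw_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -N BENCH 2>/dev/null
iptables -F BENCH
iptables -D FORWARD -j BENCH 2>/dev/null
iptables -I FORWARD 1 -j BENCH
iptables -A BENCH -i $REPAIR_IF -o $CLEAN_IF -j DROP
iptables -A BENCH -i $CLEAN_IF -o $REPAIR_IF -j DROP
iptables -A BENCH -j RETURN
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $REPAIR_IF -o $WAN -j ACCEPT
iptables -A FORWARD -i $CLEAN_IF -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -N BENCH_IN 2>/dev/null
iptables -F BENCH_IN
iptables -D INPUT -i $REPAIR_IF -j BENCH_IN 2>/dev/null
iptables -I INPUT 1 -i $REPAIR_IF -j BENCH_IN
iptables -A BENCH_IN -p udp --dport 67 -j ACCEPT
iptables -A BENCH_IN -p udp --dport 53 -j ACCEPT
iptables -A BENCH_IN -j DROP
EOF
}

# Line number of the first emitted firewall command matching PATTERN, so the
# rule order (isolation DROPs before any ACCEPT) can be checked without root.
rule_line() {
  fw_cmds | grep -n -e "$1" | head -n 1 | cut -d: -f1
}

# Print the plan (default) or apply it on the router when APPLY=1.
bench_setup() {
  if [ "${APPLY:-0}" = "1" ]; then
    { vlan_cmds; fw_cmds; } | sh
  else
    vlan_cmds
    fw_cmds
  fi
}

bench_setup
```

    Run it without APPLY to review the generated rules, then APPLY=1 on the router. The second BENCH rule could be removed to let the clean side initiate connections into the repair segment, but the ESTABLISHED rule then carries whatever the infected host sends back to the clean machine's browser or SMB client, so copying data through a USB caddy, as xsiborg describes, is the safer path for the repair-to-clean direction.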


  • Registered Users, Registered Users 2 Posts: 1,629 ✭✭✭NullZer0


    Cisco 2950 - VLANs.
    Vyatta or IPCOP


  • Closed Accounts Posts: 5,635 ✭✭✭xsiborg


    Just on the OP's original question: I have the Belkin N1 Vision and it allows for two separate networks, or say one main network and then a guest network. It was one of the main reasons why I bought this particular router, because like yourself I wanted to keep all my own machines on their own separate network and still give machines I was working on access to the internet for updates and so on.

    For backups and so on I use a USB caddy to transfer files and folders to my netbook, which I upgraded with a 500GB hard drive partitioned into a C: (50GB) and D: (450GB) partition (D: also acts as a mapped network drive). I use the netbook simply because it doesn't take much to reinstall, and it goes everywhere with me, my little workhorse: an Advent 4211c... :)

