Untrusted device on internal network

Bing_IRL

Hi there,

I've got an internal gigabit network that I have to allow untrusted devices on to. Basically, external vendors are supplying their own broadband connection on site and they can access their our device through this (their device has two onboard network cards, one for their broadband line and one for our network). I need to allow this device on to our network and be able to ftp content from them. How can I allow this to happen while blocking them from anything else? There could be up to 4 of these 3rd party suplpiers.

Cheers,
Bing

munkus

Bing_IRL wrote: »

Hi there,

I've got an internal gigabit network that I have to allow untrusted devices on to. Basically, external vendors are supplying their own broadband connection on site and they can access their our device through this (their device has two onboard network cards, one for their broadband line and one for our network). I need to allow this device on to our network and be able to ftp content from them. How can I allow this to happen while blocking them from anything else? There could be up to 4 of these 3rd party suplpiers.

Cheers,
Bing

Few questions



1) Have you implemented Vlans on your network?

2) what make and model of firewall do you have?

The only way to do this securely is to have the inside Nic of their server in a Vlan separate to you production network. If you have spare interfaces on your firewall you can treat this network as a DMZ. In the firewall policies, only allow FTP traffic to pass between your production network and this new DMZ vlan.

If you put then on the same network as your work PCs you'll be wide open for a fiver.

Bing_IRL

I havn't got VLANS enabled on the network but I think it is supported. The components aren't the best... Draytek 2820N router and Netgear GS724T "Smart Switch".

The only firewall that is active is running on the draytek. Should I look at something like a sonicwall?

Thanks!

munkus

Bing_IRL wrote: »

I havn't got VLANS enabled on the network but I think it is supported. The components aren't the best... Draytek 2820N router and Netgear GS724T "Smart Switch".

The only firewall that is active is running on the draytek. Should I look at something like a sonicwall?

Thanks!

Had a look at the firewall there, looks like it would be fine. You'll have to web into it and create a new Vlan and apply it to one of the free lan ports. Choose an IP address range for the new Vlan, Gateway IP will be configured on this interface. Set dhcp from here as well.

create the new vlan on the switch and plug the new firewall port into it.

plug laptop into another port on this new Vlan and try to ping the gateway IP. If it works next....

on the firewall, create new firewall policies that allow the original production network access new network but only allow ping and Ftp.

Bing_IRL

Just so I can understand...

A VLAN is like sticking another switch in there and creating another network. If I was to get another switch, configure a port on the router to a VLAN, connect that switch to that port - everything on that switch would be on that VLAN?

I can then limit connectivity to just ftp (by opening just port 21?) between those networks?

munkus

Ya, that could work. Vlans are very easy to set up on a switch though. Backup the config of the firewall before you start to play around with it, so you can restore if it all goes tits up.

Bing_IRL

Back again!!

I've had a look at using the WAN routing on the Draytek but it's only a 10/100 connection so would be too slow.

I think my best option is to just bite the bullet and buy a router. What would be the best bang for buck option? It doesn't need to deal with any internet or any of that. If I could get something that can act as a firewall as well that would be great!

Thanks,

same ol sh1te

Bing_IRL wrote: »

Back again!!

I've had a look at using the WAN routing on the Draytek but it's only a 10/100 connection so would be too slow.

I think my best option is to just bite the bullet and buy a router. What would be the best bang for buck option? It doesn't need to deal with any internet or any of that. If I could get something that can act as a firewall as well that would be great!

Thanks,

Do you have a connection faster than 100mbit? Otherwise there's no bottleneck. Drayrek are a decent brand tbh.

Bing_IRL

Not on to the internet but I do need to move very large files from one subnet to the other. We're talking minimum 120gig files. Would something like the Drayte Vigor2860n suit? It supports multiple subnets.

Should I be looking to some of the baby Cisco routers? I'd like to get a bit of experience with them also.

same ol sh1te

Bing_IRL wrote: »

Not on to the internet but I do need to move very large files from one subnet to the other. We're talking minimum 120gig files. Would something like the Drayte Vigor2860n suit? It supports multiple subnets.

Should I be looking to some of the baby Cisco routers? I'd like to get a bit of experience with them also.

Check out the Mikrotik RB750 and RB951, would do everything a Cisco can do for about 35 quid, big thread about configuring them here
http://touch.boards.ie/thread/2056718566/1/#post80066213
http://www.interprojekt.com.pl/mikrotik-routerboard-rb750gllevel-64mb-gbit-p-1130.html
http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html