Subnetting a network to provide data security.
- I am running a Windows 2000 Server with Active Directory. 10 seats total. 2 DCs and one file server on one network. My managers have requested four of the ten seats be 'isolated' from access to/from the internet. He requested a 'stand alone networked computer'. What he meant was any computer that accesses restricted data is not to have access to/from the internet. In speaking with the previous admin of this network, he suggested I install a new switch, set up a site in my AD, and assign the appropriate subnets to the site. My question -- is this really going to isolate said machines from the internet?? What else am I going to need to configure to totally block outside access? I still want all machines to have access to the entire LAN. Any help you could offer would be great - also, what are some good reference books for Active Directory and/or Server 2000?? I am relatively new to network admin -- 10 months experience on this job with just a Network+ certification . . .
Answers
- basically, this is a good design. with a separate switch (or the same one with two VLANs configured) you would get the desired result of blocking their access to outside network. the problem would be, that the two networks would have to be connected with a router device which would then be required to enable their communication between the restricted subnet and the rest of the LAN. the router would also have to be configured in a way that prevents the restricted computers from accessing the internet - the simplest method would be to NOT configure the router with a default gateway nor any other static routes.
ondrej.
Marked as answer by Joson Zhou MSFT, Moderator, Tuesday, October 27, 2009 6:55 AM
- Hello,
Why not get a router with a packet filter? It will give you a lot of flexibility. Multitech's RF-830 or SonicWall's TZ-200 are relatively inexpensive and you can use the packet filter feature to decide who gets access to what and keep all the PC in a single subnet and provide greater security.
I have this deployed in multiple scenarios where clients do not want users to surf the web. I use the MAC address filter to isolate PC's into IP groups then create a rule to block incoming/outgoing access to the WAN port from that group.
Cheers
Miguel Fra / Falcon ITS
Miguel Fra www.falconits.com
Marked as answer by Joson Zhou MSFT, Moderator, Tuesday, October 27, 2009 6:55 AM
All Replies
- The switch that was suggested was a netgear FS116 -- would that have the proper routing capabilities to enable communication between the two networks?
- probably not, at first sight looks like a pure switch without routing capabilities. also consider using something with 1 Gbps instead of this 100 Mbps device.
as a router, you could also use the Active Directory domain controller (DC) that you already have deployed. If it had two NICs, the computer could stand between the two subnets, on each NIC having different IP subnet. You would then go to the Routing and Remote Access (RRAS) console and configure it as a router. Then, you would have to use the Static TCP/IP filters in the RRAS to prevent the restricted LAN outside access.
Although, this is NOT a recommended solution to make DCs anything else than being just DCs, especially having multihomed DCs can pose additional configuration problems for DNS records etc.
SOMETHING ELSE: you probably must have a currently running router. If you don't want to spend additional money, you could as well have some level of security (SOME only, because IP addresses can be simply spoofed) if your current router supports IP filters. You would leave the network in a single subnet scenario and create just the filters on the current router. You may also improve the thing by NOT configuring default gateways on the restricted clients.
ondrej.
- Quoting ondrej: "as a router, you could also use the Active Directory domain controller (DC) that you already have deployed. If it had two NICs, the computer could stand between the two subnets, on each NIC having different IP subnet. You would then go to the Routing and Remote Access (RRAS) console and configure it as a router. Then, you would have to use the Static TCP/IP filters in the RRAS to prevent the restricted LAN outside access."
This is the option that confused me. He did mention using one of the DCs . . connecting something to the other NIC in the DC. Ok - I understand that part. I have two DCs -- the #2 will be on the restricted LAN, the #1 (primary) will be the one needing to fill in as a router. As far as what we use currently for a router??? Other equipment we have includes a 3Com switch and a Linux box for a firewall. I am not sure what device does the routing. . . .
- Quoting ondrej: "Although, this is NOT a recommended solution to make DCs anything else than being just DCs, especially having multihomed DCs can pose additional configuration problems for DNS records etc."
In that case the Linux box does the routing.
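Added illustration (not from any poster in this thread) of the two isolation approaches discussed above: ondrej's router between the two subnets with no default route, and the single-subnet packet-filter rule Miguel describes. Subnets, interface names and restricted host addresses are constructed for the example; the filter keys on IP addresses, which is why ondrej's spoofing caveat applies to it.

```python
"""Model of the two isolation designs from the thread (constructed example)."""
import ipaddress

# Constructed addressing plan; assumption, not taken from the thread.
GENERAL_LAN = ipaddress.ip_network("192.168.1.0/24")
RESTRICTED_LAN = ipaddress.ip_network("192.168.2.0/24")
INTERNAL = [GENERAL_LAN, RESTRICTED_LAN]

# Design 1 (ondrej): a router holding ONLY the two connected subnets.
# With no default gateway and no other static routes, any destination
# outside the LAN has no entry and is simply unroutable.
STATIC_ROUTES = {GENERAL_LAN: "eth0", RESTRICTED_LAN: "eth1"}


def next_hop(dst: str):
    """Longest-prefix lookup. Returns the egress interface, or None when
    no route exists (the 'no default route' case for internet hosts)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in STATIC_ROUTES.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Design 2 (Miguel): everyone stays in one subnet; the router's packet
# filter groups the restricted PCs and denies them any WAN-side traffic.
# Constructed host list standing in for Miguel's MAC-derived IP group.
RESTRICTED_HOSTS = {ipaddress.ip_address(f"192.168.1.{i}") for i in (10, 11, 12, 13)}


def filter_decision(src: str, dst: str) -> str:
    """ACCEPT LAN-internal traffic; DROP anything between a restricted
    host and an address that is not inside one of our internal subnets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def internal(a):
        return any(a in n for n in INTERNAL)

    if (s in RESTRICTED_HOSTS and not internal(d)) or (d in RESTRICTED_HOSTS and not internal(s)):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    print(next_hop("192.168.2.20"), next_hop("203.0.113.9"))        # eth1 None
    print(filter_decision("192.168.1.10", "203.0.113.9"))           # DROP
    print(filter_decision("192.168.1.10", "192.168.1.200"))         # ACCEPT
```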