Network Tiers

sabrefreak
I maintain a small-ish office (50 people) with an open policy. My bosses would like me to "tier" the system so that there is full access, email only, and no internet (for example) but that everyone can still see the server appliances.

Previously I tried doing this (with some tech advice) through the use of gpedit.msc and a bogus proxy server. It worked for a couple of days until someone discovered that Firefox Portable (brought in on a USB stick) had no difficulty beating it.

So, now, I'd like to try and do it through the router, or a series of routers if need be, although I'm certainly open to suggestions.

I have a Cisco 877 modem, a Linksys RV016 router, a host of static IPs, and some unmanaged switches.

The server appliances are a pair of Buffalo TeraStations.

Many thanks in advance
(I thought I already posted this but it didn't appear in my profile, so if you see it duplicated, my apologies).
  • +
    0 Votes
    TobiF

    You need a real firewall.
    By default, cut off everything.

    Then define the exceptions needed for "mail access" (pop/smtp/imap etc, or only certain webmail hosts?)

    Next, figure out how you're going to tell these users apart.

    If you only have wired connections, then you could split different ports into different VLANs.

    Maybe you can sort users (or rather computers) based on MAC addresses.

    A last option would be login to a proxy, but you'd be playing catch up on a daily basis, when the passwords get shared.

    +
    0 Votes
    sabrefreak

    This is a good idea which I'd veered away from. What are some good firewalls to consider - hardware or software?

    +
    0 Votes
    TobiF

    Both...
    I'm into other things, but I've seen Untangle being recommended. It's based on Linux. Ideally, you should put it on some PC with 2 Ethernet cards, between the internet and your router.

    By the way, you need to think about how you're going to handle DNS. Either allow everyone outgoing UDP traffic to port 53 (which would open a small hole for tunneling data in and out) or redirect all requests for UDP/53 to your favorite DNS, regardless of destination IP. (This all is of course in case you don't have your own internal DNS or dnsmasq; in that case you can completely block this traffic, except when it originates from your DNS server.)

    Oh, regarding webmail, you may need to build a long list of IP addresses used for webmail servers. (I'm sure Gmail uses a large number of IP addresses, for instance.) And, while speaking of Gmail, the logon procedure probably quickly touches some logon server with a different address. And, since the logon server for sure, and possibly the webmail server as well, will be using HTTPS to port 443 (TCP), the URLs will be encrypted!

    +
    0 Votes
    seanferd

    Do these people have administrator privileges? If so, this has to be the first thing to change. If not, you must restrict them further.

    +
    0 Votes
    santeewelding

    Or, groping?

    +
    0 Votes
    sabrefreak

    Thanks - will bring this up. It should help alleviate some headaches down the road.

    +
    0 Votes
    sabrefreak

    Seanferd - forgot to mention this. The network was built slowly from old programs that required everyone to have Admin rights (such as ACAD R13 and R14). Some of these old programs are still around, but not many. Anyways, everyone shares all the files all the time so that "bob" can work on "bill's" drawing and such.
    I've read a post explaining Admin, Power User, and User rights. It states that "The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data."

    If the users can't modify each other's work this seems of little use. Or is this easy to alter?

    Thx

    +
    0 Votes
    IC-IT

    Shared folders. The users can access any shared folder they have permissions on. It is not tied to their level of logon privileges.

    +
    0 Votes
    seanferd

    Specific further rights can be granted to allow certain apps and such to function. Blanket admin privilege is unnecessary.

    But I do understand where you are coming from. Many older apps (and poorly designed newer apps) do frequently require escalated privileges of some sort.

    +
    0 Votes
    CG IT

    which allows you to vlan.

    VLANs can be a great way to segregate hosts into network segments and allow or deny access to other network segments.

    You can also use ACLs.
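
As an added example that is not part of the original thread, the following POSIX shell script builds the kind of ruleset TobiF describes above (cut everything off by default, then add the mail exceptions, redirect UDP/53 to a local resolver) as the inter-VLAN ACLs CG IT mentions. It targets a Linux box with two NICs sitting between the Cisco 877 and the office switches, with one VLAN per tier plus a server VLAN for the TeraStations. The interface name, VLAN subnets, NAS addresses, mail-server address and webmail ranges are all assumptions for illustration (RFC 5737 documentation addresses stand in for real ones), and the choice of TLS-only mail ports 587/993/995 is mine, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny, three-tier ruleset for a
# Linux box with two NICs (the Untangle-style setup suggested above), emitted in
# iptables-restore(8) format. Every interface name, subnet and address below is
# an assumption for illustration; substitute your own.

WAN=eth0                      # NIC facing the Cisco 877 / Internet (assumed)
FULL_NET=192.168.10.0/24      # VLAN 10: full Internet access (assumed)
MAIL_NET=192.168.20.0/24      # VLAN 20: e-mail only (assumed)
NONET_NET=192.168.30.0/24     # VLAN 30: no Internet (assumed)
NAS_HOSTS="192.168.1.10 192.168.1.11"   # the two TeraStations, server VLAN (assumed)
MAIL_HOSTS="198.51.100.25"              # ISP mail server (RFC 5737 address, assumed)
WEBMAIL_NETS="203.0.113.0/24"           # webmail provider ranges you enumerated (assumed)

# Print one rule line. Using %s keeps the leading '-' of a rule out of the format.
rule() { printf '%s\n' "$*"; }

# Emit the whole ruleset on stdout. Nothing is applied here; the caller decides.
build_ruleset() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    # Redirect every client's DNS query to the resolver running on this box
    # (e.g. dnsmasq), whatever destination the client has configured.
    for net in $FULL_NET $MAIL_NET $NONET_NET; do
        rule -A PREROUTING -s "$net" -p udp --dport 53 -j REDIRECT --to-ports 53
        rule -A PREROUTING -s "$net" -p tcp --dport 53 -j REDIRECT --to-ports 53
    done
    rule -A POSTROUTING -o "$WAN" -j MASQUERADE
    rule COMMIT

    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'      # default: cut off everything
    rule ':OUTPUT ACCEPT [0:0]'     # the box itself (its resolver) may talk out
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in $FULL_NET $MAIL_NET $NONET_NET; do
        rule -A INPUT -s "$net" -p udp --dport 53 -j ACCEPT   # the redirected DNS
        rule -A INPUT -s "$net" -p tcp --dport 53 -j ACCEPT
    done
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Every tier can see the server appliances (inter-VLAN ACL).
    for nas in $NAS_HOSTS; do
        rule -A FORWARD -d "$nas" -j ACCEPT
    done
    # Tier 1: full access.
    rule -A FORWARD -s "$FULL_NET" -o "$WAN" -j ACCEPT
    # Tier 2: mail only. TLS submission/IMAPS/POP3S to the mail host and HTTPS
    # to the webmail ranges; plaintext 25/110/143 are deliberately left out.
    for mh in $MAIL_HOSTS; do
        rule -A FORWARD -s "$MAIL_NET" -d "$mh" -o "$WAN" -p tcp -m multiport --dports 587,993,995 -j ACCEPT
    done
    for wn in $WEBMAIL_NETS; do
        rule -A FORWARD -s "$MAIL_NET" -d "$wn" -o "$WAN" -p tcp --dport 443 -j ACCEPT
    done
    # Tier 3: no Internet. No rule at all; it falls through to the DROP policy.
    # Log the leftovers so a portable browser on a USB stick shows up in syslog.
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix '"TIER-DROP: "'
    rule COMMIT
}

# How many rules let a given source network out to the WAN? A quick tier check.
count_wan_rules() {
    build_ruleset | grep -c -- "-s $1 .*-o $WAN .*-j ACCEPT" || true
}

case "${1:-}" in
    --apply) build_ruleset | iptables-restore ;;   # load for real (needs root)
    *)       build_ruleset ;;                      # dry run: print the ruleset
esac
```

Run it with no arguments to print and review the ruleset; `--apply` pipes it into iptables-restore. Two caveats follow from the thread: the redirected resolver still answers every tier, so the DNS-tunnelling hole TobiF mentions is narrowed to one host rather than closed, and the webmail range list has to be kept by hand, because the TLS traffic on 443 hides which URL is being requested.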

    +
    0 Votes
    sabrefreak

    I will pass these suggestions off to my bosses tomorrow and see what they say.
    Thank you for the insight.
    I may yet be back :)

    +
    0 Votes
    seanferd

    I certainly hope they listen. Nothing like having your company brought to its knees by a bit of malware. Especially with folks bringing in USB drives which may have who-knows-what on them.

    I also hope that whatever you are allowed to implement works out for the best.

    Cheers!
