Private notebooks and domain protection...

Locked

tropolite
Hi
We are providing staff the ability to bring private notebooks to our site so they can use internet and IM after hours.

Running an ISA Server 2006 I want to be able 'manage' what access these unmanaged notebooks can access (prevent torrent downloads etc).

These privately owned notebooks do not join our domain but I should be able to manage them to an extent using the 'Site' node in Active Directory?

I was thinking that these notebooks could connect to a different, default subnet so that management of these can be achieved (and something like a quarantine subnet). But these are just thoughts at this stage and I'm unsure how I would go about it.

Just after a bit of advice if there's any out there...

Thanks in advance...

Cheers
    Bizzo

    You could be creating a very dangerous situation for yourself here.

    Firstly, I don't think that these machines should have any access whatsoever to the company network, domain or resources. You have no idea if these machines are infected, whether they have any "inappropriate" content, or if they have any security/AV etc.

    You say that these machines do not join the domain, but what's stopping someone from trying?

    Assuming you get the machines connected (away from the domain and secure), what happens if a dozen or so employees are connected, and one person connects and infects all the other machines, making them all unusable? Who will be held responsible?

    tropolite

    Hi Bizzo

    I appreciate the whole security risk etc., that's why I have posted here to see if smarter network gurus have a solution for me (as I have much to learn in this area of IT).

    The company wishes to allow these private notebooks access (mainly to general Internet resources - webmail, IM), as staff are on site 1 or 2 weeks at a time (remote mining co), even though I have cited the security risks.

    That is why I'm searching for a solution to place these 'guest' nodes into a 'quarantine type zone' so IT Admin will be able to throttle and approve resources they access.

    Surely there is a methodology out there for similar scenarios, but my expertise has not gone in this direction. Any guidance, or even direction to a website that will outline best practice would be very helpful to me.

    Thanks in advance...
    Cheers

    magic8ball

    While letting the notebooks connect to the network may not be the best idea, as you already know, I have a couple of ideas that might help you out. I would recommend setting aside an area that is for these computers to connect. An unused room with a switch or wireless router if you want to go that route.

    First if your firewall supports it set those notebooks up on a DMZ in that dedicated place. Basically a DMZ is an area that can access the internet but not the local network.

    Second, you could look at a product called an Untangle server. This is an open source, free product (although they do have some commercial add-ons, but you probably won't need those for this) that acts as a firewall, AV, spam, spyware and web content filter. It installs its own OS on a spare computer with two NICs; one NIC connects to your LAN and the other NIC connects to the switch where the notebooks would connect.

    I have used both, and the Untangle server is really easy to configure and would provide you with a great deal of control over the notebooks that connect through it.
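The guest-segment ("DMZ") policy magic8ball describes, internet reachable but the local network not, written out as a first-match egress policy evaluator. This is an added example, not code from the thread, from ISA Server or from Untangle. The guest subnet 192.168.200.0/24, the firewall's guest-side address 192.168.200.1, and the permitted port list (80/443 for webmail, 1863 for MSN Messenger and 5222 for XMPP as stand-ins for "IM") are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the example (not from the thread).
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")          # guest notebooks
FIREWALL_GUEST_IF = ipaddress.ip_network("192.168.200.1/32")  # firewall's guest-side leg
CORP_NETS = tuple(ipaddress.ip_network(n)                     # everything RFC 1918 is "LAN"
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    dst_nets: tuple   # ip_network objects; () means any destination
    protos: tuple     # () means any protocol
    dports: tuple     # (low, high) inclusive ranges; () means any port


def _matches(rule: Rule, pkt: Packet, dst: ipaddress.IPv4Address) -> bool:
    if rule.dst_nets and not any(dst in n for n in rule.dst_nets):
        return False
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.dports and not any(lo <= pkt.dport <= hi for lo, hi in rule.dports):
        return False
    return True


# Order matters: the DNS exception must precede the RFC 1918 deny because the
# firewall's guest-side address is itself a private address.
GUEST_EGRESS = (
    Rule("dns-to-firewall-only", "allow", (FIREWALL_GUEST_IF,), ("udp", "tcp"), ((53, 53),)),
    Rule("no-corporate", "deny", CORP_NETS, (), ()),
    Rule("web", "allow", (), ("tcp",), ((80, 80), (443, 443))),
    Rule("im", "allow", (), ("tcp",), ((1863, 1863), (5222, 5222))),
    # No BitTorrent port list needed: anything not listed above falls to default deny.
)


def evaluate(pkt: Packet) -> tuple:
    """Return (action, rule_name) for a packet leaving the guest segment."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src not in GUEST_NET:
        return ("deny", "not-from-guest")   # this policy only governs guest sources
    for rule in GUEST_EGRESS:
        if _matches(rule, pkt, dst):
            return (rule.action, rule.name)
    return ("deny", "default-deny")


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for p in (Packet("192.168.200.10", "203.0.113.5", "tcp", 443),    # webmail: allow
              Packet("192.168.200.10", "10.1.2.3", "tcp", 445),       # file server: deny
              Packet("192.168.200.10", "192.168.200.1", "udp", 53),   # firewall DNS: allow
              Packet("192.168.200.10", "8.8.8.8", "udp", 53),         # outside DNS: deny
              Packet("192.168.200.10", "203.0.113.5", "tcp", 6881)):  # torrent port: deny
        print(p, "->", evaluate(p))
```

Two points the rule order illustrates. Default deny is what actually stops peer-to-peer clients, since they negotiate arbitrary ports and a port blocklist is easily sidestepped; the price is that any new application has to be added explicitly. Pinning DNS to the firewall's own resolver keeps guests from bypassing a web filter by using an outside resolver. Note the limitation of the "no-corporate" rule: traffic between two notebooks on the same guest switch never reaches the firewall, so it does not address Bizzo's guest-to-guest infection scenario; that needs port isolation on the switch or client isolation on the access point.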
