Network Tiers

By sabrefreak
I maintain a small-ish office (50 people) with an open policy. My bosses would like me to "tier" the system so that there is full access, email only, and no internet (for example) but that everyone can still see the server appliances.

Previously I tried doing this (with some tech advice) through the use of gpedit.msc and a bogus proxy server. It worked for a couple of days until someone discovered that Firefox Portable (brought in on a USB stick) had no difficulty beating it.

So, now, I'd like to try and do it through the router, or a series of routers if need be, although I'm certainly open to suggestions.

I have a Cisco 877 modem, a Linksys RV016 router, a host of static IPs, and some unmanaged switches.

The server appliances are a pair of Buffalo TeraStations.

Many thanks in advance
(I thought I already posted this but it didn't appear in my profile, so if you see it duplicated, my apologies).


Firewall needed

by TobiF In reply to Network Tiers

You need a real firewall.
By default, cut off everything.

Then define the exceptions needed for "mail access" (pop/smtp/imap etc, or only certain webmail hosts?)

Next, figure out how you're going to tell these users apart.

If you only have wired connections, then you could split different ports into different VLANs.

Maybe you can sort users (or rather computers) based on MAC addresses.

A last option would be login to a proxy, but you'd be playing catch up on a daily basis, when the passwords get shared.

Interesting
by sabrefreak In reply to Firewall needed

This is a good idea which I'd veered away from. What are some good firewalls to consider - hardware or software?


RE: hardware or software?

by TobiF In reply to Interesting

I'm into other things, but I've seen Untangle being recommended. It's based on Linux. Ideally, you should put it on some PC with 2 ethernet cards, between the internet and your router.

By the way, you need to think about how you're going to handle DNS. Either allow everyone outgoing UDP traffic to port 53 (which would open a small hole for tunneling data in and out) or redirect all requests for UDP/53 to your favorite DNS server, regardless of destination IP. (This all is of course in case you don't have your own internal DNS or dnsmasq; in that case you can completely block this traffic, except when it originates from your DNS server.)

Oh, regarding webmail, you may need to build a long list of IP addresses used for webmail servers. (I'm sure Gmail uses a large number of IP addresses, for instance.) And, while speaking of Gmail, the logon procedure probably quickly touches some logon server with a different address. And, since the logon server for sure, and possibly the webmail server as well, will be using HTTPS to port 443 (TCP), the URLs will be encrypted!


Firefox Portable (brought in a USB stick)

by seanferd In reply to Network Tiers

Do these people have administrator privileges? If so, this has to be the first thing to change. If not, you must restrict them further.



by sabrefreak In reply to Firefox Portable (brought ...

Thanks - will bring this up. It should help alleviate some headaches down the road.


User Rights

by sabrefreak In reply to Firefox Portable (brought ...

Seanferd - forgot to mention this. The network was built slowly from old programs that required everyone to have Admin rights (such as ACAD R13 and R14). Some of these old programs are still around, but not many. Anyway, everyone shares all the files all the time so that "Bob" can work on "Bill's" drawing and such.
I've read a post explaining Admin, Power User, and User rights. It states that "The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data."

If the users can't modify each other's work this seems of little use. Or is this easy to alter?



Look into

by IC-IT In reply to User Rights

Shared folders. The users can access any shared folder they have permissions on. It is not tied to their level of logon privileges.



by seanferd In reply to User Rights

Specific further rights can be granted to allow certain apps and such to function. Blanket admin privilege is unnecessary.

But I do understand where you are coming from. Many older apps (and poorly designed newer apps) do frequently require escalated privileges of some sort.


might consider using managed switches

by CG IT In reply to Network Tiers

which allows you to VLAN.

VLANs can be a great way to segregate hosts into network segments and allow or deny access to other network segments.

You can also use ACLs.
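Putting TobiF's two suggestions (default-deny firewall with mail-only exceptions, and redirecting every DNS query to one resolver) and CG IT's VLAN idea together, here is an added example, not code from the thread or from Untangle or any other product named in it. It is a POSIX shell script for a two-NIC Linux box placed between the Cisco 877 and the office LAN; it emits an iptables-restore ruleset from a tier map. Interface names, addresses, the mail port list and the tier map are assumptions, as is a local resolver such as dnsmasq running on the firewall itself. A CIDR entry in the map gives a whole VLAN subnet one tier, which is how the managed-switch approach maps onto the same rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from any product named in it.
# Emits an iptables-restore ruleset for a Linux box with two NICs sitting
# between the Cisco 877 and the office LAN. Every host or VLAN subnet gets
# one of three tiers: full, mail, none. Everything else is dropped by the
# FORWARD policy, so a portable browser on a USB stick changes nothing:
# enforcement is no longer on the client.
# Interface names, addresses and the tier map below are assumptions.
LAN_IF=eth1          # NIC facing the office switches / RV016
WAN_IF=eth0          # NIC facing the Cisco 877
MAIL_PORTS=25,465,587,110,995,143,993   # SMTP, submission, POP3(S), IMAP(S)

# Constructed tier map: "<ip-or-cidr> <tier>" per line, '#' starts a comment.
# A CIDR entry is how a whole VLAN (managed-switch approach) gets one tier.
TIERS='# host or VLAN subnet   tier
192.168.1.10            full
192.168.1.20            mail
192.168.30.0/24         none'

# gen_rules <tier-map> : write the ruleset to stdout, return 1 on a bad tier
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# send every client DNS query to the resolver on this box, whatever IP it used
-A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $LAN_IF -p tcp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the local resolver (assumed: dnsmasq on this box) is the only DNS any tier sees
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # here-doc rather than a pipe so 'return' leaves the function, not a subshell
    while read -r src tier; do
        case "$src" in ''|'#'*) continue ;; esac
        case "$tier" in
            full) printf '%s\n' "-A FORWARD -i $LAN_IF -s $src -j ACCEPT" ;;
            mail) printf '%s\n' "-A FORWARD -i $LAN_IF -s $src -p tcp -m multiport --dports $MAIL_PORTS -j ACCEPT" ;;
            none) printf '%s\n' "# $src: no internet, dropped by the FORWARD policy" ;;
            *)    echo "gen_rules: unknown tier '$tier' for $src" >&2; return 1 ;;
        esac
    done <<EOF
$1
EOF
    # log what falls through so you can see who is being blocked and why
    printf '%s\n' "-A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix \"tier-drop: \""
    echo COMMIT
}

# Usage on the firewall box (not run here):
#   gen_rules "$TIERS" > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Three caveats a practitioner will want. Traffic between clients and the TeraStations on the same switch never crosses this box, so "everyone can still see the server appliances" holds for every tier without any rule; only traffic heading for the Cisco 877 is filtered. The mail tier covers mail clients (SMTP/POP/IMAP); webmail rides on TCP/443 and, as TobiF says, needs an allow-list of the provider's addresses, since the URL is hidden inside TLS. Finally, a per-host entry is only as strong as the user's inability to change their own IP or MAC, which is why the VLAN-by-switch-port approach and removing local admin rights (seanferd's point) belong alongside the firewall rather than instead of it.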
