Public Internet Access while protecting private network

By gregs
We have a private network with hard wired jacks throughout the building along with some wireless access with WPA protection. The network is based on 2003 and the 10/100/1000 switches do not have MAC address filtering. The firewall between the internet and the private network is a NetScreen 5GT. This unit has the ability to create a separate zone on one of its other ports.

Now I know I can create a simple public access point by creating a public zone on the NetScreen and connecting a switch with a couple of wireless access points for public access. This keeps folks off of our private network and all is well. HOWEVER anyone could just plug their computer into any one of our hard wired network jacks, get a DHCP address assigned to them from the 2003 server and potentially cause problems on our network.

What would you recommend putting in place to protect our 2003 server(s) and our clients from folks that may just plug their computer into a network jack? We obviously have antivirus tools and such in place, but I would like to completely deny any sort of network access from these units.

This is a church location so the network jacks are easily accessible throughout the building so I cannot physically block public access.


All Answers

Domain or Workgroup?

by ThumbsUp2 In reply to Public Internet Access wh ...

Can you create a private domain for all of YOUR computers, instead of using the default Workgroup? A domain would require a domain administrator password to join each computer TO the domain. Then individual "fly by" computers being plugged into either the hard wired jacks or catching a wireless access point will not be able to access any of the computers ON the domain and they'll still be able to access the internet.

If you must use a workgroup instead of a domain, try assigning static IP addresses for each computer (with specific MAC addresses assigned for each one) using a block of numbers that only YOU know, like maybe through Each computer's MAC address is assigned to one specific IP address and always gets that same address no matter where they're connected. Then, "fly by" computers connecting to any jack or wireless would first have to know what block of IP addresses you're using and ALSO need to have their own computer's MAC address authorized in order to get an IP address within your same sub-net. If I remember correctly, this will give the outsiders internet access but they won't be able to see the computers in your sub-net. I may be wrong though. It's been so long since I've done it that way.

Domain or Workgroup?

by gregs In reply to Domain or Workgroup?

This is a 2003 Domain so I know no one has authenticated rights to anything, but I am more concerned about security attacks... trojans, viruses, worms, security holes, and so forth. I wish my switches had MAC address filtering (which I know is not really a secure method), but it would help block general users that plug into the hardwired ports... meaning someone would have to do some work to do some damage.

Port Security

by mjfera In reply to Public Internet Access wh ...

Hi Greg --

Two things you can look at:

1) Put all the publicly accessible ports into their own VLAN. No traffic can pass between this "public" VLAN and your secure network without first passing through a Layer 3 device (i.e. firewall, router). If there are machines of yours that you want to be accessible from those "public" ports, you can use DHCP reservations to ensure they (and only they) get "allowed" IP addresses. You can allow those reserved IP addresses through your Layer 3 device using ACLs.

2) If your switches allow for it, you can look at Port Security. The other alternative is to disable all the switch ports that are servicing these empty wall jacks.

Hope this helps.

Port Security

by gregs In reply to Port Security

My original thought, until I realized these managed switches didn't have MAC address filtering, was to have public wired ports (Green Jack) and private wired ports (Red Jack) set up so that the switch used MAC filtering on the private ones to only allow devices I know about plugged into them, and then leave the public wired ports open and have them all be a VLAN to segregate them. HOWEVER this stinking switch (Netgear Gigabit Managed Switch) did not have the MAC address filtering.

So at this point my only level of blocking is the DHCP Reservations you have mentioned which only does so much.

I thought about putting a SMALL (8 port) gigabit managed hub with MAC address filtering between the servers and the other switch so I could use the MAC address filtering to stop traffic from the public computers from reaching the servers, but I am not sure if this would work.

Summary: wirelessly I think I am golden... wired is the issue, and DHCP reservations would help to a small degree, and perhaps if I could put a MAC address filtering switch between the server and normal switches that may help even more.

Other thoughts?

DHCP Reservation = MAC Filtering

by mjfera In reply to Port Security

A DHCP reservation is functionally equivalent to a MAC Address Filter. Reservations are set based on MAC addresses, so there is no chance any host other than those you specify can pick up the reserved addresses.

Here's a scenario that I'm sure would be quite secure for you.

VLAN "private" /24
** Those ports that are behind closed doors

VLAN "public" /24
** Those ports that are publicly accessible

DHCP Scope "public"
Address Space: -
Exclude: -
Reservations: -

Router Int0
Router Int1

access-list 101 permit ip

Interface Config (Int1):
int1# access-group 101 in

This configuration is pretty tight. It would be even stronger with a stateful firewall in place of the router. It allows only the reserved addresses across the router into the private network, and the exclusions make it flexible in case your needs change. If there is a way to fool DHCP into serving up a protected address to an insecure machine, I'm not aware of it.

DHCP Reservation = MAC Filtering

by gregs In reply to DHCP Reservation = MAC Fi ...

I think I can do a variation of this. Here is the configuration of the location:

Jacks On Walls going to Switch.
Wireless access (WPA) going to Switch.
Switch Connected to Server.
Switch Connected to Router.
Windows 2003 Network.
Windows 2003 Server providing DHCP for Private.
Netscreen 5GT with 2 zones ability.

- I could set up a second zone (public) on the router and let it provide DHCP 192.168.2.x.
- I could VLAN the switch for the 192.168.2.x and connect Wireless Access Points and have some of the wall jacks available.
- I could then set DHCP on windows 2003 to use ONLY reservations.

Now the downside is that technically a rogue computer could be plugged into the VLAN for the private network, and even though it may not get a DHCP address it is still on the network and could listen for traffic, set a fixed IP and try to get on the network, or simply try to inject some sort of malware. Granted this may not be a major concern in this environment, but I had hoped to find a way to keep any public traffic from hitting the private network at all... even if they plugged into a private wall jack.

I think I follow what you are saying above, but it sounds like even the private domain computers would be going through the router's public port, but allowed access to the private side due to the access list.
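The gap gregs raises above (a host on a private-VLAN jack can ignore DHCP and set a static IP, so the reservation list mjfera relies on never sees it) can at least be detected by comparing what the server actually sees on the wire against the reservation list. The script below is an added example, not code from the thread: it parses constructed Windows `arp -a` output from the 2003 server and flags every neighbour whose MAC is not in the DHCP reservations, or whose address does not match its reservation. All MAC and IP values are hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: DHCP reservations on the private scope of the
# Windows 2003 server (hypothetical MAC and IP values, not from the thread).
RESERVATIONS = {
    "00-0c-29-1a-2b-3c": "192.168.1.10",   # file server
    "00-1d-60-aa-bb-cc": "192.168.1.21",   # office PC
    "00-1d-60-dd-ee-ff": "192.168.1.22",   # office PC
}
PRIVATE_NET = ip_network("192.168.1.0/24")

# Constructed sample `arp -a` output as seen on the server.
ARP_OUTPUT = """\
Interface: 192.168.1.5 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.10          00-0c-29-1a-2b-3c     dynamic
  192.168.1.21          00-1d-60-aa-bb-cc     dynamic
  192.168.1.99          00-1d-60-dd-ee-ff     dynamic
  192.168.1.77          00-16-ea-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs from `arp -a` text, skipping broadcast and multicast."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue                      # interface header, column header, blank
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or ip_address(ip).is_multicast:
            continue
        entries.append((ip, mac))
    return entries

def audit(entries, reservations, net):
    """Classify each neighbour in `net`: 'ok', 'unknown-mac' (no reservation,
    so it must be using a static IP) or 'ip-mismatch' (reserved MAC on another IP)."""
    by_mac = {m.lower(): ip for m, ip in reservations.items()}
    findings = {}
    for ip, mac in entries:
        if ip_address(ip) not in net:
            continue
        if mac not in by_mac:
            findings[ip] = "unknown-mac"
        elif by_mac[mac] != ip:
            findings[ip] = "ip-mismatch"
        else:
            findings[ip] = "ok"
    return findings

if __name__ == "__main__":
    for ip, verdict in sorted(audit(parse_arp(ARP_OUTPUT), RESERVATIONS, PRIVATE_NET).items()):
        print(f"{ip:16} {verdict}")
```

The ARP cache only lists hosts that have exchanged frames with the server, so a purely passive listener on the private VLAN will not show up; this check is a detective control that complements, rather than replaces, the VLAN and ACL separation mjfera describes.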
