Isolate some computers from office network

Discussion in 'Mac OS X Server, Xserve, and Networking' started by RedTomato, Nov 25, 2009.

  1. RedTomato macrumors 68040

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #1
    Hiya

    The small charity I work for has set up a satellite office in a city pretty far away. We've rented an office there, and have just moved in 3 staff there.

    The problem is that all the other offices in the building can see our computers on the building network, and we can see theirs too.

    As some of our work involves supporting people with legal and social issues, there is an issue of security and confidentiality here. For our work, we have to be able to share our files between our 3 computers, and send files to our networked printer.

    I've spoken to the building manager who asked the building technician about the issue. The response I got was that we could pay for a 'WAN ethernet port' which I suppose will go on the rackmount servers / switches for the building.

    To be honest, this doesn't really make much sense to me. Can you help?
     
  2. blacka4 macrumors 6502

    Joined:
    Sep 28, 2009
    Location:
    Pittsburgh
    #2
    you can always set up a small file server with a mini to firewall off your office network
     
  3. RedTomato thread starter macrumors 68040

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #3
    Can't really afford that for only 3 staff (two of them are part-time anyway).

    I'm more interested in knowing what on earth the technician means by us paying for a WAN port :)

    x T
     
  4. daflake macrumors 6502a

    Joined:
    Apr 8, 2008
    #4
    I assume that he meant that you could have your own dedicated port to the outside world and he would segment the switch off for that.

    However, it may be easier for you guys to simply buy a cheap router and create a local network of your own. Then connect the router to the building network. This would put a small firewall between you guys and the rest of the network and could be done cheaply. That being said, if you are dealing with legal matters for folks, cheap is not a word you really should be using. You need to do the right thing and protect your clients.
     
  5. blacka4 macrumors 6502

    Joined:
    Sep 28, 2009
    Location:
    Pittsburgh
    #5
    or this would work also.
     
  6. RedTomato thread starter macrumors 68040

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #6
    Thanks for that. I have a couple of spare cheap routers here, so might do that. All 3 PCs would have to share a single 100mb LAN port back to the building server then to the internet, but at current speeds, that should be fine.

    I'm studying networking, but this is a new situation for me. I'm guessing at the setup of the small router here:

    - turn off DHCP so as not to bugger up the building network,
    - turn off NAT as the building's router deals with that
    - and in the firewall, block all incoming / outgoing on the WAN port that doesn't go to the IP of the building's router (which is more or less the default firewall setup on a cheap router)

    Looks right?

    We don't provide legal advice, but we support deaf people who are looking for jobs, or seeking welfare, or who need disability advice for their home or workplace etc. Legally, we have to maintain strong confidentiality.

    x RedTomato
     
  7. daflake macrumors 6502a

    Joined:
    Apr 8, 2008
    #7
    Fair enough...

    On the network side, no, there are some issues with what you posted.

    DHCP can be used as it only will affect the internal network that you create. All computers will connect to that local network and the WAN side of the router will connect to the building network. You can use DHCP or go static and it won't affect the building at all.

    NAT... Leave it on as it will be needed. NAT (http://en.wikipedia.org/wiki/Network_address_translation) is what will translate between the local network that you create (10.0.1.x or 192.168.1.x) to the building network. It will also provide some basic firewall protection. There generally is better firewall protection in most home routers today that provide SPI (Stateful Packet Inspection) (http://en.wikipedia.org/wiki/Stateful_firewall) so leaving that running will further protect you.

    All of this being said, I would speak with the building network guy and make sure that he won't have a problem with you hanging a local network off of his. I doubt that he would but it is best to ask. ;)
     
  8. ViViDboarder macrumors 68040

    Joined:
    Jun 25, 2008
    Location:
    USA
    #8
    You can generally set the IP of the router itself as well. I would set that IP to the IP that one of your other computers was.

    That way the router doesn't stand out like a sore thumb on the building's network.

    Then, make sure you plug the building's network into the WAN port of your office router. If you have Wifi on, turn off SSID broadcasting.

    Leave on DHCP so it will assign IPs to all your office computers. This is only if you want them to be dynamic, which I see no reason not to. The fact that the building is in the WAN port will separate you from their network and your IPs won't conflict.
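One way to implement the router role daflake and ViViDboarder describe above (building network on the WAN port, NAT left on, stateful filtering, DHCP only on the office side), as an added example that is not from the thread: an nftables ruleset for a small Linux box acting as the office router. The interface names eth0/eth1 and the 192.168.1.0/24 office range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset for a Linux box acting
# as the office router between the office computers and the building network.
# Assumptions (not stated in the thread): eth0 is the WAN side (plugged into
# the building switch), eth1 is the office LAN side (3 computers plus the
# networked printer), and the office uses 192.168.1.0/24 (one of the private
# ranges daflake mentions). A DHCP server for the office runs on eth1 only.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset. NAT stays on (office addresses are hidden behind the
# router's single building-side address) and the filter is stateful: only
# replies to connections the office opened may come back in from the WAN side.
office_ruleset() {
  cat <<EOF
flush ruleset
table inet office {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Office side may reach the router itself (DHCP, DNS, admin page).
    iifname "$LAN_IF" accept
    # Nothing on the building side may open a connection to the router.
    iifname "$WAN_IF" drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Office -> building/Internet is allowed; building -> office is not.
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}
table ip office_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr $LAN_NET oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Load the ruleset when nft is available (needs root); otherwise just show it.
apply_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    office_ruleset | nft -f /dev/stdin
  else
    office_ruleset
  fi
}
```

The file server shares and the printer sit on the eth1 side, so the other tenants never see them; the office still reaches the Internet through the building's router as before.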
     
  9. dyn macrumors 68030

    Joined:
    Aug 8, 2009
    Location:
    .nl
    #9
    I think he means you get a dedicated internet connection which you can use for your own little network. In that case you need stuff like a firewall and a switch. If you get a WAN port with a proper external IP address then this could be a much nicer solution than using a firewall/router within the existing network because you won't have problems with things like double NAT. Consider it to be the same as getting DSL for your office (consisting of 3 people). You'll need to get a firewall/router anyway so it's more a question whether you want to use it in the existing network or use it with the dedicated WAN port. Please think a bit further than just how much it'll cost right now, think about the future as well (what if the others move elsewhere? what if you start expanding the staff to 4, 5, 6?).
     
  10. RedTomato thread starter macrumors 68040

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #10
    OK I was supposed to talk to the technician on the phone today, but that didn't happen - had to do it through email. Turns out to be a bit of a communication problem - I have to email the building manager, who is non-technical, then she talks to the technician, who talks to her, then she emails me back with some garbled version of what she thinks the technician said. :confused:

    Long story short, it turns out to be stupid building manager, emailing me with the suggestion I 'buy a WAN port from the technician' when what she actually means is he suggests I get a router with a WAN port - plug it into the building network via the WAN port, and connect our machines on the LAN side. Similar to what daflake said.

    (Actually I met her on a site visit and she was really nice, let me have a look around the building server room, which she shouldn't have done really.)

    Here in the UK most cheap home routers are also ADSL modems, meaning they have an ADSL port, but no WAN port. Next time I'm in the main office, I'll have a look through our spare routers to see if we have any non-ADSL ones.

    A bit of googling shows that a LAN port can be converted to a WAN port through telnetting into the router and fiddling about with the settings and subnetting it. I'm not keen on doing that for a workplace-critical piece of equipment, plus it's setting a time-bomb for whoever follows me in my job. If we don't have anything suitable, I'll go and buy a new non-ADSL wireless router with a WAN port.
     
  11. Queso macrumors G4

    Joined:
    Mar 4, 2006
    #11
    I did a similar setup for a company in Johannesburg. I used a Cisco 800 series router (an 803, I recall), which acted as a four-port switch for the computers in the office. NAT was turned on, the firewall was active, and a split-tunnel IPSec VPN was configured so that traffic to the main office went encrypted out the host company's firewall and across the Internet. In the meantime Internet browsing went out locally.

    I think a similar setup could easily be done with some cheaper routers, although the VPN encryption would probably end up being PPTP based. If you use Cisco of course ezvpn with network-extension mode would mean you could actually support the remote computers from your central office, if you enabled the remote desktop functions that is.

    Make sure the host company are OK with the wireless side before enabling that though. Most companies really don't like it.
     
  12. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    #12
    I second this. If you are sending data across insecure networks and you are concerned about privacy, you need to ensure you encrypt those transmissions. Currently, I'd recommend using AES-256 or higher for encryption.
     
  13. dyn macrumors 68030

    Joined:
    Aug 8, 2009
    Location:
    .nl
    #13
    If you have an old (spare) computer lying around somewhere you could put 2 or more NICs in that machine and run something like m0n0wall or pfsense on it. You may have more features with that kind of setup than you'd have with some router.
     