Adding a hardware firewall inside a network?

sabka (Senior member, Jan 10, 2001, 407 posts):
How can I add a hardware firewall inside a workgrouped network to isolate a computer?
Is there an easy way to do this?

What equipment should I be looking for?
Thanks!

Edit: The whole network resides behind a router as well. So that would mean:
WAN -- router --- network -- firewall -- isolated PC

spiridion (Senior member, May 14, 2001, 212 posts):
It would be easier if you just blocked the IP address or MAC address of the PC instead of adding a firewall to block just one PC. Like q2261 said, what exactly are you trying to do?

sabka (Senior member, Jan 10, 2001, 407 posts):
Sure... I want to protect one area of the network from the other.
I know I could set up and use Active Directory & trusted domains... but we're only working with a workgroup.
Also, restricting MACs won't be sufficient.

One area should not have access to that particular area (3 computers) and besides disabling print/file sharing, I want to enhance the security perimeter around that computer (it's accounting).

Fuzznuts (Senior member, Nov 7, 2002, 449 posts):
Why not put that machine on a different subnet from the others, or use local policies to secure the system? A firewall in this case seems a waste of time. If the data is that sensitive, wtf is it doing on the same network as normal desktop machines? Or simply pull the network cable out of the NIC. A firewall is kinda pointless in this scenario, I would guess.

sabka (Senior member, Jan 10, 2001, 407 posts):
Well,

there is a NAS on the other part of the network and I want the accounting group to be able to access that as well.
So I thought I could put them on a different workgroup - protected by passwords.
And in addition, have a firewall to intercept any attempts to access that network as well.

sabka (Senior member, Jan 10, 2001, 407 posts):
Ohh. let me clarify (I know I mistyped a few times above):

I want to isolate 3 computers (on the workgroup "accounting") from the rest of the network (called "group").
There is a NAS (network attached storage) in the "group" network that has to be accessed by everyone (both "accounting" and "group" workgroups).

reicherb (Platinum Member, Nov 22, 2000, 2,122 posts):
Originally posted by: sabka
Ohh. let me clarify (I know I mistyped a few times above):

I want to isolate 3 computers (on the workgroup "accounting") from the rest of the network (called "group").
There is a NAS (network attached storage) in the "group" network that has to be accessed by everyone (both "accounting" and "group" workgroups).

Here is the easiest solution I see. Put the 2 groups on separate subnets. Add a second NIC to the NAS or bind a second IP address to the current NIC if it's supported. Assign the NAS an address on each subnet. Depending on your infrastructure you could take it even a step further and create a separate VLAN for each group. VLANs are not designed for security, but they do offer a level of isolation.

sabka (Senior member, Jan 10, 2001, 407 posts):
Originally posted by: reicherb
Here is the easiest solution I see. Put the 2 groups on separate subnets. Add a second NIC to the NAS or bind a second IP address to the current NIC if it's supported. Assign the NAS an address on each subnet. Depending on your infrastructure you could take it even a step further and create a separate VLAN for each group. VLANs are not designed for security, but they do offer a level of isolation.

That's a good idea.
So how would I go about setting up two subnets?
Just use subnet 255.255.255.0 for the "group" and 255.255.255.252 for "accounting" (for 3 stations)?

Fuzznuts (Senior member, Nov 7, 2002, 449 posts):
No. A subnet mask of 255.255.255.255 = the machine with that IP address only.

Move the network ID up one octet: say you had 192.168.0.1/255.255.255.0, put the other machine on 192.168.1.1/255.255.255.0. This will separate them. Also ensure that the box that will have both NICs has IP forwarding disabled or you'll be back at square one.

It is off in XP by default, so if you've not turned it on already, don't worry.

edited for speelling :p

n0cmonkey (Elite Member, Jun 10, 2001, 42,936 posts):
Yeah, a firewall is a great way to help limit the traffic. Putting it on its own subnet and what not is good, but incomplete.
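An added example, not code from anyone in this thread: a small stateful filter that models the box in sabka's sketch ("network -- firewall -- isolated PC") once the accounting PCs sit on their own subnet, and shows what n0cmonkey means by a firewall limiting traffic beyond what subnetting alone does. Every address, port and rule below is constructed for illustration: "group" on 192.168.1.0/24, "accounting" on 192.168.2.0/24, the NAS at 192.168.1.50, SMB on TCP/445. A real device would express the same policy in its own rule language (iptables with connection tracking, or a vendor's stateful ACL); this is only the logic.

```python
"""Added example (not from the thread): a minimal stateful filter modelling
the box in sabka's sketch, "network -- firewall -- isolated PC", once the
accounting PCs sit on their own subnet. Everything here is constructed:
"group" 192.168.1.0/24, "accounting" 192.168.2.0/24, NAS 192.168.1.50,
SMB on TCP/445."""
from ipaddress import ip_address, ip_network

GROUP = ip_network("192.168.1.0/24")
ACCT = ip_network("192.168.2.0/24")
NAS = ip_network("192.168.1.50/32")

# First match wins. A dport of None matches any port.
# (src_net, dst_net, dport, action)
RULES = [
    (ACCT, NAS, 445, "ACCEPT"),    # accounting may open SMB sessions to the NAS
    (GROUP, ACCT, None, "DROP"),   # nothing on the group side may initiate into accounting
    (ACCT, GROUP, None, "DROP"),   # accounting does not browse the rest of the LAN either
]
DEFAULT_POLICY = "DROP"


class StatefulFilter:
    """Tracks accepted connections so replies pass without a rule of their own."""

    def __init__(self, rules=RULES, default=DEFAULT_POLICY):
        self.rules = rules
        self.default = default
        self.established = set()   # (proto, src, dst, sport, dport) of accepted initiators

    def filter(self, src, dst, sport, dport, proto="tcp"):
        s, d = ip_address(src), ip_address(dst)
        # Reply direction of a connection we already accepted: allow it even
        # though GROUP -> ACCT is otherwise dropped. A stateless ACL would
        # have to punch a hole for "source port 445" here, which any client
        # on the group side could forge.
        if (proto, d, s, dport, sport) in self.established:
            return "ACCEPT"
        for src_net, dst_net, rule_port, action in self.rules:
            if s in src_net and d in dst_net and (rule_port is None or rule_port == dport):
                if action == "ACCEPT":
                    self.established.add((proto, s, d, sport, dport))
                return action
        return self.default


def run_demo():
    """Constructed flows; returns {name: verdict} for a fresh filter."""
    fw = StatefulFilter()
    return {
        # accounting PC opens SMB to the NAS
        "acct_to_nas_smb": fw.filter("192.168.2.10", "192.168.1.50", 51000, 445),
        # the NAS's reply packet, matched by state rather than by any rule
        "nas_reply": fw.filter("192.168.1.50", "192.168.2.10", 445, 51000),
        # a group PC tries to reach the accounting PC's shares
        "group_to_acct_smb": fw.filter("192.168.1.105", "192.168.2.10", 52000, 445),
        # the NAS (or a compromised group host) initiates inward on its own
        "nas_initiates": fw.filter("192.168.1.50", "192.168.2.10", 445, 51001),
        # accounting PC tries the NAS on a port the policy does not allow
        "acct_to_nas_ssh": fw.filter("192.168.2.10", "192.168.1.50", 51002, 22),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point the flows make: accounting reaches the NAS share, the NAS's answers come back because the filter remembers who opened the session, and nothing on the group side (the NAS included) can open a connection into accounting. The filter only helps while the accounting PCs are physically behind it; a PC re-cabled onto the group switch is not filtered at all.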

sabka (Senior member, Jan 10, 2001, 407 posts):
Originally posted by: Fuzznuts
No. A subnet mask of 255.255.255.255 = the machine with that IP address only.

Move the network ID up one octet: say you had 192.168.0.1/255.255.255.0, put the other machine on 192.168.1.1/255.255.255.0. This will separate them. Also ensure that the box that will have both NICs has IP forwarding disabled or you'll be back at square one.

It is off in XP by default, so if you've not turned it on already, don't worry.

edited for speelling :p

OK, I get it!!!
So can different subnets just not access each other, or are they pretty much invisible to each other as well?

Fuzznuts (Senior member, Nov 7, 2002, 449 posts):
The only way they can see each other is through a router or gateway that is connected to both subnets. Seeing as IP forwarding is disabled in XP (IP forwarding turns XP into a really simple router; it can route to IP ranges directly attached to it), they won't be able to see each other.

Basically, no, they can't. Try to ping either side of the network from the opposite subnet; you will see that it fails.

chsh1ca (Golden Member, Feb 17, 2003, 1,179 posts):
Originally posted by: Fuzznuts
The only way they can see each other is through a router or gateway that is connected to both subnets. Seeing as IP forwarding is disabled in XP (IP forwarding turns XP into a really simple router; it can route to IP ranges directly attached to it), they won't be able to see each other.

Basically, no, they can't. Try to ping either side of the network from the opposite subnet; you will see that it fails.

Or through someone changing their network configuration. Subnetting isn't a secure way of going about things, unless you feel 100% confident that nobody can change the network config of the 3 computers in group (through local sec. policies, and so forth). Making them physically separate networks is a better, more secure alternative, as then there is no possibility of accessing the accounting machine.

reicherb (Platinum Member, Nov 22, 2000, 2,122 posts):
That is true, but also more expensive. I guess sabka needs to decide if he is trying to stop malicious access or accidental access.

sabka (Senior member, Jan 10, 2001, 407 posts):
Alright, tried the following:

With a router's DHCP on... I set:

1.) router subnet mask to 255.255.255.0
2.) IPs are 192.168.1.100 (-130)
3.) I wanted to set up a new subnet by using the same subnet-mask (255.255.255.0) and IP 192.168.2.100

This did not work.

Any suggestions? :confused:

iceslice (Junior Member, May 19, 2003, 2 posts):
That was pretty awesome of me to just post a blank page for my first post.. </sarcasm>

Anyway, do you have a second router for a second set of DHCP for the other 3 computers?
Does your router support DHCP on two subnets? You will need to bind a second IP to that router for the second subnet gateway, and I don't think many entry-level routers support that (my crappy Linksys one doesn't).

sabka (Senior member, Jan 10, 2001, 407 posts):
Welcome iceslice,

I only have 1 router (Linksys 54g) and only want to use DHCP on one subnet. The other one can be static IPs out of the DHCP range.

Hmm..so you think my router couldn't support a 2-subnet configuration?