DHCP server and security

Patt

Diamond Member
Jan 30, 2000
My wife is a librarian, and her LAN is a bit messed up, and I'm more of a programmer than a network admin, so here's my question:

Her DHCP assigns dynamic addresses to the computers on her LAN (or so she says). She has people coming into the library who want to connect up laptops to the internet connection. She has no problem with this, so long as she knows there aren't any major security concerns. Can anyone help me with what security concerns might be involved, or what specific information I would need to determine whether or not this would be secure?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
It can be a very BAD idea to do so.

If the LAN is set for sharing between computers and there are no restrictions or passwords, the Visitors can copy, change, mess up, etc. the entire library computerized system. Even if there are restrictions, it might entice some of the "Visitors" to try their Hacking Skills.

A simple solution might be to install a Wireless Cable/DSL Router plugged into the Network, creating a non-secure secondary Wireless Network that would be available to visitors, while securing the Library Wireless to the max.

Link to: Wireless Security.

:sun:
 

Patt

Diamond Member
Jan 30, 2000
Originally posted by: JackMDS
It can be a very BAD idea to do so.

If the LAN is set for sharing between computers and there are no restrictions or passwords, the Visitors can copy, change, mess up, etc. the entire library computerized system. Even if there are restrictions, it might entice some of the "Visitors" to try their Hacking Skills.

A simple solution might be to install a Wireless Cable/DSL Router plugged into the Network, creating a non-secure secondary Wireless Network that would be available to visitors, while securing the Library Wireless to the max.

Link to: Wireless Security.

:sun:

Not talking wireless necessarily, as everything there is wired only at the moment, and with no budget to make it more modern. :( Small town.

 

yoda291

Diamond Member
Aug 11, 2001
I can say with 95% probability that just letting people plug into the network is insecure.

What I would do (read: my opinion), is to segment off the public users into their own vlan/subnet with the internet connection either piped in from a proxy server or through a firewall.

The reasoning is this: if you let random people onto your network in a place where they can establish a connection to another machine, then you have to assume that machine will be compromised. I'm assuming none of this is in place?

Secondly, if you allow people unrestricted access to the internet using their own machines, then you are essentially giving them unrestricted access to your public internet presence... which means, if I plug into the library and try to hack someone through your internet connection, it will come back and bite you in the rear. Think of it this way: would the library let me use their telephone to do whatever I wanted with?

Essentially, what has to happen is that these users "plugging in" have to be put somewhere on the network where they have access to nothing. Then you pipe in services like internet connections in a controlled and monitored fashion. Having said that, it shouldn't be TOO difficult to actually do, but I would chalk it up as too much trouble for being nice.

Hope this helps.
 

Patt

Diamond Member
Jan 30, 2000
I was thinking the same thing, and your telephone analogy, Yoda, was brilliant. I think my wife is trying to be too accommodating ... it isn't like they don't have terminals already set up for internet usage, it is just people who want to use their own laptops that are the issue.

I think with a bit of research I could figure out how to isolate them on the network, but then again, the amount of computer work far and away trumps the value of the free membership I have received, and I'll try to let this one slide on by.

:beer: Cheers.
 

cleverhandle

Diamond Member
Dec 17, 2001
Ditto that. You're asking for trouble letting any random stranger jump on your LAN. Heck, being a library it's a perfect place for aspiring crackers to test their skills - they can take their time, come back whenever they like, and assume (probably correctly) that there aren't any security-savvy people keeping an eye on the logs.

As Jack suggested, if you want to provide access to visitors' machines you'll need a secondary network that's well separated from the main network. You could do this with VLANs in the switch and router infrastructure if you have the equipment and expertise, or set up a wireless network to hang off the original one. Or simply decide that visitors need to use the library's machines if they want access.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
No need to be too concrete about my mentioning of Wireless. ;)

I think that it is very nice to allow such a service in the Library; this is part of what Libraries are for in modern days, :thumbsup: and with some basic precaution it can be done (like keeping a log of name, date and time that people are using the connection, just like you do when you give a book).

Wireless will let people with a Wireless laptop (which is basically what most people have) log On, and no need to deal with messy cables and Switches that eventually would break from plugging in and out.

I would use an 802.11b Wireless Cable/DSL Router. 802.11b will discourage File transfer since it is Slow.

To plug an 802.11b Router into the existing system shouldn't cost more than $20.

Even a Poor Library might be able to afford $20 to buy the Router (provided you volunteer your good service to install it).

If Wireless is out of the question the same idea can be used with a Wired Router (probably a $15 investment).

:sun:
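The "keep a log of name, date and time" idea above maps naturally onto the DHCP server's own lease records: every guest address handed out already carries a start time, an end time and the hardware address of the device that took it. The following is an added example, not code from the thread; it parses constructed lease records written in ISC dhcpd `dhcpd.leases` style and turns the guest-pool entries into a sign-in log. The subnets (192.168.50.0/24 for guests, 192.168.10.0/24 for staff), the addresses, MACs and hostnames are all assumptions made up for the example.

```python
"""Added example (not from the thread): build the visitor sign-in log from
DHCP lease records, so each guest address can be tied to a device and a time
window.

The lease text is constructed in ISC dhcpd `dhcpd.leases` style; addresses,
MACs and hostnames are made up. Assumed layout: guest laptops lease from
192.168.50.0/24, staff machines from 192.168.10.0/24.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

GUEST_NET = ip_network("192.168.50.0/24")  # assumed guest pool

# Constructed sample leases (two guest laptops, one staff machine).
SAMPLE_LEASES = """\
lease 192.168.50.23 {
  starts 2 2005/03/01 14:02:11;
  ends 2 2005/03/01 15:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "visitor-laptop";
}
lease 192.168.50.24 {
  starts 2 2005/03/01 14:10:40;
  ends 2 2005/03/01 15:10:40;
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.10.5 {
  starts 2 2005/03/01 09:00:00;
  ends 3 2005/03/02 09:00:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "circulation-desk";
}
"""

# One record per `lease <ip> { ... }` block; DOTALL so the body spans lines.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def _field(body, key):
    """Return the value of the line starting with `key`, or None if absent."""
    m = re.search(rf"^\s*{key}\s+(.+?);", body, re.M)
    return m.group(1).strip() if m else None


def _parse_time(value):
    """dhcpd writes `<weekday> YYYY/MM/DD HH:MM:SS` in UTC; drop the weekday."""
    _weekday, stamp = value.split(" ", 1)
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")


def parse_leases(text):
    """Parse every lease block into a dict; a missing hostname becomes None."""
    records = []
    for ip, body in LEASE_RE.findall(text):
        hostname = _field(body, "client-hostname")
        records.append({
            "ip": ip_address(ip),
            "starts": _parse_time(_field(body, "starts")),
            "ends": _parse_time(_field(body, "ends")),
            "state": _field(body, "binding state"),
            "mac": _field(body, "hardware ethernet"),
            "hostname": hostname.strip('"') if hostname else None,
        })
    return records


def guest_signin_log(text, guest_net=GUEST_NET):
    """Guest-pool leases only, oldest first: the analogue of the checkout card."""
    guests = [r for r in parse_leases(text) if r["ip"] in guest_net]
    return sorted(guests, key=lambda r: r["starts"])


def format_entry(r):
    """One human-readable log line per lease."""
    name = r["hostname"] or "(no hostname)"
    return f"{r['starts']:%Y-%m-%d %H:%M} - {r['ends']:%H:%M}  {r['ip']}  {r['mac']}  {name}"


if __name__ == "__main__":
    for entry in guest_signin_log(SAMPLE_LEASES):
        print(format_entry(entry))
```

The MAC and hostname identify a device, not a person, and both are under the visitor's control, so this log complements the paper sign-in rather than replacing it: the written name plus the time window tells you which lease belongs to whom when an upstream complaint arrives.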
 

skyking

Lifer
Nov 21, 2001
The trouble with dropping a typical wireless router onto an existing RFC 1918 network as a client?
The typical wireless router (or wired router, for that matter) will pass traffic across to the wan port and into the upstream network, and not just to the gateway. I have not found one yet that won't allow me to ping machines upstream across the wan port, or even print to a print server on the next class "C".
I wish they were sophisticated enough to prevent that, but they aren't.
That is still too much of a risk for my liking, even though the basic windows networking visibility is gone. It would take something like a real firewall or router that is configurable to get the traffic to pass the way I'd want it.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Quote: "The typical wireless router (or wired router, for that matter) will pass traffic across to the wan port and into the upstream network, and not just to the gateway."

Yeah, in a Big Network where you have to put the add-on as a Client somewhere, it would be this way.

In a small flexible Network you can plug the Add-On (Wired or Wireless) directly into the Modem and plug your main Network as a client into the add-on Router.

The Visitors cannot go Downstream to your main Network against the Router's NAT.

:sun:
 

skyking

Lifer
Nov 21, 2001
That works. Then your main network is getting double NAT action, and I find THAT annoying :p

It would be nice to have a real 3 NIC router that does that stuff, for around $50. Dreaming!
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: skyking
That works. Then your main network is getting double NAT action, and I find THAT annoying :p

It would be nice to have a real 3 NIC router that does that stuff, for around $50. Dreaming!

There are specialty routers out there for exactly this scenario - a few hundred bucks. They even offer authentication for the wireless side, all in one box.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Double NAT is annoying for a very active large Network. For a Humble Library, I doubt that it will pose any annoyance.

But as long as we are playing a little with the idea, there is an inexpensive solution if you can get from your ISP, free (or for a few $ a month), a second external IP.

You get an SMC 7004VBR (about $30) and an 802.11b Access Point (about $30).

You plug the AP into the Router and you put the Router onto the Modem, and plug the Main Network Router into the SMC 7004VBR.

You put the IP of the Main Network in the DMZ using one External IP, and you let the second IP work Normally with the Router/AP combo.

Note*

The SMC 7004VBR lets you put up to 10 computers in the DMZ provided you have an independent External IP for each of them.

:sun:
 

Patt

Diamond Member
Jan 30, 2000
Thanks for all the suggestions ... I now have a pretty good frame of reference to research from. Since a lot of my time is already donated to the library, I'll see whether or not it is worth it to go to the hassle at this time. I am curious though, as to the ins and outs, so I do plan to research based on the info I've been given by all of you.

 

thriemus

Senior member
Mar 2, 2005
There is an easy way around this.

Set up all the library computers using static IP addresses and give the server two IP addresses on different subnets, then set up a DHCP pool for outside users granting them only internet access. Set the server to block all shares to the range of IP addresses in the free web access DHCP pool, and a policy on the library computers to deny any access to the range of IP addresses in the web DHCP pool. This will separate the two groups of computers. What I have said isn't complete but it's a good starting point for you to secure the network. Also, are you giving them proxy access or a network gateway?

EDIT: If you don't want to give the library computers static IP addresses then you could set up 2 DHCP pools and allocate the library computers DHCP reservations, and set up the correct number of IP addresses in the pool for all of the library computers. Then create another pool for the internet access only computers.
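Three of the posts above describe the same control from different angles: yoda291's "put them somewhere where they have access to nothing", skyking's warning that a NAT-only consumer router still forwards guest traffic to upstream private hosts, and thriemus's two-pool layout with a deny rule between the pools. The following is an added example, not code from the thread; it models both behaviours as packet-filter decisions and runs constructed traffic through each so the difference is visible. The subnets (192.168.10.0/24 for staff, 192.168.50.0/24 for guests, 192.168.50.1 as the guest gateway), the port numbers and every sample packet are assumptions chosen for the example.

```python
"""Added example (not from the thread): a small model of the guest/staff split,
so a NAT-only router and a real isolation policy can be compared packet by
packet.

Everything here is constructed. Assumed layout: staff machines live in
192.168.10.0/24 (static or reserved), walk-in laptops lease from
192.168.50.0/24 and use 192.168.50.1 as their gateway for DHCP and DNS.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LIBRARY_NET = ip_network("192.168.10.0/24")   # assumed staff subnet
GUEST_NET = ip_network("192.168.50.0/24")     # assumed guest DHCP pool
GUEST_GATEWAY = ip_address("192.168.50.1")    # assumed guest gateway

# RFC 1918 space: a guest packet addressed here is going sideways or upstream,
# never to the internet.
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# The only services a guest needs from its own gateway.
GUEST_GATEWAY_PORTS = {53: "dns", 67: "dhcp"}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def is_private(addr):
    return any(addr in net for net in PRIVATE)


def naive_router_allows(pkt):
    """skyking's observation: a consumer NAT router forwards whatever arrives
    on its LAN side out of the WAN port, upstream private hosts included."""
    return pkt.src in GUEST_NET


def segmented_policy_allows(pkt):
    """The isolation rule: guests may reach the internet and their own
    gateway's DNS/DHCP, and nothing that carries a private address."""
    if pkt.src in LIBRARY_NET:
        return True                      # staff side is not restricted here
    if pkt.src in GUEST_NET:
        if pkt.dst == GUEST_GATEWAY and pkt.dport in GUEST_GATEWAY_PORTS:
            return True
        return not is_private(pkt.dst)
    return False                         # unknown source address: drop


# Constructed traffic: guest flows that should pass or be dropped, plus one
# staff flow. 203.0.113.10 is documentation space standing in for a web site.
SAMPLE = [
    Packet(ip_address("192.168.50.23"), ip_address("203.0.113.10"), 443),   # guest -> web
    Packet(ip_address("192.168.50.23"), GUEST_GATEWAY, 53),                 # guest -> own DNS
    Packet(ip_address("192.168.50.23"), ip_address("192.168.10.5"), 445),   # guest -> staff file share
    Packet(ip_address("192.168.50.23"), ip_address("192.168.10.9"), 9100),  # guest -> print server
    Packet(ip_address("192.168.50.23"), ip_address("192.168.50.40"), 445),  # guest -> other guest
    Packet(ip_address("192.168.10.5"), ip_address("203.0.113.10"), 443),    # staff -> web
]


def leaked_by_naive_router(packets=SAMPLE):
    """Flows a NAT-only router forwards that the segmented policy would drop:
    the gap skyking is pointing at."""
    return [p for p in packets
            if naive_router_allows(p) and not segmented_policy_allows(p)]


def check_pools(reservations, guest_net=GUEST_NET, library_net=LIBRARY_NET):
    """Sanity checks for thriemus's two-pool layout: the subnets must not
    overlap and no staff reservation may land inside the guest pool."""
    problems = []
    if guest_net.overlaps(library_net):
        problems.append("guest and library subnets overlap")
    for mac, addr in reservations.items():
        if ip_address(addr) in guest_net:
            problems.append(f"reservation {mac} -> {addr} falls in the guest pool")
    return problems


if __name__ == "__main__":
    for p in leaked_by_naive_router():
        print(f"leaked by NAT-only router: {p.src} -> {p.dst}:{p.dport}")
    print(check_pools({"de:ad:be:ef:00:01": "192.168.10.5",
                       "de:ad:be:ef:00:02": "192.168.50.7"}))
```

The guest-to-guest case in the sample is worth noting: a router never sees traffic between two hosts on the same subnet, so that row is only enforced by client isolation on the switch or access point, not by any rule on the gateway. The `check_pools` function is the part of thriemus's EDIT that is easy to get wrong by hand: a reservation that happens to fall inside the dynamic guest range silently puts a staff machine on the wrong side of the deny rule.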