How to isolate 5 computers on a network?

[deepakvrao]

Hi Guys,

Noob here so please bear with me.

Just set up a data cabling in my new hospital building. Have incoming broadband to a router which is connected to a switch [I think that's what it is called, and is being installed today]. From there I have cabling to 14 point in the building.

I want people who connect at any point to have internet access, but 5 points [hospital office, my office and reception, lab, pharmacy] should have computers which can access a server in the office. All are running either Win 8 or XP.

How can I set a local network for these 5 computers which cannot be accessed by the other people? Anyway to set up a group which needs a password to login etc?

 

[Red Squirrel]

Read up on VLANs, that's what you'll want to do. Each network will be on it's own VLAN, at the router/firewall you can then set ACLs for what can access what. I use pfsense at home and have several vlans, one for my main network, one for wireless, one for public wireless, etc... and in the firewall I can set rules such as allow wireless to access port 80 on a specific IP on wired network, and so on.

The easiest way to explain a vlan is that it's basically a virtual sub switch. The cable going to the firewall would be a trunk, which is like having each sub switch connect to a separate firewall port. Each packet is tagged with the ID of the vlan it came from or is going to, and then the firewall will treat it accordingly by looking at the rules.


Though, you do mention hospital... I hope you did not land yourself in something over your head, since hospital networks can be very complicated because you're having to interface with other people's stuff too. Like some other departments might have their own networks too and everything has to play well together. There's also the issue of patient data safety, be extra sure you're taking that into account, and get people who know more than you about networking to check your work too.

 

[imagoon]

It depends on what "cannot access" means. If you mean, can't get to shares, then setting up user names and passwords will take care of that. If you mean more isolated, you can look at using the software firewall to ACL the IP addresses of the workstations allowed to access it. Then there is routed firewall which is more like what Red is alluding to. Then there is separate [internet] service and air gap.

How isolated do you need to go?

And yes to your basic question, groups and access start pretty simple and get more complicated with the more stuff you lump in.

 

[dealguru]

Yep, VLAN is the solution, check this out - http://en.wikipedia.org/wiki/Private_VLAN

 

[imagoon]

Yep, VLAN is the solution, check this out - http://en.wikipedia.org/wiki/Private_VLAN

How can it be the solution when we don't even know what the problem is?

 

[RadiclDreamer]

It seems like what he is wanting is the following:

All drops can access the internet
Only 5 drops can access a server

If this is indeed what you are wanting, you will need whats called an Access Control List (ACL) which would contain the allow/deny statements for your network. Typically this will only be available in enterprise grade, or at lowest business grade network equipment. If you can tell us what make and model you are working with we may be able to help.

 

[JackMDS]

When it comes to Medical facilities who must conform with HIPAA (http://www.hhs.gov/ocr/privacy/ ) regulations it is suggested to speak to a Consultant that specializes in this matter.

----
Otherwise, as mentioned above it can be done with VLAN.

Or even easier and providing more separation, by using a second Router to segregate part of the network.

Like this - http://www.ezlan.net/shield.html

 

[imagoon]

It seems like what he is wanting is the following:

All drops can access the internet
Only 5 drops can access a server

If this is indeed what you are wanting, you will need whats called an Access Control List (ACL) which would contain the allow/deny statements for your network. Typically this will only be available in enterprise grade, or at lowest business grade network equipment. If you can tell us what make and model you are working with we may be able to help.

Windows user names and passwords could also meet that need. We won't know until the OP replies.

 

[Red Squirrel]

Windows user names and passwords could also meet that need. We won't know until the OP replies.

I would not depend on that or any application based security. If there's an exploit it could easily be broken from the public access via someone's infected machine or something. You always want to do vlans with ACLs or something similar so that it's secure at the network level. You also want to make sure the firewall's management interface is only accessible from the private vlan.

 

[imagoon]

I would not depend on that or any application based security. If there's an exploit it could easily be broken from the public access via someone's infected machine or something. You always want to do vlans with ACLs or something similar so that it's secure at the network level. You also want to make sure the firewall's management interface is only accessible from the private vlan.

You can exploit vlans also so it really depends on the need. It is also possible to exploit the management engines on the switch, or the switching engine itself. Again, it depends on what he *needs* not what we as the arm chair network guys think he needs.

 

[mvbighead]

You can exploit vlans also so it really depends on the need. It is also possible to exploit the management engines on the switch, or the switching engine itself. Again, it depends on what he *needs* not what we as the arm chair network guys think he needs.

While I can certainly see your point that exploitation can occur with VLANs, the plain simple truth given what the OP described is that if it is a hospital environment, and they want only a select few to have access to a server and the others to have Internet access, it's pretty clear that some form of network segmentation should be involved.

Ideally, the other systems would use a completely separate circuit not associated with the "production" network. However, as this seems to be a small deployment, that cost is not likely to be something they would go with.

Properly implemented VLANs and ACLs will satisfy the segmentation the OP suggested that he needed. And if you truly think that the only need is user/password authentication to secure things, um... yeah, not touching that one. All I can say is, based on the minimal information there, the OP is looking for segmentation. The best place to start is at the network layer, and the most cost effective is likely going to involve VLANs and ACLs. You'd further want to you password authentication to the server inside that VLAN, but there is definitely no good reason to leave everything all on the same network if the other workstations don't need access to anything but the internet.

 

[imagoon]

While I can certainly see your point that exploitation can occur with VLANs, the plain simple truth given what the OP described is that if it is a hospital environment, and they want only a select few to have access to a server and the others to have Internet access, it's pretty clear that some form of network segmentation should be involved.

Ideally, the other systems would use a completely separate circuit not associated with the "production" network. However, as this seems to be a small deployment, that cost is not likely to be something they would go with.

Properly implemented VLANs and ACLs will satisfy the segmentation the OP suggested that he needed. And if you truly think that the only need is user/password authentication to secure things, um... yeah, not touching that one. All I can say is, based on the minimal information there, the OP is looking for segmentation. The best place to start is at the network layer, and the most cost effective is likely going to involve VLANs and ACLs. You'd further want to you password authentication to the server inside that VLAN, but there is definitely no good reason to leave everything all on the same network if the other workstations don't need access to anything but the internet.

You have brought the same point up. You are assuming that is what he needs. None of us have any idea. If this is nothing more than say a Windows file server, depending on the content, there may be literally no more need than a username / password requirement.

Scoff and quib about it all you want but there simply isn't enough information to justify anything. There are literally hundreds of thousands of servers that have access control via username and password. We don't create an entirely new network segment every time we prop up a file server because access control is handled via the operating system. Don't ASSume that since he said "hospital" that he automatically needs vlans, ACLs (IE a firewall) as there might not be anything HIPPA covered on it. It is one approach that may not be needed or the best. We need to determine what he considers "cannot access" and "can access" means. It may be that the server ends up hosted else where and those five points access it via Citrix or VPN. Again, it depends on what he *needs* not what we as the arm chair network guys think he needs.

 

[mvbighead]

You have brought the same point up. You are assuming that is what he needs. None of us have any idea. If this is nothing more than say a Windows file server, depending on the content, there may be literally no more need than a username / password requirement.

Scoff and quib about it all you want but there simply isn't enough information to justify anything. There are literally hundreds of thousands of servers that have access control via username and password. We don't create an entirely new network segment every time we prop up a file server because access control is handled via the operating system. Don't ASSume that since he said "hospital" that he automatically needs vlans, ACLs (IE a firewall) as there might not be anything HIPPA covered on it. It is one approach that may not be needed or the best. We need to determine what he considers "cannot access" and "can access" means. It may be that the server ends up hosted else where and those five points access it via Citrix or VPN. Again, it depends on what he *needs* not what we as the arm chair network guys think he needs.

Not really assuming anything there after re-reading the op:

Hi Guys,

Noob here so please bear with me.

Just set up a data cabling in my new hospital building. Have incoming broadband to a router which is connected to a switch [I think that's what it is called, and is being installed today]. From there I have cabling to 14 point in the building.

I want people who connect at any point to have internet access, but 5 points [hospital office, my office and reception, lab, pharmacy] should have computers which can access a server in the office. All are running either Win 8 or XP.

How can I set a local network for these 5 computers which cannot be accessed by the other people? Anyway to set up a group which needs a password to login etc?

You may be looking at the password login bit and assuming that it means a Windows share/etc. But he asked directly for a local network that is inaccessible to other people. He also referenced an office, lab, and pharmacy (IE - places with no physical access to public persons). This all reeks of having public terminals and private terminals. And when you have public and private terminals, they should always be separated from each other via network segmentation. Relying solely on Windows authentication is simply being naive.

I may be assuming some, but the bulk of what has been addressed has already been clarified in the op.

 

[RadiclDreamer]

When it comes to Medical facilities who must conform with HIPAA (http://www.hhs.gov/ocr/privacy/ ) regulations it is suggested to speak to a Consultant that specializes in this matter.

----
Otherwise, as mentioned above it can be done with VLAN.

Or even easier and providing more separation, by using a second Router to segregate part of the network.

Like this - http://www.ezlan.net/shield.html

I work in healthcare, conforming to HIPAA is not as hard as people think. Sure its a pain in the butt at times, but overall I don't have to think about it much. Really, all networks when ran properly meet most HIPAA requirements. The main rule when dealing with HIPAA is data is on a need to know basis, if you don't need to know it to do your job (billing, coding, transcription) or to provide patient care (physician, rad technician, nurse) then you shouldn't be letting it out or looking at it in any way.

 

[imagoon]

Not really assuming anything there after re-reading the op:


You may be looking at the password login bit and assuming that it means a Windows share/etc. But he asked directly for a local network that is inaccessible to other people. He also referenced an office, lab, and pharmacy (IE - places with no physical access to public persons). This all reeks of having public terminals and private terminals. And when you have public and private terminals, they should always be separated from each other via network segmentation. Relying solely on Windows authentication is simply being naive.

I may be assuming some, but the bulk of what has been addressed has already been clarified in the op.

I don't agree. There is nothing naive about relying on Username / Passwords, Windows, Internet, Linux, Citrix etc. There also isn't enough there to describe his needs. Since he hasn't posted a single reply to answer any of the pile of questions, we can't determine what would be needed to satisfy his requirements.

Considering I that we currently work with a company (We have a medical division that provides medical services to clients) that houses piles and piles of data that would be covered by HIPAA that is Internet accessibly via a Citrix secure gateway using nothing more than a username and password that has passed numerous Federal Government audits, it really isn't that naive to assume the same thing wouldn't apply here. For those that don't know, Citrix is just RDP on steroids.

 

[deepakvrao]

Sorry guys for the delay.

Here is what I did today. Created a 'Homegroup' and got a pw generated from the control panel. Left all drives to non sharing status, except one drive on the server computer which hosts the main hospital software.

GOing to test now whether I can plug in to a LAN port, or wirelessly access any of the computers in the homegroup.

It's a small hospital, only 30 beds, and I'm 'hoping' that the need ois only to keep inquisitive snoopers out. I hope none of my patients will actually make a determined attempt to access hospital computers. Maybe naive?

Lots of info here, so it will take me time to read and try to assimilate. Does not mean that I have posted and disappeared. I do appreciate the help you guys are giving.

In addition, my medical work takes most of my time [thankfully ;-)]

 

[imagoon]

May I suggest you consider hiring a Managed Service Provider then? MSP's would handle your IT needs for a small rate per computer per month. It would be better to let them handle the equipment than yourself if you are unsure of what you are doing.

 

[RadiclDreamer]

Sorry guys for the delay.

Here is what I did today. Created a 'Homegroup' and got a pw generated from the control panel. Left all drives to non sharing status, except one drive on the server computer which hosts the main hospital software.

GOing to test now whether I can plug in to a LAN port, or wirelessly access any of the computers in the homegroup.

It's a small hospital, only 30 beds, and I'm 'hoping' that the need ois only to keep inquisitive snoopers out. I hope none of my patients will actually make a determined attempt to access hospital computers. Maybe naive?

Lots of info here, so it will take me time to read and try to assimilate. Does not mean that I have posted and disappeared. I do appreciate the help you guys are giving.

In addition, my medical work takes most of my time [thankfully ;-)]

Coming from a medical IT background, I doubt this will be sufficient defense in the event of a breach. Hoping that nobody cares enough to break in is a sure fire way to get your self burned.

I hate to be the typical forum nazi that tells you how to run your business, but in this case I can see you opening yourself up to quite a bit of liability with this method of network operation. If you dont have the funding to hire someone full time, I would highly suggest getting an outside consultant to take a look at things for you, be sure to get your BAA signed by them as well (business associate agreement) since they will most likely come into contact with PHI and need to be willing to be held liable as well for any breach that may happen.

Again, this is just some friendly advice from someone in the field and you are free to do as you see fit. I just would rather you know the risks and consequences before making any decision.

 

[Carson Dyle]

Pardon me if this is considered a thread hijacking, but I was just going to pose a very similar question. In a multi-tenant apartment building, the owner wants to provide shared internet access to 20 apartments.

These connections will have to be individually isolated. Unlike the above scenario, none of the ports would ever be consolidated into a network. Would a switch with VLANs still be the best (and cheapest?) solution?

 

[imagoon]

Pardon me if this is considered a thread hijacking, but I was just going to pose a very similar question. In a multi-tenant apartment building, the owner wants to provide shared internet access to 20 apartments.

These connections will have to be individually isolated. Unlike the above scenario, none of the ports would ever be consolidated into a network. Would a switch with VLANs still be the best (and cheapest?) solution?

You would likely use PVLAN to do that. Similar idea but not quite the same.

 

[azazel1024]

It seems like what he is wanting is the following:

All drops can access the internet
Only 5 drops can access a server

If this is indeed what you are wanting, you will need whats called an Access Control List (ACL) which would contain the allow/deny statements for your network. Typically this will only be available in enterprise grade, or at lowest business grade network equipment. If you can tell us what make and model you are working with we may be able to help.

Most L2 switches have the ability. My smart, not quite full L2 switch has ACLs based on MAC and port. I've done some limited testing on it and it works just fine. Seems like it should be able to easily handle duties for 5 drops to the server. Just setup the ACL so only the ports from the 5 locations you want to be able to access the server have permissions and deny all other switch ports from going to the server.

Should be done. Only a little trickier if you also need to allow the server to have internet access, but even then, you can just allow the port that the router is on to have access to the server and ensure there is nothing else on the router other than the internet (IE none of the switch ports are in use, other than the backhaul from the router to the switch).

 

[azazel1024]

You would likely use PVLAN to do that. Similar idea but not quite the same.

You can also do a 24 port switch with ACLs. Just allow all to the port with the internet router and deny all access to any other ports. You'd probably need to look in to switches a little more to make sure that both ACL is supported and also how robust it is, but it should work just fine.

 

[imagoon]

Most L2 switches have the ability. My smart, not quite full L2 switch has ACLs based on MAC and port. I've done some limited testing on it and it works just fine. Seems like it should be able to easily handle duties for 5 drops to the server. Just setup the ACL so only the ports from the 5 locations you want to be able to access the server have permissions and deny all other switch ports from going to the server.

Should be done. Only a little trickier if you also need to allow the server to have internet access, but even then, you can just allow the port that the router is on to have access to the server and ensure there is nothing else on the router other than the internet (IE none of the switch ports are in use, other than the backhaul from the router to the switch).

What you are describing is PVLAN (done the hard way.) If he needs true isolation, PVLAN membership based on the port is easiest since you can add the internet as an uplink port, the server + 5 locations in one pvlan and all the workstations + internet port in another pvlan. Since the server isn't in the workstation pvlan, frames wouldn't make it that port. There is some special config you need to do to handle broadcasts you actually want to get through (IE dhcp.) The 5 workstations would end up being members of both PVLANs and would get Internet and Server access.

 

[mvbighead]

May I suggest you consider hiring a Managed Service Provider then? MSP's would handle your IT needs for a small rate per computer per month. It would be better to let them handle the equipment than yourself if you are unsure of what you are doing.

I'd agree with this. In all actuality, you could probably contract someone to come in and configure the basics for you, and then run with it from there. So long as the person you contract is legit, you should be able to get things configured the way you wish leaving the private terminals private and the public ones public.

 

[ultimatebob]

You can also do a 24 port switch with ACLs. Just allow all to the port with the internet router and deny all access to any other ports. You'd probably need to look in to switches a little more to make sure that both ACL is supported and also how robust it is, but it should work just fine.

I could see that solution coming back to haunt you someday. You buy a nice managed 24 port switch with PVLAN support now, it breaks 2 years later, and then the landlord who doesn't know jack shit about IT replaces it with a $200 generic Netgear switch that they get from Newegg. Chaos ensues