What's the best way to separate 1 PC from the rest of the network?

mcveigh (Diamond Member, joined Dec 20, 2000)
I have a friend who is leasing out part of his office to a lawyer. He told this guy he could have access to his T1, but he also wants the guy to not be able to access his network.

I could statically assign him an IP address on a different subnet, but he could easily get around that. Also, he doesn't want to spend any money on this.
My best thought so far is to use an old SMC router I have lying around and use that as his router and DHCP server.
 

owensdj (Golden Member, joined Jul 14, 2000)
mcveigh, a simple way to do this is just don't give him a user account on the office network. Let his computer be in its own workgroup. His computer can still get an IP address from the DHCP server so he could have Internet access, but he won't have access to any of the shares on the office server(s).

We really need to know more about the office LAN setup. Do you already have a router for the T1? Do you have a domain for the office LAN? Do you have a single Internet IP address and use NAT to let the office computers share the T1?
 

mcveigh (Diamond Member, joined Dec 20, 2000)
I have a router in there, a ZyWALL 10; the server runs Red Hat and is secure, but several workstations are wide open for people to share some info. This is a small business, about 10 computers, and some of the people have set up file sharing so co-workers can access files they have. (I don't approve, but it's their company.)
 

mboy (Diamond Member, joined Jul 29, 2001)
I believe you can set up ACLs on the ZyWALL. If so, just create a static IP for the lawyer's PC and create a Deny All rule from that LAN IP to the rest of the LAN. I would DUMP DHCP if you are using it and use static IPs for your entire network, since you have fewer than 15 PCs total. That way, even if he changes it, he still can't access the LAN PCs (just create his IP as the lowest IP # and then deny all to those above it).
 

cmetz (Platinum Member, joined Nov 13, 2001)
mcveigh, what kind of router does your friend have to his T1? If for example he has a Cisco 2610, add another Ethernet port NM; it'll be the easiest way. If not, it might be easiest to get one ;)

Another approach would be to build a real DMZ using SOHO gateways as firewalls:

Friend's network --- firewall ---|---- T1 router ---> outside world
                                 |
 Sublet network --- firewall ----|

(cheesy ASCII art is highly likely to get messed up through the web, sorry!)
 

mcveigh (Diamond Member, joined Dec 20, 2000)
The T1 router is some generic one, I think.... I only glanced at it. All I care about is that it's up. They have about 1/2 to 3/4 of the channels used for voice lines.

Mboy, I did set up some ACLs like you recommended; hopefully they will work. It will probably be a day or 2 since this guy is still moving in. I'll turn off the DHCP server at that time.
Thanks everyone! I'll post my results.
 

mboy (Diamond Member, joined Jul 29, 2001)
Set up a test PC and assign it the IP you will give that guy; then you can see if it works before he gets there. Why let it happen blindly? Either that, or explain to the company that since they have it set up the way they do, you can't guarantee you can block him from accessing your files until you can design their network properly.
 

mcveigh (Diamond Member, joined Dec 20, 2000)
Here's what I did:
I used the ACL function. I left DHCP on because this new guy also has 2 more computers, including a laptop.
I had to keep him on the same subnet to talk to the router. I gave the existing company static IP addresses from 192.168.2.2-49.
The router is 192.168.2.1; I let DHCP handle IP addresses from 192.168.2.50-100.
I created a rule to block all TCP traffic from 192.168.2.50 and higher from connecting to 2-49. I created another rule for UDP, and I created another rule blocking ports 1-5000.

So far it seems to be working :)
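The following is an added example, not code from anyone in this thread or from the ZyWALL itself. It models the source-address ACL approach mboy suggested and the three rules mcveigh reported in the last post (TCP, UDP and ports 1-5000 from the DHCP range 192.168.2.50+ to the static company range 192.168.2.2-49), then runs a handful of constructed probe packets through them so the policy can be checked the way mboy recommended, before the tenant arrives. The rule matcher, the probe addresses and the "hardened" protocol-agnostic variant are assumptions for illustration; a real router's ACL semantics will differ in detail.

```python
"""Toy packet-filter model of the source-address ACLs discussed in the thread.

Constructed example: the address plan is the one from the last post, the rule
matcher is a hypothetical simplification of a SOHO router's ACL (first matching
deny wins, otherwise permit).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]

ROUTER = IPv4Address("192.168.2.1")
COMPANY: Range = (IPv4Address("192.168.2.2"), IPv4Address("192.168.2.49"))    # static company PCs
TENANT: Range = (IPv4Address("192.168.2.50"), IPv4Address("192.168.2.254"))   # DHCP pool and above


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def between(value, lo, hi) -> bool:
    return lo <= value <= hi


def deny(src: Range, dst: Range, protos=("tcp", "udp", "icmp"),
         ports: Optional[Tuple[int, int]] = None) -> Callable[[Packet], bool]:
    """Build a deny rule keyed on source range, destination range, protocol and optional dport range."""
    def matches(p: Packet) -> bool:
        return (between(p.src, *src) and between(p.dst, *dst) and p.proto in protos
                and (ports is None or (p.dport is not None and between(p.dport, *ports))))
    return matches


# The three rules reported in the thread: TCP, UDP, and ports 1-5000, tenant range -> company range.
REPORTED = [
    deny(TENANT, COMPANY, protos=("tcp",)),
    deny(TENANT, COMPANY, protos=("udp",)),
    deny(TENANT, COMPANY, protos=("tcp", "udp"), ports=(1, 5000)),
]

# Hardened variant (assumption): a single protocol-agnostic deny so ICMP is covered too.
HARDENED = [deny(TENANT, COMPANY)]


def decide(p: Packet, rules) -> str:
    """First matching deny wins; anything unmatched is permitted (router default allow)."""
    return "deny" if any(rule(p) for rule in rules) else "permit"


def evaluate(rules) -> dict:
    """Run constructed probe packets through a ruleset; returns probe name -> verdict."""
    tenant = IPv4Address("192.168.2.51")      # a DHCP lease from the tenant pool
    company = IPv4Address("192.168.2.10")     # a company PC with open shares
    peer = IPv4Address("192.168.2.11")        # another company PC
    outside = IPv4Address("203.0.113.7")      # documentation-range address standing in for the Internet
    probes = {
        "tenant_smb_to_company": Packet(tenant, company, "tcp", 445),
        "tenant_ping_to_company": Packet(tenant, company, "icmp"),
        "tenant_dns_to_router": Packet(tenant, ROUTER, "udp", 53),
        "tenant_web_to_internet": Packet(tenant, outside, "tcp", 80),
        "company_to_company": Packet(company, peer, "tcp", 445),
        # The caveat raised early in the thread: the policy keys on the source address alone,
        # so a host carrying an address inside the company range is indistinguishable from a company PC.
        "source_inside_company_range": Packet(IPv4Address("192.168.2.40"), company, "tcp", 445),
    }
    return {name: decide(p, rules) for name, p in probes.items()}


if __name__ == "__main__":
    for label, rules in (("reported", REPORTED), ("hardened", HARDENED)):
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {name:30s} {verdict}")
```

Two things the probes make visible: the reported rules stop SMB and other TCP/UDP traffic from the tenant pool to the company PCs while leaving DNS to the router and Internet access alone, but ICMP is not a TCP or UDP packet and passes until a protocol-agnostic rule is added; and because every rule matches on source address, the filter cannot tell hosts apart once one carries a company-range address, which is the reason the thread's other suggestions (a separate segment behind its own firewall, or dropping DHCP and denying from the tenant's fixed address) exist.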