Can I get some advice on this: In a small office, there is a DSL line with a Linksys router/4 port switch.
Currently one office group (3 PCs) uses this DSL for their PCs.
What hardware or appliance would I use to add a SEPARATE group of 4 PCs to share the DSL connection, but keep the new office workgroup isolated from the original 3 PCs for security?
If I just added an uplink switch to the Linksys router, then ALL PCs can see each other; this is NOT what I want. I want two separate subgroups.
Is something like the Linksys BEFSX41 which has Stateful Packet Inspection enough? Or do I need to consider other security appliances such as Sonicwall TZ 150 or Checkpoint Safe @ Office 105, etc?
All computers in the small office are Windows XP (SP2 and up to date), using peer to peer. One Windows XP Prof acts as a peer-to-peer "server" for documents and databases. All PCs have Norton 2005 Antivirus. The Internet is used for proprietary financial software updates. No funny stuff. We scan for spyware regularly and back up regularly.
My main concern was the other subnet/workgroup (which is a different company/business) seeing or accessing our PCs, since I have no idea if or how they are protected. I don't want some worm or virus from the other group getting into our PCs.
Forgot to mention, there is no email server, no ftp access, no vpn. Just small office sharing internal files over peer to peer, and accessing Internet for info and updates and normal email via ISP.
I don't consider the cheap firewalls worth purchasing if you want to run an office or commercial space, the TZ series is not something I would purchase for any customer. I have a strong fondness for WatchGuard and would purchase a X700 for a company/commercial site, but they run about $1900.
Unless you want to do HTTP filtering, attachment removal (on inbound SMTP to the mail server), etc., you can get by fine with a cheap NAT router in most cases. You really need to monitor the Linksys unit logs (use Wall Watcher).
I've got a number of customers that use the BEFVP41 unit for the IPSec tunnels to the home office, none of them have port-forwarding, but none of them have been compromised.
If you do the poor-man's DMZ/LAN using double routers, you won't have much in the way of problems. Again, the router is not a firewall and has nothing to stop users from running malicious code on web/ftp sites or from running infected email.
If you run your own email server, make sure that you remove any attachment that can't be virus scanned or that could be executed before it gets to the user's email box (GFI and Symantec make good products for this).
If you have a web/ftp server, make sure you lock it down: follow all the MS directions (or for the OS you use). I use FileZilla Server for FTP as I don't like the limited configuration options that you get with IIS on Windows.
What we need to know is what you are running inside that could be compromised and what services you allow your users to use: what OS, what virus protection, etc.
We set up a multi-tenant office space (2 floors, 6 different companies); we got a T1 for the building and 16 public IPs. We set up a single Linksys router for each, giving them each a PUBLIC IP, but no inbound forwarding, and none of them have the admin password to the routers (and they are locked in a closet where only the building owner has a key).
If you want to have both groups completely isolated from each other, you need two IPs, one for each router, like this:
/24 means that the first 24 bits (255.255.255.x) are the mask. A mask is applied in binary; each of the 4 octets represents 8 bits:
11111111.11111111.11111111.11111111 = 255.255.255.255
A /24 would be 255.255.255.0, a /16 would be 255.255.0.0, and a /8 would be 255.0.0.0.
Just a question, if I were to enter the address of one (or more) of the LAN2 machines in the LMHOSTS file of my LAN1 machine, would that LAN1 machine see the others?
I understand that Zyxel routers have an IP ALIASDIS command to disable IP routing between alias interfaces (so far, I know that the Prestige 650HW has it).
Does anybody know if a similar facility is implemented in cheaper run-of-the-mill routers?
The only way the outer LAN can get to the inner LAN is if you open ports on the inner LAN. The inner LAN (LAN 2) has no unsolicited inbound means of access, so unless your LAN 2 machines contact LAN 1 machines, LAN 1 machines can't talk to LAN 2 machines.
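The mask arithmetic in the earlier reply and the "no unsolicited inbound" behaviour in the reply just above, modelled as a small script. This is an added example written for this page, not code from any of the posters or from a router vendor. The addresses (192.168.1.0/24 for the outer group, Router B's WAN at 192.168.1.2, 192.168.2.0/24 for the inner group), the hosts, the ports and the assumption that the NAT keeps the inner source port unchanged are all constructed for the illustration; real Linksys firmware may rewrite source ports.

```python
import ipaddress
from dataclasses import dataclass, field


def prefix_to_mask(prefix: int) -> str:
    """Expand a CIDR prefix length into a dotted-decimal mask.

    /24 -> 11111111.11111111.11111111.00000000 -> 255.255.255.0
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    bits = "1" * prefix + "0" * (32 - prefix)
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when both addresses fall in the same /prefix, i.e. one broadcast domain.

    This is what happens if you just uplink a second switch: everyone shares
    the subnet and can see everyone else.
    """
    mask = int(ipaddress.ip_address(prefix_to_mask(prefix)))
    return (int(ipaddress.ip_address(a)) & mask) == (int(ipaddress.ip_address(b)) & mask)


@dataclass
class NatRouter:
    """A consumer NAT router: the LAN side can open flows out, the WAN side is closed.

    Assumed simplification: the NAT preserves the inner source port, so a reply
    is matched on (proto, remote ip, remote port, inner port). Anything else
    arriving on the WAN side is dropped unless a port-forward rule exists.
    """
    wan_ip: str
    lan_net: str
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (inner_ip, inner_port)
    state: dict = field(default_factory=dict)     # (proto, remote_ip, remote_port, inner_port) -> inner_ip
    log: list = field(default_factory=list)       # what a log watcher would show you

    def outbound(self, inner_ip, inner_port, proto, remote_ip, remote_port):
        """An inner host initiates a flow; record it so the reply is admitted."""
        if ipaddress.ip_address(inner_ip) not in ipaddress.ip_network(self.lan_net):
            raise ValueError(f"{inner_ip} is not on the LAN side {self.lan_net}")
        self.state[(proto, remote_ip, remote_port, inner_port)] = inner_ip
        return True

    def inbound(self, remote_ip, remote_port, proto, wan_port):
        """A packet hits the WAN side. Returns ((inner_ip, inner_port) or None, reason)."""
        key = (proto, remote_ip, remote_port, wan_port)
        if key in self.state:
            return ((self.state[key], wan_port), "reply to an established outbound flow")
        if (proto, wan_port) in self.forwards:
            return (self.forwards[(proto, wan_port)], "explicit port-forward rule")
        self.log.append(f"DROP {proto} {remote_ip}:{remote_port} -> {self.wan_ip}:{wan_port}")
        return (None, "unsolicited inbound dropped")


# Constructed topology: Router B is the second router, plugged into Router A's LAN.
LAN1_PC = "192.168.1.10"  # original group, outer LAN (Router A's LAN side)
LAN2_PC = "192.168.2.10"  # new group, inner LAN behind Router B


def build_router_b(forwards=None):
    return NatRouter(wan_ip="192.168.1.2", lan_net="192.168.2.0/24", forwards=forwards or {})


def lan1_probes_lan2():
    """A LAN 1 PC (or a worm on it) tries SMB 445/tcp at Router B, unsolicited."""
    return build_router_b().inbound(LAN1_PC, 40000, "tcp", 445)


def lan2_opens_then_reply():
    """A LAN 2 PC contacts a LAN 1 PC first; the reply is let back in."""
    rb = build_router_b()
    rb.outbound(LAN2_PC, 50000, "tcp", LAN1_PC, 80)
    return rb.inbound(LAN1_PC, 80, "tcp", 50000)


def lan1_with_forward():
    """The isolation is only as good as the forwards you add: forward 445 and LAN 1 gets in."""
    rb = build_router_b(forwards={("tcp", 445): (LAN2_PC, 445)})
    return rb.inbound(LAN1_PC, 40000, "tcp", 445)


if __name__ == "__main__":
    print(prefix_to_mask(24), prefix_to_mask(16), prefix_to_mask(8))
    print("one flat switch:", same_subnet(LAN1_PC, "192.168.1.20", 24))
    print("double router:", same_subnet(LAN1_PC, LAN2_PC, 24))
    print("LAN1 -> LAN2 unsolicited:", lan1_probes_lan2())
    print("LAN2 -> LAN1 then reply:", lan2_opens_then_reply())
    print("with a 445 forward:", lan1_with_forward())
```

Note that the protection is one-directional, exactly as the reply says: LAN 2 hosts can still reach LAN 1 hosts, and every port-forward you add on Router B is a hole the outer group can use. The `log` list is where a tool like Wall Watcher earns its keep, since the dropped probes are your only early warning that the other tenant is scanning you.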
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.