Employee Personal Internet Access suggestions 2

Status
Not open for further replies.

DanielUK

IS-IT--Management
Jul 22, 2003
343
GB
Hi,

We have a small 20 or so win2k office network. I'm looking at a better way of managing employee access to the internet for personal use. Up till now they've been able to browse using the work machines but I'm mindful that needs to change.

One idea I am thinking of is to have a completely separate PC that is not joined to our domain but is still able to access the broadband router. However, when I do this and point a workstation at the fixed IP address of the router, I can still see the domain from explorer. The fact it can be seen means it can be accessed with domain account details, the very thing I'm trying to avoid.

Question is, using one broadband router, can I make the standalone machine only be able to see the router and not the domain?

The other idea is a separate router and phone line but that's too expensive for what is really a privilege.

Is there another secure way to achieve this?

Thanks

Dan



 
Unless you plan to put in separate networking infrastructure, you're going to have an issue with what you want to do. As long as you're using the same network infrastructure, they are going to be able to see and use the domain resources, especially if they have domain credentials.

For such a small office, what you should look into is getting a device that will act as an internet gateway for your users. This can be a standalone device, or a server that acts as a proxy for your internet access. This proxy server could then be used to allow or deny internet access as your business sees fit.

Good luck,
 
Thanks, I'm trying to keep it as simple as possible so I'll look into a proxy.

We have recently acquired a managed router (HP Procurve) and a Sonicwall firewall device. I'm thinking that between them I could block this standalone pc from accessing network resources but I'm not sure how secure it would be ultimately...am I being too paranoid?

Thanks

Dan
 
Personally, yes, I think you're being too paranoid. If you have a firewall and up-to-date anti-virus and anti-spyware protection for your users, you've gone a long way to protecting them on the internet. Giving them safe browsing guidelines and communicating it to them often is the best way to protect your network. Your users are your weakest link so making sure they understand WHY and HOW to be safe on the internet, and communicating it to them on a regular basis (we send out monthly bulletins/reminders) is wise.

As for the router and Sonic firewall you just acquired, you certainly could use that to segment out the stand-alone PC so that it can only access the internet. What you would really use it for is to segment out the rest of your network so that it can NOT access the internet though. I'm not too familiar with the Sonic firewall though but there may be a forum here just for that. You should check.

Good luck,
 
I set up a separate computer (a very old laptop) in our lunchroom specifically for personal internet use during breaks and lunch. It's got a wireless card and connects to a wireless router on the DMZ. It doesn't see the network, the network doesn't see it. Because it's still passing through the firewall, it is still protected by the content filter that we manually maintain. However, because it's not on the network, I had to put a separate AV software on it because our enterprise virus server can't see it.

The users think 'it's really cool' to have the laptop in the lunchroom, and it's keeping my internet statistics looking like business stats. :)

HTH!
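
The isolation described in this thread (the lunchroom PC reaches the internet, cannot reach the office network, and is not reachable from it) can be checked against a firewall rule table before it is deployed. The following is an added example, not part of any post above and not SonicWall or ProCurve syntax; the subnets, addresses, and the first-match rule model with a default deny are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")     # constructed: office/domain subnet
DMZ = ipaddress.ip_network("192.168.50.0/24")    # constructed: lunchroom PC subnet
ANY = ipaddress.ip_network("0.0.0.0/0")

def decide(rules, src, dst):
    """First-match evaluation with an implicit default deny (assumed model)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Probes that express the isolation requirement: (description, src, dst, expected)
PROBES = [
    ("kiosk -> domain controller", "192.168.50.10", "192.168.1.5", "deny"),
    ("office PC -> kiosk", "192.168.1.20", "192.168.50.10", "deny"),
    ("kiosk -> internet", "192.168.50.10", "203.0.113.80", "allow"),
]

def audit(rules):
    """Return the probes whose outcome differs from the requirement."""
    return [name for name, src, dst, want in PROBES
            if decide(rules, src, dst) != want]

# Weak: the broad allow matches first, so the LAN deny below it is never reached.
WEAK = [
    ("allow", DMZ, ANY),
    ("deny", DMZ, LAN),
    ("deny", LAN, DMZ),
]

# Corrected: the specific denies come before the broad allow.
FIXED = [
    ("deny", DMZ, LAN),
    ("deny", LAN, DMZ),
    ("allow", DMZ, ANY),
]

if __name__ == "__main__":
    print("weak :", audit(WEAK))
    print("fixed:", audit(FIXED))
```

The weak table fails only the first probe, which is the case the original question is about: a standalone PC that can still reach domain resources.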
 
That's a great idea especially for a small company Dollie. We have 5000+ employees here. :)
 
Thanks Dollie, I presume that the wireless router is on a different broadband line or are you sharing it?

Thanks for the idea!

Dan
 
We have multiple internet connections coming in, and the wireless is on the DSL line. I originally did it just so the old cranky laptop would have something to do, but it's turned into a source of entertainment during lunch (no Youtube or streaming video limits on that one connection).
 