secure area within my network for external laptops ?

Status
Not open for further replies.

sebjenkins

Technical User
Jan 8, 2003
164
GB
Hi,

We regularly get external visitors into our company who come in for meetings and presentations.

Normally if they are showing a PowerPoint presentation then they can do this from their laptop standalone.

However we are getting more and more people coming in who need to do online presentations and demos on the web, and so connect their laptops to our network.

We have no control over these laptops and it may be that their virus definitions are out of date or their Windows files have not had the latest security updates applied.
I think we had a case recently where an external laptop was plugged into our network and started spreading a virus.

I want to find out the options for setting up a small network within my network for these external users, which has an active virus scanner on it to screen any machines connected to it and scan them live before they get through to the rest of the network.

I don't know if this is possible, or if I'm talking rubbish, or if there is a better solution someone has in place.

Any suggestions would be greatly appreciated !

Many thanks
 
You don't need anything fancy - get your preferred brand of combination WAP/Router/Firewall appliance, and plug the WAN port into your local network. Configure the isolated network with a different subnet, have the appliance hand out DHCP addresses, and configure no port forwarding or DMZ pinholes. This way the people plugged in via this isolated network will still have internet access, but will not be able to see anything on your main network.
 
Thank you for taking the time to respond to my post.


How about possible virus spreading to other parts of my network? Will this setup prevent this from happening?

Presumably, as I need a device with a WAN port, a hardware firewall/router is required and a software option is not suitable?

Thanks in advance.
 
Ok, I see your point. In order to have the isolated subnet able to make outgoing requests, it needs to be plugged into the LAN side of the appliance, meaning outgoing traffic (i.e. traffic going to the LAN) isn't filtered - just traffic going the other way.

So I guess my question would be; are you familiar with Linux at all? There are two ways I would do this.
1) A Linux box running Squid with ACLs limiting which ports traffic will flow to.
2) OpenBSD running PF, with redirects to a non-existent address for outgoing traffic on ports other than 80 and 443.

The Linux box would probably be the easiest - just make sure it has 2 NICs and at least 128MB of RAM (Squid is resource hungry), and you can run it on any old box you have lying around. Do a default install of Debian, then run apt-get to grab squid (apt-get install squid). Using Webmin ( makes managing Squid pretty simple, primarily for generating your ACLs. (Webmin is also available with APT, but it's a limited version, so you'll need to upgrade it, which can easily be done from within Webmin itself.)

Once you had that done, I'd just be sure that the isolated subnet wasn't plugged into the main hub structure (for fear of DCOM vulnerabilities, etc.) and you should be good. Hand out IP addresses with no gateway, and force users to use the proxy settings in their browser.
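The proxy-only arrangement described in this reply (guests get an address but no default gateway, and the only way out is Squid with ACLs that restrict which ports traffic may flow to), written out as a squid.conf fragment. This is an added example, not configuration from the original thread; the guest subnet 192.168.50.0/24, the proxy address 192.168.50.1, and the assumption that the corporate LAN lives in RFC 1918 space are all assumptions chosen for illustration.

```conf
# Added example squid.conf fragment for the guest-only proxy.
# Assumptions: guests sit on 192.168.50.0/24, the proxy box's guest-facing
# NIC is 192.168.50.1, and the corporate LAN uses RFC 1918 addresses.

# Bind only to the guest-facing interface so the corporate side of the
# box never exposes a proxy port.
http_port 192.168.50.1:3128

# Who may use the proxy, and where they may not go.
acl guests     src 192.168.50.0/24
acl corp_nets  dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Only plain web and TLS leave the guest subnet.
acl web_ports  port 80 443
acl tls_port   port 443
acl tunnel     method CONNECT

# http_access rules are evaluated top to bottom; the first match wins.
# 1. Guests can never reach the corporate LAN through the proxy.
http_access deny corp_nets
# 2. CONNECT is allowed only to 443, so the proxy cannot be turned into a
#    generic TCP relay (SSH, SMTP, etc.) by pointing CONNECT at other ports.
http_access deny tunnel !tls_port
# 3. Everything that is not port 80 or 443 is refused.
http_access deny !web_ports
# 4. What is left is permitted for the guest subnet only.
http_access allow guests
# 5. Default deny. In Squid 2.x "all" must be declared first with
#    "acl all src 0.0.0.0/0"; from Squid 3.2 it is predefined.
http_access deny all
```

The order of the deny lines is what makes this safe: an `allow guests` placed above them would match first and the later denies would never be consulted. Hand out the guest DHCP scope with no router option and no corporate DNS server; a browser pointed at 192.168.50.1:3128 does not need either, because Squid resolves names itself, and a laptop that ignores the proxy setting has no route anywhere. Two caveats remain: the proxy box straddles both networks, so it must be patched like any other perimeter host, and nothing here stops guest laptops on the same subnet from attacking each other.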
 
Get a dedicated Broadband line & router. This is very cheap nowadays compared to the cost of cleaning up after viruses, or building defences against security threats. Keep all those external laptops away entirely from your network.
 
