What is the best way to handle this type of scenario?
Setting: a small computer shop
1 inbound broadband line
I want to have a separate leg of the network where work on virused machines can be plugged into internet access for quickly and easily acquiring updates to anti-virus software and/or downloading utilities as needed.
It would seem less than prudent for these machines to share a hub with other machines that may contain important data.
Should I do something like this:
Router 1
Router 1 has 3 connections:
1 to the internet connection provider,
1 to an 8-port hub,
another to a second router.
Virus machines could be plugged into the hub for access as needed, any other machines would be on the clean side of the second router so the router firewall should repel any stray attempts to access other machines on the network.
Would something like this serve adequately, or do I need something more complex? I am only talking about a network which will handle at most maybe 20 machines that will have to do little more than share a few files and/or a printer and have internet access. No mail servers or fancy cross-network apps to worry about; probably only 1-2 machines will have any truly valuable data on them in the way of customer records and/or accounting info, and they would once again be on the far side of the second router, if not a third, to isolate them from the rest of the tech work machines.
Technically, you want a firewall in between your office PCs and the test PCs. Essentially, the test PCs should be on the firewall’s DMZ. Find yourself an old PC with 3 NICs and set up a firewall like Smoothwall and set that directly on the internet link. And then put layers of defence behind that. You should be doing that anyway.
That said, I’d strongly advise speaking to your ISP about a second line. You don’t want your main IP address blacklisted because a customer’s machine starts spewing spam, and neither do they want theirs. They may have a special IP address range for this sort of thing.
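As an added illustration (not part of the thread or of Smoothwall), here is the forwarding policy for the three-NIC firewall described above, modelled in Python as a default-deny, first-match rule set with a helper that renders it as nftables-style forward-chain rules. The zone names (`wan`, `lan`, `test`), the interface names (`wan0`, `lan0`, `test0`) and the ports allowed out of the test leg are assumptions chosen for the example; the point it demonstrates is that the test leg can reach the Internet only for updates and can never initiate a connection into the office LAN, while the office LAN may reach both.

```python
# Added example: zone-based forwarding policy for a three-legged firewall.
# Zone names, interface names and allowed ports are assumptions for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed mapping of firewall zones to interfaces.
ZONE_IFACE = {"wan": "wan0", "lan": "lan0", "test": "test0"}


@dataclass(frozen=True)
class Flow:
    """The first packet of a new connection crossing the firewall."""
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_zone: str               # "*" matches any zone
    dst_zone: str
    action: str                 # "accept" or "drop"
    proto: str = "*"
    dports: FrozenSet[int] = frozenset()   # empty set = any port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.src_zone not in ("*", flow.src_zone):
            return False
        if self.dst_zone not in ("*", flow.dst_zone):
            return False
        if self.proto not in ("*", flow.proto):
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


# First match wins: the most restrictive rules come first, default drop at the end.
POLICY = (
    Rule("test", "lan", "drop", comment="infected test leg never reaches the office LAN"),
    Rule("test", "wan", "accept", "tcp", frozenset({80, 443}), "AV signatures, patches, utilities"),
    Rule("test", "wan", "accept", "udp", frozenset({53}), "DNS for the update servers"),
    Rule("lan", "wan", "accept", comment="office PCs browse freely"),
    Rule("lan", "test", "accept", comment="techs may push tools onto test machines"),
    Rule("wan", "*", "drop", comment="nothing unsolicited from the Internet"),
)
DEFAULT_ACTION = "drop"


def evaluate(flow: Flow, policy=POLICY) -> Tuple[str, str]:
    """Return (action, reason) for a new flow under first-match semantics."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "default policy: drop"


def to_nft(policy=POLICY) -> str:
    """Render the policy as nftables forward-chain rules (illustrative syntax)."""
    lines = ["ct state established,related accept"]  # replies for already-accepted flows
    for r in policy:
        parts = []
        if r.src_zone != "*":
            parts.append(f'iifname "{ZONE_IFACE[r.src_zone]}"')
        if r.dst_zone != "*":
            parts.append(f'oifname "{ZONE_IFACE[r.dst_zone]}"')
        if r.proto != "*":
            ports = ", ".join(str(p) for p in sorted(r.dports))
            parts.append(f"{r.proto} dport {{ {ports} }}" if ports else r.proto)
        parts.append(r.action)
        parts.append(f'comment "{r.comment}"')
        lines.append(" ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [
        Flow("test", "lan", "tcp", 445),    # infected box probing office file shares
        Flow("test", "wan", "tcp", 443),    # fetching AV signatures
        Flow("test", "wan", "tcp", 25),     # would-be outbound spam from an infected box
        Flow("lan", "wan", "tcp", 25),      # office mail client
        Flow("wan", "lan", "tcp", 3389),    # unsolicited inbound from the Internet
    ]
    for f in samples:
        print(f, "->", evaluate(f))
    print(to_nft())
```

Because the policy only ever accepts new connections from `test` toward `wan` on the update ports, an infected machine on the test leg cannot send mail directly (port 25 is dropped), which also addresses the blacklisting worry raised above; the `ct state established,related` line at the top of the rendered rules is what lets reply packets for accepted connections flow back.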
You also might want to consider setting up a sandbox network where the infected machines have no connection to the outside world, and instead talk to a sort of reverse bastion host that is holding the Microsoft service packs and patches, AV signatures, etc.
This would prevent compromised machines from sending out spam or other attacks to the world. Of course, you’ll have to take very good care of the bastion host to prevent it from being compromised since it’s being deliberately exposed to all manner of possible attack.
You may have liability for damages caused by outbound attacks by machines you knowingly connected to the Internet.
Even if not, you’re breaking rule #1 by having them connected to the net.
I’m suggesting jump drives and burning CDs.
Or, yeah, firewalled bastion host. I recommend Ghosting the bastion, so when it does get infected you can rebuild and regroup in 15 minutes.
For no really good reason, the wireless APs on my network (linked up to my main router) are open. To prevent problems with this, they’re configured to allow only POP, SMTP, FTP and HTTP traffic through them.
This means the worst that can happen is someone directly sends spam, which is fairly unlikely given the neighbourhood. After rebates the wifi routers were only about $10 - I imagine for testing purposes you could get away with something similar.
I would hesitate to ever connect known infected machines to the internet.
Seems like it would be much safer to only have ‘good’ machines connected, and download the latest anti-virus utilities to one of them, and write it onto a CD, which you can then use to clean the dirty machines. I’d think that would also save you time; instead of downloading it for each machine, you just maintain a CD full of the most current anti-virus software, and use that on each machine you work on.