LinuxQuestions.org


Woodsman 10-04-2013 10:36 PM

Isolating a single network computer
 
Looks like I need to learn Windows 7. Professional/work reasons.

Sigh. :)

I'm seeking advice from fellow Slackers who use Windows professionally. I'm concerned about security --- allow internet access yet ensure the new Windows system can't see my home network. I don't want to just deny access, I want the new system to see nothing of my home network.

At this point I don't know whether I can use a virtual machine (VM) or will need or be provided a separate physical machine. A VM using VirtualBox NAT mode would be an easy solution. Otherwise new territory for me to isolate the system yet still allow internet access.

My home network looks like this:

Code:

3 Computers <--> Linksys WRT54GL 1.1 (DD-WRT) <--> ISP VOIP router <--> ISP CPE <--> wonderful wacky web
                                        ^
                                        |
3 Computers, Printer <--> 1Gb Switch <--|

New computer --> ?

I can provide further details about my network as requested.

All links and advice welcomed. As always thanks for any help! :)

NoStressHQ 10-04-2013 10:48 PM

What do you mean by "isolating" exactly? Why don't you want Windows to "see" the LAN? Do you have a specific worry or is it just a MS scare?

I use Windows professionally, and have Slackware as a hybrid native/VM guest, and I don't take any particular care about "paranoid security". I don't even have any antivirus system: they slow down my compile time too much (I compile HUGE projects). I just take care of my internet usage and what I install on my computer.

As far as there's a "gateway" and my Linux machines have selected services and open ports, I might be "crazy" but I don't feel any risk. Moreover I also count on being "partly anonymous", I'm not famous with a direct open machine on the internet, I doubt being targeted as an individual.

Besides, I still have some tools to check for malware and viruses on demand, only when I have some suspect software, which happens once in a... decade? :)

But if I can give you a hint for your question, not being sure if it answers your concern, you might want to set up some kind of VPN.

Garry.

Edit: in fact when I say I'm not paranoid it's not totally true, I really don't trust antivirus corporations :).

Edit2: sorry if it was blurry, I'm not telling you there's no risk and that you shouldn't care, my question is "naive", in that I'm curious if you're thinking about a particular risk that I'd be blind to :).

volkerdi 10-04-2013 10:50 PM

The best way to do that is probably to put the Windows machine on an isolated vlan. Do a Google search for dd-wrt isolate computer vlan, and you'll find lots of instructions.

One word of advice... make sure the Windows machine is wired directly to the DD-WRT router. If it shares some other switch with other computers on your network it might be possible for it to get around the restrictions.

Woodsman 10-05-2013 02:22 PM

Thanks Pat! I needed a few hours of reading to grasp the new topic, but vlan seems to be what I am seeking. After reading I also understand your point about true isolation. I'm glad there are so many clever people in the world who think of these kinds of ideas. :)

I'm still hoping I can run everything from a VM, but if not then a vlan seems ideal. My router and switch ports are full so if a new computer is required rather than a VM then I'll have to buy a new switch anyway. I'll get a managed switch and likely install that between my router and VOIP router. That would keep the new system on a different subnet from my LAN as well as provide isolation.

In the meantime I can experiment and learn with my existing systems using the vlan options in dd-wrt. Even more cool, I think I read enough to appreciate that I likely can now create a guest wireless network for family when they visit to keep my LAN isolated.

jon lee 10-05-2013 02:55 PM

I believe the easiest way is to use a gateway that allows multiple subnets (like pfsense), and of course to put it on a different subnet (i.e. 10.1.x.x if your home LAN is 192.168.x.x).

Edit: Apparently you can do it with dd-wrt. Looks scary.
http://www.coertvonk.com/technology/...-networks-5829

Paulo2 10-05-2013 05:24 PM

I don't have any experience with IPv6, but I've read discussions that since Windows 7 (or Vista) IPv6 comes enabled by default, so some people say that they block IPv4 but Windows hosts can access the local network through IPv6.
I don't know if this is true, just saying what I've read :)
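
An added example, not part of any post in this thread: a small Python audit that reads saved `iptables-save` and `ip6tables-save` output and reports the address families in which the isolated port can still open connections to the LAN, which is the gap Paulo2 describes. The interface names (`vlan3`, `br0`, `vlan1`) and both rule dumps are constructed assumptions.

```python
import shlex

# Constructed iptables-save / ip6tables-save excerpts, not taken from the thread.
# Assumed interface names: vlan3 = isolated port, br0 = home LAN, vlan1 = WAN.
IPV4_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan3 -o br0 -j DROP
-A FORWARD -i vlan3 -o vlan1 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT
"""
IPV6_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -j ACCEPT
COMMIT
"""

def verdict(dump, in_if, out_if):
    """Conservative first-match verdict for a NEW connection routed in_if -> out_if.
    Only the FORWARD chain is modelled. Any ACCEPT that could match counts as
    reachable; a DROP/REJECT only counts if it has no narrowing match (-p, -s, ...).
    Negation, "+" wildcards and jumps to user chains are not handled.
    """
    policy = "ACCEPT"
    for line in dump.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]  # chain default when no rule matches
        if not line.startswith("-A FORWARD "):
            continue
        tok = shlex.split(line)
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-i", in_if) != in_if or opts.get("-o", out_if) != out_if:
            continue
        states = opts.get("--state") or opts.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue  # matches only established flows, not a new connection
        target = opts.get("-j")
        if target == "ACCEPT":
            return "ACCEPT"
        if target in ("DROP", "REJECT") and not set(opts) - {"-A", "-i", "-o", "-j"}:
            return target
    return policy

def leaking_families(in_if, lan_if, dumps):
    """Address families in which in_if can still open connections to lan_if."""
    return [fam for fam, d in dumps.items() if verdict(d, in_if, lan_if) == "ACCEPT"]
```

With the sample dumps, `leaking_families("vlan3", "br0", {"IPv4": IPV4_DUMP, "IPv6": IPV6_DUMP})` returns `["IPv6"]`. It models only traffic the router forwards; machines sharing a switch with the isolated computer never pass through these rules, as volkerdi points out.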


All times are GMT -5.