LinuxQuestions.org
Old 09-16-2011, 02:57 PM   #1
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Adding a company computer to a home network


I am being asked to consider using a company supplied computer to provide remote access to that network from my own office. I don't own the necessary software licenses to set up a virtual machine to connect to that external network and we have agreed that using a preconfigured computer is a better option. The computer will be used for limited purposes to access and download specific files and possibly instant messaging through the company network.

The company computer will run Windows XP.

Security concerns immediately arise. As the company computer is the property of other people, they control the software on that computer. I respect their ownership and property. Yet I own my LAN and have standing to protect my computers.

I'll need to transfer files from the company computer to my office computer. That means using the same subnet and creating a single shared directory on one of the computers. For security purposes I could play sneakernet with a USB flash drive, but, oh, let's not discuss that.

My first option (with permissions from the owners) is to create a shared directory on the company computer from which I can transfer files to my office computer.

If that is not possible or allowed then I need to create a shared Samba directory on my office computer.

The challenge is I want to ensure the company computer can't see any directories or files other than the one that is shared and is unable to access the remaining computers in my LAN. All of my computers use NFS and Samba. I need to ensure the company computer can't find any of those shared directories. Ideally, the company computer would not see the other computers. The company computer would see only the one shared Samba directory on my office computer and nothing else.

My home LAN is behind a Linksys WRT54GL 1.1 router/switch running DD-WRT firmware. I use static IP addresses. Currently I do not have wireless enabled on the router.

All of my LAN computers use Slackware and an iptables firewall. I consider all traffic within my LAN subnet to be safe, but adding this company computer ends that presumption. SSH is enabled on all of my systems. I use keys rather than passwords.

I probably will want to use VNC to view the company computer desktop. The company computer will be a laptop. I don't get along with tiny screens.

Although there is a level of trust involved, I prefer to be paranoid with connecting this company computer.

I can set up a virtual machine to test any ideas offered.

I appreciate any help and ideas.

Thanks!
 
Old 09-16-2011, 03:13 PM   #2
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385


Hi Woodsman,

Alright, before going in depth, could you please let us know how the physical connections would be? I mean the company computer will be in your office LAN. How will company guys have access to this company computer? Will that be over a public connection or VPN? As you said that you want this company computer to only see the shared Samba share, that I think is possible by allowing only this computer to communicate over ports 139 and 445 to the system that has the shared directory configured.

You can block ports in your other office systems' iptables to prevent this company system from communicating with them, like SSH, NFS, HTTP etc.

It will be great if you could give us a rough idea of how your network currently looks. After that we can decide where this company system will fit.
 
Old 09-16-2011, 08:51 PM   #3
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
I have 5 computers in my LAN. All computers are hard-wired. There are no wireless systems. Two systems are connected through a 1 Gbps switch. The 1 Gbps switch and other three (10/100) computers are connected to the switch on the Linksys router/switch. All systems use static IP addresses on the same subnet. The router connects to the ISP CPE.

I am the only one who will use the company computer. Using that computer requires a login ID. The company computer will connect to their network using Juniper VPN client software and https. I would have to use an RSA SecurID token to gain access to their network with their supplied computer.

Being connected to my router means the company computer is on the same subnet as all of my machines. Being on the same subnet means the company computer can see the other machines. I don't mind that as I need to transfer files --- I just want to ensure nobody in the company can sneak in and snoop or tinker. I do know from working with these folks on site that IT personnel can remotely access any system in their network. I presume they can remotely access any computer they provide me too. Hence my desire to sandbox that machine as much as possible.

Thanks.
 
Old 09-16-2011, 09:44 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

When I have to use a company provided laptop (at home), I ensure either:
- all other machines are off, or
- no sharing is active.

I have faith in my firewalling, but I don't trust any build of M$oft I didn't do myself.
 
Old 09-16-2011, 10:04 PM   #5
EdGr
Member
 
Registered: Dec 2010
Location: California, USA
Distribution: I run my own OS
Posts: 998

I have two networks: a wireless network that connects a company laptop and a personal laptop to the Internet, and a wired network that connects the same personal laptop and two personal desktops to each other.

The wireless network is untrusted: my personal laptop has an iptables firewall that filters out incoming requests from the Internet, the company laptop, and anyone who may break in to the wireless. The wired network is trusted and connects only computers owned by me.

The company laptop and personal laptop can both access the Internet, but can't talk to each other. The company laptop runs VPN software that prohibits local connections while the VPN is in use.

I don't need to transfer files between the company laptop and my personal laptop, but if I did, I would open up the personal laptop's iptables firewall to allow incoming requests and turn off the company laptop's VPN.

My employer doesn't want company information to leak out onto hardware not owned by the company, and I too don't want my personal information to leak out onto hardware not owned by me. Having separate networks was the most reliable way to implement that.
Ed
 
Old 09-16-2011, 10:18 PM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

Thinking about it, separate network segment is a much better option.
Why don't we all just insist they provide a mobile broadband card with the laptop?

Might try that next time I'm told I have to use their kit ...
 
Old 09-16-2011, 11:09 PM   #7
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Quote:
The company laptop runs VPN software that prohibits local connections while the VPN is in use.
That makes sense. For the moment I'll presume this computer will be configured likewise.

Quote:
My employer doesn't want company information to leak out onto hardware not owned by the company
That makes sense too.

Quote:
I too don't want my personal information to leak out onto hardware not owned by me. Having separate networks was the most reliable way to implement that.
Which is where I am with this proposal. Their computer belongs to them and my computers belong to me.

Before posting I had thought about different subnets. I don't want to enable wireless on my router, but I would consider the option if that is the only way I can create two different subnets without further expense.

File sharing through my own network is a convenience and not a necessity. I could waste my ISP bandwidth by sending myself emails from the company computer to my own computer. Seems lazy and could be expensive because my ISP imposes very low caps. So maybe I live with playing sneakernet on a USB flash drive. Security vs. convenience often is a trade-off.

Another thing I don't like with the company computer on the same subnet as my LAN is access to my router interface. Everything on the internet side is closed but any system connected to the LAN side on the same subnet can try to access the router interface. Yes I use a password, but the more I think about this proposal the more jittery I get. Sandboxing seems like the best security option.

Do I need a second router to keep the company computer isolated? Or is enabling wireless sufficient? Will that prevent the company computer from accessing my router interface?

Quote:
Why don't we all just insist they provide a mobile broadband card with the laptop?
Good idea but I'm in the boonies. No such luck around here.
 
Old 09-16-2011, 11:28 PM   #8
EdGr
Member
 
Registered: Dec 2010
Location: California, USA
Distribution: I run my own OS
Posts: 998

Quote:
Originally Posted by Woodsman View Post
Do I need a second router to keep the company computer isolated? Or is enabling wireless sufficient? Will that prevent the company computer from accessing my router interface?
Yes, you will need two.

I use a network switch and static IPs for the wired network. The wireless network uses a router. The company laptop can access the router's setup page, but could cause only limited damage since the router is on the untrusted network.

I should mention a possible downside to my setup is that the desktop computers on the wired network don't have Internet access (but can ssh into the laptop when needed).
Ed
 
Old 09-17-2011, 12:31 AM   #9
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Quote:
The company laptop can access the router's setup page, but could cause only limited damage since the router is on the untrusted network.
Let's see whether I understand this:

1. My LAN needs internet access. All LAN systems stay connected as is to the existing router. None of that changes.
2. The second router is configured with a different subnet.
3. The second router would be configured to use the first router as the internet gateway.
4. The company computer has access to the second router's setup page, but not the first.
5. Somebody remotely accessing the company computer could tinker with the second router's setup but not the first.

How does this setup prevent the company computer from having access to the existing router's setup page?

How about setting up a VirtualBox machine with IP forwarding and a different subnet? The company computer accesses the internet through that virtual machine. Would that sandbox the company computer?

Or perhaps in my primary office machine add a second NIC on a different subnet and enable IP forwarding? The company computer would connect to that second NIC. Would that prevent the company computer from seeing my LAN subnet?

Last edited by Woodsman; 09-17-2011 at 12:40 AM.
 
Old 09-17-2011, 08:47 AM   #10
EdGr
Member
 
Registered: Dec 2010
Location: California, USA
Distribution: I run my own OS
Posts: 998

Here is my setup:

Code:
+---------+                                      +--------+
|DSL modem|                                  +---+Personal|
|Internet |                                  |   |Desktop |
+---+-----+                                  |   +--------+
    |     (untrusted)                        |
    |    +-+--------+    +-+--------+    +---+--+
    +----+F|Wireless+----+F|Personal+----+Wired |(trusted)
         |W|Router  |    |W|Laptop  |    |Switch|
         +-+---+----+    +-+--------+    +---+--+
               |                             |
           +---+----+                        |   +--------+
           |Company |                        +---+Personal|
           |Laptop  |                            |Desktop |
           +--------+                            +--------+

The iptables firewall at the personal laptop blocks incoming requests to my computers. The router also has a firewall, but it is redundant for the personal laptop. Only the personal laptop and company laptop have Internet access.

This setup works for me, but may not do what you want. It evolved from an older network (the wireless router and DSL modem were once a dial-up modem). This arrangement is secure.

I'm not a networking expert, but I know from experience that placing two routers in series leads to problems (Google double-NAT problem). I hope this helps.
Ed

Last edited by EdGr; 09-17-2011 at 08:48 AM.
 
Old 09-17-2011, 09:55 AM   #11
jason_not
Member
 
Registered: Aug 2010
Location: Beaverton, Oregon, USA
Distribution: Pfsense, Ubuntu, Centos, Fedora, Redhat, Scientfic, MacOS
Posts: 76

Hello,

My last company had a similar solution, but my old IT department didn't provide any answers. Thus, I provided one for them, and circulated it to everyone, with IT's unofficial blessing. In fact, they were happy to have the design, because it reinforced their own security model.

First, I don't trust my IT departments to have my personal interests, thus I don't rely on any of their firewall settings on their systems in my house. So I isolate the work systems away from my personal ones with a separate firewall. You can use your own Linux laptop as a router/firewall, but I prefer stand-alone units. There are any number of decent firewalls out there, many of them with built-in switches. I personally use pfSense where I can.

I recommend building a separate network, with a separate IP subnet. You can look at this as putting the company XP system on a DMZ. The company system will be behind your house's firewall. Don't use what the home-firewall systems call a DMZ: that is little more than a host on the same LAN that gets all external internet traffic. The new stateful gateway/firewall will be between this DMZ and your private LAN. Your networks can be wired, or wireless: you choose. I will include a PDF drawing for illustration.

Ed refers to a problem with double NAT and wiring routers in series. Turn NAT off on the second firewall and this will not be a problem: you don't want it anyway. Routers on the internet are all wired in series: that's just the way they all work. By turning off NAT on the internal router, you are not modifying packets, and you should be fine. Leave NAT running on your external firewall.

Ensure your internet firewall has a static route to your private LAN through your private firewall's IP address! That way, it can return packets to your internal LAN. Ensure your private firewall will allow 192.168 addresses to come in on its WAN side (might be labeled RFC 1918 networks, or 'non-routable' networks).

Don't use NAT on your private firewall; it will be harder to restrict traffic to/from the company laptop to your private systems. The typical default rules for a stateful inspection (SPI) firewall run something like: allow all traffic initiated from the LAN, block all traffic initiated from the WAN side. Add some rules like:
- allow traffic to be initiated from your laptop to the work VPN system
- block all other traffic from your private LAN to the work VPN system

Any traffic starting from your company's VPN server will be blocked from your private LAN. This includes your laptop in case any Windows viruses get onto the company system. You will also be blocking all of your private LAN systems from connecting to your company's VPN system.

You will be able to connect to your company's VPN system and pull files from it. You will NOT be able to push files from your company's VPN computer to your laptop.

This is my kind of preferred operations. I hope this helps!

--jason
Attached Files
File Type: pdf vpn_wired.pdf (13.7 KB, 16 views)

Last edited by jason_not; 09-17-2011 at 09:57 AM.
 
Old 09-17-2011, 10:20 AM   #12
jason_not
Member
 
Registered: Aug 2010
Location: Beaverton, Oregon, USA
Distribution: Pfsense, Ubuntu, Centos, Fedora, Redhat, Scientfic, MacOS
Posts: 76

Well now, if I had been more thorough in reading this thread, I would have seen I just re-stated what Ed suggested. Having said that, let me look at the list and answer the requirements in terms of my solution:

Quote:
Originally Posted by Woodsman View Post
1. My LAN needs internet access. All LAN systems stay connected as is to the existing router. None of that changes.
Your LAN systems would be connected to the second firewall. AND each would have internet access. AND without anyone having to do any crazy network monkeying around.

Quote:
2. The second router is configured with a different subnet.
3. The second router would be configured to use the first router as the internet gateway.
Yes to both. The internet firewall should have a static route: LAN IP and subnet via the WAN IP of the second firewall. NAT should be turned OFF on the second firewall.

Quote:
4. The company computer has access to the second router's setup page, but not the first.
5. Somebody remotely accessing the company computer could tinker with the second router's setup but not the first.

How does this setup prevent the company computer from having access to the existing router's setup page?
From a routing standpoint, they would have access to your main firewall (router). You would block that with a deny rule on the main firewall, and set the password to something non-standard. They certainly shouldn't need access as long as their VPN system can communicate to/from your company. Any company access to the VPN PC should occur through the VPN. The VPN itself should be initiated from the company-provided PC, so you shouldn't need any incoming rules on your internet firewall.

By the way, if you block all of your DMZ from the main router, then make certain you allow access from your LAN!

Quote:

How about setting up a VirtualBox machine with IP forwarding and a different subnet? The company computer accesses the internet through that virtual machine. Would that sandbox the company computer?

Or perhaps in my primary office machine add a second NIC on a different subnet and enable IP forwarding? The company computer would connect to that second NIC. Would that prevent the company computer from seeing my LAN subnet?
Each of these ideas has merit, but to me seems overly complicated. It's not my intention to shoot down your ideas, but I have used my computer as a firewall before, and my housemates wanted to kill me every time I updated the Linux kernel.
 
Old 09-17-2011, 10:28 AM   #13
jason_not
Member
 
Registered: Aug 2010
Location: Beaverton, Oregon, USA
Distribution: Pfsense, Ubuntu, Centos, Fedora, Redhat, Scientfic, MacOS
Posts: 76

Oh, one more point addressing what Ed said:

Quote:
Originally Posted by EdGr View Post
The company laptop and personal laptop can both access the Internet, but can't talk to each other. The company laptop runs VPN software that prohibits local connections while the VPN is in use.
If I am reading Woodsman correctly, then the VPN PC will need to allow LAN access, whether initiated from his laptop or the VPN PC. If his department is already willing to allow him to work via his personal system, then they should already be OK setting up a means to allow network access to the VPN PC.
 
Old 09-17-2011, 11:08 AM   #14
EdGr
Member
 
Registered: Dec 2010
Location: California, USA
Distribution: I run my own OS
Posts: 998

Thanks, Jason, for the explanation. I learned just enough about networking to make my home network work and be secure.

I purposely never transfer files between my work laptop and personal laptop. There have been cases of former employees getting into trouble over that, so having an internal firewall is a good thing for both parties.
Ed
 
Old 09-17-2011, 05:55 PM   #15
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Thanks for the information. I decided that to keep my equipment secure I need to have two routers. DD-WRT firmware supports creating another VLAN for any one single computer port, but I don't yet understand how any of that works.

If these folks decide they want to proceed with providing me with their own computer I'll tell them to throw in a $30 router too. I'll explain to them that this is to keep their system on a different subnet to protect their computer from my systems should mine ever get compromised. They only care about their computers and not mine so the explanation is worded with their interests at stake rather than mine.

Today I was talking with my local mom-and-pop ISP. He thought two routers behind a switch would work. He can assign a static IP address to his CPE. My LAN router would get assigned an IP address dynamically just like right now. The other router would use the static IP address as its gateway.

I like the idea jason_not described in his drawing. Still needs two routers but keeps my LAN secure.

Although I see how I could fetch files from the company computer using jason_not's plan (and not vice-versa), I resigned myself to the idea that worst case I would play sneakernet with a USB flash drive to transfer to my computers any files I download with the company computer. A little inconvenient but that is the price of security.

Quote:
Each of these ideas has merit, but to me seems overly complicated. It's not my intention to shoot down your ideas, but I have used my computer as a firewall before, and my housemates wanted to kill me every time I updated the Linux kernel.
I don't have that problem.

I'm curious how safe a second NIC might be. My iptables firewall is the same in every LAN machine and trusts all machines on the same subnet. I am thinking of installing a second NIC and assigning it an IP address on a different subnet, then enabling IP forwarding. The company computer is assigned a static IP address on the same subnet as the second NIC and is assigned a gateway of the router, which is on the first subnet. Will that work or do I have to add some routing tables for the second NIC to find the router on a different subnet?

If that is feasible, my iptables rules should keep the company computer out of any of my LAN systems, including pings. Would the company computer still have access to the router web page interface? (The idea of using a second NIC is more of a thought exercise --- I believe two routers is the best isolation solution.)

jason_not: What app did you use to create your drawing?

Last edited by Woodsman; 09-17-2011 at 08:15 PM.
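As an added example (not code from any poster in this thread), here is what the second-NIC variant Woodsman asks about above could look like in iptables on the Slackware office box, folding in jason_not's advice (separate subnet, NAT off, static return route on the outer router, LAN-initiated traffic only) and T3RM1NVT0R's suggestion of allowing the company computer nothing but Samba on ports 139/445. Interface names, addresses and subnets are assumptions; the script prints the commands rather than running them, so the ruleset can be reviewed before being piped into sh as root.

```shell
#!/bin/sh
# Added example, not from the thread. The office box gets a second NIC and acts
# as the inner firewall: existing LAN on LAN_IF, the company laptop alone on
# DMZ_IF in its own subnet, no NAT. All names and addresses below are assumed.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24;  LAN_IP=192.168.1.20    # this box on the LAN
LAN_GW=192.168.1.1                                            # existing DD-WRT router
DMZ_IF=eth1;  DMZ_NET=192.168.50.0/24; DMZ_IP=192.168.50.1    # this box's 2nd NIC
COMPANY_PC=192.168.50.10   # static IP on the laptop; its gateway must be DMZ_IP,
                           # since a host cannot use a gateway outside its own subnet
IPT=iptables

# Print the iptables commands (review them, then: emit_rules | sh).
emit_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Closed forwarding policy: nothing crosses this box unless allowed below.
$IPT -P FORWARD DROP
$IPT -F FORWARD
# Replies belonging to an already-allowed connection may flow either way.
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Laptop -> LAN subnet (which includes the router's setup page at $LAN_GW): drop.
$IPT -A FORWARD -i $DMZ_IF -s $COMPANY_PC -d $LAN_NET -j DROP
# Laptop -> anything else (the Internet, via the home router): allow.
$IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -s $COMPANY_PC -j ACCEPT
# LAN -> laptop may open connections (pull files, VNC); the reverse never matches.
$IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $COMPANY_PC -j ACCEPT
# This host itself: from the laptop accept only Samba (139/445); drop the rest,
# including ping and SSH, so the one shared directory is all it can reach here.
$IPT -A INPUT -i $DMZ_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $DMZ_IF -s $COMPANY_PC -p tcp -m multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -i $DMZ_IF -j DROP
EOF
}

# Static route for the OUTER router so it can return Internet replies to the
# laptop's subnet through this box. Without it the box would have to MASQUERADE
# (NAT), which is exactly what jason_not advised against. On DD-WRT this is
# entered in the Static Routing page; the equivalent Linux command is:
router_static_route() {
  echo "ip route add $DMZ_NET via $LAN_IP"
}

# Stand-alone run: show the ruleset and the router-side route, apply nothing.
emit_rules
router_static_route
```

The order of the two FORWARD rules for the laptop matters: the DROP for the LAN subnet must come before the catch-all ACCEPT toward the Internet, or the laptop would reach every LAN host and the router interface.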
 