Isolating a single network computer
Looks like I need to learn Windows 7. Professional/work reasons.
Sigh. :) I'm seeking advice from fellow Slackers who use Windows professionally. I'm concerned about security --- allow internet access yet ensure the new Windows system can't see my home network. I don't want to just deny access, I want the new system to see nothing of my home network.
At this point I don't know whether I can use a virtual machine (VM) or will need or be provided a separate physical machine. A VM using VirtualBox NAT mode would be an easy solution. Otherwise new territory for me to isolate the system yet still allow internet access.
My home network looks like this:
Code:
3 Computers <--> Linksys WRT54GL 1.1 (DD-WRT) <--> ISP VOIP router <--> ISP CPE <--> wonderful wacky web
All links and advice welcomed. As always thanks for any help! :) |
What do you mean by "isolating" exactly? Why don't you want Windows to "see" the LAN? Do you have a specific worry or is it just a MS scare?
I use Windows professionally, and have Slackware as a hybrid native/vm guest, and I don't take any particular care about "paranoid security", I don't even have any antivirus system: they slow down my compile time too much (I compile HUGE projects). I just take care of my internet usage and what I install on my computer. As far as there's a "gateway" and my Linux machines have selected services and open port, I might be "crazy" but I don't feel any risk. Moreover I also count on being "partly anonymous", I'm not famous with a direct open machine on the internet, I doubt being targeted as an individual. Besides, I still have some tools to check malware and virus check on demand, only when I have some suspect software, which happens once in a... decade? :)
But if I can give you a hint for your question, not being sure if it answers your concern, you might want to set up some kind of VPN.
Garry.
Edit: in fact when I say I'm not paranoid it's not totally true, I really don't trust antivirus corporations :).
Edit2: sorry, if it was blurry, I don't tell you there's no risk and that you shouldn't care, my question is "naive", in that I'm curious if you're thinking about a particular risk that I'd be blind to :). |
The best way to do that is probably to put the Windows machine on an isolated vlan. Do a Google search for dd-wrt isolate computer vlan, and you'll find lots of instructions.
One word of advice... make sure the Windows machine is wired directly to the DD-WRT router. If it shares some other switch with other computers on your network it might be possible for it to get around the restrictions. |
Thanks Pat! I needed a few hours of reading to grasp the new topic, but vlan seems to be what I am seeking. After reading I also understand your point about true isolation. I'm glad there are so many clever people in the world who think of these kinds of ideas. :)
I'm still hoping I can run everything from a VM, but if not then a vlan seems ideal. My router and switch ports are full so if a new computer is required rather than a VM then I'll have to buy a new switch anyway. I'll get a managed switch and likely install that between my router and VOIP router. That would keep the new system on a different subnet from my LAN as well as provide isolation. In the meantime I can experiment and learn with my existing systems using the vlan options in dd-wrt. Even more cool, I think I read enough to appreciate that I likely can now create a guest wireless network for family when they visit to keep my LAN isolated. |
I believe the easiest way is to use a gateway that allows multiple subnets (like pfSense), and of course to put it on a different subnet (i.e. 10.1.x.x if your home LAN is 192.168.x.x).
Edit: Apparently you can do it with dd-wrt. Looks scary. http://www.coertvonk.com/technology/...-networks-5829 |
I don't have any experience with ipv6, but I've read discussion that since Windows 7 (or Vista) ipv6 comes enabled by default, so some people say that they block ipv4 but Windows hosts can access the local network through ipv6. I don't know if this is true, just saying what I've read :) |
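An isolation check to run from the isolated machine once the VLAN or separate subnet is in place, covering both the IPv4 path and the IPv6 concern raised in the last post. This is an added example and not part of any post in the thread; the target addresses and ports are constructed placeholders to replace with real hosts on the trusted LAN.

```python
"""Run on the isolated machine: confirm the home LAN is invisible over IPv4 and IPv6."""
import socket

# Constructed sample targets (assumptions): hosts on the trusted LAN that must NOT answer.
LAN_TARGETS = [("192.168.1.10", 22), ("192.168.1.1", 80), ("fd00::10", 22)]
# The internet must still work from the isolated segment.
INTERNET_TARGET = ("example.com", 443)


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'unreachable' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Something answered: the host itself or a firewall REJECT rule.
        return "refused"
    except OSError:
        # Timeout, no route or name lookup failure: nothing came back.
        return "unreachable"


def family(host):
    """Classify a literal address so IPv6 leaks are reported separately."""
    return "ipv6" if ":" in host else "ipv4"


def audit(lan_targets, internet_target, probe=tcp_probe):
    """Probe every LAN target; any answer counts as a leak to investigate."""
    leaks = []
    for host, port in lan_targets:
        state = probe(host, port)
        if state in ("open", "refused"):
            leaks.append((family(host), host, port, state))
    internet_ok = probe(*internet_target) == "open"
    return {"isolated": not leaks, "internet": internet_ok, "leaks": leaks}


if __name__ == "__main__":
    report = audit(LAN_TARGETS, INTERNET_TARGET)
    for fam, host, port, state in report["leaks"]:
        print(f"LEAK over {fam}: {host}:{port} is {state}")
    print("isolated from LAN:", report["isolated"],
          "| internet reachable:", report["internet"])
```

A "refused" result is reported conservatively: it can come from a firewall rule that rejects rather than drops, so confirm on the router before treating it as a real path to the LAN host.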