Securing Your Internal Network from Windows?
acacord asks: "I am the Network Admin for a medium-sized law firm (hold the flames, please). We are one of the few Macintosh-based firms left. All of our workstations (near 150) will have been migrated to Mac OS X 10.2.2 by the end of the year. We have a couple users who think that they know more than the IT department and therefore insist that they maintain WinXP boxes on their desks. How should I configure a segment of my network for them, and them only, to make sure that the remainder of my networks are not susceptible to any of their natural security 'features'? Any and all ideas are welcome."
Given the number of computers involved I am assuming you are using switches. One option you have is to configure VLANs - I'm not very clued up on these, but iirc you should be able to construct a logically separate LAN from a group of ports or MAC addresses. Then you need a gateway between the Windows VLAN and the Mac VLAN, with a firewall which can protect them from each other.
This can be a bit nasty to manage though. If it's a port-based VLAN you have to make sure the boxes are plugged into the right network sockets, or they'll be on the wrong VLAN. I believe MAC-based VLANs are possible (but I could be wrong); in which case you have to have a list of MACs and whether they are Windows or Mac machines, and assign them ... tedious.
A simpler solution could be to insist that all Windows boxes use DHCP, and assign them addresses in a particular subnet. If you want the Mac boxes to use DHCP too, you'll have to do MAC reservations for the Windows network cards to make sure they go onto the right subnet. Then have a gateway/firewall. This doesn't protect against lusers who give their computer a static IP on the logical Mac subnet ... but it gives you some ability to manage the situation.
To detect trouble-causers, you could automate a security scanning tool to check the Mac network for computers which appear to be Windows boxes.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
Read the EULA carefully. Especially the part regarding auditing any and all computers in the building. Let your staff know the building cannot support the liability risk of the other OS.
Please do not give the BSA a free ticket in the front door.
The truth shall set you free!
...the reason he's griping about his WinXP boxes is that he doesn't want any viruses banging on his network, crackers hijacking these machines, etc.--Windows IS more susceptible to this stuff, if for no other reason (and there may be other reasons) than it is so popular right now, and it is not exactly set up by default to be secure. So get off your high and mighty standards-compliance horse (no matter that I agree with you--I think you have a good point about what _should_ be the case) and remember this guy has to deal with a real-world situation.
Plus, MS is not really into standards-compliance last I heard, and that also kinda puts a crimp in your ideology...