Secure Contractor/Visitor Internet

[plexer]

Hi,

We have a meeting/training room where we have companies giving us product demo's etc...

What would be the best of having a network point in the room that gives them internet access securely without the possiblity of their machine compromising our lan.

Would a firewall i.e smoothwal in between this data point and our network do the job or not?

Or any other ideas.

Our internet is provided by the lea via a cisco router, all of our traffic has to go out via their internal proxy server as well.

If you need more info shout.

Ben

[CyberNerd]

Sounds like an ideal job for Smoothwall, set up the meeting room on the red interface to protect your network and enable snort for intrusion detection. Smoothwall (free version) will only provide a firewall on one interface, so the meetings room won't be protected against attacks from within your network. If you need to firewall incoming and outgoing traffic between your network and the meetings room, can be done with iptables - or maybe check some of the smoothwall mods on the smoothwall forum.

edit: and of course you'll need to open http and https to the LEA proxy

[ChrisH]

You could use the orange interface as well and implement the full firewall mod this allows you to fully control the traffic between each interface.

[plexer]

Thats what I thought having used smoothie free and corporate before, obviously with this setup it would give out dhcp on the green interface which would be the meeting room secure point and then the red, internet interface is actually my internal lan I presume? or as the firewall will allow all traffic from the green onto the red is that actually going to protect the rest of the lan?

Ben

[CyberNerd]

As Chris suggested the Full Firewall Control mod will do just what you need, I found it here:

http://community.smoothwall.org/foru...pic.php?t=9593

[plexer]

Cheers CN will have a look at it now.
Gotta download any iso's etc... I need from home because doubt it will work at school.


Ben

[ChrisH]

I think in the smoothwall case the meeting room would be on the orange interface which is usually the DMZ or a Wireless AP and your Lan would be green. Im not sure if it supports that kind of configuration though.
I think you will probably get the desired result with the mod I mentioned with a basic red and green. You just need to say traffic on the internet ports you need can only go to your router IP and nowhere else on green.
Alternatively a basic Linux install with IP tables configured by Shorewall is fairly easy to use.

[plexer]

Ok Chris thanks for that I'm keen to ge ta smoothie box installed again and have a play but will look at others toos. Just will be nice to have a data point labelled "Secure Internet" and be able to have demo guys just plug into without worrying about the state of their laptop because they all tell me there are no viruses etc... on their laptop.

Ben

[plexer]

Ok got smoothie express 2 installed but still playing with it. I suppose the ideal solution would be a small appliance type device maybe a mini-itx machine that could be transported to wherever the contractor/sales person needs internet access and then plugged in between them and your network.

As we have a conference room where these things normally take place I can trial this with a standard mini tower pc.

Ben

[Ric_]

You could also try IPCOP - I know that this allows you to run SNORT on the Red and Green interfaces plus it's a little more feature-rich out of the box than Smoothwall Free (or whatever it's name is).

[plexer]

Thanks for the suggestion I'm happy with my smoothwall express these have a fond place in my heart.

Ben

[Ric_]

Thanks for the suggestion I'm happy with my smoothwall express these have a fond place in my heart.

Ben

I guess it's down to which side you took when the projects split

[plexer]

Indeed it is ric indeed it is

Ben

[russdev]

I am watching this thread interest as we are about to start community room and idea of having a secure network point from rest of network sounds good...

Just thinking there might be times when staff want to use it and access main network is there anyway to do this with smooth or IPCOP by having some kind of client installed on laptop like for example..

ideas

Russ

[E1uSiV3]

If you have managed switches, why not vlan it?