Date:      Wed, 22 Jan 2003 17:19:41 -0000
From:      "Martyn Hill" <m.hill@stjamessengirls.org.uk>
To:        "Bill Moran" <wmoran@potentialtech.com>
Cc:        "FreeBSD-questions" <freebsd-questions@freebsd.org>
Subject:   Re: Subnetting or Bridging to secure different dapartments on our School LAN?
Message-ID:  <00b101c2c23a$74082de0$6f00000a@SJMOBILE11>
References:  <000701c2c222$e7439dc0$6f00000a@SJMOBILE11> <3E2EB7BD.9080502@potentialtech.com>

> > Martyn Hill wrote:
> > Do I use ifconfig to alias the one internal NIC in the present gateway to
> > create virtual sub-nets?
>
> Bill Moran wrote:
> That would be the method I would suggest, however without more details of
> your network it's kind of hard to be sure it's the best method.  What you
> could do is:
>
>              ADSL router
>                   |
>              FreeBSD BOX
>                   |
>                 switch
>                 /  |  \
>                /   |   \
>               /    |    \
>             hub1  hub2  hub3
>             /      |      \
>         subnet1  subnet2  subnet3
>
> The switch will keep traffic from subnet1 off subnet2 & subnet3 (and vice
> versa). The FreeBSD box has 2 NICs, one to the ADSL, the other to the switch.
> The NIC to the switch has an IP for each subnet and IPFW rules for each IP.
> If the IPFW rules are identical for each subnet, you'll be able to consolidate
> them a good bit.
>

Thank you very much for your ideas and time, Bill.

You mention the use of hub1, 2 etc. Can I assume that some small switches
(we use a few netgear 5 and 8 port switches around the building already)
would do the job, given that the other departments amount to a handful of
workstations each?

>
> Which one is really best depends a lot on details that you haven't
> yet provided.  Like, what traffic _exactly_ do you want to prevent from
> crossing subnets?  SMB browse announcements won't cross subnets, for example
> (they'll get stopped at the switch) but cross-network browsing is still
> possible by IP address (or if you use WINS).  What this means (from a Windows
> perspective) is that Windows machines on subnet1 won't see Windows machines
> on subnet2 in their network neighborhood, but they will be able to access
> them if the user knows the IP address of the machine he wants to connect
> to.  So it depends on whether you want to offer _real_ security or just
> obscurity.  (this is dependent on using the method I diagramed above, other
> methods offer different levels of security/obscurity)
>

We do use WINS (via Samba-TNG) for our own curriculum/admin network, but the
other departments are supposed to contain themselves to their own
workgroups.

Obscurity would provide sufficient protection for (from?) most, if not all,
of our user base - I'm not aware of any potential hackers amongst the
school population, (if I found one, I'll be proud, as I'm the one who
teaches the pupils IT!)

My concerns over security are threefold:
1. Access to SMB fileshares and printers (especially from some newly introduced
   Windows XP clients, which seem intent on discovering everything on the
   network and adding it to their own browse lists...)
2. The ability of a virus outbreak to spread rampantly throughout the whole
   site.
3. The limiting of adverse network 'noise' from one department affecting the
   bandwidth for others, (not really a security issue.)

I appreciate the vagueness of the information, I guess I'm not sure what
traffic I _should_ be filtering out. Any ideas?

Where should I turn next to penetrate the topic of aliasing using ifconfig?

Best regards
Martyn Hill
ICT Teacher and IT Coordinator
St James Independent School
London
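The layout Bill sketches above (one internal NIC aliased with a gateway address per subnet, IPFW rules per subnet), as an added example that is not part of the thread: a POSIX sh script that generates the rc.conf lines and an ipfw rule file that denies traffic between the department subnets while each subnet keeps its own gateway and Internet access. The interface name fxp1 and the 10.0.x.0/24 subnets are constructed assumptions; the rule file is meant to be loaded on the FreeBSD box via firewall_type in rc.conf.

```shell
#!/bin/sh
# Added example, not from the thread: the internal NIC (assumed to be fxp1)
# carries a gateway address in each department subnet, and an ipfw rule file
# blocks traffic between those subnets. Subnets are constructed for illustration.

INT_IF="fxp1"                                   # assumed NIC facing the switch
SUBNETS="10.0.1.0/24 10.0.2.0/24 10.0.3.0/24"   # constructed department subnets
MASK="255.255.255.0"

# Gateway address for a /24: the .1 host (10.0.1.0/24 -> 10.0.1.1).
gw_of() { echo "${1%.0/24}.1"; }

# rc.conf lines: first subnet is the primary address, the rest become aliases.
gen_rc_conf() {
    echo 'gateway_enable="YES"'        # the box must forward between subnets
    echo 'firewall_enable="YES"'
    n=0; first=1
    for net in $SUBNETS; do
        if [ "$first" -eq 1 ]; then
            echo "ifconfig_${INT_IF}=\"inet $(gw_of "$net") netmask $MASK\""
            first=0
        else
            echo "ifconfig_${INT_IF}_alias${n}=\"inet $(gw_of "$net") netmask $MASK\""
            n=$((n + 1))
        fi
    done
}

# ipfw rule file (firewall_type="/path/to/file" in rc.conf). A cross-subnet
# packet arrives on INT_IF and would be forwarded straight back out of it, so
# denying it "in via" the NIC stops share access, WINS-assisted browsing and
# worm traffic between departments, not merely browse announcements.
gen_ipfw_rules() {
    echo "add 100 allow ip from any to any via lo0"
    rule=1000
    for src in $SUBNETS; do
        # each subnet may always reach its own gateway address
        echo "add $rule allow ip from $src to $(gw_of "$src") in via $INT_IF"
        rule=$((rule + 10))
        for dst in $SUBNETS; do
            if [ "$src" != "$dst" ]; then
                echo "add $rule deny log ip from $src to $dst in via $INT_IF"
                rule=$((rule + 10))
            fi
        done
    done
    # everything else (to the ADSL side and back) is allowed; tighten as needed
    echo "add 65000 allow ip from any to any"
}

gen_rc_conf; echo; gen_ipfw_rules
```

Logged denies show up via syslog (the log facility for ipfw must be enabled in the kernel or via sysctl), which answers the "what should I be filtering" question empirically: watch what gets blocked before deciding what to allow back.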





