subnet mask question


Posted on Wed Feb 27, 2013 5:57 pm

I have a client who wants to keep employees from bringing in devices that can attach to his network and download company data. He only has 4 computers attached. The “server” is a Windows 7 machine and he needs to attach 3 XP computers. I was trying to limit attachment to the Windows 7 with firewall rules, but they don’t seem to work very well. So I wondered if I used a subnet mask if I could reduce his available IP addresses so there would be no connection available to any extra devices. So if his router is 192.168.2.1 and I changed the subnet mask from 255.255.255.0 to 255.255.255.248, what IP addresses would be available? I’ve been reading tutorials, but I’m getting tired and the info is just not making it into my brain. If the answer is 192.168.2.2 thru 192.168.2.8, could I still allow the router to DHCP with a subnet mask of 255.255.255.0 and only allocate IP addresses from 192.168.2.150 thru 160 so that the internet would work, but they just would not see the server?
bigjohn888jb
Gerbil First Class
 
Posts: 101
Joined: Wed Aug 31, 2011 9:41 am

Re: subnet mask question

Posted on Wed Feb 27, 2013 11:29 pm

255.255.255.248 or /29

192.168.2.0

29 - 24 = 5

2^5 = 32 networks

32 - 29 = 3

2^3 = 8

8 - 2 = 6 hosts

256 / 32 = 8 Increment

192.168.2.0 - Network ID
192.168.2.1 - 192.168.2.6 - Usable Addresses
192.168.2.7 - Broadcast ID

192.168.2.8 - Network ID for network 2

This is as small as it gets. A /30 would only have two usable addresses.

IPSec would be a better way to wall them off. A subnet isn't security.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3563
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
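Worked example, added here and not part of any post in the thread: the /29 arithmetic above done with Python's ipaddress module, plus a check of the OP's follow-up question (server on a /29, router DHCP handing out 192.168.2.150-160 with the /24 mask). Function names are mine; the addresses are the ones used in the thread.

```python
import ipaddress


def subnet_summary(address: str, mask: str) -> dict:
    """Network ID, broadcast and usable host range for address/mask,
    the same figures the hand calculation above produces for a /29."""
    net = ipaddress.ip_interface(f"{address}/{mask}").network
    hosts = list(net.hosts())            # excludes network ID and broadcast
    return {
        "prefix": net.prefixlen,
        "block_size": net.num_addresses,  # the "increment" between /29 blocks
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def on_link(local_addr: str, local_mask: str, peer: str) -> bool:
    """Would a host configured as local_addr/local_mask treat peer as
    directly reachable (same subnet by its *own* mask) and ARP for it?"""
    local_net = ipaddress.ip_interface(f"{local_addr}/{local_mask}").network
    return ipaddress.ip_address(peer) in local_net


def isolation_check(server: str, server_mask: str,
                    client: str, client_mask: str) -> dict:
    """Each side judges on-link-ness with its own mask. A client that still
    has the router's /24 sees a /29 server as on-link and can ARP for it;
    the server sends replies to its gateway 192.168.2.1, which sits on the
    same wire and can forward them back. The mask change isolates nothing."""
    return {
        "client_sees_server_on_link": on_link(client, client_mask, server),
        "server_sees_client_on_link": on_link(server, server_mask, client),
    }


if __name__ == "__main__":
    # Values from the thread: router 192.168.2.1, proposed mask /29,
    # router DHCP pool 192.168.2.150-160 handed out with the /24 mask.
    print(subnet_summary("192.168.2.1", "255.255.255.248"))
    print(isolation_check("192.168.2.2", "255.255.255.248",
                          "192.168.2.150", "255.255.255.0"))
```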

Re: subnet mask question

Posted on Wed Feb 27, 2013 11:50 pm

I think upgrading the clients to Windows 7 and joining them to a homegroup would be a decent solution as well, if he's willing to shell out for that. Employees would be able to view the homegroup password, don't know if that would be an issue.

How are the employees attaching devices to the network? You might consider approaching it from that side, rather than restricting at the server, since it's such a small environment.
absurdity
Gerbil Elite
 
Posts: 881
Joined: Sat Mar 02, 2002 7:00 pm
Location: VT

Re: subnet mask question

Posted on Wed Feb 27, 2013 11:59 pm

In this scenario, limiting the number of IP addresses available doesn't help if any of the legit PCs or network infrastructure are physically accessible to the people he's trying to guard against. Someone could simply power off one of the existing PCs or disconnect a network cable, and temporarily use that PC's IP address. MAC addresses can be spoofed too, so implementing MAC address filtering isn't a solution either.

Also, what's to stop someone from just plugging a thumbdrive into one of the existing PCs and copying the data? (Is he able to restrict physical access or ensure the screen is locked whenever a trusted employee is not present?)
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37845
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: subnet mask question

Posted on Thu Feb 28, 2013 4:46 am

Definitely seems like the wrong solution to the problem. In this case a MAC filter list may help, assuming the workers don't know how to spoof the legit ones.

Proper access control with a domain controller or some other system (like applying encryption and/or rights management to documents) seems more proper. And yes, USB sticks already present a problem, are you going to superglue all the ports now? :o

BTW, if it is such a small company, IMO this should be the better approach:
1. Hire carefully
2. Treat the employees well, so they won't do **** like this.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24494
Joined: Mon May 24, 2004 2:19 am

Re: subnet mask question

Posted on Thu Feb 28, 2013 8:25 am

What is the make and model of the router?

For starters, the router will need to be an actual router that bridges subnets rather than just a gateway, like most home equipment is. If you don't have that then subnets aren't going to do anything for you.

Next, all of these addresses are going to be NATed at the router/gateway anyway, so you're better off changing to 172.16.x.x or 10.x.x.x addresses and assigning each network its own block. 172.16.1.0/24, or 10.0.1.0/24, for the computers, and 172.16.2.0/24, or 10.0.1.0/24, for the other devices.

As for network control, set up a RADIUS server and set the wireless network to WPA-Enterprise, and invest in switches that support 802.1x. WPA-Enterprise is easy to set up, and it's rather cheap since RADIUS can be run on a small Linux server. 802.1x switches are much more expensive and complicated.
Flatland_Spider
Gerbil Elite
 
Posts: 853
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: subnet mask question

Posted on Thu Feb 28, 2013 8:49 am

Use a MAC filter. With three machines the amount of maintenance will be very small unless he changes ethernet cards often.
Put those spare CPU/GPU cycles to good use - Folding@Home
P5-133XL
Gerbil
 
Posts: 71
Joined: Fri Apr 18, 2008 4:52 am

Re: subnet mask question

Posted on Thu Feb 28, 2013 9:18 am

Subnets are going to cause more trouble than they are worth and are trivial to bypass, and a MAC filter is trivial to get around for anyone that realises what is going on. Even going to 802.1x is going to be a nightmare and require a proper managed switch.

The right way to do this is to secure the information on the server so that only authorised clients can access it as Flying Fox suggests. Only allow domain members to access the shared data and only join the required machines to the domain.
notfred
Grand Gerbil Poohbah
 
Posts: 3749
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: subnet mask question

Posted on Thu Feb 28, 2013 9:27 am

notfred wrote:
Only allow domain members to access the shared data and only join the required machines to the domain.

There is no domain, the server is a Windows 7 system.

I'm guessing this guy isn't going to want to spend a bunch of money on infrastructure. Something like MAC filtering might be the most reasonable way to do what's required without incurring lots of cost. It can be bypassed, but most people wouldn't know the first thing about it, which could make it a reasonable solution. We still don't know much about the environment, so it's hard to give very specific recommendations.
absurdity
Gerbil Elite
 
Posts: 881
Joined: Sat Mar 02, 2002 7:00 pm
Location: VT

Re: subnet mask question

Posted on Thu Feb 28, 2013 9:44 am

just brew it! wrote:
Also, what's to stop someone from just plugging a thumbdrive into one of the existing PCs and copying the data? (Is he able to restrict physical access or ensure the screen is locked whenever a trusted employee is not present?)

Windows Vista forward have an option to disable USB storage support via Group Policy.

The three Windows XP machines would need to be upgraded to a business edition of 7, but then that option would be available to fix part of the physical security issues. Still nothing preventing the theft of the drive out of one of the computers (albeit Windows 7 Ultimate could tackle that with BitLocker).
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3563
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: subnet mask question

Posted on Thu Feb 28, 2013 10:19 am

absurdity wrote:
notfred wrote:
Only allow domain members to access the shared data and only join the required machines to the domain.

There is no domain, the server is a Windows 7 system.

I'm guessing this guy isn't going to want to spend a bunch of money on infrastructure. Something like MAC filtering might be the most reasonable way to do what's required without incurring lots of cost. It can be bypassed, but most people wouldn't know the first thing about it, which could make it a reasonable solution. We still don't know much about the environment, so it's hard to give very specific recommendations.

The (relatively) cheap part can be achieved with Server Essentials, but of course the OP's client may be even cheaper than that. The XP boxen are going to have the USB port problem, assuming we do have that USB port problem.

Also, what about physical security to printers? I assume the business still needs to use paper? How about digital camera/mobile phone taking pictures of screens? How anal do you want to get? Are you treating all your employees (the same people that most companies claim to be the "real assets") like thieves now? Don't treat them like crap.
Flying Fox
Gerbil God
 
Posts: 24494
Joined: Mon May 24, 2004 2:19 am

Re: subnet mask question

Posted on Thu Feb 28, 2013 10:30 am

AD RMS would deal with the printers and honestly any data carried out of the business, but I suspect that's not the kind of money the OP is looking to spend.
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3563
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: subnet mask question

Posted on Thu Feb 28, 2013 12:30 pm

I'm with Flying Fox on this one.

If you actually want to secure the data properly with a technical solution, that's gonna be expensive for a tiny shop like that; there are too many problems and too many workarounds unless you have serious infrastructure and technical know-how. Since you can't realistically do it with tech unless you want to shell out a good portion of money, and most of what you can easily implement can probably be googled around, like MAC filtering, etc., it's a soft problem, with soft solutions.

That is, policy and acceptance from the employees. I.e. taking proprietary information from the systems should be grounds for dismissal and damages. Either they sign it or they don't work there, if the client is really anal about it. But keeping people who need access to the data for their work from accessing it and carrying it home in some format or another is next to impossible. Printed documents, mobile takes a photo of the screen, USB memories, personal devices, just committing the information to memory, etc.

Keeping outsiders from getting it is more easily realised. As is keeping out employees that shouldn't be able to access the data. The data resides on a server; the easiest would be to set rights on the file system on who can access it. But trying to limit it on a network basis is probably doomed to fail as far as employees go if they need access for work. This does not account for collusion or an employee helping another employee to access it though.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3468
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: subnet mask question

Posted on Thu Feb 28, 2013 4:34 pm

The owner is a good guy. He works 6 ½ days a week, 10 to 12 hours a day. He is honest and goes out of his way to take care of his customers. This is a car repair garage. The concern is that one of his best mechanics might be thinking of starting his own business. The owner is just concerned that he might take his customer list. No one is big into computers, these are car guys. So he wants to make it more secure if possible for not a whole lot of money. I figured I would change them to a different workgroup and put passwords on the access to the Windows 7 machine. I can’t figure out any way to make it real secure as they need access to the customer list to take in cars and bill for the repairs. The USBs are a problem. I thought I saw somewhere that I can secure them on the Windows 7 computer, but I don’t think I can on the XP computers. The router is really just an internet appliance that is pretty much just a gateway. I was just looking for something tricky to thwart computer novices.
bigjohn888jb
Gerbil First Class
 
Posts: 101
Joined: Wed Aug 31, 2011 9:41 am

Re: subnet mask question

Posted on Thu Feb 28, 2013 8:16 pm

Ah, I see. Truecrypt container in a non-network accessible location with a key file, or files, that aren't in the same location as the container. Truecrypt Homepage

1) They aren't going to crack the encryption. They won't have the time or computer power.
2) They will need the key file to start the decryption process, and since the key file can be anything, good luck to them figuring out what it is if it's not obvious and they only have the container.

The owner should probably talk it out with the mechanic, and be cool if he says he is going to leave. There is less chance of him stealing the client list if the guy is being cool about it.
Flatland_Spider
Gerbil Elite
 
Posts: 853
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: subnet mask question

Posted on Thu Feb 28, 2013 8:22 pm

Flatland_Spider wrote:
Ah, I see. Truecrypt container in a non-network accessible location with a key file, or files, that aren't in the same location as the container. Truecrypt Homepage

1) They aren't going to crack the encryption. They won't have the time or computer power.
2) They will need the key file to start the decryption process, and since the key file can be anything, good luck to them figuring out what it is if it's not obvious and they only have the container.

The owner should probably talk it out with the mechanic, and be cool if he says he is going to leave. There is less chance of him stealing the client list if the guy is being cool about it.

The staff presumably needs to access the client list during the work day. Does this mean the owner is going to open shop each day, decrypt the stuff for the day, and then turn off the computer every night? Besides, if the mechanic is determined to "steal" the customer list, there are other ways of doing that. Like actually talking to the customers (he works on their cars, right?).
Flying Fox
Gerbil God
 
Posts: 24494
Joined: Mon May 24, 2004 2:19 am

