Static IP addresses and segmented Clerk PCs

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
aclawson
Senior Member
Posts: 760
Joined: Fri Jan 19, 2007 6:28 pm

Re: Static IP addresses and segmented Clerk PCs

#11

Post by aclawson »

russellhltn wrote:
  • Are you sure that function is available given all the scripts currently running on the firewall?
The feature is available, it is just not implemented. The Cisco environment allows you to isolate (by MAC) all clients from all other clients - in the most secure mode no device would be able to communicate with any other device on the network, you would have access to the firewall and nothing else.
russellhltn wrote:
  • This would increase the burden on the GS when computers are changed out.
Why? The script can be automated. Or it doesn't even have to be a script - put trusted, hardwired devices on port 0 and wireless devices go on port 1. Isolate port 0 from port 1 and you're done, don't even need to do additional scripting. You'd need to purchase some switches, but when you are networking a building sometimes you need to purchase some switches.
russellhltn wrote:
  • This increases what the STS needs to do to change out the computer.
Maybe, maybe not - depends on how things are set up. But as an STS I wouldn't feel overworked if I had to run a script once every five years. And when building a secure network sometimes additional steps are required.
russellhltn wrote:
  • This wouldn't protect against attacks from within the LAN - such as from wireless devices.
Sure it would - the entire point of this is to protect against attacks from within the LAN. When you isolate a client either physically or virtually packets from the bad people can't get to the admin computer. The entire job of a router is to decide where to send what packets and if you configure the router to not allow any device to connect to the MAC address of the admin computer they won't be able to. Or you can take advantage of the 8 VLANs that the 880 series devices support. The new configuration is already using isolation - FHCs cannot connect to the admin PC, and neither the admin PC nor any device on wireless can talk to the internet enabled thermostats. Network engineers do this kind of thing all the time - arranging for secure networks is a fundamental aspect of their job.
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Static IP addresses and segmented Clerk PCs

#12

Post by russellhltn »

aclawson wrote:The entire job of a router is to decide where to send what packets and if you configure the router to not allow any device to connect to the MAC address of the admin computer they won't be able to.
Routers only handle traffic leaving the local subnet. They are not involved with traffic in the same IP subnet on the same physical segment (same port on the firewall). Nor do they get involved with Ethernet traffic on a segment. So even if they were in a different subnet, they could still be attacked at the Ethernet/MAC address level if they were on the same physical subnet.

Now, a managed switch could probably do that. I've never been lucky enough to play with them. But they are quite a bit more expensive than normal switches. When changing out everything world-wide, that's no small amount of money and paid employee time.

Can it be done? Yes, with time and money. Is it worth it? Apparently those in charge of the widow's mite think otherwise.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
aclawson
Senior Member
Posts: 760
Joined: Fri Jan 19, 2007 6:28 pm

Re: Static IP addresses and segmented Clerk PCs

#13

Post by aclawson »

russellhltn wrote:Routers only handle traffic leaving the local subnet.
Fortunately in our case the Cisco 800 series are more than just a basic router. For example, to prevent any wireless client from being able to communicate with any other wireless client, enter the command

dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name

Followed by

isolate-clients
russellhltn wrote:Nor do they get involved with Ethernet traffic on a segment. So even if they were in a different subnet, they could still be attacked at the Ethernet/MAC address level if they were on the same physical subnet.
Hence my suggestion of "put trusted, hardwired devices on port 0 and wireless devices go on port 1. Isolate port 0 from port 1 and you're done".
russellhltn wrote:Now, a managed switch could probably do that. I've never been lucky enough to play with them.
The 881W IS a managed switch. As described, the 881W includes "Four 10/100 Mbps Fast Ethernet-managed switch ports". This whole deal with making sure the FHC is on port 2 and port 3 is reserved for FMG use is to provide the isolation between network segments.

Now when a building has the Cat 6 pulled it should be terminated at a patch panel along the lines of this: http://www.amazon.com/Intellinet-12-Por ... atch+panel. 12 ports, $18. If you have only two connections to make (or three if you don't have an FHC to worry about) then you're golden. If you need more than that then you would have to get a switch anyway so tie in some Netgear GS108s and you're good to go. Connect the admin computer(s) to port 0, put all public drops and WiFi on port 1 and program the managed switch that is the 881W to provide your security at a level higher by several orders of magnitude. Net additional cost is essentially zero because as just stated you would have had to buy the switch(es) anyway.
russellhltn wrote:Can it be done? Yes, with time and money. Is it worth it? Apparently those in charge of the widow's mite think otherwise.
Correct - they don't want to do this. The security risks have been deemed to be acceptable and no further action was taken.
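To make the point argued in posts #12 and #13 concrete, here is an added Python model (not code from the forum, from Cisco, or from the Church's configuration): hosts in one VLAN are switched at layer 2 and the router's rules never see their traffic, while hosts on separate VLANs (the 881W's switch-port groups) only reach each other if the router's inter-VLAN rules allow it. The host names, VLAN numbers and deny list are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Lan:
    """Constructed model of a meetinghouse LAN.

    vlan_of maps each host to the VLAN (switch-port group) it is plugged into;
    deny holds (src_vlan, dst_vlan) pairs the router's inter-VLAN rule drops.
    Hosts in the same VLAN are switched at layer 2 and never reach the router.
    """
    vlan_of: Dict[str, int]
    deny: Set[Tuple[int, int]] = field(default_factory=set)

    def path(self, src: str, dst: str) -> Tuple[bool, str]:
        s, d = self.vlan_of[src], self.vlan_of[dst]
        if s == d:
            return True, "same VLAN: switched at layer 2, router rules never apply"
        if (s, d) in self.deny:
            return False, f"router denies VLAN {s} -> VLAN {d}"
        return True, f"routed VLAN {s} -> VLAN {d}: no deny rule"

    def untrusted_can_reach(self, trusted: Set[str]) -> Dict[str, str]:
        """Every (untrusted host -> trusted host) pair that still gets through."""
        leaks = {}
        for src in self.vlan_of:
            if src in trusted:
                continue
            for dst in trusted:
                ok, why = self.path(src, dst)
                if ok:
                    leaks[f"{src} -> {dst}"] = why
        return leaks


# Constructed hosts: only the admin (clerk) PC is trusted here.
TRUSTED = {"admin-pc"}

# Flat LAN: every device behind one unmanaged switch on a single VLAN.
FLAT = Lan(vlan_of={"admin-pc": 1, "fhc-pc": 1, "wifi-laptop": 1, "lobby-drop": 1})

# Segmented LAN: admin PC on "port 0" (VLAN 10), FHC on its own port (VLAN 30),
# wireless and public drops on "port 1" (VLAN 20); router denies paths into VLAN 10.
SEGMENTED = Lan(
    vlan_of={"admin-pc": 10, "fhc-pc": 30, "wifi-laptop": 20, "lobby-drop": 20},
    deny={(20, 10), (20, 30), (30, 10)},
)

# Same VLAN layout but the deny rules were forgotten: routing alone isolates nothing.
NO_ACL = Lan(vlan_of=dict(SEGMENTED.vlan_of), deny=set())

if __name__ == "__main__":
    for name, lan in [("flat", FLAT), ("segmented", SEGMENTED), ("no-acl", NO_ACL)]:
        print(name, lan.untrusted_can_reach(TRUSTED) or "isolated")
```

Running it shows the flat and rule-less layouts leaking every untrusted host to the admin PC, and the segmented layout with deny rules leaking none.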
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Static IP addresses and segmented Clerk PCs

#14

Post by russellhltn »

aclawson wrote:Now when a building has the Cat 6 pulled it should be terminated at a patch panel along the lines of this: http://www.amazon.com/Intellinet-12-Por ... atch+panel. 12 ports, $18.
That would be nice, but none in our stake were done that way. Because of the layout of the stake center, we have remote switches. Switches that include both WAPs and clerk computers.

From what I'm reading here, ours wasn't the only one done with remote switches.

Keep in mind that isolating clerk machines would likely result in isolating networked printers. (Or complicate the setup.) That could be a problem as some people use their wireless computers to print things.
rolandc
Member
Posts: 257
Joined: Tue May 15, 2012 8:20 pm

Re: Static IP addresses and segmented Clerk PCs

#15

Post by rolandc »

This is all very interesting.

Sorry for the wrong questions
Last edited by rolandc on Fri Dec 05, 2014 5:11 pm, edited 1 time in total.
Roland
aclawson
Senior Member
Posts: 760
Joined: Fri Jan 19, 2007 6:28 pm

Re: Static IP addresses and segmented Clerk PCs

#16

Post by aclawson »

You are asking threat model questions (which are the right questions) but the thread was about how to secure the network, not if the network needed to be secured.