Isolating a Few IP Addresses from the Rest of the Network

mda (2[H]4U), joined Mar 23, 2011, 2,207 messages
Hi All,

I'm trying to secure our network from a specific bunch of users whose devices often pick up viruses, worms, etc.

Our current setup:
Main Router - Edgerouter Lite
Switches - Cisco SG300 L3 Switch, DLink DGS 1210 "Smart Switch"
Wifi 1 - Asus AC68U (Access Point Only)
Wifi 2/3/4 - Bunch of Unifis with a controller

Network topology - all DHCP, single subnet

I can identify the particular MAC addresses of the devices of said persons.

How do I block these devices (mostly on wifi) from accessing the rest of our network while allowing the rest of the devices to communicate with each other?

Thanks!
 
If they are on wifi, just turn on isolation. It should only allow the wifi client to send packets to the gateway IP, but nothing else on the local LAN. If you need to do it for wired clients, you'll have to check which switch they are connected to and check the specific manual.



BUUUT this is a bandaid fix. You really need to fix your security policies, or not allow them on the network at all. This won't fix the actual problem, and this will eventually bite the company in the ass.
 
  • On the ER-Lite, define a VLAN interface on the same port as the existing LAN subnet.
  • Define a new subnet for the new VLAN.
  • Define firewall rules that prevent the new subnet from reaching the original.
  • Trunk the new VLAN from the ER-Lite to the switch.
  • For wired nodes configure access ports on the switch to the new VLAN as needed (this is a good point to test that the new subnet is working as required).
  • From the switch, trunk the VLAN to the APs (not sure if the Asus can handle this though).
  • Define a second SSID on the APs linked to the new VLAN (again not sure the Asus is capable).
  • Give the problem users the new SSID info.
  • Change the password for the original SSID.
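The router side of the first four steps above, worked out as EdgeOS CLI (an added example, not from the thread or from Ubiquiti's documentation). It assumes the existing LAN is on eth1 with the 10.2.2.0/24 subnet, that the ER-Lite is the DHCP server, and it uses VLAN ID 66 and 192.168.1.0/24 for the isolated segment (the values suggested later in the thread).

```text
# EdgeOS (ER-Lite) CLI, entered from 'configure' mode.
# Assumptions: main LAN untagged on eth1 = 10.2.2.0/24; isolated VLAN 66 = 192.168.1.0/24.
configure

# Step 1: VLAN sub-interface on the same physical LAN port (VLAN 66 tagged on the link to the switch)
set interfaces ethernet eth1 vif 66 description "Isolated VLAN 66"
set interfaces ethernet eth1 vif 66 address 192.168.1.1/24

# Step 2: second DHCP scope for the new subnet (router also forwards DNS on the new interface)
set service dhcp-server shared-network-name VLAN66 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name VLAN66 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name VLAN66 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name VLAN66 subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.200
set service dns forwarding listen-on eth1.66

# Step 3a: traffic entering the router FROM VLAN 66 ('in' direction):
# drop anything addressed to the main LAN, log the hits, let the rest (Internet) through
set firewall name VLAN66_IN default-action accept
set firewall name VLAN66_IN rule 10 action drop
set firewall name VLAN66_IN rule 10 description "Isolated VLAN must not reach main LAN"
set firewall name VLAN66_IN rule 10 destination address 10.2.2.0/24
set firewall name VLAN66_IN rule 10 protocol all
set firewall name VLAN66_IN rule 10 log enable

# Step 3b: traffic addressed to the router itself ('local' direction): DHCP and DNS only
set firewall name VLAN66_LOCAL default-action drop
set firewall name VLAN66_LOCAL rule 10 action accept
set firewall name VLAN66_LOCAL rule 10 description "DHCP"
set firewall name VLAN66_LOCAL rule 10 protocol udp
set firewall name VLAN66_LOCAL rule 10 destination port 67
set firewall name VLAN66_LOCAL rule 20 action accept
set firewall name VLAN66_LOCAL rule 20 description "DNS"
set firewall name VLAN66_LOCAL rule 20 protocol tcp_udp
set firewall name VLAN66_LOCAL rule 20 destination port 53

# Attach both rulesets to the VLAN sub-interface
set interfaces ethernet eth1 vif 66 firewall in name VLAN66_IN
set interfaces ethernet eth1 vif 66 firewall local name VLAN66_LOCAL

commit
save
exit
```

To verify, plug a test client into a VLAN 66 port: it should get a 192.168.1.x lease and reach the Internet, while pings to 10.2.2.1 fail and `show firewall name VLAN66_IN statistics` shows the drop counter on rule 10 climbing.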
 
As mentioned, VLANs are the answer. Create a dedicated network for your problem users, and treat that network as if it were hostile (because indeed, it is).

Restrict access to network services on that segment, and only open them up as you get those users back under control. I'm guessing this is management, so good luck.
 
Configure another interface on your EdgeRouter, connect another switch to that with the access points, and create a policy that denies traffic from that wireless LAN to the production network.
 
^ This ^, plus split the IP addresses into two different non-overlapping ranges. Safe users on 10.2.2.X/24. Plague sufferers on 192.168.1.x/24. Makes reading logs easier.
 
Thanks for this.

Current setup is like this:

ER Lite -> 2 ISPs
ER Lite -> SG300

How do I set 2 DHCPs, and have the SG300 know that there are 2 VLANs on the network? Is there a way to have certain MAC addresses bound to a certain VLAN when connected via switch?

I already have 2 VLANs on the ERL but only through one cable.

Will do more research tonight.

Thanks!
 

If you're using the ER-Lite for DHCP it's very simple to add an additional scope for the second subnet.

I doubt there's any simple way to link specific MACs to VLANs. The only way I can think of that might work is via an 802.1X setup, but there's not much that's simple about that. Typically, you would simply define specific ports on the switch to the second VLAN instead of the default.
 
With a switch it's a bit easier, and with wifi not that hard either (sounds like they are connected to both, but I may be wrong). As others have said, VLANs are the way to go. For the wifi you need to set up a new SSID; your Unifi should be capable of tagging the frames (not sure about the Asus). Also, if trouble devices are connected to the switch, assign the port that they are connected to to the same VLAN (for problem ones I use 66, easier to read... and I know that is one I don't trust :) ). Same subnet. If they have access to the switch, you can also assign port-security/mac-sticky to their ports. So if they try to move their cables the port will get shut down... so they can't do it that way either. Of course the VLAN you pick needs to have the same subnet range throughout.
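The switch side of the same design, answering the "how does the SG300 know about the 2 VLANs" question and the port-assignment / port-security suggestion above, as added Cisco SG300 (Sx300) CLI (not from the thread or from Cisco's documentation). It assumes gi1 is the uplink to the ER-Lite, gi2 feeds a UniFi AP, gi5 is a wired port used by a problem device, VLAN 1 stays the main LAN and VLAN 66 is the isolated segment; the three port-security lines follow my reading of the Sx300 CLI guide and should be checked against the guide for the firmware in use.

```text
! Cisco SG300 CLI, from privileged EXEC.
! Assumptions: gi1 = uplink to ER-Lite, gi2 = UniFi AP, gi5 = wired problem device,
! VLAN 1 = main LAN (untagged everywhere), VLAN 66 = isolated segment (tagged on trunks).
configure

vlan database
 vlan 66
exit

! Trunk to the router: VLAN 1 stays native/untagged, VLAN 66 tagged to match eth1 / eth1 vif 66
interface gi1
 description Uplink-ERL
 switchport mode trunk
 switchport trunk allowed vlan add 66
exit

! Trunk to the AP so a second SSID can be mapped to VLAN 66 in the UniFi controller
interface gi2
 description UniFi-AP
 switchport mode trunk
 switchport trunk allowed vlan add 66
exit

! Wired problem device: access port hard-set to VLAN 66; learn at most one MAC and
! shut the port down if a different MAC shows up (cable moved or device swapped)
interface gi5
 description Isolated-user
 switchport mode access
 switchport access vlan 66
 port security mode max-addresses
 port security max 1
 port security discard-shutdown
exit

exit
write
```

`show vlan` should list VLAN 66 with gi1 and gi2 tagged and gi5 untagged, and `show interfaces switchport gi5` confirms the access VLAN; a port locked by port security is re-enabled with `no shutdown` on that interface after the cable is put back.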
 
These users have no need to connect to the rest of the network ever? I highly doubt this is the case. What you have is a user education problem that you're wrongly trying to solve with a technical solution. Further, given the very basic nature of your technical solution question, you do not have the skills to manage the technical solutions that have been presented. Solve the real problem by getting your users correctly trained.
 
Solve the real problem by getting your users correctly trained.

This. User training and sanctions are what needs to happen here, not some technical solution. Start slow with some basic instructions on safe browsing or phishing awareness. If they keep getting viruses, start bringing HR into the mix.
 
This. User training and sanctions are what needs to happen here, not some technical solution. Start slow with some basic instructions on safe browsing or phishing awareness. If they keep getting viruses, start bringing HR into the mix.
My spidey sense is telling me these users are management, or otherwise protected from sanctions. In the past, when I've had situations similar to this, that was the case; users you weren't allowed to blackhole, and even putting them in front of HR didn't accomplish anything.

The not-so-fun aspect of IT. There are ways to address it, but they require "out of the box" thinking and are probably not suitable for discussion here.
 
  • Remove admin rights
  • Run proper AV
  • Filter email with a good email security platform
  • Firewall/web filter to block malware from coming in through websites
  • User training (not the "do it because we said so" mantra)
 