Isolating a Few IP Addresses from the Rest of the Network

Discussion in 'Networking & Security' started by mda, Apr 16, 2019.

  1. mda

    mda [H]ard|Gawd

    Messages:
    1,479
    Joined:
    Mar 23, 2011
    Hi All,

    I'm trying to secure our network from a specific bunch of users whose devices often pick up viruses, worms, etc.

    Our current setup:
    Main Router - Edgerouter Lite
    Switches - Cisco SG300 L3 Switch, DLink DGS 1210 "Smart Switch"
    Wifi 1 - Asus AC68U (Access Point Only)
    Wifi 2/3/4 - Bunch of Unifis with a controller

    Network topology - all DHCP, single subnet

    I can identify the particular MAC addresses of the devices of said persons.

    How do I block these devices (mostly on wifi) from accessing the rest of our network while allowing the rest of the devices to communicate with each other?

    Thanks!
     
  2. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,208
    Joined:
    Nov 16, 2009
    If they are on wifi, just turn on isolation. It should only allow the wifi client to send packets to the gateway IP, but nothing else on the local LAN. If you need to do it for wired clients, you'll have to check which switch they are connected to and check the specific manual.

    BUUUT this is a bandaid fix. You really need to fix your security policies, or not allow them on the network at all. This won't fix the actual problem, and this will eventually bite the company in the ass.
     
  3. BlueLineSwinger

    BlueLineSwinger Gawd

    Messages:
    624
    Joined:
    Dec 1, 2011
    • On the ER-Lite, define a VLAN interface on the same port as the existing LAN subnet.
    • Define a new subnet for the new VLAN.
    • Define firewall rules that prevent the new subnet from reaching the original.
    • Trunk the new VLAN from the ER-Lite to the switch.
    • For wired nodes configure access ports on the switch to the new VLAN as needed (this is a good point to test that the new subnet is working as required).
    • From the switch, trunk the VLAN to the APs (not sure if the Asus can handle this though).
    • Define a second SSID on the APs linked to the new VLAN (again not sure the Asus is capable).
    • Give the problem users the new SSID info.
    • Change the password for the original SSID.
     
  4. Rifter0876

    Rifter0876 [H]Lite

    Messages:
    102
    Joined:
    Nov 1, 2017
    Set up a VLAN.
     
  5. grasshoppa

    grasshoppa [H]ard|Gawd

    Messages:
    1,628
    Joined:
    Jun 18, 2017
    As mentioned, VLANs are the answer. Create a dedicated network for your problem users, and treat that network as if it were hostile (because indeed, it is).

    Restrict access to network services on that segment, and only open them up as you get those users back under control. I'm guessing this is management, so good luck.
     
  6. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,392
    Joined:
    Oct 4, 2007
    Configure another interface on your EdgeRouter and connect another switch to that with the access points and create a policy that denies traffic from that wireless LAN to the production network.
     
    Last edited: Apr 17, 2019
  7. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,399
    Joined:
    Mar 4, 2013
    ^ This ^. + split the IP addresses into two different non-overlapping ranges. Safe users on 10.2.2.X/24. Plague sufferers on 192.168.1.x/24. Makes reading logs easier.
     
  8. mda

    mda [H]ard|Gawd

    Messages:
    1,479
    Joined:
    Mar 23, 2011
    Thanks for this.

    Current setup is like this:

    ER Lite -> 2 ISPs
    ER Lite -> SG300

    How do I set up 2 DHCPs, and have the SG300 know that there are 2 VLANs on the network? Is there a way to have certain MAC addresses bound to a certain VLAN when connected via switch?

    I already have 2 VLANs on the ERL but only through one cable.

    Will do more research tonight.

    Thanks!
     
  9. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,392
    Joined:
    Oct 4, 2007
  10. BlueLineSwinger

    BlueLineSwinger Gawd

    Messages:
    624
    Joined:
    Dec 1, 2011

    If you're using the ER-Lite for DHCP it's very simple to add an additional scope for the second subnet.

    I doubt there's any simple way to link specific MACs to VLANs. The only way I can think of that might work is via an 802.1X setup, but there's not much that's simple about that. Typically, you would simply define specific ports on the switch to the second VLAN instead of the default.
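    An added example, not from the thread, showing the ER-Lite side of BlueLineSwinger's steps (VLAN interface, second DHCP scope, firewall ruleset) and answering mda's question about running a second DHCP scope. Assumptions: eth1 is the existing LAN port carrying 192.168.1.0/24 untagged, VLAN id 66 and 10.66.0.0/24 are unused, and the group/ruleset names are made up.

```edgeos
# Added example (not from the thread). Assumes eth1 is the existing LAN port
# with 192.168.1.0/24 untagged, and that VLAN 66 / 10.66.0.0/24 are free.
configure

# 1. VLAN interface on the same physical port as the existing LAN (tagged 66)
set interfaces ethernet eth1 vif 66 description "Quarantine VLAN"
set interfaces ethernet eth1 vif 66 address 10.66.0.1/24

# 2. Second DHCP scope; the ER-Lite only answers on the subnet the request arrives from
set service dhcp-server shared-network-name QUARANTINE authoritative enable
set service dhcp-server shared-network-name QUARANTINE subnet 10.66.0.0/24 start 10.66.0.100 stop 10.66.0.199
set service dhcp-server shared-network-name QUARANTINE subnet 10.66.0.0/24 default-router 10.66.0.1
set service dhcp-server shared-network-name QUARANTINE subnet 10.66.0.0/24 dns-server 10.66.0.1
set service dhcp-server shared-network-name QUARANTINE subnet 10.66.0.0/24 lease 3600
set service dns forwarding listen-on eth1.66

# 3. Forwarded traffic: quarantine may reach the internet, never the protected LANs
#    (add every existing internal subnet to the group, including the other VLAN)
set firewall group address-group PROTECTED_NETS description "Networks quarantine must not reach"
set firewall group address-group PROTECTED_NETS address 192.168.1.0/24
set firewall name QUARANTINE_IN description "Quarantine VLAN to everything else"
set firewall name QUARANTINE_IN default-action accept
set firewall name QUARANTINE_IN rule 10 action drop
set firewall name QUARANTINE_IN rule 10 description "Drop and log quarantine -> protected LANs"
set firewall name QUARANTINE_IN rule 10 destination group address-group PROTECTED_NETS
set firewall name QUARANTINE_IN rule 10 log enable
set firewall name QUARANTINE_IN rule 10 protocol all
set interfaces ethernet eth1 vif 66 firewall in name QUARANTINE_IN

# 4. Traffic to the router itself: only DHCP, DNS and ping, so the quarantine
#    VLAN cannot reach the ER-Lite's web UI or SSH
set firewall name QUARANTINE_LOCAL default-action drop
set firewall name QUARANTINE_LOCAL rule 10 action accept
set firewall name QUARANTINE_LOCAL rule 10 protocol udp
set firewall name QUARANTINE_LOCAL rule 10 destination port 53,67
set firewall name QUARANTINE_LOCAL rule 20 action accept
set firewall name QUARANTINE_LOCAL rule 20 protocol tcp
set firewall name QUARANTINE_LOCAL rule 20 destination port 53
set firewall name QUARANTINE_LOCAL rule 30 action accept
set firewall name QUARANTINE_LOCAL rule 30 protocol icmp
set interfaces ethernet eth1 vif 66 firewall local name QUARANTINE_LOCAL

commit
save
exit
```

    On the SG300 the uplink to eth1 must carry VLAN 66 tagged and the problem users' ports become access ports in VLAN 66 (the Unifi SSID is mapped to VLAN 66 the same way). A client that gets a 10.66.0.x lease, reaches the internet, and produces a logged drop when it tries 192.168.1.x is the check that the isolation holds.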
     
  11. scrappymouse

    scrappymouse n00b

    Messages:
    31
    Joined:
    Mar 18, 2016
    With a switch it's a bit easier; with wifi not that hard either (sounds like they are connected to both, but I may be wrong). As others have said, VLANs are the way to go. For the wifi you need to set up a new SSID; your Unifi should be capable of tagging the frames (not sure about the Asus). Also, if trouble devices are connected to a switch, assign the port that they are connected to to the same VLAN (for problem ones I use 66, easier to read....and I know that is one I don't trust :) ). Same subnet. If they have access to the switch, you can also assign port-security/mac-sticky to their ports, so if they try to move their cables the port will get shut down....so they can't do it that way either. Of course the VLAN you pick needs to have the same subnet range throughout.
     
  12. Nicklebon

    Nicklebon Gawd

    Messages:
    550
    Joined:
    May 22, 2006
    These users have no need to connect to the rest of the network ever? I highly doubt this is the case. What you have is a user education problem that you're wrongly trying to solve with a technical solution. Further, given the very basic nature of your technical solution question, you do not have the skills to manage the technical solutions that have been presented. Solve the real problem by getting your users correctly trained.
     
  13. Blackjack

    Blackjack [H]ard|Gawd

    Messages:
    1,309
    Joined:
    Oct 29, 2007
    This: user training and sanctions are what needs to happen here, not some technical solution. Start slow with some basic instructions on safe browsing or phishing awareness. If they keep getting viruses, start bringing HR into the mix.
     
  14. grasshoppa

    grasshoppa [H]ard|Gawd

    Messages:
    1,628
    Joined:
    Jun 18, 2017
    My spidey sense is telling me these users are management, or otherwise protected from sanctions. In the past, when I've had situations similar to this, that was the case: users you weren't allowed to blackhole, and even putting them in front of HR didn't accomplish anything.

    The not-so-fun aspect of IT. There are ways to address it, but they require "out of the box" thinking and are probably not suitable for discussion here.
     
  15. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,819
    Joined:
    Aug 24, 2005
    Remove admin rights
    Run proper AV
    Filter email with a good email security platform
    Firewall/web filter to block malware from coming in through websites
    User training (not the "do it because we said so" mantra)