Transferring files to/from people you don't trust?

hutchingsp

We have an office which will soon have some external people working in it alongside our own people.

They need a way to transfer files between each other that is quicker/simpler than removable media, however we don't trust them so they will have no access to our network.

They will have wireless internet access via a dedicated Guest VLAN.

Because of the work we do "cloud" isn't an option.

I'm mulling over a few options from a cheap NAS with dual NICs, to putting in a cheap/basic firewall and having the NAS on one side of that so that either we punch through to them, or they punch through to the NAS.

There are a few ways of doing it, I'd appreciate any opinions on how you'd deal with it.

As much as I know we have options with "free" things like Openfiler/FreeNAS I'd prefer a portable brick. As it's just for transfer it doesn't need to be backed up.
 
Private server on the Guest VLAN. Make it so your people can access the server shares, and the external people can access it as well, but only from within the physical building (more or less). If you are a Microsoft shop you could set up a SharePoint server. Otherwise it could be an SFTP server or Windows server.
 
The only issue there is that the wireless is site-wide so a server on that VLAN would be on the same VLAN as everyone else, so I'm not so keen on doing that.

Firewall seems like a sensible plan, but then so does a NAS with dual NICs assuming each can be given an IP on a different subnet - my reservations there are any issues with the NAS firmware that mean it could be exploited as a bridge (without getting too specific we really don't trust these folks but we're stuck with it).
 
Create a new VLAN that allows access from both Internal and Guests and put the server in there?
 
I would do as you said, a box with a 2nd connection they can connect in from to dump files but from there they can't see your network. Just make sure it has good AV protection on it.
 
> Create a new VLAN that allows access from both Internal and Guests and put the server in there?

Doable, but seems like overkill if (big if) a NAS with dual NICs could be considered safe.

The office has patch panels so all the physical kit is buried off in the comms cupboard.
 
> Doable, but seems like overkill if (big if) a NAS with dual NICs could be considered safe.
>
> The office has patch panels so all the physical kit is buried off in the comms cupboard.

It depends. This gives you the most security. VLAN 1 can see VLAN 3, VLAN 2 can see VLAN 3, but VLAN 2 cannot see VLAN 1.

Where using two NICs, server 1 can see VLAN 1 and VLAN 2, Server 1 gets compromised and then VLAN 2 people can get to VLAN 1 resources.

If I was doing the security thing still I would tell you that dual homing can lead to security breaches and you need to be prepared for that.
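
The difference between the two designs in the post above can be checked with a small reachability model. This is an added example, not part of the original thread; the `attacker_reach` function, the host names and the assumption of a stateful firewall (VLAN 3 may answer but never initiate) are assumptions of the example.

```python
# Added example (constructed model, not from the thread).
# vlan1 = internal LAN, vlan2 = guests, vlan3 = transfer VLAN, as in the post.

def attacker_reach(start_zone, allowed_flows, hosts, compromised):
    """Zones an attacker starting in start_zone can send traffic into.

    allowed_flows: set of (src, dst) zone pairs the firewall lets src initiate.
    hosts:         dict of host name -> set of zones it has an interface in.
    compromised:   hosts assumed to fall once the attacker can reach them
                   (worst case: the file server's firmware is exploitable).
    """
    footholds = {start_zone}
    while True:
        # Zones reachable from any current foothold under the firewall policy.
        reach = footholds | {dst for src, dst in allowed_flows if src in footholds}
        # A reachable, compromised host hands over every zone it is wired into.
        gained = set()
        for host in compromised:
            if hosts[host] & reach:
                gained |= hosts[host]
        if gained <= footholds:
            return reach
        footholds |= gained

# Design A: dual-homed NAS, no routing between the two networks.
DUAL_HOMED = attacker_reach(
    "vlan2", set(), {"nas": {"vlan1", "vlan2"}}, {"nas"})

# Design B: server only in vlan3; both sides may initiate to it, it initiates nothing.
TRANSFER_VLAN = attacker_reach(
    "vlan2", {("vlan1", "vlan3"), ("vlan2", "vlan3")},
    {"server": {"vlan3"}}, {"server"})

# Design B done badly: plain inter-VLAN routing also lets vlan3 initiate to vlan1.
TRANSFER_VLAN_OPEN = attacker_reach(
    "vlan2", {("vlan1", "vlan3"), ("vlan2", "vlan3"), ("vlan3", "vlan1")},
    {"server": {"vlan3"}}, {"server"})

if __name__ == "__main__":
    for name, zones in [("dual-homed NAS", DUAL_HOMED),
                        ("transfer VLAN", TRANSFER_VLAN),
                        ("transfer VLAN, vlan3 may initiate", TRANSFER_VLAN_OPEN)]:
        verdict = "EXPOSED" if "vlan1" in zones else "isolated"
        print(f"{name}: guest reach = {sorted(zones)} -> vlan1 {verdict}")
```

The third case shows that the separate VLAN only helps if the rule set blocks connections initiated from VLAN 3 towards VLAN 1; otherwise a breached server is as good a stepping stone as the dual-homed box.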
 
Yeah, I'm not sure we have a spare switch that will do L3 routing though, and AFAIK we'd need that to be able to route between VLANs?

I am wondering whether to investigate something simple like a VM on our LAN running Nexenta or some form of NAS distro and only allowing ports 139 and 445 from the visitors LAN through a firewall onto it - again we're into the "what ifs" of if it gets breached.
 