Easiest way to Block and Allow Internet Access in AD?

I have a customer who wants to prevent a portion of the existing (Class C)
network from accessing the Internet (XP Pro AD clients). But the same clients
still need access to the server / shared-network printers / other computers
on the network. There are other Win98 PC's on the network that need to have
access to everything including the Internet. Right now, everything is
networked and has Internet Access.

The customer wants to add two (Win98) PC's to have access to the Internet,
but no access to his own network - totally separated - to be used by those
that are having their access blocked (up front and center so he can monitor
their use).

What's going to be the easiest, quickest, simplest method to both prevent
and allow Internet access in this situation? There is no onsite Network
Administrator - I'm contracted... so in case I'm not available, this should
be relatively simple to implement and figure out, and also be a very reliable
solution.

There is an existing single AD, no other servers / domains / DNS's.
DHCP is not currently running on the 2003 Server.

Options I'm considering:
1) Use the existing LinkSys router, (which is currently the DHCP server), to
block Internet access to those computers and then statically assign addresses
to the 5 PC's that need access. This two PC's that don't need access can have
their DNS point to the Internet Provider, instead of the AD Server DNS - they
won't really be on a 'separate' network this way, but it's a simple solution.

2) Use the OU in AD that contains the XP Pro clients, to (somehow) prevent
Internet access through a policy (preferred but not sure how to do this).
This still doesn't put the other two Internet Access PC's on a 'separate'
network.

3) Setup DHCP on the server. Create two scopes / subnets, x.x.x.0-126 and
x.x.x.129-254 : 255.255.255.128. Divide the network by adding another router
as a GW, and plug the two Internet Access PC's into it. This is probably the
best solution, although I've never actually setup a subnet using routers -
just theory / book knowledge.

My biggest concern is, what will happen to the existing AD / DNS Server if I
change the subnet mask from x.x.x.0 to x.x.x.128?
Will it screw up the existing network clients / applications / etc.? Will I
have to add new Host (A) / PTR records / others, to point to the other
network?

 

That is done with a Firewall or Proxy, or in some cases with a LAN Router
between LAN Segments...not with AD or GPOs.

 

Actually I did it with an AD GPO and an additional router.
There are settings in the GPO that I used to disable access to the 'D:'
drive, hide the 'A:' drive and prevent the use of Internet Explorer - for the
XP computers that were in an OU.
I also setup DHCP on the server and removed it from the original router.
I could have also used it to create a false Proxy, which would in effect
cause IE not to work.

To separate the Internet Access computers from the rest of the network I
added a router and set them up with another network address / subnet. This
router provides the DHCP addresses for these computers.

In the end, it all worked. I've never setup a Proxy server, so this ended up
being a pretty easy solution. Figuring out how to connect the second router
to the first was the trickiest part since I've never done that before either.

 

OK. Sounds like you got done what you need done. You didn't setup a proxy
though,...you may have setup a NAT device. But I don't see a proxy,...a
proxy is a specific Application that runs on a PC tht performs the
"proxying" (ex. MS Proxy2, ISA 2000, ISA2004). Anyway, if it all does what
you want, that is what matters.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 

Yeah, you're right - no proxy.
I know the theory behind one, but don't know what the process is to set one
up.

What I did was add a second router and switch on a separate cable segment,
and connected that to the first router.

First router: 192.168.1.1 - subnet: 255.255.255.128
DHCP Scope: 192.168.1.2 to 125

Second router: 192.168.2.129 - subnet: 255.255.255.128
DHCP Scope: 192.168.2.130 to 150 / 255.255.255.128

I connected the second router's WAN port to one of the open LAN ports on the
first router and set the GW on the second router to point to the first router
(192.168.1.1). I connected the LAN port on the second router to a switch,
where the Internet PC's are connected.

That gave me a separate network that can then connect to the Internet
through the first router, that has the cable modem attached.

Does that make more sense?

You're right though - it worked - and it was actually pretty cool to control
the XP's that way. The users aren't too happy about it, but the owner loves
it!

I'll have to study up on how to setup a proxy server and try it at home
sometime. How would I do it with a Server 2003 Standard?

Thanks for your input Phillip!
~ Mike

 

You created a Back-to-Back DMZ. The DMZ is an "untrusted" network that
exists between the two NAT Devices.

 

Ok - what exactly does that mean?

I know that a DMZ is a demilitarized zone... but what does it mean to be
'untrusted', when it's within an existing network like this, behind routers?

What is the significance of it being 'untrusted' in this situation?

How else would you / should I have setup the network / router connections so
that it was 'trusted'? or is that where the Proxy comes into play?

You're scaring me! LOL
~ Mike

 

Trusted/Untrusted is defined from the perspective of the Firewall (NAT
Device) or Proxy that separates the two.

The Internet is always an "untrusted" network.
A Back-to-Back DMZ is an "untrusted" network for the innermost NAT Device,
but is "trusted" by the outermost NAT Device.
The Internal Network is always a "trusted" network.

A Trusted network is allowed to reach an Untrusted Network.
An Untrusted Network is not allowed to contact a Trusted Network, however
NAT Devices and Proxys can "publish" machines or services from the "trusted"
network to the "untrusted" network

I would not have built it the way you did unless there was a specific reason
to do so. I typically place just one Proxy or NAT Device (one or the other)
at the network edge between it and the Internet. So there would be one Proxy
(or NAT Device) with the Internet being "untrusted" and the LAN being
"trusted". I would have only one Subnet.

I then control who has access to the Internet using the abilities built into
the Proxy (or NAT Device). At worst, that may mean that some machines use
static (or DHCP Reserved) address so you always know what their IP# is.

If some machines are not supposed to have access to certain things on the
LAN, then that is handled by the NTFS Permissions on the "targets". In some
cases it may be controlled by the Services or Applications they connect to
if those services or applications have their own built in Authentication
abilities such as SQL Server and many proprietary Applications. The fact
that they can see the "targets" in Network Places is meaningless,...the fact
that they may be able to ping the "targets" is also meaningless. You just
simply don't give the User accounts permissions to things they aren't
supposed to get to,..it's just that simple.

For example, at our place:
1. A File Server stores files in many different "shares". Users can only
get to the files they are supposed to get to and nothing else. It is
controlled by NTFS permissions.
2. Sales/Accounting access the Applications they run by logging into the
Application. These are Applications designed with "user databases" built
into them and only the users with "accounts" in those Applications can use
the Applications
3. NewsRoom Users,...it is just a repeat of above. The NewsRoom System
has its own build in User Accounts in the Application itself that controls
who can use it and what they are allowed to do.
4. Internet Access is controlled by ISA Server (a proxy server) and
Users are allowed/denied to the Internet based on *who* the are, not by what
machine they are sitting at. They are also limited by what they can actually
do on the Internet, different users may have different abilities,...again
based on *who* they are.

Although I have multiple subnets now,..this all worked perfectly fine and
securely with just one single large subnet. There was no "fooling around"
with NAT Devices, Routers, or Proxys on the internal part of the LAN to make
that happen. NAT Devices and Proxys are designed to protect User from the
Internet,..not from each other.

 

Ok, I see what you mean by trusted / untrusted - and 'normally' I setup
networks the way you described. One network / one NAT at the edge.

But I thought that 'technically' a DMZ is an area that sits outside of your
firewall, so that it is accessible from the Internet, like a IIS / FTP
server? In my setup, none of the network is accessible from the Internet, but
the Internet is accessible from either of the two networks.

The reason for setting it up the way I did was for one reason... the
customer wants to be sure his network never gets infected by any kind of work
/ trojan / virus, that can spread through network shares. Since the server
hosts a client / server application that all (other) users access, he wanted
to separate the servers' network from the internet accessible network. The
theory (fact) is that there are known threats that can spread through network
shares. I didn't see any other way to achieve that kind of protection... does
that make sense, and would you say that this setup achieves that?

I would agree with you if you said this is overkill / a little more than
paranoia - but, is my application / thought process (in this case), correct
or (at least) effective?

The two Internet computers that are connected to the Router #2 network are
in their own Workgroup (anyway) and not part of the AD Server - connected to
Router #1. My guess is, that (alone) would be enough to prevent any type of
threat (worm / virus) from spreading to any other part of the network - since
the Internet computers have no mapped drives to the other network anyway.

I guess my thinking was that by having them on their own network, connected
to another router (back-to-back DMZ), that there would be absolutely no way
any threat could spread to the Servers network?

I've never setup a network like this before, and wouldn't have this time,
except for the customer's extreme paranoia.

I think there are legitimate situations where routers are used to segment /
divide / separate, networks. In a situation like that, wouldn't you connect
one router to another, in the same way that I did? Or how else would it be
done?

Thanks for your explanations and taking the time to answer my lengthy
questions!
I really appreciate it!
~ Mike

 

So each NAT Device is "side-by-side" and independent of each other?

Nothing you are attempting to do will stop that. That is why on the 8th day
God invented Anti-Virus software. A week later Bill Gates created Security
Patches. ;-)

Then you use a LAN Router (not an Internet Sharing NAT Device) between the
two LAN segments. None of this has anything to do with the Internet
connection or the NAT Devices providing it. But it won't stop what you are
wanting to stop. Whatever you do in the idea of "stopping the viruses" will
also stop the user's ability to do their jobs.

Not paranoia,...they are legitiment concerns,...but just, I think,...
misguided. You protect the system from what you described via AntiVirus
software and the other methods I described in the last post.

That doesn't matter.

No it will not, and additionally, mapped drive don't matter either.

Having them on thier own network would not do that.

I think you are falling into the trap of letting the customer tell you the
right way to do something. The fact is the customer doesn't know,...if they
did they would do it themselves and wouldn't need you. Your job is to know
the right way to do something, explain to them the right way it is
done,...and then do it.

I sympathize with your situation and am many times thankful that I am not in
that type of situation. I deal with the same system everyday that does not
change often. I am also the "decision maker" of that system and I build an
design it as I know best. So I don't have to deal with "customers" that in
many cases think they know more than they really know and have many
"superstitions" to overcome.

If you mean LAN Routers, ...yes. Typically there are two reasons:

1. The number of Hosts increases above 250-300, and the network begins
to degrade as a result of "broadcasts" which are the normal characteristics
of Ethernet.

2. Security concerns. ACLs are used on the LAN Routers to restict
traffic at the OSI Layers 3 & 4. These methods typically do not stop
viruses, worms, spyware, etc. These methods are simply to assure the the
LAN Users cannot use certain types of communincation (certain protocols)
over the Router.
These restrictions are only *supplementary* to the *primary* security
that is based on the NTFS permissions and the permissions drived from
Applications that have their own build in user databases and authentication
systems.

 

So much for my theory then... (that's funny!)

On the bright side, I think he's willing to purchase the necessary
client/server anti-virus software. His original point was that if his network
wasn't connected to the Internet, then he wouldn't have to anti-up (pardon
the pun) for the protection. As it is, he still has four other PC's connected
to the servers network that also have an internet connection. As it turns
out, all I've really accomplished was to give him (and me until now) a false
sense of security. I already told him the only way to be safe is to not get
on the internet - otherwise his only other (practically safe) answer is
anti-virus.

Thanks again for your input! Good stuff!
Wish I could find someplace to work, with someone like you to learn from.
Actually, I guess I'm already doing that here - LOL

~ Mike

 

Thank you. Well some days I do fine in the newsgroups, other days I'm just
an idot that can't get it right. It varies.

If you haven't already done the equivalent, I'd recommend checking into one
of the local schools and see if they handle the 4 classes for the Cisco CCNA
exam. They cover a lot of the stuff that would make a lot of what you been
wondering about seem obvious. It builds the foundation that all the other
things you do are built on top of.

If you get the Cert it needs renewed every 3 years. I plan to retake the
classes again at the time as a "refresher" before retesting. A person rarely
uses all that stuff everyday so you don't always retain it,...plus the
material changes and evolves over time so you get some new stuff each time
you go through it.

It has been some of the best time & money I've spent.