Security Basics mailing list archives

RE: block internet at two workstations - Answer


From: jamesworld () intelligencia com
Date: Thu, 08 May 2003 11:49:20 -0500

Tim,

IF  (BIG IF) those machines have no need for IP services:

Since it's a small user network 10 machines:

Remove TCP/IP on those 2 machines and add NetBEUI.

Add NetBEUI to the other machines (so they can all talk).

The 2 w/o TCP/IP will not be able to get to the internet.

You could use IPX if you really wanted to too.... Chatty though and more overhead.


Very simple and you can rest assured that the NetBEUI machines will not get out to the internet.

Make sure you have a way to distribute the AV updates to those machines (script on an IP machine to push the files to a share)

Then you can lock down the ability to add protocols


If they need IP:

add a secondary IP network to all machines

192.168.0.1 = fw and all are on 192.168.0.x
add 172.16.1.x to all machines as secondaries.
Remove 192.168.0.x from the 2 machines.

They can communicate via network since they are all local.
If you need to go to another remote site then you are looking at adding IP secondaries to your router.

172.16.1.x has no route to the Internet


Either way, problem solved.


-James


At 20:21 5/6/2003, Tim Laureska wrote:
I called Netgear and they said that feature is not available in any of
their routers... I couldn't find any reference to deny rules or
filtering IPs or MAC addresses in the documentation either


From: tombin [mailto:tomb1n () attbi com]
Sent: Tuesday, May 06, 2003 9:11 AM
To: Tim Laureska
Subject: Re: block internet at two workstations


Those netgear cable sharing routers have the ability to block MAC
addresses. Just add the 2 machines' MAC addresses into the firewall
rules to deny. Check the help file located on the router for a better
description of how to do this.

Tim Laureska wrote:

>I'm working with a small (10 user network) with a netgear FVS318
>firewall, accessing the internet via cable modem.. The client wants to
>block internet access at two workstations.  I don't see anything
>available within the firewall documentation/configuration that would
>address this.  What is the best and easiest way to do this ...easy and
>best may be a contradiction :-)
>
>TIA
>Tim
>
>
>
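An audit of the secondary-subnet scheme from James's reply above, as an added example that is not part of the original thread: it checks that every machine carries a 172.16.1.x address and that the two restricted machines have no address on the firewall's 192.168.0.x subnet. The /24 masks, host names and host octets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed /24 masks; the post only gives 192.168.0.x and 172.16.1.x.
FW = ipaddress.ip_interface("192.168.0.1/24")       # firewall LAN side, from the post
LOCAL_ONLY = ipaddress.ip_network("172.16.1.0/24")  # secondary net, no route out

def parse(addrs):
    return [ipaddress.ip_interface(a) for a in addrs]

def internet_path(addrs):
    """A host can hand off-link traffic to the firewall only if one of its
    own addresses is in the firewall's subnet (the gateway must be on-link)."""
    return any(FW.ip in i.network for i in parse(addrs))

def lan_path(a, b):
    """Two hosts on the same wire can talk if they share any subnet."""
    return any(x.network == y.network for x in parse(a) for y in parse(b))

def audit(inventory, restricted):
    """Return (host, problem) findings for the scheme described in the post."""
    findings = []
    for name, addrs in inventory.items():
        if name in restricted and internet_path(addrs):
            findings.append((name, "has an address on the firewall subnet"))
        if not any(i.network == LOCAL_ONLY for i in parse(addrs)):
            findings.append((name, "missing 172.16.1.x secondary"))
    return findings

# Constructed inventory: host names and last octets are made up.
INVENTORY = {
    "pc01": ["192.168.0.11/24", "172.16.1.11/24"],
    "pc02": ["192.168.0.12/24", "172.16.1.12/24"],
    "pc09": ["172.16.1.19/24"],                     # restricted, configured correctly
    "pc10": ["172.16.1.20/24", "192.168.0.20/24"],  # restricted, address re-added
}
RESTRICTED = {"pc09", "pc10"}

if __name__ == "__main__":
    for host, problem in audit(INVENTORY, RESTRICTED):
        print(f"{host}: {problem}")
```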



