
Isolate parts of LAN from the Internet?

Status
Not open for further replies.

torandson

Technical User
Feb 8, 2005
Hi,
I have a Linksys Cable/DSL Router with 4-Port switch with which I plan to set up a local network for file and print sharing and Internet access on a few office computers.

I also have two audio-only DAW computers that are connected together with a crossover ethernet cable for 1Gb file sharing and audio streaming. The audio computers will never be permitted to access the Internet, since they must never be bogged down with any anti-virus or firewall software. One of these machines also has an additional 10/100Mb ethernet controller and connection jack.

I currently use the 'sneakernet' method of moving files between the DAWs and the office machines, hand carrying a DVD from one machine to the other.

However, it would be convenient to be able to have file and print sharing between the office machines and the DAW machines for a number of reasons.

Is it in any way possible to set up file and print sharing between the DAWs and the office machines using the spare 10/100Mb ethernet connection on the DAW machine that has this and one port of the Linksys router without installing any anti-virus or firewall software on the DAWs and without there being any possibility of Internet access to or from the DAWs?

I would be willing to disconnect cables except when file or print sharing were needed and to be offline in that case. So, if I could accomplish this by turning some hardware and/or Windows XP SP1 firewall switch on and off in the DAWs and plugging and unplugging cables, might I be able to do both: obtain file and print sharing between the office machines and the DAWs when needed, while keeping the DAWs free both of encumbering software that competes with audio processing for interrupt servicing, etc., and free from any possibility of Internet-sourced infection and malware? Or would malware resident on the office machines (were any to exist) always present a potential threat even when disconnected from the Internet? Would limiting data exchange along the 10/100Mb line to a single port number facilitate or ensure the kind of isolation I'm seeking?

--torandson
 
Many viruses and worms spread using Windows Networking components, and even plugging a computer in momentarily poses an infection risk, even with anti-virus, so I would allow FTP only, along with the built-in Firewall for the 10/100 interface that will go from the isolated computer to the router. Allowing/using FTP only would allow you to transfer over the wire and stop using sneaker-net, but minimize your chances of infection.

On the 10/100 interface, you'll want to go to properties and de-select all protocols/services except TCP/IP. Rather than disconnect the cable, simply enable/disable the NIC when desired (unless you think there's a chance someone will leave it on), but then if you restrict the port to 21/FTP only, that wouldn't be as much of a risk.

You'll want to turn the firewall on manually, or create a batch file on the desktop to turn it on/off; the command lines for that are:

FIREWALL ON:
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
FIREWALL OFF:
netsh firewall set opmode mode=DISABLE

So, to summarize:

Allow FTP only on that interface. Your router should be able to do that.
Turn the firewall on when in use, just to be safe.
Disable NIC when not in use.

Of course, you could also set up an additional private network from one of your public computers to the audio computer, in which case, you would have more isolation (because the audio computer wouldn't be on your router), but then you wouldn't be able to restrict ports/protocols as easily (because built-in TCP/IP filtering applies to all interfaces in Windows).
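The three summary steps above (FTP only, firewall on while the link is up, NIC off otherwise) can be tied together so that the office-facing NIC is never enabled without the firewall already being on. The batch file below is an added example, not code from the original poster or from the reply; it assumes Windows XP SP2 or later (the "netsh firewall" context does not exist on SP1), that the DAW's second NIC is named "DAW Link" in Network Connections, and that the DAW acts as a passive-mode FTP client to an office machine, so no inbound port needs to be opened at all. Note that the ftp.exe shipped with Windows only does active-mode transfers, which need an inbound data connection and would be blocked with exceptions disabled, so a passive-capable client is assumed.

```batch
@echo off
rem Added example (not from the original post): bring the DAW's office-facing
rem NIC up only together with the Windows Firewall, and take it down afterwards.
rem Assumptions (not stated in the thread): XP SP2 or later, the second NIC is
rem named "DAW Link", and the DAW is a passive-mode FTP client, so the firewall
rem can run with every exception dropped (only replies to the DAW's own
rem outbound connections get through, on any interface).
setlocal
set LINK=DAW Link

if /i "%~1"=="on"  goto :on
if /i "%~1"=="off" goto :off
echo usage: %~nx0 on^|off
exit /b 1

:on
rem Firewall first; the NIC is only enabled if that step succeeded, so the
rem link never exists unprotected.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
if errorlevel 1 (
    echo Firewall could not be enabled, leaving "%LINK%" disabled.
    exit /b 1
)
netsh interface set interface name="%LINK%" admin=ENABLED
exit /b 0

:off
rem Reverse order: drop the link before the firewall is switched off, so the
rem DAW is back to an isolated machine before audio work resumes.
netsh interface set interface name="%LINK%" admin=DISABLED
netsh firewall set opmode mode=DISABLE
exit /b 0
```

Run it as "dawlink on" before a transfer and "dawlink off" afterwards; because the firewall is enabled with exceptions disabled rather than with a port 21 opening, nothing on the office side can initiate a connection to the DAW even while the link is up, which is the property the poster is after.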
 
You could set those two PCs up with a non-routable protocol (such as NetBEUI), and set up the rest of the LAN with NetBEUI and IP. That way, the two DAW PCs can communicate with each other and the rest of the LAN, but they won't be able to go out through the router to the Internet.
 
Wouldn't NetBEUI require you to have Windows Network and File and Print sharing components active? I wonder if that still leaves you open to the vulnerabilities that use those services? Interesting solution if the vulnerabilities aren't there.
 
Put a firewall between your DAWs and switch to your internet enabled workstations. Only allow services and ports required for your needs. Make sure you have a fully functional and updated antivirus on your internet enabled PCs. This might minimize risk. Nothing is 100%.

Uninstall Internet Explorer on the DAWs. Pull PC updates from your networked PC and scan them once they are on disk, then move them to the DAWs.

You can build your own firewall with a lite Linux package.
2 NIC and an old 486 will do.

Vince
 
You can install NetBEUI without installing Windows File and Print sharing on the DAWs. It's just a protocol, like IP or IPX. I'm thinking you already have File and Print Sharing on one of your other computers, with a share that you want to access from the DAWs. You can get there if you put NetBEUI on all your PCs and leave IP off the DAWs.
 