
LAN Security


Original Message
Name: ToPo (by topo)
Date: September 14, 2005 at 22:11:52 Pacific
Subject: LAN Security
OS: Win XP Pro
CPU/Ram: 1.2GHZ / 512 SD
Comment:

I have a very important question I'm hoping someone can answer...

I am supporting a small LAN with about 5 workstations, 1 of which is a Win XP Pro machine acting as a file server. All machines are protected by a hardware firewall and all are connected to the LAN through a D-Link cable/DSL router. Here is my problem... One of the users insists on using his computer for file sharing and downloading potentially harmful files through programs such as Kazaa... Is there any way to ensure his computer will not affect the other LAN workstations if harmful content were to arise on his system??... Should he be off the network??... Should he be off the LAN and on a separate computer??...

Any ideas or suggestions will be much appreciated...

Asus A7V133
AMD Athlon 1.2Ghz
512Mb SDRAM
ATI Radeon 9600XT
SoundBlaster Live! Value




Response Number 1
Name: clover
Date: September 15, 2005 at 04:09:45 Pacific
Reply:

Have a look at this; it may be of use:

http://www.grc.com/nat/nat.htm

Good luck



Response Number 2
Name: ToPo (by topo)
Date: September 15, 2005 at 10:03:47 Pacific
Reply:

Thanks clover,

That web site was really informative, but it didn't have the info to solve my problem...

The problem is that all computers (including the potentially harmful one) on the LAN must be able to communicate with the 1 file server which is also on the same LAN... If I use multiple NAT routers, that will allow the file server to communicate with the other LAN workstations, but will not allow the workstations to communicate back to the file server... If I am wrong please let me know... I basically need this one potentially harmful station to be able to access everything on the LAN, but not infect anything on the LAN including the file server if it is infected... if that is possible... if not... I'm open to any ideas that could solve this problem...

Thanks for your help,
ToPo


Response Number 3
Name: Dirty_Sanchez
Date: September 15, 2005 at 10:36:17 Pacific
Reply:

If the user downloads something harmful then yes, he can infect everyone else (including bringing in a trojan which may allow others access to your nw). There have to be rules and guidelines followed for a NW to remain stable and safe. This is something you'll need to decide but, if he continues to do this, then it could happen. If this is a work network, how can he justify it as 'needed for work'? If you have the authority take him off, if not, find out who does.



Response Number 4
Name: ToPo (by topo)
Date: September 15, 2005 at 10:53:52 Pacific
Reply:

Unfortunately he is the owner and what he says goes... As a temporary solution I was going to use another computer he has kicking around as a "jukebox" machine, where he can download music, files, etc... This machine will have all the sharing capabilities disabled, but will remain on the same LAN (to be connected to the internet)... what do you think?... good or bad? Will this still make the network vulnerable because of this "jukebox" machine even with file sharing disabled?


Response Number 5
Name: Dirty_Sanchez
Date: September 15, 2005 at 11:56:48 Pacific
Reply:

Still not safe/perfect but, sometimes you have to do what you have to do with people like this. Actually something happening would be the best thing for him since he might then understand what he is doing if he lost work/time and had to do it again. Do you have a valid backup regime and current AV at least? Even if the other PC doesn't have file sharing enabled, it is still possible for him to infect everyone else from that PC and let people piggyback in with him.




Response Number 6
Name: johns3
Date: September 15, 2005 at 15:17:03 Pacific
Reply:

You may want to get a second router and subnet off the "jukebox" PC.

1st router
wan side configured to ISP
LAN side default out of the box if you wish.
IP 192.168.1.1
sub 255.255.255.0
enable DHCP


2nd router
WAN side DHCP off the 1st router
LAN side
IP 192.168.2.1
subnet 255.255.255.0
DHCP enabled

this will at least give you some protection.


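Added example, not part of johns3's post: a small Python model of which direction connections can be opened in the two-router layout above, alongside the reverse placement. It assumes default consumer NAT behaviour (no port forwards or DMZ host); the host addresses and the swapped layout are constructed for comparison.

```python
from ipaddress import ip_address, ip_network

class NatRouter:
    """Default consumer NAT router (assumption: no port forwards, no DMZ host)."""
    def __init__(self, name, lan, uplink=None):
        self.name = name
        self.lan = ip_network(lan)   # LAN-side subnet
        self.uplink = uplink         # router whose LAN our WAN port plugs into

def segment_of(addr, routers):
    """Return the router whose LAN subnet contains addr."""
    for r in routers:
        if ip_address(addr) in r.lan:
            return r
    raise ValueError(f"{addr} is not on any modelled LAN")

def can_initiate(src, dst, routers):
    """True if src can open a connection to dst.

    Traffic started on a LAN side is NATed outward, so src reaches its own
    segment and every segment upstream of it. Unsolicited traffic arriving
    on a WAN port is dropped, so segments downstream stay unreachable.
    """
    seg, target = segment_of(src, routers), segment_of(dst, routers)
    while seg is not None:
        if seg is target:
            return True
        seg = seg.uplink
    return False

def build(first_lan="192.168.1.0/24", second_lan="192.168.2.0/24"):
    r1 = NatRouter("router1", first_lan)              # WAN side goes to the ISP
    r2 = NatRouter("router2", second_lan, uplink=r1)  # WAN side on router 1's LAN
    return [r1, r2]

ROUTERS = build()
# Layout from the thread: office PCs on router 1, "jukebox" behind router 2.
# Host addresses are constructed for illustration.
THREAD = {"server": "192.168.1.10", "jukebox": "192.168.2.100"}
# Swapped layout (assumed variant): jukebox on router 1, office behind router 2.
SWAPPED = {"server": "192.168.2.10", "jukebox": "192.168.1.100"}

def directions(hosts):
    return {
        "jukebox->server": can_initiate(hosts["jukebox"], hosts["server"], ROUTERS),
        "server->jukebox": can_initiate(hosts["server"], hosts["jukebox"], ROUTERS),
    }

if __name__ == "__main__":
    print("thread layout: ", directions(THREAD))
    print("swapped layout:", directions(SWAPPED))
```

In the model, the thread's layout lets the jukebox open connections to the file server while the office side cannot reach into the jukebox subnet; the swapped layout reverses both directions.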

Response Number 7
Name: ToPo (by topo)
Date: September 15, 2005 at 16:00:14 Pacific
Reply:

Thanks guys for your advice... I do have a scheduled backup routine in place for this network and up to date AV so I feel a little better in that respect... I think I'm going to go with JOHN3's idea of introducing a second router into the LAN with a second subnet... The more secure the better...

Thanks for all your help,
ToPo


Response Number 8
Name: Jennifer SUMN
Date: September 16, 2005 at 18:20:18 Pacific
Reply:

I'd say if he's that irresponsible regarding his own Company's Security, you all may soon be looking for new employment.

Let him do what he wants, and I'd recommend you look for employment somewhere that will actually appreciate your professionalism and attention to detail.

Soylent Green is PEOPLE!!!







