07-06-2008, 12:07 AM   #1
elbowgrease, Registered User

Link between buildings

I'm working on the same issue. The company has 3 buildings close together. Two are physically networked and the 3rd is connected via wireless access points. There are about 25 computers spanning over the 3 buildings. The computers that are on the network all communicate with a WIN2K server that hosts our accounting software. All the connected workstations are using XP Pro, and a few may have XP Home.
We want to start securing the network so that users can only access what they need to and log into the computers with a password rather than the regular login they have now.
Also, the plan is to get everything as secure as possible so that we can add internet access.

What is the strategy for this and WHERE do I begin? I feel overwhelmed.
I purchased a Cisco ASA 5500 Firewalls/VPN Security device, but I haven't installed it yet. I'm waiting until I know how it should be implemented.
07-06-2008, 06:43 AM   #2
Cellus, Moderator Networking Team

Re: security and firewalls

Okay first off, hold the brain train for a moment. For those who have their own support issues, please start a new thread with the full details of your issue instead of posting in someone else's thread. This is to better facilitate and organize the support process, and mixing several issues from several people in a single forum thread will make it much more difficult for those requiring assistance and those giving it to be effective.

In terms of a hardware firewall appliance, you want it placed at the absolute outer perimeter of the network, which in the format of the above suggestion should go as:

FIREWALL
| |
ROUTER
| |
NETWORK

The reason being is the security hurdle should be the first thing malicious stuff should hit before even being routed anywhere (it also protects the router - yes routers can get hacked). You also want comprehensive coverage, and having all network data funneling to and from the network and the outside is more easily done when it doesn't have to be routed through the router and only covering bits and pieces here and there.

For a small business, you do not really need to invest in a software firewall for your workstations and server. Windows Firewall will be just fine. Your hardware firewall will take care of perimeter security. Application control should be handled at a permissions/policy level (i.e. don't give normal users Administrator privileges, only install trusted applications, etc.). However, with that being said, you definitely want to invest in Antivirus. Some hardware firewall appliances provide a certain level of AV protection, anti-spam, and so forth (depending on how much you spend). In any case, everything should have an AV program on it.

How exactly are your workstations, servers, and network laid out? More targeted advice can be given if we had a better idea of how everything is laid out.
07-07-2008, 02:11 AM   #3
elbowgrease, Registered User

Re: security and firewalls

The two buildings that are physically networked via Fiber Optics, I'll refer to as buildings one and two. The building connected via wireless APs I'll call #3. All 3 buildings contain workstations that connect either directly to a main switch in each building or by a series of switches. The company's cable modem is in building 1 and connects to building 2 by a separate fiber line. The computers in building 2 that connect to the cable modem through that fiber line are not connected to the LAN; the same goes for the internet computers in building 1. None of the computers in building 3 are on the internet at this point.

The Win2k server is in building two and connects to the main switch in that building.
Logically all the buildings are in a star topology, peer-to-peer.

I understand that the firewall would be in building one placed behind the cable modem, but my knowledge and experience does not lead me much further than that.

When it comes to the Windows firewall, the server is on Win2k Server Edition, how should I handle that?
Also, when applying permissions/policy limitations, is it possible to block certain users from the internet without affecting their access to the server?

Thanks for your prompt reply.
07-07-2008, 03:53 PM   #4
johnwill, Manager, Networking Forums

Re: Link between buildings

Even though it appears you're having the same problem, please start a new thread when you have a new issue. It's very difficult to keep two problems straight and who's working on what in a single thread.

I've created a new thread for your issue here.

Note: You will need to post complete details of your configuration and your specific issue in this new thread for us to help you.

Thanks for your cooperation.
07-07-2008, 07:33 PM   #5
elbowgrease, Registered User

Re: Link between buildings

OK, I'll restate the situation.
  • It's a peer-to-peer network using a logical star.
  • The network is spread over 3 buildings.
  • Each building has a main switch in it that all the workstations connect to. Some connect by a series of switches.
  • All workstations are running XP, but the Server they communicate with in building 2 runs Win2k Server.
  • Buildings 1 and 2 are linked via 2 Fiber Optic cables. One cable is network traffic and the other is for internet traffic.
  • Computers that have internet are not connected to the server's network.
  • The cable modem is in building one.
  • Building 3 connects to building 2 via Wireless APs
  • Right now, building 3 is on the server network and not the internet network.
  • We have a Cisco ASA 5500, but have not installed it yet, because we're not sure how it should be configured.
  • There are no Group Policies or User Policies currently in place
  • There is no Anti-virus on the server network

Ok. I need to read up on implementing group/user policies so that users cannot access restricted material. I'm thinking I should do this first, but does anyone know a good place to find information on this? Do the policies have to come from the server or be set at each workstation?
Right now there is no domain in use, some computers just use different workgroups.

The plan is that once we can get the network secure, we'll tie the internet network from building one into the server network. We do not want everyone to be able to access the internet, but more importantly we don't want bad stuff coming in from the internet. With the workstations on XP and the server on Win2k Server, what's a good way to do this?

Once I get my policies and firewall running, how can I test them to see how secure they are?

Also, with the 3rd building connecting by wireless APs, what can I do to secure them?
07-13-2008, 04:35 AM   #6
TheWiz, Registered User

Re: Link between buildings

OK. This is a substantial project you are undertaking and really warrants a professional for each major part. You should be implementing a Windows Domain Controller set up to provide user access control. I am no expert in that so I won't take that any further. For Internet access control you should be looking at a Proxy Server such as a Windows ISA box. Once again, not my expertise. The Cisco ASA however is an area I can help with along with your general network set up. I assume that you are segregating your Internet access PCs for security reasons and that you perceive this zone as 'untrusted'. This is a good assumption but not practical moving forward. Your ASA box is a great purchase and will serve you well. It is highly configurable but does require an experienced person to really set it up. Once set up it is relatively straightforward to administrate. You can set rules governing access both inbound and outbound to your network including setting up a DMZ for Email servers etc. Do you have the 5505 or the 5510 model?

I can help you with this to a basic level through this forum but it will be a bit tedious and may take a while and a few posts. First thing to start with in any project like this is a diagram of current set up and a future state diagram. The diagram should have accompanying information about the network such as the AP types and subnets allocated in each building. Switch types would also be good. Add any other details you think would be relevant to the network design.

Cheers

Wiz