
Router Connection Granularity

775 Views, 5 Replies, 3 Participants. Last post by Troy_Jollimore
I wasn't sure what keywords to use for this post seeing as "router" brings up a bevy of results.

If I have 2 computers, A and B, and a router, can I restrict one computer from accessing the web? That is to say, I want A and B to be able to share files with each other across the LAN, but I want to limit B's ability to access an outside network.

Without getting into too much info: I have several PCs in my lab that aren't allowed on our work network as they are unpatched. Patching said computers takes away our admin rights, which is why they stay unpatched and off network. The problem I'm having is transferring data to and from these computers in an efficient manner. Sneakernet + CD is not what I want to be doing with my day. (Patched PCs block USB mass storage devices.)
I believe you have misdiagnosed the update issue, but putting that aside, you would not include a gateway entry for the PCs you don't want having internet access, or you block their access at the router with MAC filtering.
The issue here isn't that the admins don't want your PCs accessing the Web, they don't want your machines on the NETWORK, PERIOD, without their taking away your admin rights. I can understand that. You genuinely want to have your lab PCs on the network so you can move data back and forth to them without harming anything else. I can understand that.

However, they have no GUARANTEE that's all you'll do with them. So the 'policy' answer would be, 'No'. With an 'uncontrolled' PC on the network at all, they can't say for sure what the network will be used for.

The only way to get around this would be to have a second Network card in your PC that hooked into your lab network. Without bridging to your work network, you're fine. However again, they can't GUARANTEE that you'll never bridge the connections, so the answer would STILL be, 'No.'

So the answer to sell them on would be to create a VLAN explicitly connecting the Lab network to your PC on the work network, and YOUR PC ONLY. They still won't like the fact that the lab PCs are connected to the work network at all, but the VLAN will ensure that all traffic is confined to the lab network and to your PC. They may still say no, and they have a right to, but it would be more of a 'We don't want to' decision rather than a policy decision based on technical possibilities.

MAC filtering would also be unreliable since they're so easy to spoof. It sounds like these guys have their network locked down better than that.
"I want A and B to be able to share files w/ each other across the lan but I want to limit B's ability to access an outside network."

Where did the rest of what you wrote come from Troy?
@Wand3r3r
It was more that in my haste to preempt questions like "why don't you just put these on the network then" I got a bit muddled.

I should have simply said we have several off-network PCs that we keep off network to maintain admin rights. I need them to be able to communicate with the networked PCs in some fashion but we can't use USB. My first pass at a solution was a router level block. I should have left the bits about the patching out, it was not relevant.

Obviously I'm not a networking guy but it seems perfectly reasonable to me that there is a way to simply restrict certain PCs from talking with anything but PCs connected to the same local router. I figure this was a win for all since it solves my problem and doesn't skirt security policy.

Wouldn't MAC filtering keep my PC from talking to other PCs on that same router? Or are you saying I can block outbound traffic by MAC address?

@Troy
The tone of your post suggests an unfair assessment of me that I am trying to game the system or that I don't understand why we keep unpatched computers off of a network. I get what you're saying, but honestly there isn't anything stopping me from connecting these PCs to the network besides my own desire not to break the rules. If they trust me not to connect these PCs to the network, is it such a leap that they would trust me not to spoof a MAC address? I want to be transparent to our IT staff. It doesn't serve my needs to have them lock down what I can do.
"The tone of your post suggests an unfair assessment of me that I am trying to game the system or that I don't understand why we keep unpatched computers off of a network."

"I want to be transparent to our IT staff. It doesn't serve my needs to have them lock down what I can do."
These two statements are at odds with each other. It's not so much an 'unfair' assessment (or judgment, as you may think it to be), so much as one borne out of experience. To answer Wanderer's question, "Where did the rest of that come from?", it's because I've been there before, trying to mediate between users that 'just want to do their stuff' and IT departments that are inflexible when it comes to bending their policies... It's not a judgement. I totally understand where you're coming from. It's like speeding. You're on a nice, open, highway. You have a safe car, and you're a safe driver... There's nothing 'wrong' with it, but if the police catch you, you get a ticket. It's not like you're blasting down a crowded city street or anything, so it seems totally unfair. And it IS...yet it isn't.

An example I just read about was a marketing dept. that grew tired of waiting for IT and other depts. to come together and develop a website, so they went out and did it on their own. When it was found and tested, within 10 minutes the testers had admin access to some of the network's core servers from the Internet, and could have brought them down at will.

You mentioned that 'unpatched' PCs can't be on the network, so my understanding was THAT was stopping you from connecting them to the work network, not that you just didn't do it. ;) I'm on your side here. The solution I mentioned would do exactly what you mentioned, although you wouldn't be transparent to the IT staff, your activities should be limited enough to make them happy. You mention a 'router level block', so only PCs on the same router can talk to each other. That's what a VLAN would accomplish. A software block, like IP addresses and subnetting can be circumvented. A VLAN is a virtual network, so if you say that ports 1,2,6 & 8 are on a VLAN, and the remaining ports are on another, the two groups can't see each other. With some clever manipulation of tagging and subnetting, you can have it so that certain computers are on the network and can see your lab PCs, but the lab PCs can't access the network (and vice versa).

I'm also assuming you don't have control of your local network devices. If the network is that locked down, plugging ANYTHING in that isn't properly configured and authorized won't get connection at all. With a little more knowledge of what you have access to, and how the PCs are physically connected to them, we might be able to help further. Take MAC filtering. You can configure your router so a MAC address can't get out on the network, but can you configure it so the network can't discover that device's presence on the router?

It may not be on their priority list (and I know how lethargic some IT depts. can be) but I can't see why it wouldn't be in their best interest to help you. To them, you're one of the most dangerous types of users out there. You've got a focus, and access to technical expertise, and nothing but good intentions. You'll eventually find some way to crack it. I'd rather KNOW how you're bending my rules (after helping you bend them in a controlled manner) as opposed to leaving you to your own devices... ;)
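The three controls raised in this thread (leaving the gateway entry off the lab PCs, a MAC allow-list at the router, and port-based VLANs with a one-way routing policy) can be modelled side by side. The following is an added example, not code from any poster or vendor; the subnets, MAC addresses, switch-port numbers and flow-tracking logic are constructed for illustration (the only values taken from the thread are the port numbers 1, 2, 6 and 8 on the lab VLAN). It shows why the VLAN approach confines lab traffic even when a lab PC's own configuration is not trusted: VLAN membership comes from the physical port, not from anything the endpoint reports.

```python
"""Toy model of three network controls: no default gateway on the lab host,
a MAC allow-list at the router, and port-based VLANs with a router policy that
lets the work side initiate connections to the lab but not the reverse.
All addresses, MACs and port-to-VLAN assignments are constructed (assumption)."""
from dataclasses import dataclass
import ipaddress

LAB_NET = ipaddress.ip_network("10.10.0.0/24")   # lab PCs (constructed)
WORK_NET = ipaddress.ip_network("10.20.0.0/24")  # work network (constructed)
NETS = {10: LAB_NET, 20: WORK_NET}                # VLAN id -> subnet; 0 = outside
OUTSIDE = 0

# Ports 1, 2, 6 and 8 form the lab VLAN, as in the post; the rest are work ports.
PORT_VLAN = {1: 10, 2: 10, 6: 10, 8: 10, 3: 20, 4: 20, 5: 20, 7: 20}


@dataclass(frozen=True)
class Packet:
    ingress_port: int   # physical switch port the frame arrived on
    src_mac: str
    src_ip: str
    dst_ip: str


# Control 1: no gateway entry on the lab PC. On-link destinations are reached
# directly; any other destination has no route, so the host cannot send at all.
def host_has_route(host_net: ipaddress.IPv4Network, has_default_route: bool,
                   dst_ip: str) -> bool:
    return ipaddress.ip_address(dst_ip) in host_net or has_default_route


# Control 2: MAC allow-list at the router. The decision rests on a value the
# endpoint reports about itself, which is the weakness the thread points out.
ALLOWED_MACS = {"02:00:00:00:00:a1"}  # constructed: the engineer's work PC


def mac_filter_allows(pkt: Packet) -> bool:
    return pkt.src_mac.lower() in ALLOWED_MACS


# Control 3: port-based VLANs. Membership is a property of the port.
def vlan_of_ip(ip: str) -> int:
    addr = ipaddress.ip_address(ip)
    for vid, net in NETS.items():
        if addr in net:
            return vid
    return OUTSIDE


def switch_forwards(ingress_port: int, egress_port: int) -> bool:
    """Layer-2 rule: a frame is only flooded or forwarded within its own VLAN."""
    return PORT_VLAN[ingress_port] == PORT_VLAN[egress_port]


class RouterPolicy:
    """Inter-VLAN router with a minimal stateful policy: only the pairs in
    INITIATE may open a flow; the other direction is allowed as a reply only."""
    INITIATE = {(20, 10), (20, OUTSIDE)}   # work -> lab, work -> internet

    def __init__(self) -> None:
        self.established: set[tuple[str, str]] = set()  # (initiator, responder)

    def forward(self, pkt: Packet) -> bool:
        src_vlan = PORT_VLAN[pkt.ingress_port]
        if src_vlan != vlan_of_ip(pkt.src_ip):
            return False            # source address does not belong on this port
        dst_vlan = vlan_of_ip(pkt.dst_ip)
        if src_vlan == dst_vlan:
            return True             # intra-VLAN: the switch handles it anyway
        if (src_vlan, dst_vlan) in self.INITIATE:
            self.established.add((pkt.src_ip, pkt.dst_ip))
            return True
        return (pkt.dst_ip, pkt.src_ip) in self.established   # reply traffic only


def demo() -> dict:
    """Run the constructed scenarios and report which controls hold."""
    router = RouterPolicy()
    lab_to_work = Packet(1, "02:00:00:00:00:b2", "10.10.0.5", "10.20.0.9")
    work_to_lab = Packet(3, "02:00:00:00:00:a1", "10.20.0.9", "10.10.0.5")
    lab_to_internet = Packet(1, "02:00:00:00:00:b2", "10.10.0.5", "198.51.100.7")
    return {
        "no_gateway_blocks_offlink": not host_has_route(LAB_NET, False, "10.20.0.9"),
        "no_gateway_keeps_lan": host_has_route(LAB_NET, False, "10.10.0.7"),
        "mac_filter_drops_lab_pc": not mac_filter_allows(lab_to_work),
        "switch_isolates_vlans": not switch_forwards(1, 3) and switch_forwards(1, 6),
        "lab_cannot_initiate": not router.forward(lab_to_work),
        "lab_cannot_reach_internet": not router.forward(lab_to_internet),
        "work_can_initiate": router.forward(work_to_lab),
        "lab_can_reply": router.forward(lab_to_work),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The ordering in `demo()` is the point: the same lab-to-work packet is dropped before the work PC opens a flow and accepted afterwards, which is the "certain computers can see your lab PCs, but the lab PCs can't access the network" behaviour described above. Note also that `forward()` drops a packet whose source address does not match the VLAN of its ingress port, so a lab host claiming a work-network address gains nothing, whereas `mac_filter_allows()` has no equivalent check because the MAC is the only thing it sees.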