Submission: Least-worst network arrangement?
CPUsInHotPlaces writes: "Dear Slashdotters,
I have the (un)enviable task of running a small (3 laptops) network in a small West African country. We have a (slow) broadband internet connection, which is shared through an ethernet router/firewall. Two of the laptops can connect directly (via an Ethernet cable) to the router, but the other one, and an additional computer need to be connected from about 40m away, via a different ethernet network (that doesn't have internet access — it's used for sharing a printer). ASCII topology:
                         /-LaptopA
                        /
    THE WORLD — ROUTER / — LaptopB
                  |
                  |
Other network — > |
                  | — LaptopC
                  |
                  | — Foreign Computer D-Z
The additional complication is that while I have admin rights on Laptops A-C, the other computers are virus-ridden, malware-spewing Windows boxes (mostly running Windows '98) which I have no control over. However, I have to connect one of them to the internet... (this is non-negotiable for political reasons).
I can make sure that I only connect Laptop C and Foreign Computer D, rather than all 20, using MAC address filtering, but I'm still worried about having them all on the same subnet. I'd like to be able to have some shared disk space (using NFS or Samba), but don't want to expose it to the computers I can't control. I had thought about putting a second router/firewall between the first router and the other network cable, but then Laptop C can't access it either.
So, my options seem to be:
* All one subnet — simple, but then we have an infected computer behind the firewall
* Two subnets — more expense, one of the laptops can't access the shared drive, and it is still on the same subnet as an infected computer
Anyone got any better ideas?
Matt"