Networking Forums


Easiest way to Block and Allow Internet Access in AD?

 
 
'puter-rooter

 
      04-02-2005, 11:03 PM
I have a customer who wants to prevent a portion of the existing (Class C)
network from accessing the Internet (XP Pro AD clients). But the same clients
still need access to the server / shared-network printers / other computers
on the network. There are other Win98 PC's on the network that need to have
access to everything including the Internet. Right now, everything is
networked and has Internet Access.

The customer wants to add two (Win98) PC's to have access to the Internet,
but no access to his own network - totally separated - to be used by those
that are having their access blocked (up front and center so he can monitor
their use).

What's going to be the easiest, quickest, simplest method to both prevent
and allow Internet access in this situation? There is no onsite Network
Administrator - I'm contracted... so in case I'm not available, this should
be relatively simple to implement and figure out, and also be a very reliable
solution.

There is an existing single AD, no other servers / domains / DNS's.
DHCP is not currently running on the 2003 Server.

Options I'm considering:
1) Use the existing LinkSys router, (which is currently the DHCP server), to
block Internet access to those computers and then statically assign addresses
to the 5 PC's that need access. The two PC's that don't need access can have
their DNS point to the Internet Provider, instead of the AD Server DNS - they
won't really be on a 'separate' network this way, but it's a simple solution.

2) Use the OU in AD that contains the XP Pro clients, to (somehow) prevent
Internet access through a policy (preferred but not sure how to do this).
This still doesn't put the other two Internet Access PC's on a 'separate'
network.

3) Set up DHCP on the server. Create two scopes / subnets, x.x.x.0-126 and
x.x.x.129-254 : 255.255.255.128. Divide the network by adding another router
as a GW, and plug the two Internet Access PC's into it. This is probably the
best solution, although I've never actually set up a subnet using routers -
just theory / book knowledge.

My biggest concern is, what will happen to the existing AD / DNS Server if I
change the subnet mask from x.x.x.0 to x.x.x.128?
Will it screw up the existing network clients / applications / etc.? Will I
have to add new Host (A) / PTR records / others, to point to the other
network?

--
I can clean the crap outta your system!
 
 
 
 
 
Phillip Windell

 
      04-04-2005, 05:02 PM
That is done with a Firewall or Proxy, or in some cases with a LAN Router
between LAN Segments...not with AD or GPOs.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
 
'puter-rooter

 
      04-05-2005, 12:07 PM
Actually I did it with an AD GPO and an additional router.
There are settings in the GPO that I used to disable access to the 'D:'
drive, hide the 'A:' drive and prevent the use of Internet Explorer - for the
XP computers that were in an OU.
I also set up DHCP on the server and removed it from the original router.
I could have also used it to create a false Proxy, which would in effect
cause IE not to work.

To separate the Internet Access computers from the rest of the network I
added a router and set them up with another network address / subnet. This
router provides the DHCP addresses for these computers.

In the end, it all worked. I've never set up a Proxy server, so this ended up
being a pretty easy solution. Figuring out how to connect the second router
to the first was the trickiest part since I've never done that before either.

 
 
Phillip Windell

 
      04-05-2005, 01:26 PM
OK. Sounds like you got done what you need done. You didn't set up a proxy
though,...you may have set up a NAT device. But I don't see a proxy,...a
proxy is a specific Application that runs on a PC that performs the
"proxying" (ex. MS Proxy2, ISA 2000, ISA2004). Anyway, if it all does what
you want, that is what matters.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




 
 
'puter-rooter

 
      04-05-2005, 02:21 PM
Yeah, you're right - no proxy.
I know the theory behind one, but don't know what the process is to set one
up.

What I did was add a second router and switch on a separate cable segment,
and connected that to the first router.

First router: 192.168.1.1 - subnet: 255.255.255.128
DHCP Scope: 192.168.1.2 to 125

Second router: 192.168.2.129 - subnet: 255.255.255.128
DHCP Scope: 192.168.2.130 to 150 / 255.255.255.128

I connected the second router's WAN port to one of the open LAN ports on the
first router and set the GW on the second router to point to the first router
(192.168.1.1). I connected the LAN port on the second router to a switch,
where the Internet PC's are connected.

That gave me a separate network that can then connect to the Internet
through the first router, that has the cable modem attached.

Does that make more sense?

You're right though - it worked - and it was actually pretty cool to control
the XP's that way. The users aren't too happy about it, but the owner loves
it!

I'll have to study up on how to set up a proxy server and try it at home
sometime. How would I do it with a Server 2003 Standard?

Thanks for your input Phillip!
~ Mike

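The subnet arithmetic behind two things in this thread, worked through as an added example (it is not code from anyone in the thread): the original question of what a mask change from 255.255.255.0 to 255.255.255.128 does to hosts that were all on one /24, and a sanity check of the two-router addressing Mike posted (192.168.1.1/25 with scope .2-.125, 192.168.2.129/25 with scope .130-.150). It uses only Python's standard `ipaddress` module. The server and static host addresses in the `__main__` block are constructed sample values; the router addresses and scopes are the ones posted above.

```python
"""Subnet-split and DHCP-scope checks (added example, not from the thread)."""
import ipaddress


def subnet_of(host: str, prefix: int) -> ipaddress.IPv4Network:
    """The subnet a host belongs to under the given prefix length (mask)."""
    return ipaddress.ip_interface(f"{host}/{prefix}").network


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if a and b can talk directly (no router hop) under that mask."""
    return subnet_of(a, prefix) == subnet_of(b, prefix)


def hosts_cut_off_from(server: str, hosts: list, old_prefix: int, new_prefix: int) -> list:
    """Hosts that reach `server` directly under old_prefix but not under new_prefix.

    These are the machines that need re-addressing, or a router in between,
    once the mask is changed; everything else keeps working as before."""
    return [h for h in hosts
            if same_subnet(server, h, old_prefix) and not same_subnet(server, h, new_prefix)]


def scope_fits(router: str, prefix: int, first: str, last: str) -> bool:
    """A DHCP scope is sane if it lies inside the router's subnet, avoids the
    network and broadcast addresses, and does not hand out the router's own IP."""
    net = subnet_of(router, prefix)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    r = ipaddress.ip_address(router)
    return (lo <= hi and lo in net and hi in net
            and lo != net.network_address and hi != net.broadcast_address
            and not (lo <= r <= hi))


def subnets_overlap(a: str, b: str, prefix: int) -> bool:
    """True if the subnets of two routers overlap (two scopes must not share space)."""
    return subnet_of(a, prefix).overlaps(subnet_of(b, prefix))


if __name__ == "__main__":
    # Constructed sample addresses for the /24 -> /25 question in the first post.
    server = "192.168.1.10"
    static_hosts = ["192.168.1.20", "192.168.1.130", "192.168.1.200"]
    print("stranded by the mask change:", hosts_cut_off_from(server, static_hosts, 24, 25))
    # The two routers exactly as posted in the thread.
    print("router 1 scope ok:", scope_fits("192.168.1.1", 25, "192.168.1.2", "192.168.1.125"))
    print("router 2 scope ok:", scope_fits("192.168.2.129", 25, "192.168.2.130", "192.168.2.150"))
    print("subnets overlap:", subnets_overlap("192.168.1.1", "192.168.2.129", 25))
```

Run stand-alone it reports the hosts above .127 as stranded from a server at .10 once the mask becomes /25, and confirms that both posted scopes sit inside their routers' subnets, skip the network and broadcast addresses, and do not overlap each other.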
 
Phillip Windell

 
      04-05-2005, 02:35 PM
"'puter-rooter" <(E-Mail Removed)> wrote in message
news:17BE5AC0-B24C-4B93-B8E8-(E-Mail Removed)...
> First router: 192.168.1.1 - subnet: 255.255.255.128
> DHCP Scope: 192.168.1.2 to 125
>
> Second router: 192.168.2.129 - subnet: 255.255.255.128
> DHCP Scope: 192.168.2.130 to 150 / 255.255.255.128


You created a Back-to-Back DMZ. The DMZ is an "untrusted" network that
exists between the two NAT Devices.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
'puter-rooter

 
      04-05-2005, 02:57 PM
Ok - what exactly does that mean?

I know that a DMZ is a demilitarized zone... but what does it mean to be
'untrusted', when it's within an existing network like this, behind routers?

What is the significance of it being 'untrusted' in this situation?

How else would you / should I have setup the network / router connections so
that it was 'trusted'? or is that where the Proxy comes into play?

You're scaring me! LOL
~ Mike

 
Phillip Windell

 
      04-05-2005, 05:30 PM
"'puter-rooter" <(E-Mail Removed)> wrote in message
news:8CE10CEE-7F13-4BBD-911E-(E-Mail Removed)...
> Ok - what exactly does that mean?
>
> I know that a DMZ is a demilitarized zone... but what does it mean to be
> 'untrusted', when it's within an existing network like this, behind routers?
>
> What is the significance of it being 'untrusted' in this situation?


Trusted/Untrusted is defined from the perspective of the Firewall (NAT
Device) or Proxy that separates the two.

The Internet is always an "untrusted" network.
A Back-to-Back DMZ is an "untrusted" network for the innermost NAT Device,
but is "trusted" by the outermost NAT Device.
The Internal Network is always a "trusted" network.

A Trusted network is allowed to reach an Untrusted Network.
An Untrusted Network is not allowed to contact a Trusted Network, however
NAT Devices and Proxies can "publish" machines or services from the "trusted"
network to the "untrusted" network.

> How else would you / should I have set up the network / router connections so
> that it was 'trusted'? or is that where the Proxy comes into play?


I would not have built it the way you did unless there was a specific reason
to do so. I typically place just one Proxy or NAT Device (one or the other)
at the network edge between it and the Internet. So there would be one Proxy
(or NAT Device) with the Internet being "untrusted" and the LAN being
"trusted". I would have only one Subnet.

I then control who has access to the Internet using the abilities built into
the Proxy (or NAT Device). At worst, that may mean that some machines use
static (or DHCP Reserved) addresses so you always know what their IP# is.

If some machines are not supposed to have access to certain things on the
LAN, then that is handled by the NTFS Permissions on the "targets". In some
cases it may be controlled by the Services or Applications they connect to
if those services or applications have their own built in Authentication
abilities such as SQL Server and many proprietary Applications. The fact
that they can see the "targets" in Network Places is meaningless,...the fact
that they may be able to ping the "targets" is also meaningless. You just
simply don't give the User accounts permissions to things they aren't
supposed to get to,..it's just that simple.

For example, at our place:
1. A File Server stores files in many different "shares". Users can only
get to the files they are supposed to get to and nothing else. It is
controlled by NTFS permissions.
2. Sales/Accounting access the Applications they run by logging into the
Application. These are Applications designed with "user databases" built
into them and only the users with "accounts" in those Applications can use
the Applications.
3. NewsRoom Users,...it is just a repeat of above. The NewsRoom System
has its own built-in User Accounts in the Application itself that controls
who can use it and what they are allowed to do.
4. Internet Access is controlled by ISA Server (a proxy server) and
Users are allowed/denied to the Internet based on *who* they are, not by what
machine they are sitting at. They are also limited by what they can actually
do on the Internet, different users may have different abilities,...again
based on *who* they are.

Although I have multiple subnets now,..this all worked perfectly fine and
securely with just one single large subnet. There was no "fooling around"
with NAT Devices, Routers, or Proxies on the internal part of the LAN to make
that happen. NAT Devices and Proxies are designed to protect Users from the
Internet,..not from each other.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
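Phillip's trusted/untrusted rule, written down as a small model so it can be checked against the back-to-back layout built in this thread. This is an added example, not code from either poster. The zone names (`internet`, `dmz`, `internal`), the device names and the `published` service set are assumptions chosen to match the description above: each NAT device lets its inside (trusted) network initiate connections to its outside (untrusted) network, blocks the reverse, and may "publish" individual services from inside to outside.

```python
"""Trust-direction model of a back-to-back NAT layout (added example)."""
from dataclasses import dataclass, field

# Zones ordered from the Internet inward. DEVICES[k] sits between ZONES[k] and ZONES[k+1].
ZONES = ["internet", "dmz", "internal"]


@dataclass
class NatDevice:
    name: str
    outside: str                                  # network this device treats as untrusted
    inside: str                                   # network this device treats as trusted
    published: set = field(default_factory=set)   # services it exposes from inside to outside

    def view(self, zone: str) -> str:
        """How this device classifies a network attached to it."""
        if zone == self.inside:
            return "trusted"
        if zone == self.outside:
            return "untrusted"
        raise ValueError(f"{self.name} is not attached to {zone}")


# The thread's layout: router 1 on the cable-modem side, router 2 in front of the AD network.
DEVICES = [
    NatDevice("router1 (outer)", outside="internet", inside="dmz"),
    NatDevice("router2 (inner)", outside="dmz", inside="internal"),
]


def devices_between(src: str, dst: str, devices=DEVICES) -> list:
    """NAT devices crossed on the way from src to dst, in traversal order."""
    i, j = ZONES.index(src), ZONES.index(dst)
    if i < j:                                   # moving inward: outside -> inside at each hop
        return devices[i:j]
    return list(reversed(devices[j:i]))         # moving outward: inside -> outside at each hop


def connection_allowed(src: str, dst: str, service: str, devices=DEVICES):
    """Decide whether a *new* connection from src to dst for `service` is allowed.

    Rule as stated in the thread: a device passes trusted -> untrusted traffic;
    untrusted -> trusted only for a service it publishes. Returns (allowed, reason)."""
    if src == dst:
        return True, "same network: no NAT device in the path"
    inward = ZONES.index(src) < ZONES.index(dst)
    for dev in devices_between(src, dst, devices):
        if not inward:
            continue                            # trusted -> untrusted: always permitted
        if service in dev.published:
            continue                            # explicitly published through this device
        return False, f"{dev.name} drops untrusted->trusted traffic ({service} not published)"
    return True, ("reached only via published services" if inward else "trusted -> untrusted")


if __name__ == "__main__":
    for src, dst, svc in [("internal", "internet", "http"), ("dmz", "internal", "smb"),
                          ("internal", "dmz", "smb"), ("internet", "internal", "smb")]:
        ok, why = connection_allowed(src, dst, svc)
        print(f"{src:>8} -> {dst:<8} {svc}: {'ALLOW' if ok else 'BLOCK'} ({why})")
```

The model gives exactly the picture the two replies describe: the inner router treats the AD network as trusted and the DMZ as untrusted, so the two Internet PCs cannot open a connection into the server network, while the server network can still open connections outward to both the DMZ and the Internet. That one-way direction is the whole separation this layout provides; a service added to the inner device's `published` set removes it for that service.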
 
'puter-rooter

 
      04-05-2005, 11:29 PM
Ok, I see what you mean by trusted / untrusted - and 'normally' I setup
networks the way you described. One network / one NAT at the edge.

But I thought that 'technically' a DMZ is an area that sits outside of your
firewall, so that it is accessible from the Internet, like an IIS / FTP
server? In my setup, none of the network is accessible from the Internet, but
the Internet is accessible from either of the two networks.

The reason for setting it up the way I did was for one reason... the
customer wants to be sure his network never gets infected by any kind of worm
/ trojan / virus, that can spread through network shares. Since the server
hosts a client / server application that all (other) users access, he wanted
to separate the servers' network from the internet accessible network. The
theory (fact) is that there are known threats that can spread through network
shares. I didn't see any other way to achieve that kind of protection... does
that make sense, and would you say that this setup achieves that?

I would agree with you if you said this is overkill / a little more than
paranoia - but, is my application / thought process (in this case), correct
or (at least) effective?

The two Internet computers that are connected to the Router #2 network are
in their own Workgroup (anyway) and not part of the AD Server - connected to
Router #1. My guess is, that (alone) would be enough to prevent any type of
threat (worm / virus) from spreading to any other part of the network - since
the Internet computers have no mapped drives to the other network anyway.

I guess my thinking was that by having them on their own network, connected
to another router (back-to-back DMZ), that there would be absolutely no way
any threat could spread to the Servers network?

I've never setup a network like this before, and wouldn't have this time,
except for the customer's extreme paranoia.

I think there are legitimate situations where routers are used to segment /
divide / separate, networks. In a situation like that, wouldn't you connect
one router to another, in the same way that I did? Or how else would it be
done?

Thanks for your explanations and taking the time to answer my lengthy
questions!
I really appreciate it!
~ Mike

 
Phillip Windell

 
      04-06-2005, 03:08 PM
"'puter-rooter" <(E-Mail Removed)> wrote in message
news:E9229F50-3EF6-4CE8-A87D-(E-Mail Removed)...
> But I thought that 'technically' a DMZ is an area that sits outside of your
> firewall, so that it is accessible from the Internet, like an IIS / FTP
> server?


Correct.

> In my setup, none of the network is accessible from the Internet, but
> the Internet is accessible from either of the two networks.


So each NAT Device is "side-by-side" and independent of each other?

> The reason for setting it up the way I did was for one reason... the
> customer wants to be sure his network never gets infected by any kind of
> worm / trojan / virus, that can spread through network shares.


Nothing you are attempting to do will stop that. That is why on the 8th day
God invented Anti-Virus software. A week later Bill Gates created Security
Patches. ;-)

> Since the server
> hosts a client / server application that all (other) users access, he wanted
> to separate the servers' network from the internet accessible network. The
> theory (fact) is that there are known threats that can spread through network
> shares. I didn't see any other way to achieve that kind of protection... does
> that make sense, and would you say that this setup achieves that?


Then you use a LAN Router (not an Internet Sharing NAT Device) between the
two LAN segments. None of this has anything to do with the Internet
connection or the NAT Devices providing it. But it won't stop what you are
wanting to stop. Whatever you do in the idea of "stopping the viruses" will
also stop the user's ability to do their jobs.

> I would agree with you if you said this is overkill / a little more than
> paranoia - but, is my application / thought process (in this case), correct
> or (at least) effective?


Not paranoia,...they are legitimate concerns,...but just, I think,...
misguided. You protect the system from what you described via AntiVirus
software and the other methods I described in the last post.

> The two Internet computers that are connected to the Router #2 network are
> in their own Workgroup (anyway) and not part of the AD Server - connected to
> Router #1.


That doesn't matter.

> My guess is, that (alone) would be enough to prevent any type of
> threat (worm / virus) from spreading to any other part of the network - since
> the Internet computers have no mapped drives to the other network anyway.


No it will not, and additionally, mapped drives don't matter either.

> I guess my thinking was that by having them on their own network, connected
> to another router (back-to-back DMZ), that there would be absolutely no way
> any threat could spread to the Servers network?


Having them on their own network would not do that.

> I've never setup a network like this before, and wouldn't have this time,
> except for the customer's extreme paranoia.


I think you are falling into the trap of letting the customer tell you the
right way to do something. The fact is the customer doesn't know,...if they
did they would do it themselves and wouldn't need you. Your job is to know
the right way to do something, explain to them the right way it is
done,...and then do it.

I sympathize with your situation and am many times thankful that I am not in
that type of situation. I deal with the same system every day that does not
change often. I am also the "decision maker" of that system and I build and
design it as I know best. So I don't have to deal with "customers" that in
many cases think they know more than they really know and have many
"superstitions" to overcome.

> I think there are legitimate situations where routers are used to segment /
> divide / separate, networks. In a situation like that, wouldn't you connect
> one router to another, in the same way that I did? Or how else would it be
> done?


If you mean LAN Routers, ...yes. Typically there are two reasons:

1. The number of Hosts increases above 250-300, and the network begins
to degrade as a result of "broadcasts" which are the normal characteristics
of Ethernet.

2. Security concerns. ACLs are used on the LAN Routers to restrict
traffic at the OSI Layers 3 & 4. These methods typically do not stop
viruses, worms, spyware, etc. These methods are simply to assure that the
LAN Users cannot use certain types of communication (certain protocols)
over the Router.
These restrictions are only *supplementary* to the *primary* security
that is based on the NTFS permissions and the permissions derived from
Applications that have their own built-in user databases and authentication
systems.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
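The Layer 3/4 ACL described in the reply above, as an added example that is not part of the original thread or either poster's setup: a small first-match ACL evaluator modelling a LAN router placed between the thread's two segments. The subnets, addresses and port list are constructed for illustration; it shows that such rules match on address, protocol and port only, and never see traffic that stays inside one subnet.

```python
"""Stateless Layer 3/4 ACL model (added example, constructed addresses)."""
from dataclasses import dataclass
import ipaddress

SERVER_LAN = ipaddress.ip_network("192.168.1.0/24")    # constructed: AD server segment (Router #1)
INTERNET_PCS = ipaddress.ip_network("192.168.2.0/24")  # constructed: walk-up Internet PCs (Router #2)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset           # empty set means any destination port


# Evaluated top to bottom like a Cisco-style ACL: first match wins,
# and anything that matches nothing hits the implicit deny at the end.
ACL = [
    Rule("permit", "udp", INTERNET_PCS, SERVER_LAN, frozenset({53})),             # DNS to the AD server
    Rule("deny",   "tcp", INTERNET_PCS, SERVER_LAN, frozenset({135, 139, 445})),  # RPC / NetBIOS / SMB
    Rule("permit", "any", SERVER_LAN, INTERNET_PCS, frozenset()),                 # server LAN may reach the PCs
]


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for one packet header crossing the router."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if r.proto not in ("any", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "deny"  # implicit deny: the ACL only knows addresses and ports, not users or content


def crosses_router(src_ip, dst_ip):
    """True only when the hosts sit on different segments; traffic that stays
    inside one subnet never reaches the router, so no ACL can inspect it."""
    def segment(ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n in (SERVER_LAN, INTERNET_PCS) if addr in n), None)
    return segment(src_ip) != segment(dst_ip)


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "192.168.2.10", "192.168.1.5", 445))   # deny: SMB blocked at the router
    print(evaluate(ACL, "udp", "192.168.2.10", "192.168.1.5", 53))    # permit: DNS allowed
    print(crosses_router("192.168.1.5", "192.168.1.6"))               # False: same subnet, ACL never applies
```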