Network isolation

I have a workgroup network consisting of all XP pro machines. There is one
machine that is the print server, acting as the host to a busy laserjet via
a USB connection. However, of these computers, there is one machine that is
semi-public. I want this public machine to be able to connect to the print
server but NOT to any of the remaining private machines. In other words,
when someone browses Network Places on this public machine, all they see is
this print server. I may put a shared folder on this server to be accessible
from the public computer, but the server primarily will act as the print
server for the shared laserjet for the entire network -- public and private.

All the machines have simple file sharing to make things easier to manage.
However because of Simple File Sharing, the public machine can see all the
other computers. I am thinking of segmentalize the network into two
subnetworks at the IP level instead of at the Application level. Can I
achieve this by putting a second NIC in the print server and give it a
different subnet, one that is the same as the public machine's, but
different than that of the private network?

Example:

Public machine gets 192.168.1.2/24
Print server NIC1 gets 192.168.1.3/24 and NIC2 gets 192.168.2.2/24
All the rest of the machines in the private network get 192.168.2.x/24

So as long as I do not bridge the two NICs in the print server, I can
completely prevent the public computer from even seeing the private
computers, right? What are the chances of a package leak from one NIC to the
other given that they have different subnets?

In your example you've actually changed the IP address of each network. One
is in 192.168.1.xxx space and the other is in 192.168.2.xxx space the
subnets/24 are the same.

David Hettel
MVP Mobile Devices

"Zyggy" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I have a workgroup network consisting of all XP pro machines. There is one
>machine that is the print server, acting as the host to a busy laserjet via
>a USB connection. However, of these computers, there is one machine that is
>semi-public. I want this public machine to be able to connect to the print
>server but NOT to any of the remaining private machines. In other words,
>when someone browses Network Places on this public machine, all they see is
>this print server. I may put a shared folder on this server to be
>accessible from the public computer, but the server primarily will act as
>the print server for the shared laserjet for the entire network -- public
>and private.
>
> All the machines have simple file sharing to make things easier to manage.
> However because of Simple File Sharing, the public machine can see all the
> other computers. I am thinking of segmentalize the network into two
> subnetworks at the IP level instead of at the Application level. Can I
> achieve this by putting a second NIC in the print server and give it a
> different subnet, one that is the same as the public machine's, but
> different than that of the private network?
>
> Example:
>
> Public machine gets 192.168.1.2/24
> Print server NIC1 gets 192.168.1.3/24 and NIC2 gets 192.168.2.2/24
> All the rest of the machines in the private network get 192.168.2.x/24
>
> So as long as I do not bridge the two NICs in the print server, I can
> completely prevent the public computer from even seeing the private
> computers, right? What are the chances of a package leak from one NIC to
> the other given that they have different subnets?
>

The solution is to stop using "Simple File Sharing. It is just that simple
(no pun intended).

Seeing machines in NetPlaces it pointless to worry about. Netplaces is just
a "display" of what is contained in a "browse list" maintained by the Master
Browser. It has nothing to do with permissions or "access" and it a total
waiste of time to worry about machines showing in it.

What *is* worth worrying about is the permissions on Shares (Share-Level
Premissions) and the files & folders in those shares (NTFS Permissions). So
stop using Simple File Sharing and make the sure the Share-Level Permissions
and the NTFS Permissions are what they should be and the problem is solved.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Zyggy" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I have a workgroup network consisting of all XP pro machines. There is one
>machine that is the print server, acting as the host to a busy laserjet via
>a USB connection. However, of these computers, there is one machine that is
>semi-public. I want this public machine to be able to connect to the print
>server but NOT to any of the remaining private machines. In other words,
>when someone browses Network Places on this public machine, all they see is
>this print server. I may put a shared folder on this server to be
>accessible from the public computer, but the server primarily will act as
>the print server for the shared laserjet for the entire network -- public
>and private.
>
> All the machines have simple file sharing to make things easier to manage.
> However because of Simple File Sharing, the public machine can see all the
> other computers. I am thinking of segmentalize the network into two
> subnetworks at the IP level instead of at the Application level. Can I
> achieve this by putting a second NIC in the print server and give it a
> different subnet, one that is the same as the public machine's, but
> different than that of the private network?
>
> Example:
>
> Public machine gets 192.168.1.2/24
> Print server NIC1 gets 192.168.1.3/24 and NIC2 gets 192.168.2.2/24
> All the rest of the machines in the private network get 192.168.2.x/24
>
> So as long as I do not bridge the two NICs in the print server, I can
> completely prevent the public computer from even seeing the private
> computers, right? What are the chances of a package leak from one NIC to
> the other given that they have different subnets?
>