Restricting Network

I know this may not be directly related to Networking, but here goes.

I recently bought to new laptops to replace ageing desktops. No
problem networking everything.

The laptops connect via wireless and the desktops cat5/6. I would like
to put the old desktops in two spare bedrooms to allow family and
friends who stay with us Web access (using Firefox - my prefered
browser), but would not want them being able to do anything else on
the network i.e. access other laptops/desktops, printers.

Is there anyway I can setup something like this - so they just have
browser access?

Thanks

Clive

Clive wrote:
> I know this may not be directly related to Networking, but here goes.
>
> I recently bought to new laptops to replace ageing desktops. No
> problem networking everything.
>
> The laptops connect via wireless and the desktops cat5/6. I would like
> to put the old desktops in two spare bedrooms to allow family and
> friends who stay with us Web access (using Firefox - my prefered
> browser), but would not want them being able to do anything else on
> the network i.e. access other laptops/desktops, printers.
>
> Is there anyway I can setup something like this - so they just have
> browser access?

Yes, if you're prepared to put the "guest" machines on a separate
network segment on a firewalled router, and set up the firewall tables
accordingly. I used to do just this at home, separating an untrusted
"kids" segment from a trusted "parents" segment - all windows file/print
traffic was prohibited between segments; most internet-bound traffic was
permitted from either.

/But/ I use an old PC running freebsd as internet
gateway/jack-of-all-trades, a solution that may not suit the
non-unix-minded. I rather doubt that there's a domestic quality router
around that would fill the purpose.

Mike Scott wrote:
> Clive wrote:
>> I know this may not be directly related to Networking, but here goes.
>>
>> I recently bought to new laptops to replace ageing desktops. No
>> problem networking everything.
>>
>> The laptops connect via wireless and the desktops cat5/6. I would
>> like to put the old desktops in two spare bedrooms to allow family
>> and friends who stay with us Web access (using Firefox - my prefered
>> browser), but would not want them being able to do anything else on
>> the network i.e. access other laptops/desktops, printers.
>>
>> Is there anyway I can setup something like this - so they just have
>> browser access?
>
> Yes, if you're prepared to put the "guest" machines on a separate
> network segment on a firewalled router, and set up the firewall tables
> accordingly.

No need to do that.
Assuming the old machines are running 2k or xp it's not all that hard to
lock them down so that all they can do is run a browser of your choice with
no access to any other apps or settings.

Although I do wonder , if these guests are so untrustworthy , why they are
being allowed into the house and given a computer to play with

--
Alex

"I laugh in the face of danger. Then I hide until it goes away"

www.drzoidberg.co.uk www.ebayfaq.co.uk

Clive wrote:
> I know this may not be directly related to Networking, but here goes.
>
> I recently bought to new laptops to replace ageing desktops. No
> problem networking everything.
>
> The laptops connect via wireless and the desktops cat5/6. I would like
> to put the old desktops in two spare bedrooms to allow family and
> friends who stay with us Web access (using Firefox - my prefered
> browser), but would not want them being able to do anything else on
> the network i.e. access other laptops/desktops, printers.
>
> Is there anyway I can setup something like this - so they just have
> browser access?
>
> Thanks
>
> Clive
>

If your Internet Access is via a router with multiple LAN ports, check
whether it supports VLAN - with this you place the ports into groups so
they are effectively isolated from each other but can share Internet access.

eg:

VLAN 1 = LAN Port 1 for Desktop #1
VLAN 2 = LAN Port 2 for Desktop #2
VLAN 3 = LAN Ports 3 + 4 + Wifi

You can certainly do this with the Draytek 2600/2800 routers.

Dr Zoidberg wrote:
> Mike Scott wrote:
>> Clive wrote:
....
>>> like to put the old desktops in two spare bedrooms to allow family
>>> and friends who stay with us Web access (using Firefox - my prefered
>>> browser), but would not want them being able to do anything else on
>>> the network i.e. access other laptops/desktops, printers.
>>>
>>> Is there anyway I can setup something like this - so they just have
>>> browser access?
>> Yes, if you're prepared to put the "guest" machines on a separate
>> network segment on a firewalled router, and set up the firewall tables
>> accordingly.
>
> No need to do that.
> Assuming the old machines are running 2k or xp it's not all that hard to
> lock them down so that all they can do is run a browser of your choice with
> no access to any other apps or settings.

Too obvious :-) But even a browser is dangerous - if the "guests" are
so untrustworthy, even firefox could let them (whether accidentally or
by design) install all manner of Evil Things on the guest machine -
which is why all things windows need barring from an effectively
untrustable workstation. And if the "guests" are also Evil, what's to
stop them bringing their own (bootable?) disks along.......

>
> Although I do wonder , if these guests are so untrustworthy , why they are
> being allowed into the house and given a computer to play with

Mere incompetence would be quite enough, plus window inbuilt security,
to potentially cause problems.

Dr Zoidberg <alexNOOOOOO!!!!!!!@drzoidberg.co.uk> wrote:
> Mike Scott wrote:
> > Clive wrote:
> >> I know this may not be directly related to Networking, but here goes.
> >>
> >> I recently bought to new laptops to replace ageing desktops. No
> >> problem networking everything.
> >>
> >> The laptops connect via wireless and the desktops cat5/6. I would
> >> like to put the old desktops in two spare bedrooms to allow family
> >> and friends who stay with us Web access (using Firefox - my prefered
> >> browser), but would not want them being able to do anything else on
> >> the network i.e. access other laptops/desktops, printers.
> >>
> >> Is there anyway I can setup something like this - so they just have
> >> browser access?
> >
> > Yes, if you're prepared to put the "guest" machines on a separate
> > network segment on a firewalled router, and set up the firewall tables
> > accordingly.
>
> No need to do that.
> Assuming the old machines are running 2k or xp it's not all that hard to
> lock them down so that all they can do is run a browser of your choice with
> no access to any other apps or settings.
>
But since you can run just about *anything* through a browser window
and/or use port 80 for just about any traffic it's not too difficult
to get around even that restriction.

--
Chris Green