How Do We Protect *our* Network From Clients Infections
allanc
07-17-2009, 01:07 PM
How is everyone protecting their networks from client infections?
I realize that disconnecting the client's network cable and securing the wireless router is a good start.
However, at some point we would want to connect to the Internet to ensure that nothing is interfering.
Another reason would be to obtain the latest definitions of Malware.
To carry that question one step further... how do we ensure that one client's computer does not infect another?
And no, I have not been burnt yet :).
MrUnknown
07-17-2009, 01:32 PM
I keep my client's computers on a separate router and a different subnet. I have it set up so you can't even ping my private network.
allanc
07-17-2009, 01:38 PM
I keep my client's computers on a separate router and a different subnet. I have it set up so you can't even ping my private network.
That is what I was thinking also.
So, you just hang another router off one of the ports on let's say the 192.168.1.x subnet and let it assign its own IP addresses in the 192.168.2.x range, correct?
Your subnet mask would be 255.255.255.0 on both routers?
How do you avoid 'cross pollination' of the various clients' computers?
14049752
07-17-2009, 03:24 PM
A router with DD-WRT would help out considerably, too... You can VLAN the wired portion of it, and create a second SSID that only has Internet connectivity for wireless.
MrUnknown
07-17-2009, 05:13 PM
Honestly, I don't usually have that many computers at once. In general I keep the computers off the network as much as possible. I let them update and then remove the access. At no time are there 2 computers on the network.
14049752
07-17-2009, 05:14 PM
Honestly, I don't usually have that many computers at once. When I do have several computers, I keep them off the network as much as possible. I let them update and then remove the access. At no time are there 2 computers on the network.
Well, that doesn't help those of us that do have several computers at a time, does it? :p ;)
allanc
07-17-2009, 06:21 PM
Well, that doesn't help those of us that do have several computers at a time, does it? :p ;)
I guess we could daisy chain the routers:
tkrabec
07-17-2009, 07:25 PM
You need 3 routers to properly segment the routers (with consumer grade stuff).
1 router connected to the Internet, say 192.168.1.x.
Both other routers connected to that one (they both connect to that one via their "internet/wan" port),
say 192.168.2.x & 192.168.2.x, or use different internal IPs for each so you can tell visually whether you are on your network or the hostile one.
Having each network, your "internal" and the "client" network, on a different router protects both networks from each other.
I.e. if you have a virus or worm on your network it cannot propagate to the client, and vice versa.
Winston_Smith
07-19-2009, 10:35 AM
A VLAN would take care of it, or Linux. I hope this was helpful; I don't want to get another bad mark from moderators.
Yep, an isolated private VLAN would be the best bet. If you're cheap, like I am, a WRT54G with DD-WRT firmware is a cheap way to set up an isolated VLAN.
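As an added example (not from this thread and not DD-WRT's own firewall script), here is a ruleset for the single-router VLAN variant described above, which also meets the three-router goal of keeping the shop LAN and the client network from reaching each other. Interface names (vlan2, br0, br1), the shop gateway address and the P2P port range are assumptions; the subnets are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables ruleset for a Linux/DD-WRT
# router that puts customer machines on their own VLAN/bridge with Internet
# access for updates but no path to the shop's private LAN (or back).
# Interface names, subnets and the P2P port range below are assumptions.
WAN_IF="vlan2"              # upstream/WAN interface (assumed DD-WRT name)
SHOP_IF="br0"               # private shop LAN bridge (assumed)
CLIENT_IF="br1"             # quarantine VLAN bridge for customer PCs (assumed)
SHOP_NET="192.168.1.0/24"   # shop subnet as used in the thread
CLIENT_NET="192.168.2.0/24" # client subnet as used in the thread
SHOP_GW="192.168.1.1"       # shop-side gateway address (assumed)
P2P_PORTS="6881:6889"       # common BitTorrent client port range (assumed)

# Emit the rules instead of applying them, so they can be reviewed, diffed or
# tested before touching a live router. Replies to client-initiated WAN
# traffic are assumed to be accepted by the router's existing ESTABLISHED rule.
gen_rules() {
  cat <<EOF
# Judge everything arriving from the client VLAN in its own chain
iptables -N CLIENT_FWD
iptables -I FORWARD -i $CLIENT_IF -j CLIENT_FWD
# No path from the client VLAN to the shop LAN, and none in the other direction
iptables -A CLIENT_FWD -d $SHOP_NET -j DROP
iptables -I FORWARD -i $SHOP_IF -o $CLIENT_IF -j DROP
# Drop the P2P port range on the client side
iptables -A CLIENT_FWD -p tcp --dport $P2P_PORTS -j DROP
iptables -A CLIENT_FWD -p udp --dport $P2P_PORTS -j DROP
# Whatever remains may only leave towards the Internet
iptables -A CLIENT_FWD -o $WAN_IF -j ACCEPT
iptables -A CLIENT_FWD -j DROP
# The router itself answers only DHCP and DNS on the client VLAN (no admin UI)
iptables -I INPUT -i $CLIENT_IF -j DROP
iptables -I INPUT -i $CLIENT_IF -p udp -m multiport --dports 53,67 -j ACCEPT
# NAT the client VLAN out the WAN side
iptables -t nat -A POSTROUTING -s $CLIENT_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply on the router (needs root); rules are lost at reboot unless saved via
# the firmware's own mechanism (e.g. DD-WRT's firewall script).
apply_rules() { gen_rules | sh; }

# Run from a laptop plugged into the client VLAN: returns 0 only when the shop
# gateway is unreachable while a public host still answers.
verify_isolation() {
  probe="${1:-example.com}"
  if ping -c 1 -W 2 "$SHOP_GW" >/dev/null 2>&1; then
    echo "FAIL: shop gateway $SHOP_GW reachable from the client VLAN"
    return 1
  fi
  ping -c 1 -W 2 "$probe" >/dev/null 2>&1 || { echo "FAIL: no Internet"; return 1; }
  echo "OK: client VLAN isolated from $SHOP_NET"
}

case "${1:-}" in
  apply) apply_rules ;;
  check) verify_isolation "${2:-}" ;;
  *) gen_rules ;;
esac
```

Run it with no arguments to print the rules for review, `apply` on the router, and `check` from a machine on the client VLAN to confirm the shop side is unreachable.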
Bryce W
07-19-2009, 01:37 PM
You will also want to block certain ports on the client LAN, such as BitTorrent.
Keep your Windows computers up to date, and not too many exceptions in your firewall. Then nothing will touch your private computers.
The main problem is the folders that you share.
If they are completely open, nasty things could appear there. But then again, they will not hurt you... if you don't run them.
AND any decent virus protector should grab them when they appear.
Quote within a quote seems to be broken?
1. Windows updates have and will continue to cause problems. But we are talking about a professional technician's personal computers.
If we cannot update our computers and fix it if it goes wrong, no one can.
Besides, how many computers have come in for repair because the user was still using XP pre-SP1 and got the ever so fun Blaster virus?
2. Granted, nothing is 100% secure.
But, the odds of your personal computer or the computers you use in your shop being attacked on the Internet by a skillful enough hacker to penetrate Windows SP3 are incredibly low.
I believe you would be more likely to have a car crash in your bed... ;)
Sorry, but
That is incorrect for many, many, many reasons.
is not a valid reply.
The only response I can give to something like this is, "no, it's correct".
Emockler
08-07-2009, 02:17 AM
My store is in a shopping mall, with free wireless for the stores and for customers who may bring laptops to the food court. I have my own connection that I pay for, with my network, servers and wireless with MAC filtering. I connect client PCs to the mall network through a WET11 with a switch connected to it. Completely and totally segregated.
Hope they fix this quote thing, I have to just underline your text...
Windows updates have and will continue to cause problems.
Yes.
But we are talking about a professional technicians personal computers.
Yes, and supposedly "professional" people out in Redmond wrote those updates too. Yeah, Linux has update issues too, but they usually get fixed a lot faster than Windows ones do. Pro or not, all Windows PCs rely on those same updates. No getting around that.
Sure you can get around that.
Restore or uninstall the broken update...
But let me get this right, you are arguing for not updating your Windows because an update might be broken?
So when do you consider it safe to update Windows?
If we cannot update our computers and fix it if it goes wrong, no one can.
That all depends.
In the case above, I can't write a new Windows update to fix their f-up. Maybe a workaround of some sorts, but an actual fix? Not I. Only MS can write Windows Updates.
Also, we're not Gods, we're techs. Not everything is solvable. At some point, you just replace the system. Solves the issue, but not the problem.
It's very rare that a Windows update goes so wrong that a tech cannot remove the offender.
Besides, how many computers have come in for repair because the user was still using XP pre-SP1 and got the ever so fun Blaster virus?
Considering many have Automatic Update turned on, I haven't run across any pre-SP2 in a LONG time. Most are SP3 now. Even SP2 is becoming more rare.
Actually I agree, it's been many months since I ran into a pre-SP1.
But my point remains, you have to update to keep secure. Would you even consider using XP pre SP1?
Granted, nothing is 100% secure, but, the odds of your personal computer or the computers you use in your shop being attacked on the Internet by a skillful enough hacker to penetrate Windows SP3 are incredibly low.
So install SP3 and you are at very little risk? Riiiiiiiiiiiiiiiight.......I see...... if that's the case, then all the techs on this board will be out of business soon, right? NO ONE on this board has an XP SP3 box in their repair shop being worked on right now, right? I'd take that bet stating that they do...and will continue to have them, so your statement about SP3 is bunk.
That is the case: on all of the computers I fix, the user invited the security hazard into the computer by opening a program or something they should not have.
My point: the thing that I fix in the client's computer did NOT come there by itself.
I believe you would be more likely to have a car crash in your bed... ;)
I would believe that you are more likely to have Windows crash than a car crash.
Totally agree, but it's not because a computer at your shop hacked you.
Sorry, but (see above) is not a valid reply. The only response I can give to something like this is, "no, it's correct".
Yes, it is..... and since you want me to type some of them out, here we go...
No, it's not.
"Just because" is NEVER a valid reply.
That is a very basic thing in logical debate.
The main problem is the folders that you share. If they are completely open, nasty things could appear there. But then again, they will not hurt you... if you don't run them.
Here are only SOME of the reasons why I said "That is incorrect for many, many, many reasons." in reply to you:
1) If someone is accessing your PC/LAN/Intranet, (let alone folders on it), that they aren't supposed to, that is a HUGE problem....and one I would consider far larger than "The main problem is the folders that you share"; as you stated it.
Someone who?
You must remember what this topic is about.
We are talking about computers in your shop, there is no "someone".
And how is that a HUGE problem?
What can they do on your network?
2) This means that they got past any hardware / software perimeter barriers you have setup (Router, Switch, Proxy, Firewall, Gateway, IDS or UTM devices, etc) and that they are now on your network. The sheer scope of even discussing ONE of those items, is an entire thread in itself.
This is my point, they can access the internet using your IP address, that can be very serious for sure.
Now, what else can "they" do?
If your computers are updated "they" CAN NOT gain control of your computer/s.
"They" CAN NOT infect your computer with a virus/spyware without gaining control of your computer. (if you don’t click something that is or share out something stupid).
3) Just because YOU don't run them doesn't mean that THEY won't once they put them on your PC. (Related to the statement of "nasty things could appear there. But then again, they will not hurt you... if you don't run them.")
How are they put on my computer?
How do they make my computer run the nasties (as long as you don't share out the root or Windows folder)?
The only way they can put anything on my computer is if I leave a shared folder open on my computer.
Do I really NEED to go on with more??????
No, I can't make you. But I would like you to :)
angry_geek
08-08-2009, 05:43 AM
Not sure what the original topic had to do with a linux vs windows debate. Getting personal and calling someone a "pizza tech" or other names does not make you a winner in anything. I hate reading any thread where someone keeps going on and on about the merits of linux. It's irrelevant until the balance of power does a 180 and linux is the os installed on over 90% of the world's computers. Then we can bitch about all the security holes in linux. We all love linux, that's not the point of the original topic. Please try to be civil to one another and stay on target when commenting.
"Can't we all just get along?!":p
I would have liked to call this a discussion or even debate.
It's too bad you have to go personal.
I believe a pizza tech is not making his living from computer repair; I AM!
Most of you have much more experience than me in computer repair.
Please teach the guy that does not know any better.
I believe that most of us are here to help?
So can someone please show me an infection example.
I can't see any way for a heavily infected computer to wreak havoc on your personal computers.
Just show me how it's done.
We have 3 client computers on your home LAN on some DSL Internet connection; you can infect those computers with any number, and any type, of software you like.
Then make a scenario where those computers infect another computer on your LAN, the target being any Windows, decently updated, with some virus protector.
Quick reply, out partying! :)
We are talking about automatic programs, programs running on computers on your work desk.
AKA, there is no physical presence of a human being in front of those computers.
Thread topic
"How Do We Protect *our* Network From Clients Infections"
Emockler
08-09-2009, 04:31 AM
Someday a client may ask, "how is my system you are building protected from the virused up typhoid mary box you're cleaning on the other bench?"
It will be better to tell them the exhaustive steps you have taken rather than saying "it'll be ok"
My former employer's network had to comply with SOX and SEC regulations; falling under this, among many other things, were vendors such as the auditors themselves. A redundant broadband connection was provided, and all approved access to our network was via Citrix. The wireless was locked down with MAC filtering, and the vendor had to ask me to add his MAC before he could connect. PCs of an "unknown" state should never be connected to your production network.
I'm not afraid. In fact I appreciate the offer, and I just might take you up on it, thank you.
Hacking my wireless would be rather easy, as it is open and broadcasting Public.
Hacking my router is not big task either, it has that new flaw in DD-WRT (remote root vulnerability).
However, my computers are more of a challenge.
I believe you can't build a fortress around your network and that there is no special need for it.
So I try to make a fortress in my computers instead.
But what do you mean that I am missing the point?
I think we are not talking general security from the Internet, only how we protect our computers from the computers we are fixing...?
But I think we agree that those computers really cannot hurt us if we keep our computer decently up to date and use a virus protector.
So if we are talking about that, you would have penetrated my network and have control over my router.
How would you compromise my computers?
I have 3 XP SP3, and 2 Vista SP1.
I know this is not a network forum, so I really appreciate the time you are taking in guiding me.
Manual
But in this example how would you grab my packets and inject and/or redirect them inside my LAN?
Then I would use what information I found, and if possible check them manually; after all, programs do make mistakes, and report false information.
Again all of this can be done with no human interaction what so ever.
Automatic
Reply: a program can certainly scan and misuse a bug.
But that program would have to be very new, and even then.
How fast are hackers to make fully automatic programs that can misuse a bug so fully that they can inject a program and run in your computer?
+1 x 10 on everything pyramid technologies said. I'd also like to add that you seem to be in the dark about network security, and that is ok; it's not easy being a professional at it. It takes long hard work over many years to be even somewhat accomplished and proficient at it. That being said, I suppose every techie has a basic understanding of it.
I'd like to explain why it doesn't take human interaction to compromise your network from an infected machine, using some of the steps I said before. A good basis and basic audit includes running software that scans and reports against your network and computer vulnerabilities. This is the gathering or "recon" step in the whole process. I'd also like to add that that in and of itself is not the only part of the recon process. There are other sub-steps that need to be taken. Anyway, then I would use what information I found, and if possible check it manually; after all, programs do make mistakes, and report false information. Mind you, I am not talking about using commercial scanning apps like GFI LANguard either. Now, the point I am trying to make is that a malware program can incorporate the same basic measures of information recon as a person would by utilizing some software, and adding in some common exploits to fire at will when the machine(s)/network has shown vulnerable. How to check other computers that don't have open shares? Easy. Network / IP enumeration. How does that work? As easy as a port scan or ping. If I were to write the software, I would make it get the current machine's network information. Now, based on its default gateway and subnet, matched against a built-in database, I would make it try and enumerate the class of address, and start to ping / port scan (1-1024) TCP and UDP for those of you with basic software firewalls. For instance:
Your machine's IP is 192.168.1.103, default gateway is 192.168.1.1 and the subnet is 255.255.255.0. I would guess that the range of IPs was 192.168.1.1-.254, right? So now, I set to ping/UDP scan from 192.168.1.2 to .254 and take note of all alive hosts. Now, one by one, I scan those alive hosts for open ports and vulnerabilities. Take note of those who have issues found, and run attacks against those. I could also utilize brute forcing, network packet sniffing, MITM attacks, redirects/hijacks/poisoning, and break in other ways too.
Again all of this can be done with no human interaction what so ever.
How would you do this without having access to a computer inside my network?
Assuming you have control over my router, you cannot (I think) redirect packets to the router, out on the Internet to your computer and back, in order to MITM, can you?
Or do you mean that a single program can do all of this completely automatic?
Internet <-- Your gateway <-- ME Pretending to be your gateway <-- Your network/pcs
Sorry, I misread your question.
I would spoof your gateway. Like a MITM attack, it would work like this:
You sending:
Internet <-- Your gateway <-- ME Pretending to be your gateway <-- Your network/pcs
Receiving:
Internet --> Your gateway --> Me --> Your network/pcs
Now, I can also take a copy of your packets on the send and receive. Also, now that I am pretending to be your gateway, let's say you are going to www.chase.com to do some banking; I can put a redirect on it so it goes to a fake login page, or better yet just capture your data before it hits that spot. I can inject your packets in Linux easily (in Windows I am not sure it would be so easy because of winsock limitations). Once I am on your network, the possibilities are endless.
Having phishing protection enabled in one's browser would, though, efficiently prevent redirects, would it not??
And how well is SSL immune to MITM?
Thank you for that informative text.
I have to translate at least parts of it and put it up in some of the offices where I work. It's amazing how wireless access, for example, is many times a wide open gateway to a corporate network.
I don't trust Windows Server or a Windows domain well enough to have someone snooping around analyzing packets and poking at it.
(I look differently at my home network.)
I was perhaps a little too sure of myself; my master and mentor when I started doing networks in general taught me this.
I think maybe he just did not know enough about packets.
But he told me, and of course I could only see that as pure truth, that...
"There is practically no way to mess with a LAN network unless you get control of a computer inside that same network, and even then it's very hard.
So his final word was to UPDATE Windows frequently!"
I have of course gotten into problems with Windows updates causing problems; I can usually not fix it, but I can restore every time to before the update.
So Windows Update has been my best friend.
I still don't see how MITM and variants thereof would work inside my LAN without a hacker having control over a computer inside my LAN, and I don't see how a hacker could compromise my computer without having at least LAN access.
But that just means that I don't know how it's done, not that it cannot be done.
I guess I have to learn how to hack a network; that seems to be the best lesson, instead of learning network security.
freythman
08-13-2009, 07:03 PM
While we're on the topic of security, how does Untangle perform in adding an additional layer of security to a network? Does it itself pose new security threats? Would its built-in "Remote Access Portal" be susceptible to attack? It seems that if that were compromised, then an entire network could be crippled very easily.
sys-eng
08-15-2009, 05:03 PM
Reading this thread on the dangers of wireless security illustrates why BellSouth would fire anyone connecting a wireless device to the corporate network. A few tried and they had to find a new employer.:eek:
Emockler
08-16-2009, 12:50 AM
They would have to be VERY determined, enough to hang around for a week or more to actually sniff a valid MAC. And all they would get is internet access, which is free in the freakin hallway. So I'm not too worried, the security more than meets the actual danger.
AND the way a pc gets access to YOUR network is by YOUR competitor bringing in HIS machine that is prepared to do whatever damage or discovery, supposedly for something stupid that requires internet access for you to fix. Then he pays the $50 for your "fix", after wrecking your network, credibility, or scarfing your customer list.
sys-eng
08-26-2009, 05:14 PM
You need 3 routers to properly segment the routers (with consumer grade stuff).
1 router connected to the Internet, say 192.168.1.x.
Both other routers connected to that one (they both connect to that one via their "internet/wan" port),
say 192.168.2.x & 192.168.2.x, or use different internal IPs for each so you can tell visually whether you are on your network or the hostile one.
Having each network, your "internal" and the "client" network, on a different router protects both networks from each other.
That is what I was thinking too. The first "router" connected to the internet would be the cable or DSL modem - - right?
allanc
09-04-2009, 12:57 PM
That is what I was thinking too. The first "router" connected to the internet would be the cable or DSL modem - - right?
I have been thinking a bit more about this topic.
In these configurations, all the in-house computers will be sharing the bandwidth of one channel on the router. Can this be an issue in terms of applications with large amounts of data flowing through the internal network?
MrUnknown
09-04-2009, 01:27 PM
That is what I was thinking too. The first "router" connected to the internet would be the cable or DSL modem - - right?
While I believe this would be technically true, these routers usually only push out 1 IP address, which is directly routable from the Internet and useless in this situation.
sys-eng
09-07-2009, 05:00 AM
While I believe this would be technically true, these routers usually only push out 1 IP address, which is directly routable from the Internet and useless in this situation.
Why is it useless? If using three routers, #1 is the DSL router, #2 is the router for the business LAN, and #3 is for the LAN for customer PC's. Both #2 and #3 connect to #1 and share the internet connection. What is wrong with this?