How Do We Protect *our* Network From Clients Infections

allanc

How is everyone protecting their networks from clients' infections?
I realize that disconnecting the client's network cable and securing the wireless router is a good start.
However, at some point we would want to connect to the Internet to ensure that nothing is interfering.
Another reason would be to obtain the latest malware definitions.
To carry that question one step further .... how do we ensure that one client's computer does not infect another?

And no, I have not been burnt yet :).
 
I keep my client's computers on a separate router and a different subnet. I have it set up so you can't even ping my private network.
 
I keep my client's computers on a separate router and a different subnet. I have it set up so you can't even ping my private network.
That is what I was thinking also.
So, you just hang another router off one of the ports on let's say the 192.168.1.x subnet and let it assign its own IP addresses in the 192.168.2.x range, correct?
Your subnet mask would be 255.255.255.0 on both routers?
How do you avoid 'cross pollination' of the various clients' computers?
 
A router with DD-WRT would help out considerably, too... You can vlan the wired portion of it, and create a second SSID that only has internet connectivity for wireless.
 
Honestly, I don't usually have that many computers at once. In general I keep the computers off the network as much as possible. I let them update and then remove the access. At no time are there 2 computers on the network.
 
Honestly, I don't usually have that many computers at once. When I do have several computers, I keep them off the network as much as possible. I let them update and then remove the access. At no time are there 2 computers on the network.


Well, that doesn't help those of us that do have several computers at a time, does it? :p ;)
 
You need 3 routers to properly segment the routers (with consumer grade stuff):
1 router connected to the internet, say 192.168.1.x
both other routers connected to that one (they both connect to that one via their "internet/wan" port)
say 192.168.2.x & 192.168.2.x, or use different internal IPs for each so you can tell visually whether you are on your network or the hostile one.

Having each network, your "internal" and the "client" network, on a different router protects both networks from each other.

I.e. if you have a virus or worm on your network it cannot propagate to the client and vice versa.
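The reason the post asks for three routers rather than two is easier to see with a small reachability model. The following is an added example, not code from the thread: it assumes a consumer NAT router lets hosts on its LAN side initiate connections toward its WAN side (and anything further upstream) while dropping unsolicited traffic arriving on the WAN side, and it models nothing else (no UPnP, no router bugs). The 192.168.3.0/24 client subnet is an assumed value for the "different internal IPs" the post suggests.

```python
"""Reachability model for the two- vs three-router setups discussed in the
thread. Assumption (hypothetical model, not a description of any real
firmware): a consumer NAT router lets hosts on its LAN side initiate
connections toward its WAN side and anything further upstream, and drops
unsolicited traffic arriving on the WAN side. Nothing else is modelled."""
import ipaddress

INTERNET = ipaddress.ip_network("0.0.0.0/0")


class Router:
    """A NAT router with one LAN-side network and one WAN-side network."""
    def __init__(self, name, lan, wan):
        self.name = name
        self.lan = ipaddress.ip_network(lan)
        self.wan = ipaddress.ip_network(wan)


# Two routers: the client router hangs off a port of the private LAN router,
# so the private LAN (192.168.1.0/24) is the client router's WAN side.
TWO_ROUTERS = [
    Router("private/edge", "192.168.1.0/24", "0.0.0.0/0"),
    Router("client", "192.168.2.0/24", "192.168.1.0/24"),
]

# Three routers: an edge router whose LAN (192.168.1.0/24) carries transit
# only, with the private and client routers both hanging off it by their WAN
# ports. 192.168.3.0/24 for the client side is an assumed value.
THREE_ROUTERS = [
    Router("edge", "192.168.1.0/24", "0.0.0.0/0"),
    Router("private", "192.168.2.0/24", "192.168.1.0/24"),
    Router("client", "192.168.3.0/24", "192.168.1.0/24"),
]


def network_of(addr, routers):
    """The LAN a host sits on; anything not behind a router is 'the internet'."""
    ip = ipaddress.ip_address(addr)
    for r in routers:
        if ip in r.lan:
            return r.lan
    return INTERNET


def upstream_networks(net, routers):
    """Networks a host on `net` can initiate to: its own LAN, then each
    successive WAN-side network on the way out to the internet."""
    reach = [net]
    current = net
    while current != INTERNET:
        hop = next((r.wan for r in routers if r.lan == current), None)
        if hop is None:  # no router carries this LAN upstream
            break
        reach.append(hop)
        current = hop
    return reach


def can_initiate(src, dst, routers):
    """True if a host at `src` can open a connection to a host at `dst`."""
    return network_of(dst, routers) in upstream_networks(network_of(src, routers), routers)


if __name__ == "__main__":
    for label, topo, client, private in (
        ("two routers", TWO_ROUTERS, "192.168.2.10", "192.168.1.20"),
        ("three routers", THREE_ROUTERS, "192.168.3.10", "192.168.2.20"),
    ):
        print(f"{label}: client -> private PC: {can_initiate(client, private, topo)}, "
              f"private PC -> client: {can_initiate(private, client, topo)}, "
              f"client -> internet: {can_initiate(client, '8.8.8.8', topo)}")
```

With two routers the client bench can still initiate connections into the private LAN, because that LAN is the client router's upstream; with three routers the two LANs are siblings behind their own NAT and neither can reach the other, while both still reach the internet. The transit network between the edge router and the two inner routers is reachable from both benches, so nothing of value should sit on it.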
 
A VLAN would take care of it, or Linux. I hope this was helpful; I don't want to get another bad mark from moderators.
Yep, an isolated private VLAN would be the best bet. If you're cheap, like I am, a WRT54G with DD-WRT firmware is a cheap way to set up an isolated VLAN.
 
Keep your Windows computers up to date, and not too many exceptions in your firewall. Then nothing will touch your private computers.

The main problem is the folders that you share.
If they are completely open, nasty things could appear there. But then again, they will not hurt you... if you don't run them.
AND any decent virus protector should grab them when they appear.
 
Quote within a quote seems to be broken?

1. Windows updates have and will continue to cause problems. But we are talking about a professional technician's personal computers.
If we cannot update our computers and fix it if it goes wrong, no one can.
Besides, how many computers have come in for repair because the user was still using XP PRE SP1 and got the ever so fun Blaster virus?

2. Granted, nothing is 100% secure.
But the odds of your personal computer or the computers you use in your shop being attacked on the Internet by a skillful enough hacker to penetrate Windows SP3 are incredibly low.
I believe you would be more likely to have a car crash in your bed... ;)

Sorry, but
"That is incorrect for many, many, many reasons."
is not a valid reply.
The only response I can give to something like this is, "no, it's correct".
 
My store is in a shopping mall, with free wireless for the stores and for customers who may bring laptops to the food court. I have my own connection that I pay for, with my network, servers and wireless with mac filtering. I connect client pc's to the mall network through a wet11 with a switch connected to it. Completely, and totally segregated.
 
Hope they fix this quote thing, I have to just underline your text...

Windows updates have and will continue to cause problems.

Yes.

But we are talking about a professional technicians personal computers.

Yes, and supposedly "Professional" people out in Redmond wrote those updates too. Yeah, Linux has update issues too, but they usually get fixed a lot faster than Windows ones do. Pro or not, all Windows PCs rely on those same updates. No getting around that.


Sure you can get around that.
Restore or uninstall the broken update...

But let me get this right, you are arguing for not updating your Windows because an update might be broken?
So when do you consider it safe to update Windows?

If we cannot update our computers and fix it if it goes wrong, no one can.

That all depends.

In the case above, I can't write a new Windows update to fix their f-up. Maybe a workaround of some sorts, but an actual fix? Not I. Only MS can write Windows Updates.

Also, we're not Gods, we're techs. Not everything is solvable. At some point, you just replace the system. Solves the issue, but not the problem.


It’s very rare that a Windows update goes so wrong that a tech cannot remove the offender.

Beside, how many computers have come in for repair because the user was still using XP PRE SP1 and got the ever so fun blaster virus?

Considering many have Automatic Update turned on, I haven't run across any pre-SP2 in a LONG time. Most are SP3 now. Even SP2 is becoming more rare.


Actually I agree, it's been many months since I ran into a PRE SP1.
But my point remains, you have to update to keep secure. Would you even consider using XP pre SP1?

Granted, nothing is 100% secure, but, the odds of your personal computer or the computers you use in your shop being attacked on the Internet by a skillful enough hacker to penetrate Windows SP3 are incredibly low.

So install SP3 and you are at very little risk? Riiiiiiiiiiiiiiiight.......I see...... if that's the case, then all the techs on this board will be out of business soon, right? NO ONE on this board has an XP SP3 box in their repair shop being worked on right now, right? I'd take that bet stating that they do...and will continue to have them, so your statement about SP3 is bunk.


That is the case: on all of the computers I fix, the user invited the security hazard into the computer by opening a program or something they should not have.
My point: the thing that I fix in the client's computer did NOT come there by itself.

I believe you would more likely to have a car crash in your bed... ;)

I would believe that you are more likely to have Windows crash than a car crash.


Totally agree, but it’s not because a computer at your shop hacked you.

Sorry, but (see above) is not a valid reply. The only response I can give to something like this is, "no, it's correct".

Yes, it is..... and since you want me to type some of them out, here we go...


No, it's not.
"Just because" is NEVER a valid reply.
That is a very basic thing in logical debate.

The main problem is the folders that you share. If they are completely open, nasty things could appear there. But then again, they will not hurt you... if you don't run them.

Here are only SOME of the reasons why I said "That is incorrect for many, many, many reasons." in reply to you:

1) If someone is accessing your PC/LAN/Intranet, (let alone folders on it), that they aren't supposed to, that is a HUGE problem....and one I would consider far larger than "The main problem is the folders that you share"; as you stated it.


Someone who?
You must remember what this topic is about.
We are talking about computers in your shop, there is no "someone".
And how is that a HUGE problem?
What can they do on your network?

2) This means that they got past any hardware / software perimeter barriers you have setup (Router, Switch, Proxy, Firewall, Gateway, IDS or UTM devices, etc) and that they are now on your network. The sheer scope of even discussing ONE of those items, is an entire thread in itself.

This is my point, they can access the internet using your IP address, that can be very serious for sure.
Now, what else can "they" do?
If your computers are updated "they" CAN NOT gain control of your computer/s.
"They" CAN NOT infect your computer with a virus/spyware without gaining control of your computer. (if you don’t click something that is or share out something stupid).

3) Just because YOU don't run them doesn't mean that THEY won't once they put them on your PC. (Related to the statement of "nasty things could appear there. but then again, they will not hurt you,,, if you don't run them.")

How are they put on my computer?
How do they make my computer run the nasties (as long as you don't share out the root or Windows folder)?

The only way they can put anything on my computer is if I leave a shared folder open on my computer.

Do I really NEED to go on with more??????

No, I can't make you. But I would like you to :)
 
Not sure what the original topic had to do with a linux vs windows debate. Getting personal and calling someone a "pizza tech" or other names does not make you a winner in anything. I hate reading any thread where someone keeps going on and on about the merits of linux. It's irrelevant until the balance of power does a 180 and linux is the os installed on over 90% of the world's computers. Then we can bitch about all the security holes in linux. We all love linux, that's not the point of the original topic. Please try to be civil to one another and stay on target when commenting.

"Can't we all just get along?!":p
 
I would have liked to call this a discussion or even a debate.
It's too bad you have to go personal.

I believe a pizza tech is not making his living from computer repair. I AM!

Most of you have much more experience than me in computer repair.
Please teach the guy that does not know any better.
I believe that most of us are here to help?

So can someone please show me an infection example.
I can't see any way for a heavily infected computer to wreak havoc on your personal computers.
Just show me how it's done.

We have 3 client computers on your home LAN on some DSL Internet connection, you can infect those computers with any number, and any type of software you like.

Then make a scenario where those computers infect another computer on your LAN, the target is any Windows, decently updated with some virus protector
 
Quick reply, out partying! :)

We are talking about automatic programs, programs running on computers on your work desk.

AKA, there is no physical presence of a human being in front of those computers.

Thread topic
"How Do We Protect *our* Network From Clients Infections"
 
Someday a client may ask, "how is my system you are building protected from the virused up typhoid mary box you're cleaning on the other bench?"

It will be better to tell them the exhaustive steps you have taken rather than saying "it'll be ok"

My former employer's network had to comply with SOX and SEC regulations, falling under this, among many other things, were vendors such as the auditors themselves. A redundant broadband connection was provided, and all approved access to our network was via Citrix. The wireless was locked down with MAC filtering, and the vendor had to ask me to add his mac before he could connect. PC's of an "unknown" state should never be connected to your production network.
 
I'm not afraid. In fact I appreciate the offer, and I just might take you up on it, thank you.

Hacking my wireless would be rather easy, as it is open and broadcasting Public.
Hacking my router is not big task either, it has that new flaw in DD-WRT (remote root vulnerability).

However, my computers are more of a challenge.
I believe you can't build a fortress around your network and that there is no special need for it.
So I try to make a fortress in my computers rather.

But what do you mean that I am missing the point?
I think we are not talking about general security from the Internet, only how we protect our computers from the computers we are fixing...?

But I think we agree that those computers really cannot hurt us if we keep our computer decently up to date and use a virus protector.

So if we are talking about that you would have penetrated my network, have control over my router.
How would you compromise my computers?
I have 3 XP SP3, and 2 Vista SP1.
 
I know this is not a network forum, so I really appreciate the time you are taking in guiding me.

Manual
But in this example how would you grab my packets and inject and/or redirect them inside my LAN?

Then I would use what information I found, and if possible check them manually; after all, programs do make mistakes, and report false information.
Again all of this can be done with no human interaction what so ever.

Automatic
Reply: a program can certainly scan and misuse a bug.
But that program would have to be very new, and even then.
How fast are hackers to make fully automatic programs that can misuse a bug so fully that they can inject a program and run in your computer?

+1 x 10 on everything pyramid technologies said. I'd also like to add that you seem to be in the dark about network security, and that is ok, it's not easy being a professional at it; it takes long hard work over many years to be even somewhat accomplished and proficient at it. That being said, I suppose every techie has a basic understanding of it.

I'd like to explain why it doesn't take human interaction to compromise your network from an infected machine, using some of the steps I said before. A good basis and basic audit includes running software that scans and reports against your network and computer vulnerabilities. This is the gathering or "recon" step in the whole process. I'd also like to add that that in and of itself is not the only part of the recon process. There are other sub-steps that need to be taken. Anyway, then I would use what information I found, and if possible check it manually; after all, programs do make mistakes and report false information. Mind you, I am not talking about using commercial scanning apps like GFI LANguard either. Now, the point I am trying to make is that a malware program can incorporate the same basic measures of information recon as a person would by utilizing some software, and adding in some common exploits to fire at will when the machine(s)/network has shown vulnerable. How to check other computers that don't have open shares? Easy. Network / IP enumeration. How does that work? As easy as a port scan or ping. If I were to write the software, I would make it get the current machine's network information. Now, based on its default gateway and subnet, matched against a built-in database, I would make it try and enumerate the class of address, and start to ping / port scan (1-1024) TCP and UDP for those of you with basic software firewalls. For instance;

Your machine's IP is 192.168.1.103, the default gateway is 192.168.1.1 and the subnet is 255.255.255.0. I would guess that the range of IPs was 192.168.1.1-.254, right? So now I set to ping/UDP scan from 192.168.1.2 to .254 and take note of all alive hosts. Now, one by one, I scan those alive hosts for open ports and vulnerabilities, take note of those with issues found, and run attacks against those. I could also utilize brute forcing, network packet sniffing, MITM attacks, redirects/hijacks/poisoning, and break in other ways too.

Again all of this can be done with no human interaction what so ever.
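The sweep-then-scan pattern the post describes is also what a bench firewall's logs look like when an infected client box starts enumerating the LAN, which is the defender's side of the same story. The following is an added example, not the poster's code: it parses constructed iptables-style log lines (SRC=, DST=, PROTO=, DPT=) and flags a source that touches many distinct hosts, or many distinct ports on one host, inside a sliding window. The thresholds and the 60-second window are assumptions to tune for your own network.

```python
"""Detect the ping sweep / port scan pattern from firewall logs.
Added example: the log format is a constructed iptables-style line and the
thresholds are assumptions, not values from the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def detect_scanners(lines, window=timedelta(seconds=60), sweep_hosts=20, scan_ports=15):
    """Map each suspicious source IP to a sorted list of findings:
    'sweep' when it touched >= sweep_hosts distinct hosts inside one window,
    'portscan:<dst>' when it touched >= scan_ports distinct ports on one host."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            # slide the window start forward so it spans at most `window`
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            win = evs[start:end + 1]
            if len({w["dst"] for w in win}) >= sweep_hosts:
                findings[src].add("sweep")
            ports_by_dst = defaultdict(set)
            for w in win:
                if w["dpt"] is not None:
                    ports_by_dst[w["dst"]].add(w["dpt"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= scan_ports:
                    findings[src].add(f"portscan:{dst}")
    return {src: sorted(f) for src, f in findings.items()}


def constructed_sample():
    """Constructed log: a client-bench box (192.168.3.10) pings .2-.30 on the
    private LAN, then probes TCP ports 1-50 on one host; a private-LAN PC
    does ordinary DNS and HTTPS in between."""
    lines = []
    for i, host in enumerate(range(2, 31)):
        lines.append(f"Jan 12 10:00:{i + 1:02d} fw kernel: DROP IN=br1 OUT=br0 "
                     f"SRC=192.168.3.10 DST=192.168.2.{host} PROTO=ICMP")
    for port in range(1, 51):
        lines.append("Jan 12 10:00:40 fw kernel: DROP IN=br1 OUT=br0 "
                     f"SRC=192.168.3.10 DST=192.168.2.15 PROTO=TCP DPT={port}")
    lines += [
        "Jan 12 10:00:05 fw kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.2.20 DST=8.8.8.8 PROTO=UDP DPT=53",
        "Jan 12 10:00:06 fw kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.2.20 DST=93.184.216.34 PROTO=TCP DPT=443",
        "Jan 12 10:00:07 fw kernel: some unrelated message",
    ]
    return lines


if __name__ == "__main__":
    for src, what in detect_scanners(constructed_sample()).items():
        print(f"{src}: {', '.join(what)}")
```

The benign PC never trips either rule, while the bench box is reported for both the sweep and the port scan of one host. The same counting works on DD-WRT logs once the regex is adjusted to that firmware's line format, and the window and thresholds should be raised on networks where legitimate management tools poll many hosts.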
 