Protecting your home network while servicing PC's

Petes_IT

Member
Reaction score
0
Location
Central Coast NSW Australia
Hi

I have a home computer repair business and I want to protect my home network from becoming infected by PCs that I connect while doing repairs.

I've read that using a second router with DMZ is a possible solution, but I also read that this method exposes the PC in the DMZ to potential attack.

Do you have any suggestions to solve this problem or comments regarding the use of a DMZ?

Thanks

Peter
 
My networking skills are not high, but I don't see why you would need to set up a DMZ. You'll have a router-behind-router situation, which can cause issues with certain activities on the computers connected to the 2nd router, but you should be able to do things like browse the web, FTP, remote in with a gateway-based remote tool such as TeamViewer, etc.
 
Buy a router that offers guest wireless. Easy setup and the networks can be set to not route to each other.
 
Depending on what your router is at home...(if you have a business grade one) it may support port based VLANs.....example, select port #4 and set that to VLAN 2, while leaving your wireless and home rigs to VLAN 1. Hang a switch off of port 4 so you can work with multiple computers.

If your router does not support those features with its native firmware, depending on what make/model you have, it may support some 3rd party firmware that adds those features, such as DD-WRT or Tomato.

If none of the above work....as you mention, daisy chaining 2x routers will give you a sort of safer setup. Have the outside main router you have now, with your computers, have its IP range at something like 192.168.10.xxx. Then grab a second router, set its WAN to obtain automatically, and make sure its internal range is different than yours....like 192.168.9.xxx. And work on your clients' computers behind that one. Yeah, they'll be double NAT'd, but for just downloading drivers 'n Windows updates 'n malware tools 'n all that stuff, who really cares.

Now, "technically"...one could argue that if an infected computer was plugged into that second router, it could have some malware on it that is network aware and able to scan the local subnet and infect it...and one may debate that it could also scan the outside subnet (your home network)....but I highly, highly doubt you'll run across that. Malware that scans local networks pretty much just scans local networks, and I've seen mention that some are coded to scan the "common" IP ranges of home networks (192.168.0.xxx and 192.168.1.xxx and prolly 10.1.1.xxx). Hence, I like changing those 3rd octets....

So although one can argue that the double NAT setup with your network on the outside technically isn't secure from an attack from the inside network....in the real world, you're pretty safe.
 
This is actually a complex question. A separate VLAN will certainly work to isolate your personal network from a possibly infected machine that you are working on. However, if you are working on more than one computer at a time, a single VLAN attached to a switch will not protect the machines you are working on from each other. So, essentially you would need a separate VLAN for each infected machine you are currently working on. Your best bet in this case would probably be to use port #1 of your router (combined with a separate switch) for your home network. Then configure ports 2, 3, and 4 as separate VLANs for the machines you are working on. That way you can work on 3 at the same time without worry.

As far as the two-router setup goes, things can get interesting here as well. It seems counterintuitive, but by default, devices connected to the second router can see devices connected to the first router, but not vice versa. So, if you connect your infected computers to the second router, not only would they pose a risk to each other (as above); theoretically, they could threaten the devices connected to the first router as well. Granted, the threat here would require a semi-sophisticated worm, but it is certainly possible.

Things get even more complex if you need to have some of your equipment available to the same network as the infected computers you are working on...say a file server for backup, PXE, or WSUS, and so on.

I guess the good news is that it's been a while since we have had a widespread, sophisticated worm outbreak, so the risk isn't high. But, that can always change.
 
Another option - if you are using cable, you could see about getting a static IP address. I have found most of the time with cable you can run two networks - one from the static and one from the DHCP of the cable. From the cable modem use a simple 5-port switch and split the signal to two routers - one router is programmed with the static and the other with DHCP. Both networks are completely independent of one another. I typically use this setup when doing a restaurant that will offer public wifi. For $4-$6 a month you can usually get a static, and it also gives you further options later with having a static.
 
As far as the two-router setup goes, things can get interesting here as well. It seems counterintuitive, but by default, devices connected to the second router can see devices connected to the first router, but not vice versa. So, if you connect your infected computers to the second router, not only would they pose a risk to each other (as above); theoretically, they could threaten the devices connected to the first router as well. Granted, the threat here would require a semi-sophisticated worm, but it is certainly possible.

I finally got around to trying this today. I have two E1200s with DD-WRT and tried to set up a VLAN on one of them. After many hours of searching around I found that the VLAN GUI on DD-WRT doesn't work (at least with my router).

So I daisy chained the two together. Router one is on the 192.168.1.1xx range (I'm gonna change that) and router two is on 10.1.1.1 (gonna change that as well) with wireless turned off. Router two is set to a static IP in router one, for example 192.168.104

I can connect to the internet from router two but can't see any other devices on the network. That is, unless I ping. I'm able to ping all other devices on my network by IP but not by name. So I'm not able to view them in Network, but I can ping. I have a Windows Home Server and cannot connect to it from router two, but again I can ping it.

On router one I cannot ping router two or the PC connected to it. I found this post on an old thread here:

Actually, I set mine up opposite to that. My office machines are on the second router (10.50.100.*), and the machines in for service are on the first router (192.168.1.*). The first router can't see anything on the second router, as 10.50.100.* is not in its routing table. However, since the second router has a 192.168.1.* WAN connection, it can find the first router and use resources (printer for example) if you specify the correct IP.


So obviously if the routers were reversed my home network would in fact be isolated, but it would be double NAT! So what to do to get around this? Would simply making the IP range a non-standard one on both routers be enough to feel secure? I understand there would still be a limited risk; like you said, a sophisticated worm could find them.

I know my current setup would be good enough 95% of the time and until now I've just been connecting client machines to my switch off the main router so it's certainly better than what I have been doing. Just wondering if there is anything to do to stop the ability to ping the other network?
 
I have a VLAN setup (my office is in my home).
I use an EFW as my main router and 3 VLANs (Home, Office, Bench).
Neither Home nor Office trusts Bench.
Bench trusts Home and Office.
Home trusts Office.
Office does not trust Home.

I have firewall rules on the Bench VLAN to DENY ALL outgoing traffic.
Then I open up the ports that I have found necessary (http, https, etc).
I also have an inter-zone firewall (obviously).

This has served me well and keeps my Office network protected from the Bench as well as anything my kids might bring past the security net at Home. But still allows me to RDP into a Bench machine from my Office desktop or Home laptop should I get too lazy to go downstairs where my work area is.
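The zone trust matrix and the Bench default-deny policy described above, written out as an nftables ruleset. This is an added example, not the poster's EFW configuration; the interface names (eth0 = WAN, eth1 = Home, eth2 = Office, eth3 = Bench) and the RDP port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: three internal zones behind one firewall box.
# Assumed interfaces: eth0 = WAN, eth1 = Home, eth2 = Office, eth3 = Bench.
flush ruleset

table inet zones {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed may flow back in any direction.
        ct state established,related accept
        ct state invalid drop

        # Bench: DENY ALL outgoing by default; open only what the bench needs.
        # Add further egress ports here only after confirming they are legitimate.
        iifname "eth3" oifname "eth0" udp dport 53 accept
        iifname "eth3" oifname "eth0" tcp dport { 53, 80, 443 } accept
        # Bench -> Home / Office: nothing (falls through to the drop policy),
        # i.e. neither Home nor Office trusts Bench.

        # Home and Office may reach the internet without restriction.
        iifname { "eth1", "eth2" } oifname "eth0" accept

        # Home trusts Office: Office may initiate connections into Home.
        iifname "eth2" oifname "eth1" accept
        # Office does not trust Home: no Home -> Office rule (dropped).

        # Bench trusts Home and Office: allow RDP into bench machines
        # from either zone, as the poster does from upstairs.
        iifname { "eth1", "eth2" } oifname "eth3" tcp dport 3389 accept
    }
}

# Ordinary source NAT toward the WAN for all three zones.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Because the forward chain's policy is drop, any zone pair without an explicit accept rule (Bench to Home, Home to Office) is isolated, and a machine on the bench cannot even ping the other zones.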
 
Call me nuts, but I've only experienced one true network-spreading worm in my 4 years of doing IT work full-time.

The first step I always take for virus removal is to run a bootable disk (usually Windows Defender offline) anyway, so any virus that could spread, can't since I don't boot to Windows until after the bootable disk scan is done.

That said, if you are *that* worried about it - and it's a valid concern, I just think the chances are too minuscule - then yes, VLAN is the way...
 
I have a VLAN setup (my office is in my home).
I use an EFW as my main router and 3 VLANs (Home, Office, Bench).
Neither Home nor Office trusts Bench.
Bench trusts Home and Office.
Home trusts Office.
Office does not trust Home.

This is a nice idea! Any old pfSense box could do this...one NIC for WAN, one for office, one for bench...etc...

I have firewall rules on the Bench VLAN to DENY ALL outgoing traffic.
Then I open up the ports that I have found necessary (http, https, etc).
I also have an inter-zone firewall (obviously).

What other ports would be necessary for day-to-day? I guess nothing unless you have a home webserver or something.

This has served me well and keeps my Office network protected from the Bench as well as anything my kids might bring past the security net at Home. But still allows me to RDP into a Bench machine from my Office desktop or Home laptop should I get too lazy to go downstairs where my work area is.

haha well done
 
SpaceSquad said:
This is a nice idea! Any old pfSense box could do this...one NIC for WAN, one for office, one for bench...etc...
True. I went all out with a 1U Atom server (dual NIC) and installed an additional 4-port Intel NIC (6 ports total).
My zones/vlans are:
Red
Home
Office
Bench
DMZ

SpaceSquad said:
What other ports would be necessary for day-to-day? I guess nothing unless you have a home webserver or something.
The DMZ is for publicly accessible servers.
The Bench is the locked-down VLAN, so I don't need any "day-to-day" ports open other than http, https, and my ScreenConnect ports so that I can remote access the computers on the bench from upstairs should I feel the need. I've run into a few issues in the past where some off-the-wall scanner or wot-not tried to update on some other defined port, so I quickly add a rule for that when I am sure it is not something nasty trying to get out, but then revert back to my normal 4-port-open firewall config afterwards.

SpaceSquad said:
haha well done
Thank you.
To be honest, I set it up like that to begin with just for kicks and giggles. My wife kept laughing at me for making things so complicated. But I feel good knowing I've done what I can do, and on the cheap for the most part.
 