Setting up dedicated network for infected machines - who does this?

tankman1989

About 1/2 my calls are virus/trojan/fake-AV related calls and I bring the machine back to my house to clean. I don't feel very comfortable putting these directly on my main network and I'm wondering if anyone else feels the same way. I have a number of Linksys WRT54GL (with DD-WRT on them) available to set up another network but I'm a little fuzzy on how to do it but I'm sure I can figure out how to do it.

So, how many of you have a dedicated network for putting questionable machines on?
 
I don't bother to be honest. 99% of them are rogueware, not worms. My bench machine has a decent firewall on it. I don't see the need to worry. Maybe that will change.
 
I used to think the same. Then, a ways back, we had a virus that spread by autorun from USB, AND network shares. Have a separated network now.

Rick
 
When I connect a machine to my network, it's only using the internet. My setup is a domain so any shares are available only to authenticated domain users - not that I connect a client's machine to those shares.

Given that, is there a much of a risk?
 
That's how I have mine set up: domain, no shares. I never use wireless for customers' computers, always wired. I have never had an issue with spreading over the network. Also, all of the drives I use to connect to customers' computers are write protected, so not too worried....
 
I don't see the risk if you use a shared folder, that only has read access. But I have been running shared from a single computer.

My most important machines have AV, MBAM, firewall, etc. so not a huge risk of getting infected. However I think if I did this in a store environment where I could have 15+ machines hooked up, I would separate the domain.
 
I use a separate wireless network behind my main one, with a different subnet (192.168.9.1). There's a red Ethernet cable coming out of it that I hook up potentially infected machines on. This network is throttled to no more than half my internet bandwidth. Nothing goes on even this network until I'm reasonably sure it is clean though. Non-virused machines are allowed on the main network.
 
Have not had the problem. I always run my scans without the computer connected to the network; once it's clean then I connect and finish the cleaning, after I have run HijackThis.

I am using pfsense as my firewall and it does support VLAN, just have not set it up yet.
 
I have a separate VLAN.

Both VLANs connect to the Internet, but they cannot see stuff on the other VLAN.
 
We do this. Our office computers are on a domain on a separate network from my tech room, which we dubbed "TechBay".

This was done about 2 years before I started working at this shop, since a worm caused some pretty major troubles in the past. Or at least that's what I hear.
 
We use a 48 Port HP Procurve Layer-3 Switch.

We have the Internet on VLAN 1 and it is on Port 1.

All of our stuff is set up on VLAN 2 on the first 24 ports (actually ports 2 - 23), though we don't use that many.

Ports 25 through 47 are each on a separate VLAN with routing to the Internet VLAN 1.


This means each customer's machine is on its own VLAN with connectivity to the Internet.
 
My own personal network is very open and shared well between systems, so NO customer machines EVER see my personal network...

I have a separate (physically) LAN for customer work, with its OWN separate DSL Internet line... Ya, it costs me $40 a month for the DSL, but my personal LAN and data are PRICELESS...

The two LANs are NEVER connected for any reason...
 
If I had more business I would definitely have a dedicated network and DSL/cable connection but at this point I can't really justify it. So do you not even connect from one to the other at ANY point - using a secure VPN or whatever?
 
So what is the cheapest way of setting up a separate lan or vlan capable of sharing the same internet connection as your private lan?
 
Got an extra router lying around? Then you have what you need. Just configure it on a different subnet. Instead of the PCs all being 192.168.1.xxx or whatever your current network is, set the router to 192.168.2.xxx for example.
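A second router on 192.168.2.x gives the customer machines their own subnet, but double NAT by itself does not stop a host behind it from initiating connections to the main LAN on 192.168.1.x; a FORWARD rule on the quarantine router has to drop that. The script below is an added example (not from any poster's setup): it models that policy, emits the equivalent iptables commands for a DD-WRT-style router, and evaluates constructed sample flows. The subnets and addresses are assumptions.

```python
import ipaddress

# Assumed addressing, following the second-router suggestion above (not the thread's own setup):
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")    # upstream network on the second router's WAN side
QUARANTINE = ipaddress.ip_network("192.168.2.0/24")  # customer machines hang off the second router's LAN

# Anything RFC 1918 is treated as "not the Internet": the main LAN plus any other
# private range that might be reachable through the upstream router.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def forward_verdict(src: str, dst: str) -> str:
    """Decide what the quarantine router's FORWARD chain does with a src->dst flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in QUARANTINE:
        return "DROP"    # only the quarantine LAN is forwarded out; nothing unsolicited comes in
    if any(d in net for net in PRIVATE_RANGES):
        return "DROP"    # blocks 192.168.1.x even though double NAT alone would let it through
    return "ACCEPT"      # public destinations stay reachable, so AV updates still download


def iptables_rules() -> list:
    """The same policy as iptables commands for a DD-WRT-style second router."""
    rules = [f"iptables -I FORWARD -s {QUARANTINE} -d {net} -j DROP" for net in PRIVATE_RANGES]
    rules.append(f"iptables -A FORWARD -s {QUARANTINE} -j ACCEPT")
    rules.append("iptables -P FORWARD DROP")
    return rules


def check_policy() -> dict:
    """Constructed sample flows: a quarantined host probing the main LAN, another private
    range and a public address, plus a main-LAN host trying to reach the quarantine side."""
    flows = {
        "quarantine->main_lan": ("192.168.2.50", "192.168.1.10"),
        "quarantine->other_private": ("192.168.2.50", "10.0.0.5"),
        "quarantine->internet": ("192.168.2.50", "203.0.113.7"),
        "main_lan->quarantine": ("192.168.1.10", "192.168.2.50"),
    }
    return {name: forward_verdict(*pair) for name, pair in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:28s} {verdict}")
    print("\n".join(iptables_rules()))
```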
 
The way I set up a separate network was flashing a second router (I hook customer PCs to) with DD-WRT and configuring it for "Client Mode". Instructions for doing this are at http://www.dd-wrt.com/wiki/index.php/Client_Mode. This was perfect for my situation since I did not want to run a cable between the 2 routers; they connect to each other wirelessly. Clients cannot connect through the DD-WRT router wirelessly though. They need a cable.
 
My business internet service came with 5 static IPs. I run a separate IP through a router and connect all repair machines on that network.
 