Looking for suggestions

usasma (Retired Admin) - Joined Feb 20, 2012 - Posts: 2,126
My wife's office has a file server, 5 workstations (plus an XP computer running the security cameras - that's currently turned off), VOIP phones, a credit card machine, and lab equipment all connected to the network. One of the workstations is also the system that she does her research on, runs the business from, and uses Quickbooks on.
The network has evolved over the years, but currently it runs through a NetGear VPN firewall device into a Comcast modem.
Attached to the VPN firewall device (with cat6 cable) are 2 wireless access points/routers (it's a concrete block building)

One of the wired connections (and one wireless access point) is in the apartment in the basement.
The people living there now are starting to use XBox live and other devices (my wife's son and his fiance).
They aren't all that technically sophisticated and I am worried that their surfing habits may endanger the work network.

What are your suggestions for protecting the work network?

This is a typical setup in our area for a veterinary hospital.
When my wife retires (in 5-8 years) I expect that the purchaser will want to live in the apartment (and use the internet for recreation).

To add to the confusion here, my wife has signed a contract to move her practice to a wood-frame building across the street.
This will happen by mid-spring.
At that time we intend to expand security with several wireless cameras and an internet capable DVR recording system.

I am hoping to connect all devices with cat6 cable in the new building, but haven't discussed this with the contractor yet.
I'm also wondering about wireless access - and maybe restricting the apartment to wifi only.

Again, any suggestions?
Particularly those needed to protect the work network?
 
Is the apartment below technically a different address? That is, is it zoned and/or does it have a different post office address? If so, though I realize they are family, technically they should not be sharing the Internet access with the business Internet account, and could be charged with "theft of services" - a felony!

The building across the street would surely have a different address, so I don't see any connection.

Attached to the VPN firewall device (with cat6 cable) are 2 wireless access points/routers (it's a concrete block building)
I would put the apartment on its own router. That will create a separate network for the apartment, and you can block any devices on that network from the office network in the office router. A good way to do that is to allow only the MAC addresses of office devices into the office network.

That said, if someone in the apartment does something they shouldn't, intentionally or not, it will still appear as coming from the same Internet connection as the office. Not sure that would be good for business if Comcast shuts down your account because of something going on in the apartment. Though you may trust the kids, can you trust any guests they may invite in?
 
The apartment is the same address. When we installed the cable and the internet, we wanted the apartment to have it also.
All veterinary hospitals in our area have an apartment - so that doctors/technicians can spend the night to care for sick animals (and any boarders that the facility may have).
In this case, my son's fiance is also an employee and she takes care of the resident animals in the evenings and on weekends.

I mentioned the building across the street in order to let you know that we have 2 different situations, and that might affect the suggestions that are given.

The kids have been using the current internet connection for a couple of years now, and I've only had to cut them off once (they got infected).
Amazingly, my son has stated that if I can't secure the work network adequately, then he'll just have to get a second cable line run into the building and pay for it himself!
He's a good kid - much better than I was at his age!

They are currently hooked to a wireless access point - which is actually a Netgear router.
It's plugged into the Netgear VPN Firewall device - which is then plugged into the cable modem.
I guess my next question is how to make that a separate network?
 
Whilst I can't actually guide you through how to do this, the only options I can currently think of would be to split the office network and apartment networks into their own separate subnets or VLANs. Subnetting allows you to split the network into different IP address groups. It means you could set it up so a computer with IP 192.168.101.05 could not communicate with a computer 192.168.105.01.

A practical example would be the IP of 192.168.0.103 with a mask of 255.255.255.252. This would create 2 possible IPs - 192.168.0.101 and 192.168.0.102 (the other two (.0.100 and .0.103) are reserved IPs for the start of the network and the broadcast address).

A VLAN would probably be the best solution here for network isolation. They are more effective than subnetting because they allow the network to be split physically rather than just logically.

Subnet Vs VLAN:

Though a VLAN has a lot in common with the subnet (like restricting broadcast domains, security through isolation of different sub-networks, etc), there are some important differences between the two.

  • A VLAN is a Layer-2 concept and a subnet is a Layer-3 concept (MAC address vs IP address).
  • VLANs allow for creation of different logical and physical networks, but subnets allow for creation of different logical networks only.
  • If a network sniffer is employed, users from one subnet can discover the existence of other subnets, but this cannot happen with users of different VLANs.
  • With subnets, since the physical network is the same for all networks, the available backbone bandwidth for each subnet is shared and hence reduced.
  • VLANs are more efficient and easier to implement / manage than subnets.
  • Within an enterprise, VLANs are more secure than subnets. But VLANs are also vulnerable – mostly from hacking attempts from outside the network.
The best practice is to have different VLANs in a network (through network switches) and then have a different subnet for each VLAN.

Why are Subnets required & Subnet vs VLAN | excITingIP.com


Here is a guide from NETGEAR on how to set up a VLAN with a VPN Firewall and switch: NETGEAR Support | Answer | 2 Vlans accessing internet using layer 2 switch & Router

I'm not sure if VLANs will even be possible in your scenario (you may need a managed switch?) so subnetting may have to do.

Hopefully this gives you something to start with.

Stephen
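To make the subnet arithmetic and the isolation idea from this post concrete, here is an added Python example (not code from the original thread or from NETGEAR). It uses the standard `ipaddress` module to work out the network, broadcast and usable addresses for a given mask, to test whether two hosts share a subnet, and to model the one-way block between an apartment subnet and an office subnet as an ordered rule list. The 192.168.10.0/24 and 192.168.20.0/24 ranges and the rule list are constructed for illustration and are not any specific router's configuration syntax.

```python
import ipaddress

# Constructed example subnets for the two networks discussed in the thread
# (hypothetical values, not taken from the original post).
OFFICE_NET = ipaddress.ip_network("192.168.10.0/24")
APARTMENT_NET = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def describe_subnet(address_with_mask: str) -> dict:
    """Return network, broadcast and usable host addresses for an IPv4 address
    plus mask, e.g. "192.168.0.103/255.255.255.252" or "192.168.0.103/30".

    strict=False lets a host address (not just the network address) be passed;
    the host bits are masked off to find the containing network."""
    net = ipaddress.ip_network(address_with_mask, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefix_length": net.prefixlen,
        "usable_hosts": [str(h) for h in net.hosts()],
    }


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True when both hosts sit in the same subnet under the given mask,
    i.e. they can talk directly without going through a router."""
    net_a = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


# A minimal model of the ordered rule list a router or firewall evaluates
# between subnets: the first matching rule wins and anything unmatched is
# denied. The deny rule is listed first so it cannot be shadowed by the
# broader "apartment may reach anything" rule below it.
RULES = [
    ("deny", APARTMENT_NET, OFFICE_NET),   # apartment must not reach the office LAN
    ("allow", APARTMENT_NET, ANY),         # ... but may still reach the Internet
    ("allow", OFFICE_NET, ANY),            # office devices are unrestricted
]


def firewall_decision(src_ip: str, dst_ip: str, rules=RULES) -> str:
    """Return "allow" or "deny" for a packet from src_ip to dst_ip."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # default deny when no rule matches


if __name__ == "__main__":
    # The /30 example from the post: .100 network, .103 broadcast, two usable hosts.
    print(describe_subnet("192.168.0.103/255.255.255.252"))
    print(same_subnet("192.168.101.5", "192.168.105.1", "255.255.255.0"))
    print(firewall_decision("192.168.20.15", "192.168.10.2"))   # apartment -> office
    print(firewall_decision("192.168.20.15", "93.184.216.34"))  # apartment -> Internet (constructed address)
```

Note that the rule list only blocks traffic originating in the apartment; a real firewall tracks connection state, so replies to sessions the office opens toward the apartment would still be permitted. If the office should not initiate connections to the apartment either, add a matching deny rule in the other direction.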
 
Hi John,

Per our PM conversation, here's my feedback.

This is an issue: if some are utilizing the bandwidth for personal pleasure and not work-related use, it's not healthy for your network.
"The people living there now are starting to use XBox live and other devices (my wife's son and his fiance)."

I'm not that familiar with your Netgear's model, but if it's more than 3 years old, I would consider investing in a security device that offers a lot more enhanced security features if you're concerned about security in your network. I love the SonicWALL device; we've been using SonicWALL for over 10 years now and it's an excellent appliance. I make sure that I replace it every 2 to 3 years to keep us updated and have the current security features.

For now, your Netgear should have a Quality of Service (QoS) option that lets you limit the bandwidth for the users that you think are abusing the Internet, so that the employees can be more productive.

You may use Advanced IP Scanner to scan all the network devices (e.g. computers, printers, smart phones, etc.) and see their IP/MAC addresses and host names, so that you'd know which ones need to be restricted.
I'm assuming that you have multiple SSIDs set up in your router. For example, one SSID can access your LAN/shared resources, while the other is only for Internet connectivity and you may easily disable its LAN access. You may also apply different restrictions with multiple SSIDs.

You don't have to buy another device as long as the Netgear can do all the restrictions based on your needs. You should have an Internet policy written for the employees so that they will be fully aware of the risks that they'll be facing, just in case. If they follow the company protocols, give them treats, LOL.

Optional advice:

Are you going to need more storage in your file server? If you do, I would recommend a NAS. You can get a 2TB Buffalo with disks for less than $200. You may also buy a diskless NAS if you need RAID for better throughput performance.

A cloud storage solution is another popular option nowadays for redundant backups. Some providers offer free storage for a very limited amount of data, and it will be encrypted. Of course, a paid cloud solution is another option if it's right for your budget.
12 free cloud storage options | Network World

Disaster Recovery plan is a must

Backup plan - onsite and offsite

Good reads - my Articles:
Why Upgrade to the latest Technology
Network Security

Finally, I'm all for productivity and high on network security. We have at least triple-layered protection at work that I've implemented. Hope this helps "for now". Please let us know if there's something that I didn't cover and you need more information.
 
Thanks Rayda! We're still working on things here and will likely go with a SonicWall device per your recommendation.
Most employees have been with my wife for over 10 years, and they are as protective of the business as they are of their own stuff.

Backup isn't an issue here - and I'm going to add a cloud subscription to beef it up in the near future.
Currently we backup to:
- another hard drive on the file server
- a spare hard drive on another computer in another office
- to my NAS at home (a Western Digital MyCloud device)
We also back up the POS system to a series of external HDDs on a daily and weekly schedule.
 
John,

You can't go wrong with SonicWall; you'll sleep so well knowing that your network is secured.

You're welcome.

Rayda
 
