I have an older HP desktop that is on my isolated network. The network in itself has no internet connection, neither do the rest of the workstations.
It's long and involved, but it's kinda a museum network: Many, many OSs, various ages, all running fine.
But what I want to do is have that old HP desktop be the only internet-capable machine on the isolated network. Is there a way I can secure a Win7 puter to where it's still on the network (accessing shares, etc) and have another NIC port connected to internet - yet remain secure and isolated? For the odd download/research as needed, kind of thing, so I don't have to keep going into the other room with a USB stick.
I'd already thought about still having to use the USB stick on a stand-alone puter, in the same room. But I'm hoping to eliminate those few steps. I'd like to be able to download -> dump onto server, rather than go to another room, or keep using the USB option.
Once you have one computer on that isolated LAN have access to the internet, then the whole network is reachable to an outside attacker. If the attacker can reach that one old HP, then he can jump around the network because it is also connected to the 'isolated' LAN, even if the 'isolated' network is connected via a different network card.
If this museum is lacking in funds, you can purchase a refurbished Chromebook (~$200); it is less of a target than a Windows PC.
Then have that Chromebook set aside as the only internet connect device, and do not connect it to the isolated network. So if you want to move downloaded stuff to some device on the isolated LAN, you will still need that USB memory stick.
Why do you have this network isolated from the Internet? The answer to the question will dictate the next moves on what to do about your question. If it's for security reasons, then having even a single terminal on that network having Internet access violates that purpose. There are ways to move data securely into an isolated network. These technologies are called one way throws or data diodes. There is a company that produces such products. Here is the link to their offering:
The problem is these setups are very expensive and typically used in classified environments.
There are other methods to establish what you want such as ACL rules applied at a router interface that connects to this isolated network which accomplishes layer 3 isolation. If you want layer 2 isolation, then the use of private VLANs will be the method of choice. If you need total isolation down to layer 1, then your only choice is the above data diode card. To give you an indication of how much those data diode cards can be, the setup when I last worked with this type of technology over 10 years ago ran about $20k. I don't remember if that was per data diode card or for the pair.
They're just old. And took a lot of time, money and effort to build up.
I have a 486-100 running Win 3.1, a Pentium-III OS/2 Warp 4 station, just to name a couple. Just a bunch of classic things that shouldn't be online to begin with. Should they get infected, it wouldn't take much to reimage them, but it's time and effort I'd rather not deal with, so I keep them offline.
So, actually, I could use a hardware A/B switch on the NIC to go internet/local as needed. I could do that.
The classic way to go about invading an isolated LAN is to play the waiting game to wait for a connection to the 'inside' LAN; then wake up to carry out the infection. Modern scenario is the internet connected laptop and an air gapped LAN. So A/B switches are dangerous.
Having a standalone internet-connected device and a USB stick is the better solution. And have a malware scanner on the receiving side to scan the USB stick. Having a vintage malware scanner that can catch old viruses would be the ideal.
In your router's admin menu, block access to the Internet for all the other computers.
That said, understand when you connect that legacy computer, it becomes a threat to the rest of us! Not good.
I recommend you put a current version of Linux on it.
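As an added illustration of the layer 3 ACL approach suggested earlier in the thread (one designated host allowed out, every other workstation blocked from the Internet at the router), here is a small first-match ACL evaluator. This is example code written for this page, not something posted by anyone in the thread; the addresses, the 192.168.10.0/24 LAN and the "designated host" are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing (assumption): the museum LAN and the one host allowed out.
LAN = ip_network("192.168.10.0/24")
DESIGNATED_HOST = ip_network("192.168.10.50/32")  # the old HP, hypothetically


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: Optional[IPv4Network]  # None means "any"
    dst: Optional[IPv4Network]  # None means "any"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True


# ACL applied inbound on the router's LAN-facing interface, first match wins:
#   1. the designated host may reach anything
#   2. everyone else may only talk to other LAN addresses
#   3. explicit deny for whatever is left (routers also have an implicit deny)
# Note this only restricts the other workstations; it does nothing about the
# designated host itself acting as a bridge into the LAN, which is the thread's
# main warning.
ACL: List[Rule] = [
    Rule("permit", DESIGNATED_HOST, None),
    Rule("permit", LAN, LAN),
    Rule("deny", None, None),
]


def decide(acl: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first rule matching src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if rule.matches(s, d):
            return rule.action
    return "deny"  # implicit deny if no rule matched


def hosts_with_internet(acl: List[Rule], hosts: List[str],
                        probe: str = "203.0.113.10") -> List[str]:
    """Audit helper: which LAN hosts can reach a (TEST-NET) Internet address?"""
    return [h for h in hosts if decide(acl, h, probe) == "permit"]
```

Running the audit over the LAN's hosts should list only the designated host; if another workstation shows up, the ACL ordering is wrong.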