herme3 Posted April 8, 2006
I work for a company that has around 12 different locations. Each of these locations has computers, and the company has around 30 total computers. They also have a server, where they keep customer information files. Right now, each individual location has a LAN network but they are not connected to each other. The company would like to set up one central network. They want to be able to monitor and limit the use of the computers. This is because employees have been playing games and checking their personal e-mail when they should be working. The company wants to limit the web sites that each computer can access, and they also want to be able to change the settings from one central location.

A networking company sent us a proposal about what they can do. They plan to set up NetScreen firewalls at each location. They will also install a program called SurfControl to monitor and limit the use of each computer. They are going to put everything on a Virtual Private Network. The only problem is that they are going to charge around $200,000 to do this. I think there has to be a less expensive way to set up the central network that my company wants to have. All of the computers will need Windows XP Professional to run the programs that my company uses. However, I was thinking about setting up a VPN by installing FreeBSD on some of the computers, and using them as the hardware for the network. I found some information at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html but I'm not really sure if it will be able to do what my company is trying to accomplish. Can anybody please give me any advice about this? Nobody at my company really knows that much about networking, so I would appreciate any advice that you could give me. Thank you.
Klaynos Posted April 8, 2006
In what way do the LANs currently connect to the internet? What type of games are they playing? How far apart geographically are the locations?
herme3 (thread author) Posted April 8, 2006
All of the LANs currently connect to the Internet using either DSL or cable modem. Most of the games were downloaded from the Internet. Many of them contained spyware or viruses. The company I work for wants to block anything that isn't related to work, including online shopping and checking personal e-mail. All of the locations are in the same state. The furthest distance between two locations is about 170 miles.
Klaynos Posted April 8, 2006
They're running XP, why are they allowed to install software? By "how do they connect" I mean what network method, not which connection type: a Windows box that forwards its connection, or a router that connects to the DSL?
herme3 (thread author) Posted April 8, 2006
That's right, Windows XP can be set to only allow certain users to install software. I never set up any of the computers, but I'm sure whoever did never created individual user accounts. However, that still won't prevent people from playing online games, or checking personal e-mail. All of the computers at each location are connected to a router, and the router is connected to the DSL or cable modem.
Klaynos Posted April 9, 2006
Well, step one is to set up a proper network, with authentication across the LANs: a *nix server on each of the LANs to deal with the authentication, with a very restrictive firewall installed on it to deal with the gaming sites/personal email sites (I'm against disallowing people access to this and feel it infringes their human rights), and giving everyone an individual user account or access to a communal USER account with VERY restricted privileges. Don't let them use IE, don't let them install stuff. If they need a web browser, install Firefox on a network drive with NO plugins installed and give them access to it. I think it should then be possible to use the *nix servers to talk to each other and act as a VPN across the internet.
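An added example, not part of the thread and not code from the FreeBSD Handbook page linked in the first post: a shell script that generates, for a hub-and-spoke layout (the site holding the customer-file server is the hub, every branch gets one tunnel to it), the three pieces the Handbook's IPsec chapter combines on each FreeBSD gateway: the gif(4) tunnel commands, the setkey(8) policy that forces the tunnel into ESP, and the racoon (security/ipsec-tools) peer block plus pre-shared key. The site names, public addresses (documentation ranges), private LAN ranges, gif numbering, file names and the hub-and-spoke topology are all assumptions made for this example. The script only writes files into a directory; nothing is applied to a live system.

```shell
#!/bin/sh
# Hub-and-spoke site-to-site IPsec on FreeBSD, in the shape the Handbook's
# IPsec chapter uses: one gif(4) tunnel per branch, a setkey(8) policy that
# wraps the gif traffic in ESP, and racoon for IKE with a pre-shared key.
# The script only GENERATES per-gateway files; copy them to each gateway and
# apply them there as root. Kernel: options IPSEC, options IPSEC_ESP, device gif.
# All addresses, names and the topology below are made up for this example.

# tunnel_cmds LOCAL_PUB REMOTE_PUB LOCAL_GW REMOTE_GW REMOTE_LAN GIFN
#   ifconfig/route commands for one end of a tunnel. LOCAL_GW/REMOTE_GW are the
#   private point-to-point addresses of the two gif endpoints.
tunnel_cmds() {
    printf 'ifconfig gif%s create\n' "$6"
    printf 'ifconfig gif%s tunnel %s %s\n' "$6" "$1" "$2"
    printf 'ifconfig gif%s inet %s %s netmask 0xffffffff\n' "$6" "$3" "$4"
    printf 'route add -net %s %s\n' "$5" "$4"
}

# spd_rules LOCAL_PUB REMOTE_PUB
#   The gif tunnel is plain IP-in-IP (protocol "ipencap"). These two rules
#   require ESP tunnel mode between the public addresses for it; without them
#   the tunnel still comes up, but carries the branch traffic in the clear.
spd_rules() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$1" "$2"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n'  "$2" "$1" "$2" "$1"
}

# racoon_remote REMOTE_PUB -> racoon.conf "remote" block for one IKE peer
racoon_remote() {
    cat <<EOF
remote $1 {
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
EOF
}

# racoon_common -> the parts of racoon.conf every gateway shares
racoon_common() {
    cat <<'EOF'
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# new_psk -> 32 random hex characters; psk.txt must be mode 600 or racoon
# refuses to read it, and the same line has to exist on both ends.
new_psk() { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Constructed topology: the hub is the site that holds the customer-file server.
HUB_PUB=203.0.113.10
HUB_LAN=10.0.0.0/24
# name   public_ip      branch_lan   gif_index_on_hub
SPOKES='site01 198.51.100.21 10.0.1.0/24 0
site02 198.51.100.22 10.0.2.0/24 1'

# generate_all OUTDIR -> hub-*.{sh,conf,txt} plus one <site>-* set per branch
generate_all() {
    out=$1
    mkdir -p "$out"
    racoon_common > "$out/hub-racoon.conf"
    : > "$out/hub-ifconfig.sh"; : > "$out/hub-setkey.conf"; : > "$out/hub-psk.txt"
    echo "$SPOKES" | while read -r name pub lan gifn; do
        hub_gw=10.255.$gifn.1; spoke_gw=10.255.$gifn.2; key=$(new_psk)
        tunnel_cmds "$HUB_PUB" "$pub" "$hub_gw" "$spoke_gw" "$lan" "$gifn" >> "$out/hub-ifconfig.sh"
        spd_rules "$HUB_PUB" "$pub"                         >> "$out/hub-setkey.conf"
        racoon_remote "$pub"                                >> "$out/hub-racoon.conf"
        printf '%s\t%s\n' "$pub" "$key"                     >> "$out/hub-psk.txt"
        # a branch gateway has exactly one tunnel, so it is always gif0 there
        tunnel_cmds "$pub" "$HUB_PUB" "$spoke_gw" "$hub_gw" "$HUB_LAN" 0 > "$out/$name-ifconfig.sh"
        spd_rules "$pub" "$HUB_PUB"                          > "$out/$name-setkey.conf"
        { racoon_common; racoon_remote "$HUB_PUB"; }         > "$out/$name-racoon.conf"
        printf '%s\t%s\n' "$HUB_PUB" "$key"                  > "$out/$name-psk.txt"
    done
    chmod 600 "$out"/*-psk.txt
}

# Usage: generate_all ./vpn-out && cat ./vpn-out/site01-setkey.conf
```

The generated `*-setkey.conf` goes in `/etc/ipsec.conf` (loaded with `ipsec_enable="YES"` and `ipsec_file="/etc/ipsec.conf"` in rc.conf), the tunnel commands map onto `gif_interfaces`/`gifconfig_gif0`/`ifconfig_gif0` in rc.conf, and racoon is started with `racoon_enable="YES"` once the port is installed. With the `require` policy level the gateway drops any gif packet that is not inside ESP, so a tunnel that "works" without racoon running is the sign the policy is not loaded, not that the VPN is fine. Note this covers only the site-to-site link that the posts above describe; it does nothing about which web sites the workstations may reach.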
herme3 (thread author) Posted April 9, 2006
Thank you for your advice. What is a *nix server? Can it be a regular PC with special server software installed, or is it a separate piece of hardware? Where can I get it and also find instructions that can tell me how to set up the firewall? Will it allow my company to monitor and control the computers from a central location? Also, all of the employees will need IE. I tried installing Firefox, but it won't load the software on the server correctly. The program's navigation won't load, and the text is all scrambled. Then it brings up an error message that says, "You must have Internet Explorer 5 or higher to run this program."
Rakdos Posted April 9, 2006
"What is a *nix server?" It's a server that runs a variant of UNIX (Linux, BSD, and the like).
Dave Posted April 9, 2006
A *nix server is just a term for a server running some UNIX-like operating system; for example, FreeBSD or just bog-standard Linux. In terms of the software, VPN stuff can be quite complex under Linux, although there are many good guides out there. I also feel that "firewall" is very much an overused phrase these days; a firewall is used to determine whether incoming and outgoing traffic should be blocked using a series of very simple rules, such as MAC address testing and the like. What you're after is a proxy server which filters out all of the websites that you don't necessarily want employees looking at. On Linux, something like Squid is probably your best bet (do a Google search for "squid proxy"). Either that or you could just use mod_proxy on Apache.
Klaynos Posted April 9, 2006
I'd expect it to be just a normal PC with some form of *nix (that is, a Unix or a Linux, so FreeBSD would count, as BSD is a form of Unix). Ah, they've got a broken application. In that case set up the firewall to block all sites except ones which are specifically allowed. BUT this will stop anyone doing any research online. But it's the only way to stop gaming sites. You could try removing Flash and Java from all the computers' IE installs as well; I've never tried that though, so not sure how easy that would be. Once that's done, if they can't install stuff, then no game playing for them. Search Google for "linux firewall" or "bsd firewall" or some similar string; you might have to search around a bit first. One good site is: http://www.debian-administration.org/ That'd cover specifically Debian (a Linux distribution) though, but the concepts would be the same. I'm not 100% sure what it'll allow; what do you want to be able to do? If you do it right it'll possibly allow network-installed programs, and auto-update all of the computers when it's needed etc.... But if you want to be able to fully "control" all of the individual nodes on the network you may have to invest in some software like NetWare. I'm not sure what open-source alternatives are around, as I've never set up a network that's required that type of control over workstations...
Klaynos Posted April 9, 2006
Quoting Dave: "I also feel that "firewall" is very much an overused phrase these days; a firewall is used to determine whether incoming and outgoing traffic should be blocked using a series of very simple rules, such as MAC address testing and the like. What you're after is a proxy server which filters out all of the websites that you don't necessarily want employees looking at. On Linux, something like Squid is probably your best bet (do a Google search for "squid proxy"). Either that or you could just use mod_proxy on Apache."
Yes, a very good point, damn my sloppy typing :s
Dave Posted April 9, 2006
Sorry, just so I make this clear: I'm not saying that you shouldn't run a firewall, because of course you should. Leaving services such as ssh exposed unnecessarily is a big security risk. However, there's a distinction between blocking and allowing traffic on certain ports, and filtering out a webpage based upon content.
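An added example, not from the thread and not Squid's or pf's own documentation, that puts Dave's firewall/proxy distinction and Klaynos's "block all sites except ones specifically allowed" into working form for one branch gateway. It is a shell script that writes a Squid 2.x config which allows LAN clients only to domains on an allowlist file, a pf.conf in which the proxy host is the only thing permitted to reach the web (so the proxy cannot be bypassed by unticking it in IE), and a small checker that applies Squid's `dstdomain` matching rules to the allowlist so entries can be verified before Squid is reloaded. The interface names, addresses, file paths, proxy port and the sites on the list are assumptions made for this example; the script writes to a directory of your choosing and touches nothing live.

```shell
#!/bin/sh
# Web allowlist for a branch site. Squid decides by hostname (it is a proxy
# and sees the URL); pf decides by address and port (it is a firewall and does
# not). The two are combined: Squid allows a short list of work sites, and pf
# makes the proxy the only route out, so the proxy setting cannot be bypassed.
# Interface names, addresses, paths and the site list are made up for this example.

# squid_conf ALLOWLIST_FILE -> minimal Squid 2.x config. Requests from the LAN
#   to a listed domain are allowed, everything else is denied (TCP_DENIED in
#   access.log). CONNECT is limited to 443 so the proxy is not an open relay.
squid_conf() {
    cat <<EOF
http_port 3128
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8
acl allowed_sites dstdomain "$1"
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet allowed_sites
http_access deny all
EOF
}

# pf_conf EXT_IF INT_IF LAN PROXY DNS -> pf.conf for the branch gateway.
#   Default deny: every work application that talks to something other than
#   the web (e.g. the head-office server over the VPN) needs its own pass rule.
pf_conf() {
    cat <<EOF
ext_if="$1"
int_if="$2"
lan="$3"
proxy="$4"
dns="$5"
set skip on lo0
block log all
# workstations reach the proxy and the resolver, nothing else; direct 80/443 is refused
pass in quick on \$int_if proto tcp from \$lan to \$proxy port 3128 flags S/SA keep state
pass in quick on \$int_if proto udp from \$lan to \$dns port 53 keep state
# only the proxy host fetches from the outside
pass out quick on \$ext_if proto tcp from \$proxy to any port { 80 443 } flags S/SA keep state
pass out quick on \$ext_if proto udp from \$dns to any port 53 keep state
# site-to-site tunnel traffic (filter it on gif0 separately once the VPN is up)
pass quick on gif0
EOF
}

# dstdomain_match HOST PATTERN -> 0 if Squid's dstdomain ACL would match.
#   ".example.com" matches example.com and every host under it; "example.com"
#   matches only that exact name. A missing leading dot is the usual reason an
#   allowlisted site "does not work" (www.example.com gets denied).
dstdomain_match() {
    dm_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dm_pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $dm_pat in
        .*) [ "$dm_host" = "${dm_pat#.}" ] || [ "${dm_host%$dm_pat}" != "$dm_host" ] ;;
        *)  [ "$dm_host" = "$dm_pat" ] ;;
    esac
}

# host_allowed HOST FILE -> 0 if any non-comment line of the allowlist matches
host_allowed() {
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        dstdomain_match "$1" "$line" && return 0
    done < "$2"
    return 1
}

# write_allowlist FILE -> a constructed allowlist as the company might keep it
write_allowlist() {
    cat > "$1" <<'EOF'
# work sites only; leading dot = the whole domain
.example.com
intranet.example.net
EOF
}

# demo [DIR] -> write the three files and show what the list lets through
demo() {
    d=${1:-./proxy-out}
    mkdir -p "$d"
    write_allowlist "$d/allowed_sites.txt"
    squid_conf /usr/local/etc/squid/allowed_sites.txt > "$d/squid.conf"
    pf_conf fxp0 fxp1 10.0.1.0/24 10.0.1.1 10.0.1.1 > "$d/pf.conf"
    for h in www.example.com intranet.example.net www.intranet.example.net games.example.org; do
        if host_allowed "$h" "$d/allowed_sites.txt"; then echo "ALLOW $h"; else echo "DENY  $h"; fi
    done
}
```

Two points the checker makes visible: `intranet.example.net` without the dot allows that one host only, so `www.intranet.example.net` is denied until the entry becomes `.intranet.example.net`; and the allowlist is what makes the scheme hold up, because a denylist built from the games people have already found is defeated by the next game or by any anonymising web proxy, while an allowlist denies those by default. The pf rules are the other half: if workstations could still open port 80 themselves, the Squid config would only apply to people who left the proxy setting in IE alone.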