"Insecure subnet" through secure gateway PC?

Good afternoon,
I'm trying to help someone solve a solution but I'm not sure how to explain what I want, or even if it's possible.

I want a number of PCs on my network to be run without Windows Updates, so technically 'unsecure'. Is there a way to allow these machines access to the rest of the network/the internet by going through only one fully patched secured machine, which will monitor traffic from the unsecure PCs?

Is there a way to configure the unsecure machines to be physically attached to the same network as the rest of the PCs, but be kept apart e.g. by subnet, or would they have to be physically isolated to ensure potential malicious traffic is kept separate?

The proposed fix is that all machines must be patched and fully up to date, which is a solution that doesn't work for me.

I'm really looking to see if my idea is possible (or the correct terminology) rather than how to do it.


Note this is a work related question, so don't answer if you think I should be paying for consultation!
 
This is a nightmare situation.

Segregating the machines is easy. As mentioned above. VLAN them.

However, you completely negate the point when you want said unsecure group of machines to access the rest of the network via another machine. What's the point of VLANing them when you are giving them a route to the network anyway? When you say 'monitor traffic' what exactly do you mean? What do you expect to happen with this traffic? What do you want to do with this traffic? There is also the question of what environment are you running? Domain Controller Windows environment? What network resources need to be accessed by both groups? Does your environment support a multi VLAN multi subnet configuration?

The real question is, why do you want to keep the unpatched machines separate from the others?

The even better question is, why can't you patch them? Legacy software I am guessing?
 
'Note this is a work related question, so don't answer if you think I should be paying for consultation! '

but you want a free consultation from OCUK forum.

' which will monitor traffic from the unsecure PCs'
Who is using these pc's?
Does the work IT policy allow pc's to be monitored?
DPI on the network traffic?
Does the work IT security manager know what you're doing?

and the list goes on....
 
If an unpatched machine can access the Internet then it can be compromised by a zero-day exploit. The only way to do this is to put the machines in their own network and have a hefty firewall between them and everything else, one that inspects traffic as it passes through.

If you can't run Windows Update on them, can you at least run up-to-date antivirus? Do they really need Internet access, or do they just need to access a couple of sites?
 
Look into putting them on their own VLAN. How easy this would be will depend on your existing network infrastructure.

VLANs! Thanks, that helps me figure out what to research. I wasn't sure on the terminology.

This is a nightmare situation.

Segregating the machines is easy. As mentioned above. VLAN them.

However, you completely negate the point when you want said unsecure group of machines to access the rest of the network via another machine. What's the point of VLANing them when you are giving them a route to the network anyway? When you say 'monitor traffic' what exactly do you mean? What do you expect to happen with this traffic? What do you want to do with this traffic? There is also the question of what environment are you running? Domain Controller Windows environment? What network resources need to be accessed by both groups? Does your environment support a multi VLAN multi subnet configuration?

The real question is, why do you want to keep the unpatched machines separate from the others?

The even better question is, why can't you patch them? Legacy software I am guessing?

Yep, software recording data from attached hardware. The unsecure machines need to save the data to a network drive. Some of them, for licensing issues, need access to the internet. I guess internally, they only need access to the shared drive and the domain controller. This connectivity ideally needs to be safe, and I'm not sure how to do that. All machines are Windows, and I think the servers are Windows too. Whether Windows Server is at an advanced level or not to allow more than one LAN, I'll have to ask. IT does not want unpatched machines on the network for security reasons, but I want them on the network to transfer data to shared drives.

'Note this is a work related question, so don't answer if you think I should be paying for consultation! '

but you want a free consultation from OCUK forum.

' which will monitor traffic from the unsecure PCs'
Who is using these pc's?
Does the work IT policy allow pc's to be monitored?
DPI on the network traffic?
Does the work IT security manager know what you're doing?

and the list goes on....

I'd love free consultation from the OCUK forum, but I certainly don't expect it. The forums are a two way street, and I'd like to think I've helped somebody in the past. I'm extremely grateful for the responses I've had so far. I thought it would be fair to be up front and state why I was asking so people don't get upset figuring out later that it's a work issue. If nobody answered that would be fine too and I'd try and find out another way, but it's great that on these forums people are pretty helpful. Your list goes on, but the main thing is the IT manager does not yet know what is 'going on', I'm looking for info to have the discussion with them. Obviously any changes will be managed though them, I don't have admin rights.
 
If an unpatched machine can access the Internet then it can be compromised by a zero-day exploit. The only way to do this is to put the machines in their own network and have a hefty firewall between them and everything else, one that inspects traffic as it passes through.

If you can't run Windows Update on them, can you at least run up-to-date antivirus? Do they really need Internet access, or do they just need to access a couple of sites?

Some machines may be OK with our choice of AV, that will be vendor specific. Many of them actually won't need internet access at all.

And I'm planning on proposing applying Windows updates perhaps quarterly, after testing on a per machine basis for compatibility, but that won't be popular as it will be time consuming.

I'm now thinking split into VLANs, firewall(s) can be configured on a per machine basis to allow only the required ports for each machine, and perhaps a proxy machine attached to both VLANs may be able to act as a quarantine relay to the shared drives. The proxy can AV scan before copying to the network. I'll have to investigate if that is transparent.
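
The per-machine port lockdown mentioned in the post above, as an added example that is not from the thread or any of its posters: it uses the built-in Windows Firewall on one of the unpatched PCs to default-deny outbound traffic and then allow only the file server, the domain controller and a single licensing host. The addresses, the rule group name and the licensing host are placeholders I have assumed; substitute your own. Run it in an elevated PowerShell session on the machine being locked down.

```powershell
# Added example, not the forum poster's configuration. Locks an unpatched Windows
# PC down to the handful of destinations it actually needs. Everything below the
# comment markers "(assumption)" is a placeholder for this illustration.

$FileServer  = '10.20.0.10'      # host of the shared drive (assumption)
$DomainCtrl  = '10.20.0.5'       # domain controller (assumption)
$LicenseHost = '203.0.113.40'    # vendor licensing server, if that PC needs one (assumption)
$GroupName   = 'Quarantine VLAN lockdown'   # rule group name, so re-runs are idempotent (assumption)

# Remove any rules from a previous run of this script before re-creating them.
Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Default-deny in both directions on every profile. Inbound is already blocked by
# default; outbound normally is not, which is what lets a compromised box reach out.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# SMB to the file server only, nothing else on port 445.
New-NetFirewallRule -DisplayName 'Allow SMB to file server' -Group $GroupName `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 445 -RemoteAddress $FileServer

# Domain membership: DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SYSVOL over SMB.
foreach ($port in 53, 88, 135, 389, 445, 636) {
    New-NetFirewallRule -DisplayName "Allow TCP $port to DC" -Group $GroupName `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort $port -RemoteAddress $DomainCtrl
}
New-NetFirewallRule -DisplayName 'Allow UDP DNS/Kerberos/NTP to DC' -Group $GroupName `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53, 88, 123 -RemoteAddress $DomainCtrl
# Group Policy and netlogon use RPC on the dynamic port range after the 135 handshake.
New-NetFirewallRule -DisplayName 'Allow RPC dynamic ports to DC' -Group $GroupName `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort '49152-65535' -RemoteAddress $DomainCtrl

# Licensing: HTTPS to the vendor's host only. No general internet access.
New-NetFirewallRule -DisplayName 'Allow HTTPS to licensing server' -Group $GroupName `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $LicenseHost

# Show what this script has allowed, so the result can be checked against the plan.
Get-NetFirewallRule -Group $GroupName | Format-Table DisplayName, Direction, Action -AutoSize
```

Treat this as defence in depth, not as the control: a host firewall lives on the very machine you do not trust, and anything that gains admin there can switch it off. The rules that actually count are the ones on the router or layer-3 switch between the quarantine VLAN and the rest of the network, which should permit the same short list of destinations and drop everything else. Also resist the temptation to allow "any" to the domain controller; the port list above is what joined clients need, and the dynamic RPC range is the widest of them.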
 
Personally I would think again before using the same shared drives with the "insecure" PCs. That is one prime example for malware/viruses to spread not to mention those nasties like CryptoLocker!
 
Personally, I would kill them from the domain completely.

VLAN them off for physical segregation. Put them on a separate subnet. Throw them behind a cheap (but capable) router, use existing one if it has separate ports you can isolate, and lock down all traffic except that to/from the NAS and to the internet on the required ports only (i.e. 80 and 443 or whichever port the licensing requires). You could even consider using a HTTP proxy machine for the licensing connectivity for that extra step of separation.

As stated, ideally you want a separate NAS for the data also.
 
All good ideas but they need to be on the domain, and with access to the storage, to enable some degree of audit-ability from where the files originated and under whose user account.

Thanks for the pointers to VLANs and subnets etc, top stuff. I just need to figure out how to get the files moved from the quarantine area to the network storage. Perhaps some kind of script polling drives every minute or something.
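
The quarantine relay sketched in the two posts above (a proxy machine on both VLANs that AV-scans files dropped by the unpatched PCs, then copies them to the real share, keeping a record of who wrote each file), as an added example that is not from the thread or any poster. It assumes the relay runs Windows with Microsoft Defender, that the drop folder, rejected folder, destination share and log path are as set below (all placeholders), and that MpCmdRun.exe returns exit code 0 when nothing is found and 2 when a threat is found, which is its documented behaviour.

```powershell
# Added example, not the forum poster's script. Runs on the relay machine that sits
# on both VLANs. The insecure PCs write into $Inbox over SMB; nothing reaches $Dest
# until the local Defender engine has scanned it. All paths are assumptions.

$Inbox    = 'D:\Quarantine\inbox'      # share exposed to the insecure VLAN (assumption)
$Rejected = 'D:\Quarantine\rejected'   # where infected files are parked (assumption)
$Dest     = '\\fileserver\labdata'     # the protected share on the main network (assumption)
$Log      = 'D:\Quarantine\relay.log'  # audit trail: who wrote what, and where it went (assumption)
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Test-FileClean {
    param([string]$Path)
    # ScanType 3 = custom scan of one path. -DisableRemediation leaves the file in
    # place so we can move it to $Rejected ourselves and keep the evidence.
    # Exit code 0 = nothing found, 2 = threat found; treat anything else as a failed
    # scan and keep the file out of $Dest (fail closed).
    & $MpCmdRun -Scan -ScanType 3 -File $Path -DisableRemediation | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Move-QuarantinedFile {
    param([System.IO.FileInfo]$File)

    # Skip files that are still being written: the size must be stable for 2 seconds.
    $firstSize = $File.Length
    Start-Sleep -Seconds 2
    if ((Get-Item -LiteralPath $File.FullName).Length -ne $firstSize) { return }

    # Capture the originating account from the NTFS owner before the file moves;
    # this is the audit point the poster wants (relies on files being written over
    # SMB as the user's own domain account, so CREATOR OWNER resolves to that user).
    $owner = (Get-Acl -LiteralPath $File.FullName).Owner
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    if (Test-FileClean -Path $File.FullName) {
        $target = Join-Path $Dest $File.Name
        if (Test-Path -LiteralPath $target) {
            # Never overwrite existing data on the share; suffix a timestamp instead.
            $suffix = Get-Date -Format 'yyyyMMddHHmmss'
            $target = Join-Path $Dest ('{0}_{1}{2}' -f $File.BaseName, $suffix, $File.Extension)
        }
        Move-Item -LiteralPath $File.FullName -Destination $target
        Add-Content -Path $Log -Value "$stamp RELAYED  $($File.FullName) owner=$owner -> $target"
    }
    else {
        Move-Item -LiteralPath $File.FullName -Destination (Join-Path $Rejected $File.Name) -Force
        Add-Content -Path $Log -Value "$stamp REJECTED $($File.FullName) owner=$owner exit=$LASTEXITCODE"
    }
}

# Poll the drop folder once a minute. Run from a scheduled task under a service
# account that can read $Inbox and write $Dest, but that the insecure PCs cannot use.
while ($true) {
    Get-ChildItem -LiteralPath $Inbox -File -Recurse | ForEach-Object { Move-QuarantinedFile -File $_ }
    Start-Sleep -Seconds 60
}
```

Two points that make or break the design. First, the share on the relay should grant the insecure VLAN create and write rights on the inbox only, with no modify or delete on existing files and no access at all to the destination share; otherwise a CryptoLocker-style outbreak on one of the unpatched PCs can still encrypt everything it can see, which is exactly what the earlier reply warned about. Second, the relay scans with one engine using signatures of the day, so it filters known malware, not the zero-day that another reply raised; it is a tripwire and an audit trail, not a substitute for keeping the two VLANs apart at the router.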
 
If they have domain access you may as well just leave them as is on the same network fabric.

VLANing them out at client side but integrating them with the rest of the network down the line is a somewhat pointless endeavour for the purposes you require.

Which specific patch renders the legacy software inoperable? Usually it's Java tosh.
 