Is it possible to add workstations to network and keep them isolated from rest of network

Mike

We have a network with >1200 PCs. On the sixth floor of the facility we
have a medication dispensing server that we want to connect to a workstation
on the first floor. The problem: the medication server is on a closed network
with five workstations on the sixth floor. Is there a way we can connect the
medication server through the network backbone to the medication workstation on
the first floor without the rest of the network seeing it? We can't put the
medication server on the facility network due to security reasons, and we
don't want to run a dedicated cable from the sixth floor to the first floor.
I hope I described the problem clearly.

Thanks,

Mike
 
Mike

Let me know if this isn't the correct newsgroup for this question or if I
didn't describe the problem clearly.

Mike
 
Richard G. Harper

It appears you have little choice but to cable this single connection
separately. The only other option would be to purchase routers and separate
the two networks physically with routers to prevent access from one network
to the other.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Mike

Yep, that's what I was thinking. Hoping somebody might have another idea.

Mike


Richard G. Harper

Probably not. Once you connect the Ethernet from the private network to the
public network it's no longer possible to keep them separated without a
physical barrier (routers) between them. Theoretically you could use IP
address ranges to divide the networks but that would only slow down anyone
who is determined to get in.

If I may ask, why so paranoid about the medication server? Doesn't it have
its own software and access control to keep unwanted guests out, or is it
some sort of home-brew software with no access control?

Personally, I'm the network engineer for a hospital network with about 250
workstations and a number of servers [including pharmacy servers] and we
didn't buy the song-n-dance the pharmacy vendor gave us about keeping the
pharmacy system on its own network. Since we need that server to talk to
other devices, we put it on our main network.

To this day we have never had an intrusion into the pharmacy system.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)


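As an added example (not from the thread or from any of its posters), this is what the "routers as a physical barrier" option above looks like as a Cisco IOS-style router configuration: the medication segment sits behind a routed interface, one extended ACL lets only the single first-floor medication workstation reach the server, and a second ACL stops the medication segment (and anything dialled into its modem) from originating connections toward the hospital backbone. All addresses, names and the interface are constructed placeholders.

```cisco
! Added example, not from the thread. All addresses, names and the
! interface are constructed placeholders; substitute your own.
!   10.6.0.0/24   medication segment (server 10.6.0.10 plus the five
!                 sixth-floor workstations, which stay on this segment's
!                 own switch and never cross these lists)
!   10.1.0.25     the single approved first-floor medication workstation
!   10.0.0.0/8    the rest of the facility backbone
!
interface GigabitEthernet0/1
 description Medication dispensing segment (sixth floor)
 ip address 10.6.0.1 255.255.255.0
 ! "out" = packets leaving the router INTO the medication segment
 ip access-group MED-TO-SEGMENT out
 ! "in"  = packets arriving FROM the medication segment
 ip access-group MED-FROM-SEGMENT in
!
ip access-list extended MED-TO-SEGMENT
 remark Only the approved first-floor workstation may reach the server.
 remark Narrow "ip" to the application's TCP port once it is known.
 permit ip host 10.1.0.25 host 10.6.0.10
 remark Every other backbone host is blocked; log hits for review.
 deny   ip any any log
!
ip access-list extended MED-FROM-SEGMENT
 remark Replies to the approved workstation only (TCP with ACK/RST set),
 remark so every session must be started from the workstation side.
 permit tcp host 10.6.0.10 host 10.1.0.25 established
 remark The medication segment, including anyone dialled into its modem,
 remark cannot originate connections toward the hospital network.
 deny   ip any any log
!
! Verification after applying: the deny lines should accumulate hits
! from anything other than 10.1.0.25, and nothing from the segment side.
!   show ip access-lists MED-TO-SEGMENT
!   show ip access-lists MED-FROM-SEGMENT
!   show logging | include MED-
```

If the application also uses UDP, the "established" line will not carry its replies; add an explicit permit for that port pair rather than widening the list.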

Mike

Security issue: the medication system vendor uses a modem to dial in for
maintenance.
Can't have it on the hospital network.

Mike


Richard G. Harper

Then your choices are pretty much what I outlined earlier.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)



Phillip Windell

How about an IPSec situation? Could something be done with that?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


Richard G. Harper

Honestly, I'm not 100% sure it would provide the level of quarantine the OP
needs. An insider could obtain a valid certificate or authentication and
still get in.

In fact, you and I may be looking at this backwards: if the worry is that the
outside vendor dialing in on the pharmacy system needs to be isolated from
the rest of the network, then you'd pretty much have to secure the entire
network and make the pharmacy system the "untrusted" side of the network.

That's not a solution I could live with. :)

From what I'm seeing in the MS whitepapers on the subject, IPSec is more of a
speed bump than a stop sign. Without application-level security, IPSec will
slow down but not stop a determined attempt to penetrate the system once a
certain level of trust has been granted.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)



Mike

The security policy doesn't allow for modems on the network.

Mike


Phillip Windell

Maybe looking at Layers 3 & 4 is the wrong way to approach it. Maybe you
should look at a more "high-level" solution involving the permissions in the
OS (Share and NTFS) or whatever permissions may be built into the
application that is used from the server.

People tend to get "tunnel vision" with this stuff and think that somehow
"firewalling" and blocking IP#s encompasses everything in "security", as if
there was nothing else. Just because one machine can "ping" another doesn't
mean the same machine has "access". Ping only means exactly that... you can
ping it; it doesn't mean anything else. Also, having Layer 3 & 4
"connectivity" does not mean you have "access"... connectivity and access
are two different things.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




Mike

Interesting suggestion. Don't have to make a decision right away.

Mike
