Isolating a computer from the network

[Bob Day]

We install stand alone Dell XP systems with our customer software that are
hooked to the customers network/internet only so we can access it via
PcAnywhere using TCP/IP.

We want to make that one computer so that it a) cannot access anything else
on the customers network and b) cannot be accessed by anything else on the
customer's network. It simply terms, we want to isolate it and lock it
down.

The customer's local IT guy is suppose to be doing this, and they always say
they do, but I have one IT guy saying it is impossible to isolate it and
lock it down. I can view their entire network under My Network Places while
connected via PcAnywhere, and quite honestly, don't like to have access to
things that I shouldn't.

I am not a network person, so any help would be apprecated. We basically
are trying to help the customer's onsite IT person understand how to do
this. Any URL's would be great.

Thanks!
Bob

 

[Chuck]

We install stand alone Dell XP systems with our customer software that are
hooked to the customers network/internet only so we can access it via
PcAnywhere using TCP/IP.

We want to make that one computer so that it a) cannot access anything else
on the customers network and b) cannot be accessed by anything else on the
customer's network. It simply terms, we want to isolate it and lock it
down.

The customer's local IT guy is suppose to be doing this, and they always say
they do, but I have one IT guy saying it is impossible to isolate it and
lock it down. I can view their entire network under My Network Places while
connected via PcAnywhere, and quite honestly, don't like to have access to
things that I shouldn't.

I am not a network person, so any help would be apprecated. We basically
are trying to help the customer's onsite IT person understand how to do
this. Any URL's would be great.

Thanks!
Bob

Bob,

If you want to only access the computer in question, have them stop and disable
the server and workstation services. This will prevent Windows Networking
access to and from the rest of the network.

For any more robust solution, put the computer behind a dedicated firewall or
NAT router. Of course then you have to setup the firewall or router, to allow
your PCAW access.

 

[Al Dykes]

We install stand alone Dell XP systems with our customer software that are
hooked to the customers network/internet only so we can access it via
PcAnywhere using TCP/IP.

We want to make that one computer so that it a) cannot access anything else
on the customers network and b) cannot be accessed by anything else on the
customer's network. It simply terms, we want to isolate it and lock it
down.

Disconnect the ethernet cable. based on your description, that's what
you say want to do.

What you *really* want to do depends on your risk and threat assesment
and the concusion for potential dollar loss if your computer is
breached. I can't answer that for you, but if your potential loss is
a million bucks I could solve your problem for a tiny fraction of that
amount. If your potential loss is in thousands, then a good software
firewall, system lockdown, and a an ongoing audit of the system would
suffice and cost little or nothing except for someone's time.

 

[Guest]

Disabling the Server service will stop it from browsing the LAN, or creating
shares. It won't stop a knowledgeable user from typing 'NET USE
\\server\sharename' though. But it will stop most casual attempts.

A decent firewall with password-protection (e.g. Kerio) would offer close
control over connections, including the ability to limit which IP addresses
PC-Anywhere connections come from.

Or, make the subnet-mask 255.255.255.255. This will prevent any access to
the local network, because as far as it's concerned that network consists of
only one host, itself.

The most secure arrangement woudl be to block all local ports except one,
and install secure-tunnelling software such as Zebedee or SSH to communicate
over this one port. Somewhat more complex though, and possibly overkill.