OT- computer network hub problem/question



Chuck Wintle
01-24-2011, 4:48 PM
Here is the problem...

A computer needs to be isolated from a network because it controls a critical piece of equipment. Yet it still needs to have access to the network, and I was told that another PC acting as a firewall could make this possible. The connections would be...

control pc to the hub
firewall pc to the hub
network to firewall PC to a secondary lan card installed in it.

How does the isolation occur?

thanks

Matt Meiser
01-24-2011, 5:49 PM
In the manufacturing world, I usually see it done using a hardware router. The router is configured to allow traffic out, but not in. Much like your home router, but more configurable.

If you want to go cheap, look into DD-WRT.

Neal Clayton
01-24-2011, 5:51 PM
Any router can do this, or, as you say, by bridging two network cards in another computer.

The bridge would be easiest/cheapest.

Simply install a second network card in the second PC, connect the isolated machine to the second network card, open up network properties on the intermediate PC, highlight both connections and right click, then hit "bridge network connections" or some such (forget the exact wording).

As for enabling the firewall, as long as you have XP SP2 or later, you can enable the Windows firewall on bridged connections. By default, the Windows firewall will allow outgoing traffic and persistent connections initiated from the firewalled machine, but will not allow connections that originate from outside of the firewalled machine.

http://support.microsoft.com/kb/884905
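The "allow out, not in" behaviour Matt and Neal describe is connection tracking: the firewall remembers the flows the protected side opened and admits, from the other side, only packets that belong to one of them. The block below is an added example, not code from this thread, from Windows Firewall or from any router firmware; it simulates that policy in Python over a constructed packet trace so the accept/drop decisions can be seen side by side. The interface names (eth1 for the control side, eth0 for the office side), addresses and ports are assumed for illustration.

```python
# Added example: a minimal stateful "allow out, not in" filter, simulated.
# Interface names, addresses and ports below are assumed for illustration.
from dataclasses import dataclass

INSIDE_IF = "eth1"    # assumed: NIC facing the isolated control PC
OUTSIDE_IF = "eth0"   # assumed: NIC facing the office network


@dataclass(frozen=True)
class Packet:
    iif: str     # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for a TCP SYN, i.e. a new connection attempt


class StatefulFilter:
    """Remembers flows the inside host started; drops anything else from outside.

    On a Linux box with two NICs the same policy is three nftables forward-chain
    rules: policy drop; ct state established,related accept;
    iifname "eth1" ct state new accept.
    """

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of inside-initiated flows

    def decide(self, pkt):
        if pkt.iif == INSIDE_IF:
            # Outbound: always allowed; a SYN creates a tracked flow.
            if pkt.syn:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: only a reply to a flow the inside host opened gets through.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        return "DROP"


def run_trace(packets):
    """Apply the policy in order and return one verdict per packet."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


CONTROL_PC = "10.10.10.5"     # assumed address on the isolated side
FILE_SERVER = "192.168.1.20"  # assumed office host
OFFICE_PC = "192.168.1.99"    # assumed office host

# Constructed sample trace (not captured traffic).
SAMPLE_TRACE = [
    Packet(INSIDE_IF, CONTROL_PC, 50000, FILE_SERVER, 445, True),    # control PC opens SMB -> accept
    Packet(OUTSIDE_IF, FILE_SERVER, 445, CONTROL_PC, 50000, False),  # reply to that flow -> accept
    Packet(OUTSIDE_IF, OFFICE_PC, 40000, CONTROL_PC, 3389, True),    # unsolicited RDP -> drop
    Packet(OUTSIDE_IF, FILE_SERVER, 445, CONTROL_PC, 50001, True),   # server initiates -> drop
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{pkt.iif} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {verdict}")
```

Two things worth noticing in the trace: the third packet is dropped even though it comes from a legitimate office machine, because nothing on the control side asked for it, and the fourth is dropped even though the file server is a peer the control PC already talks to, because the flow it belongs to was never opened from inside. The policy protects against unsolicited inbound connections only; whatever the control PC itself connects to can still send data back, so if the real requirement is one-way data flow out of that PC, the outbound rule needs to be narrowed to the specific destinations and ports as well.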

Chuck Wintle
01-24-2011, 6:57 PM
still need to include the item the pc is controlling...no good without this!

Chuck Wintle
01-24-2011, 7:06 PM
> In the manufacturing world, I usually see it done using a hardware router. The router is configured to allow traffic out, but not in. Much like your home router, but more configurable.
>
> If you want to go cheap, look into DD-WRT.

Matt,
How would a regular hub not work in this instance?

Matt Meiser
01-24-2011, 7:42 PM
A hub connects everything together. You'd have a hub or switch on the equipment side and your office network switch/hub. The router would connect between them. Same thing you are trying to do with a PC, but the router would be more reliable and efficient.

You could however do 2 nics in the PC controlling the equipment if it is OK for office network traffic to see that PC and just not the equipment. One NIC would attach to your office network, the other to a hub/switch or directly to the equipment. That is also commonly done--say for a database server that collects data from the plant floor and presents reports to the office network. Windows Firewall could be used to lock down access to the PC pretty tightly.

Darius Ferlas
01-24-2011, 7:44 PM
IPCop (http://www.ipcop.org/) is a very versatile solution, but perhaps for some too versatile.

Another one, quicker, simpler and likely cheaper is a configurable router or managed switch. I use a similar setup where the main router A takes care of the WAN connection. An additional router B sits on a different subnet with the gateway defined as the IP of the main router. That way I can define which node is allowed to see what and what is allowed to see it. I can also define the most efficient routes, although on a small network it's not that important. The routers I use are Linksys RV082, which can be had for about $250.

With a managed switch you can also shape traffic to your liking, but to get real power you'd be looking at about $1000 for the low-end Cisco, Dell or HP device. You'll also need to learn the command language.

Oh, and I'd replace all hubs with unmanaged switches.

paul cottingham
01-24-2011, 7:51 PM
Do the network computers need any access to the crucial one?

Chuck Wintle
01-25-2011, 4:42 AM
No, only in one direction for data flow.

Matt Meiser
01-25-2011, 7:51 AM
Then I'd put in a router between the crucial computer and the office network. Yes, you could do it with a computer, but it's one more computer to buy, maintain, and hope works right. The router would be smaller, use less power, and should just work once configured. Or if you really want to use a PC, I like pfSense (http://www.pfsense.org). IPCop that Darius recommended is good as well. Both are purpose-made to do what you want and turn a computer into a router without a ton of overhead. With either, you are going to need to find someone who at least kind of knows what they are doing to get them configured. pfSense has a commercial arm that might be able to help out. It might be easier to find local support for a commercial hardware router.

Lex Boegen
01-25-2011, 8:23 AM
> Here is the problem...
>
> A computer needs to be isolated from a network because it controls a critical piece of equipment. Yet it still needs to have access to the network, and I was told that another PC acting as a firewall could make this possible. The connections would be...
>
> control pc to the hub
> firewall pc to the hub
> network to firewall PC to a secondary lan card installed in it.
>
> How does the isolation occur?
>
> thanks

As a network engineer, I do this for a living. The simplest design is shown in the diagram below. The firewall can be a PC with two NICs (network interface cards) installed and firewall software, or you can buy a special-purpose device dedicated to this purpose. The security will be better with a commercial firewall instead of a PC that is easier for people to tinker with. We are a Cisco shop here, and you can get their smallest firewall, a Cisco ASA 5505 (http://www.amazon.com/Asa-5505-Security-Appliance-10/dp/B000O0Z8GC/ref=sr_1_1?ie=UTF8&qid=1295961389&sr=8-1) for less than $400 USD. It has a GUI interface for configuring the device. Of course, you can get consumer-grade devices for much less too. You could even install Linux on an old PC and use the firewall software that comes with Linux.


Chuck Wintle
01-25-2011, 9:51 AM
Lex,

The setup is almost like the diagram but device to be controlled is attached via lan cable to the isolated computer.

Matt Meiser
01-25-2011, 10:05 AM
You'd replace that cable with a small switch, so you'd have cables to the device-switch, computer-switch, and router/firewall-switch. Or put a second NIC in the computer, leave the existing cable and run the new cable to the router/firewall.

paul cottingham
01-25-2011, 10:37 AM
You can add a switch to that side of the network.

Matt Meiser
01-25-2011, 11:00 AM
The only thing I'd caution about adding a switch is that if the computer is vendor-supplied, they of course are going to blame your switch for any issues that come up. You could have issues too depending on whatever network addressing they used--could conflict with IP addresses on your network, etc. That's why I suggested the 2nd NIC as a possibility.

Chuck Wintle
01-25-2011, 1:55 PM
A small sketch....
I think in this case a switch is better than a hub? What brand works well... I need a lot of throughput... 1 Gbit at least.

Chuck Wintle
01-25-2011, 5:15 PM
redundant post

paul cottingham
01-25-2011, 5:19 PM
A switch is always better than a hub. A hub splits your bandwidth, whereas a switch creates an end-to-end full-bandwidth connection between the two devices.

Chuck Wintle
01-25-2011, 5:24 PM
what switch can you recommend?

paul cottingham
01-25-2011, 5:58 PM
Netgear makes good mid-range equipment. Cisco makes very good, very expensive gear.

Bryan Morgan
01-28-2011, 1:23 AM
> Here is the problem...
>
> A computer needs to be isolated from a network because it controls a critical piece of equipment. Yet it still needs to have access to the network, and I was told that another PC acting as a firewall could make this possible. The connections would be...
>
> control pc to the hub
> firewall pc to the hub
> network to firewall PC to a secondary lan card installed in it.
>
> How does the isolation occur?
>
> thanks

Get any router that you can load DD-WRT firmware on and set up a VLAN. Something like a Linksys WRT54GL. The router goes to the internet or other network, and you program one or more of the jacks on the switch to be part of whatever VLAN you want. You can set up permissions for everyone to go out the internet/network, or to one VLAN or the other. It's easy, and these routers are like 30 bucks nowadays.

I set one of these up awhile ago for one of our employees that had to work from home. I needed a VLAN plus VPN but we do not allow the computer to connect to their home network, other than a one way connection to a printer.

Basically the WAN part will stay the same. VLAN one can be 192.168.x.x/24 with the router interface as 192.168.1.1. The PCs on that LAN will be in the 192.168.x.x/24 subnet. VLAN two can be 10.10.x.x/24 with the router gateway set as 10.10.10.1. The PCs on VLAN two will be in the 10.10.10.x/24 subnet.

The only thing you'd be concerned about is saturating the router with traffic. They have 10/100 interfaces, but the sustained throughput is not that much. Our Juniper NS50 firewalls are expensive and can only maintain about 50 Mbps throughput. The Cisco 2800 series routers will only sustain about 15 Mbps depending on what you have the router doing.

So, yeah, no need to spend any crazy amounts of money. $30 and less than an hour to configure, even for a rookie. :)

Bryan Morgan
01-28-2011, 1:29 AM
> Netgear makes good mid-range equipment. Cisco makes very good, very expensive gear.

Their routers are nice. I don't care for Cisco switches. They have junk warranties and are not very reliable. It seems ours are always dropping power supplies and fans. The HP stuff we have all has lifetime warranties and very, very rarely fails (I think I've replaced 1 bus fan in like 10 years on an ancient 4000M). Their layer 3 stuff is good and the OS is basically a clone of IOS, so they're easy enough to program.

John Coloccia
01-28-2011, 5:16 AM
Is the real problem keeping the piece of equipment off the network? If so, by far the simplest and most robust solution is to add another ethernet port. Then the PC can live on the network and still control the device, which is off the network.

Chuck Wintle
01-28-2011, 5:54 AM
that may be something we will try.

Chuck Wintle
01-28-2011, 6:11 AM
> Get any router that you can load DD-WRT firmware on and set up a VLAN. Something like a Linksys WRT54GL. The router goes to the internet or other network, and you program one or more of the jacks on the switch to be part of whatever VLAN you want. You can set up permissions for everyone to go out the internet/network, or to one VLAN or the other. It's easy, and these routers are like 30 bucks nowadays.
>
> I set one of these up awhile ago for one of our employees that had to work from home. I needed a VLAN plus VPN but we do not allow the computer to connect to their home network, other than a one way connection to a printer.
>
> Basically the WAN part will stay the same. VLAN one can be 192.168.x.x/24 with the router interface as 192.168.1.1. The PCs on that LAN will be in the 192.168.x.x/24 subnet. VLAN two can be 10.10.x.x/24 with the router gateway set as 10.10.10.1. The PCs on VLAN two will be in the 10.10.10.x/24 subnet.
>
> The only thing you'd be concerned about is saturating the router with traffic. They have 10/100 interfaces, but the sustained throughput is not that much. Our Juniper NS50 firewalls are expensive and can only maintain about 50 Mbps throughput. The Cisco 2800 series routers will only sustain about 15 Mbps depending on what you have the router doing.
>
> So, yeah, no need to spend any crazy amounts of money. $30 and less than an hour to configure, even for a rookie. :)

Bryan,

The speed has to be maintained at all points for this to work. Since the controller card in the device being controlled is 1 Gbit, the PC has to be at the same speed. This is the problem. We want to remove from the control computer all things network like McAfee and another application we use. It's all because of a bottleneck in the system. By the way, is there some way to remove McAfee corporate? Also, is there a resource on the net where I can read up on networks?

paul cottingham
01-28-2011, 11:26 AM
Make sure to set up routing if you need to access it from the network ever.

Bryan Morgan
01-28-2011, 11:30 AM
> Is the real problem keeping the piece of equipment off the network? If so, by far the simplest and most robust solution is to add another ethernet port. Then the PC can live on the network and still control the device, which is off the network.

This is true too. We use a similar method to control a giant laser device. The device itself must be hooked into a spooler PC via SCSI. The spooler software must talk to the work PC via ethernet. Easiest solution was to add another NIC to the work PC. Their little private network is a 10.10.x.x while the main network is a 192.168.x.x. The only downside is you can't get to the spooler PC from any machine besides the work PC without bridging and routing on the work PC. Fine in our case but I don't know if that's what the OP wants. Throughput will be kind of crappy that way.
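Bryan's downside (only the work PC can reach the spooler) and Paul's "set up routing" remark are the same fact seen from two sides: hosts on the office LAN have no route to the 10.10.x.x subnet, and even if the office router is given one, the work PC will not forward packets between its two NICs until forwarding is switched on. The block below is an added example, not code from this thread; it walks a packet hop by hop through a small model of that topology using Python's standard ipaddress module, with and without the static route and forwarding. Host names, interface names and the particular addresses are assumed; only the 192.168.x.x / 10.10.x.x split comes from the thread.

```python
# Added example: route lookups on a two-NIC work PC and the office router.
# Hosts, interface names and addresses are assumed; the 192.168.x.x / 10.10.x.x
# split follows the thread.
import ipaddress


class Host:
    def __init__(self, name, ifaces, routes=(), forwarding=False):
        self.name = name
        self.ifaces = {dev: ipaddress.ip_interface(addr) for dev, addr in ifaces.items()}
        # Connected routes come from the interfaces; static ones are (network, gateway).
        self.routes = [(i.network, None) for i in self.ifaces.values()]
        self.routes += [(ipaddress.ip_network(n), ipaddress.ip_address(g)) for n, g in routes]
        self.forwarding = forwarding   # like Linux ip_forward or Windows IPEnableRouter

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match; returns (network, gateway_or_None) or None."""
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best


def trace(hosts, src, dst):
    """Follow a packet hop by hop; the last element says why it stopped."""
    dst = ipaddress.ip_address(dst)
    by_ip = {i.ip: h for h in hosts for i in h.ifaces.values()}
    cur = next(h for h in hosts if h.name == src)
    path = [cur.name]
    for _ in range(8):   # hop limit guards against routing loops
        if cur.owns(dst):
            return path + ["delivered"]
        if cur.name != src and not cur.forwarding:
            return path + ["dropped: forwarding disabled"]
        hit = cur.lookup(dst)
        if hit is None:
            return path + ["dropped: no route"]
        nexthop = dst if hit[1] is None else hit[1]
        cur = by_ip.get(nexthop)
        if cur is None:
            return path + [f"dropped: next hop {nexthop} unreachable"]
        path.append(cur.name)
    return path + ["dropped: hop limit"]


def build_topology(router_has_route=False, work_pc_forwards=False):
    """Office LAN 192.168.1.0/24; device LAN 10.10.10.0/24 behind the work PC's second NIC."""
    router_routes = [("10.10.10.0/24", "192.168.1.10")] if router_has_route else []
    return [
        Host("office_pc", {"eth0": "192.168.1.50/24"}, [("0.0.0.0/0", "192.168.1.1")]),
        Host("office_router", {"lan": "192.168.1.1/24"}, router_routes, forwarding=True),
        Host("work_pc", {"eth0": "192.168.1.10/24", "eth1": "10.10.10.1/24"},
             [("0.0.0.0/0", "192.168.1.1")], forwarding=work_pc_forwards),
        Host("device", {"eth0": "10.10.10.5/24"}, [("0.0.0.0/0", "10.10.10.1")]),
    ]


def scenarios():
    """Paths for the cases discussed in the thread, keyed by a short name."""
    return {
        "work_pc_to_device": trace(build_topology(), "work_pc", "10.10.10.5"),
        "office_to_device_no_routing": trace(build_topology(), "office_pc", "10.10.10.5"),
        "office_to_device_route_only": trace(build_topology(router_has_route=True),
                                             "office_pc", "10.10.10.5"),
        "office_to_device_routed": trace(build_topology(True, True), "office_pc", "10.10.10.5"),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name}: {' -> '.join(path)}")
```

The second and third scenarios are the two separate things that have to be in place before an office machine can reach the device: the office router needs a static route for 10.10.10.0/24 pointing at the work PC's office-side address, and the work PC itself must forward. Turning forwarding on makes the work PC a router, which reopens exactly the path the second NIC was added to close, so if office access is ever needed it belongs behind a filter on the work PC rather than plain forwarding.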

Bryan Morgan
01-28-2011, 11:35 AM
How much throughput do you actually need? Have you ever measured what you are actually using? No 1 gig devices ever run at 1 gig that I know of. The most I've ever seen is about 600 Mbps. We've always had to use trunking to get a lot of throughput.

You can remove any program you want. It should have its own uninstaller. If not there are many ways to do it manually or via a 3rd party uninstaller.

Here's a place to start reading about networks: http://www.beginnersguide.com/computer-networks/