Isolate a computer from the VLAN

post #1 of 8
Thread Starter 
I am currently hosting the computer of my friend because I have a really good internet connection and we use it as a server (Minecraft, Teamspeak, web, SSH, etc.). The server is running Ubuntu and my friend, who has and needs total control of it (via SSH and TeamViewer), already tried to brute force my router password (with Hydra) and to sniff my VLAN (with Ettercap using the ARP protocol). By the way, the sniffing worked because he told me my main password the next morning! Now, I am really afraid of what he can do, but I want to keep the server (too much fun). So, is there a way to isolate the server to block his access to the VLAN (local network)? By the way, I have a 3COM SuperStack III 3300XM switch and it is a managed one. I already tried to create another VLAN but it did not seem to work (no internet). Any ideas? Thanks!
post #2 of 8
If the router sufficiently encrypts the password, and you make it long enough, and totally random, there shouldn't be any feasible way to bruteforce it. You should also be able to set up a MAC address white list, so only devices with MAC addresses that you have specified can connect.

You probably lost connectivity on the new VLAN because there was no device on the new VLAN to connect you to the outside (the router).
Edited by W4nderer - 4/3/13 at 9:27pm
post #3 of 8
I'm thoroughly confused about your post. In it, you say that your friend has and needs total control over the server. Are you saying that he's using THAT server to hack into your private network, and you want to prevent him from doing so?

Simple, get a router that has a DMZ on it, and put the server in the DMZ. It will segment your LAN and prevent the server from accessing anything on the internal, protected side of your private network. But, you will still be able to access the server, and so will he.

If your router doesn't have a DMZ connection, then you may need a double-router configuration. Basically, it's going to look like this:

Internet - Router #1 - Switch - Router #2 - Private LAN

The "server" hooks up to the switch in the middle, this is essentially a classical DMZ. Then, Router #2 acts as a firewall for the Private LAN, preventing anything from the outside, OR the DMZ switch in the middle from accessing the inside LAN.

You can do all of this with a high end ($1K+) managed switch, but ONLY if that switch has a firewall node in it -- that would be advertised as a "Layer 4" switch. Your average network closet managed switch is going to be Layer 3 or Layer 2, and won't have this functionality.

Greg
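
The double-router layout from the post above, written out as a firewall policy for Router #2 (an added example, not part of the original thread). It assumes Router #2 is a Linux box running nftables; the interface names and subnets are assumptions, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Constructed example: Router #2 in "Internet - Router #1 - Switch - Router #2 - Private LAN".
# Assumed names: eth0 faces the DMZ switch, eth1 faces the private LAN.
flush ruleset

define DMZ_IF = "eth0"
define LAN_IF = "eth1"

table inet filter {
    chain input {
        # Traffic addressed to Router #2 itself.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Management and local services are reachable from the private LAN only,
        # so the server in the DMZ cannot reach the router's admin interface.
        iifname $LAN_IF tcp dport 22 accept
        iifname $LAN_IF udp dport { 53, 67 } accept
        iifname $LAN_IF tcp dport 53 accept
    }

    chain forward {
        # Traffic passing through Router #2.
        type filter hook forward priority 0; policy drop;
        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept
        # The LAN may open connections to the DMZ server and the Internet.
        iifname $LAN_IF oifname $DMZ_IF accept
        # New connections from the DMZ side toward the LAN are logged and dropped.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz->lan drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide private LAN addresses behind Router #2's DMZ-side address.
        oifname $DMZ_IF masquerade
    }
}
```

Because the server and the private LAN no longer share a broadcast domain, ARP traffic from the server stops at Router #2 and never reaches LAN hosts.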
post #4 of 8
You need to do inter-VLAN routing if you wish to put the server on a new VLAN, which requires a layer 2/3 switch or a router that's properly set up to inter-VLAN route (not that hard).
post #5 of 8
Sounds to me like he wants to be able to firewall the VLAN that the server would be on from his personal VLAN, not simply open inter-VLAN routing or bridging. Can you do that with layer 3, or do you need something more elaborate? I thought layer 3 would permit all traffic, and filter broadcasts, but not allow you to block or allow specific ports, etc.

Greg
post #6 of 8
kick him in the nuts, he won't do it again ;-)

Seriously now, create a DMZ and put the server in it. Your ISP router should allow you to do it.
Or VLAN one for the server, one for the private LAN and both for the internet router. Then administration of the switch via private VLAN only and strong passwords everywhere.
post #7 of 8
Get a Cisco switch and set up primary VLANs and isolated ports.

Isolated VLAN — An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.
post #8 of 8
Thread Starter 
@W4nderer, yes, I want to prevent him from doing so, and he needs total control of it because I don't know how to configure these servers.