7

On occasion, some of my coworkers feel compelled to bring their children to work with them. (I feel compelled to smack them, but that's probably a topic for Parenting.SE.) To ensure that the brats^H^H^H^H^H children stay out of everyone's way, my boss had me set up a few older computers in the breakroom for them to play on. To ensure that they wouldn't be able to Ruin Everything, I wired a 4-port ethernet hub into one of the empty ports on the back of our cable modem, and put the "fun" computers on their own subnet. This way, they have internet access, but they're not part of our network. (At least, that's what I'm counting on.)

We've been using this setup for about a month or so, and the mighty power of Facebook has been keeping the kids (more or less) out of our hair. Well, tonight, while I was doing some routine maintenance on all the systems, I decided to see what the kids had been up to. Apparently, they've taken it upon themselves to snag every piece of sketchy malware that the Internet's ever been home to. I set passwords on the systems (so that they can't get on until I sort things out) and shut them down, but all of a sudden I'm pretty worried now - is there any way for those systems to access our internal network? Also, I'm a little concerned that they may have gotten some stuff that could be getting their personal information.

Obviously, my next step is going to be cleaning the computers out and giving them limited-user-only access, but I'm wondering - were the systems ever a threat to our network?

In case I wasn't clear enough earlier, here's a quick diagram:

         |
         |
         |
     Internet
         V
         |
         |
     |Cable Modem|
         |  L___________________
         |                     |
         |                |4-port switch|
         |                     |
    |Router/DHCP Server|       |
    | / Firewall       | [Kids' Computers]
         |
         |
    |Network Switch|
         |
         |
    [Rest of Network]

Thanks for any input.

DISCLAIMER: I like kids. I really do. I just hate interruptions and yelling, and I think that's perfectly reasonable.

eckza
  • 273
  • 2
  • 11
  • 2
    bahaha just as well you added that disclaimer because I was about to get all huffy and self-righteous. Because *my son* is *alllllwayyys* so well behaved ;) – Mark Henderson Apr 13 '11 at 04:01
  • 2
    You set up a network of unprotected computers and let kids play on them? [This XKCD instantly comes to mind](http://xkcd.com/350/)... – Josh Apr 13 '11 at 12:50

5 Answers

6

You don't really make mention of the current setup in terms of what access the subnet the kids are on has via the default gateway to your workplace subnet: I'll assume that you did not define any explicit denies.

1.) I would check to see if any of your work IP addresses are blacklisted. I don't know if you host your own mail server or not, but if you do and you get added to an RBL due to sending spam (a lot of malware likes to send spam), that could be a problem. I like this site for RBL status checking - Multi-RBL Check

2.) If you don't have explicit denies in your router that allow traffic from the 'fun' subnet only to the internet and allow no interaction with your workplace subnet - I would do that as soon as possible.

3.) If you're still worried - it wouldn't hurt to run Malwarebytes on one of your machines that should have been relatively clean prior to this occurrence.

AndrewPK
  • 303
  • 1
  • 7
  • 1
    Good point about the IP address potentially being blacklisted. – JS. Apr 13 '11 at 10:10
  • Be sure to run Malwarebytes in safe mode – Doug T. Apr 13 '11 at 12:14
  • 1
    How would #2 work? The subnet's not attached to the router at all... it's plugged straight into the back of the cable modem. – eckza Apr 13 '11 at 13:19
  • If you have a 4 port switch, and your router/DHCP/firewall box plugged in to the same cable modem - I'm assuming your cable modem is also functioning as a router (unless you have 5 IPs from your ISP). If this is the case, more than likely any malware that would scan for additional computers to spread to would be stopped at your firewall/router. If you wanted to be safe, you could throw in an ACL on your firewall/router that explicitly blocked traffic from the "fun subnet". 'deny to/from 192.168.1.0/24 allow to/from all' something along those lines depending on your firewall's syntax – AndrewPK Apr 15 '11 at 03:11
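
The RBL check from point 1 of the answer above, as an added example that is not part of the original thread: a DNSBL is queried by reversing the IPv4 octets of the public address and resolving that name under the list's zone. The zone `dnsbl.example.org`, the 203.0.113.x addresses and the `FAKE_DNS` table are constructed placeholders; substitute the zones you rely on and your own public address.

```python
import ipaddress
import socket

# Assumption: placeholder zone, not a real blocklist.
ZONES = ["dnsbl.example.org"]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus uses this range for error codes
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")       # conventional range for "listed" answers

def query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)                   # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the lookup fails (NXDOMAIN included)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify(answer):
    """Map a DNSBL answer to 'clean', 'listed' or 'error'."""
    if answer is None:
        return "clean"                                 # no record: the address is not listed
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET:
        return "error"                                 # query refused or malformed, not a listing
    return "listed" if addr in LISTED_NET else "error" # non-loopback answer: wildcarded DNS

def check(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: status} for one public IPv4 address."""
    if any(ipaddress.IPv4Address(ip) in net for net in RFC1918):
        raise ValueError("check the public address, not the internal one")
    return {zone: classify(resolve(query_name(ip, zone))) for zone in zones}

# Constructed answers standing in for DNS so the example runs offline.
FAKE_DNS = {
    "10.113.0.203.dnsbl.example.org": "127.0.0.2",
    "11.113.0.203.dnsbl.example.org": "127.255.255.254",
}

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(ip, check(ip, resolve=FAKE_DNS.get))
```

An "error" result means the answer came back but says nothing about listing status, so it should be rechecked through a different resolver rather than read as clean.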
4

As far as the kids dumping PII, that's a worry for their parents, not you. Based on your drawing I'd say you're pretty safe as it looks like the kids' network is outside your firewall. Firewalls deny inbound traffic from the outside except for traffic that you specifically allow via firewall rules. If you're allowing inbound HTTP, SMTP, etc. traffic for internal servers it's doubtful there's any more risk of the kids exploiting it than there is the general public.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
3

So long as the two networks were not routable, you shouldn't have had a problem. If you're connected directly with the cable modem on the kids' network, and then the business network is behind a firewall that also connects in with another port on the cable modem, looks like you shouldn't have any issue that your firewall wouldn't have kept out.

One thing you might add is to make sure that data from the outside of the firewall couldn't be sniffed out from the kids' network. You should be able to do this with some kind of DMZ zone that you would set up for the kids' network.

Nixphoe
  • 4,584
  • 7
  • 34
  • 52
  • The switch should prevent the kids' PC from seeing the traffic going from the real network to Internet. Unless, of course, it's a managed switch and they somehow turn on port mirroring on the switch. – poke Apr 13 '11 at 03:40
  • If they were capable of turning on port mirroring, I'd have a /whole lot more/ to worry about than I do right now. :D That's why I dropped the switch in. – eckza Apr 13 '11 at 13:17
3

No disclaimer needed. Kids don't belong in the workplace, short of a bring your kids to work day, and even then I wouldn't expect my office to be keeping them busy, that's my job.

In theory, these boxes are no more a threat than any outside box; that, however, is assuming that your cable modem/ISP is not doing any type of filtering that you are counting on for security.

rfelsburg
  • 767
  • 3
  • 7
2

Put the kids on an IPv6 only connection.

That way, they'll only be able to get to a handful of websites anyway. Mostly the good ones: Facebook, Google, YouTube.

Tom O'Connor
  • 27,480
  • 10
  • 73
  • 148