How can we selectively distribute secure broadband Internet access through our LAN?

We have a network of approximately 100 users. Internet service is there for all staff via our LAN, which can be slow and painful -- for IT staff in particular. This has motivated us to get broadband Internet access for only the IT group (staff of 10). We want to keep this totally separate from our LAN for security reasons, but at the same time (if possible) use our LAN to distribute broadband to the entire IT staff. Using a firewall is an option, but we do not want to spend a lot of money on this. We were thinking of having a separate subnet, a dedicated PC for the broadband with a hub, which would distribute to the IT staff who will have two NICs in their PCs. Is this secure enough or can you suggest a better solution?
I'm afraid no solution can guarantee absolute security, but for every solution we need to strive to provide the best we can. Unfortunately, not firewalling any access to the Internet is NOT an option. Simply placing the access point in a separate subnet is not secure, and what security will the IT department have? Secondly, once an attacker compromises one of the dual-homed systems, she's ready to attack the rest of your network.

How were you planning to offer the rest of your LAN access to the Internet? You don't say how you are getting access via your LAN now. Is it not firewalled? There are both hardware and software firewall products in every price range. Since you were planning to dedicate a server for the broadband connection, you might consider Microsoft's Internet Security and Acceleration Server. In addition to being an excellent firewall, it can also act as a proxy and limit access to the Internet. IT could be given different access than the rest of the LAN, or even be the only ones allowed access. There are also hardware-based firewalls and software-based "personal" firewalls. You may want to consider determining what your organization's security policy is or should be, and then developing a solution that provides faster access, but is secure.

In addition, don't make the mistake of thinking that "just" having a firewall will make you secure. There are many other components you might want to think about in your security plan, such as intrusion detection and response, antivirus protection, etc. Remember, fast but insecure not only has the danger of slowing you down in the future, it can put you out of business.

This was first published in November 2002

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top