On occasion, some of my coworkers feel compelled to bring their children to work with them. (I feel compelled to smack them, but that's probably a topic for Parenting.SE.) To ensure that the brats^H^H^H^H^H children stay out of everyone's way, my boss had me set up a few older computers in the breakroom for them to play on. To ensure that they wouldn't be able to Ruin Everything, I wired a 4-port ethernet hub into one of the empty ports on the back of our cable modem, and put the "fun" computers on their own subnet. This way, they have internet access, but they're not part of our network. (At least, that's what I'm counting on.)
We've been using this setup for about a month or so, and the mighty power of Facebook has been keeping the kids (more or less) out of our hair. Well, tonight, while I was doing some routine maintenance on all the systems, I decided to see what the kids had been up to. Apparently, they've taken it upon themselves to snag every piece of sketchy malware that the Internet's ever been home to. I set passwords on the systems (so that they can't get on until I sort things out) and shut them down, but all of a sudden I'm pretty worried now - is there any way for those systems to access our internal network? Also, I'm a little concerned that they may have gotten some stuff that could be getting their personal information.
Obviously, my next step is going to be cleaning the computers out and giving them limited-user-only access, but I'm wondering - were the systems ever a threat to our network?
In case I wasn't clear enough earlier, here's a quick diagram:
         Internet
             |
             V
       |Cable Modem|
         |       L___________________
         |                          |
         |                   |4-port switch|
         |                          |
|Router/DHCP Server|                |
|    / Firewall    |        [Kids' Computers]
         |
  |Network Switch|
         |
 [Rest of Network]
Thanks for any input.
DISCLAIMER: I like kids. I really do. I just hate interruptions and yelling, and I think that's perfectly reasonable.
You don't really make mention of the current setup in terms of what access the subnet the kids are on has via the default gateway to your workplace subnet: I'll assume that you did not define any explicit denies.
1.) I would check to see if any of your work IP addresses are blacklisted. I don't know if you host your own mail server or not, but if you do and you get added to an RBL due to sending spam (a lot of malware likes to send spam), that could be a problem. I like this site for RBL status checking: Multi-RBL Check
2.) If you don't have explicit denies in your router that allow traffic from the 'fun' subnet only to the internet and allow no interaction with your workplace subnet - I would do that as soon as possible.
3.) If you're still worried - it wouldn't hurt to run Malwarebytes on one of your machines that should have been relatively clean prior to this occurrence.
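The blacklist check from point 1 can also be scripted. This is an added example, not part of the original answer: the zone list, the function names and the 203.0.113.7 address are assumptions for illustration, and the error-code handling follows Spamhaus's documented 127.255.255.x return codes.

```python
import ipaddress
import socket

# Assumed zones for illustration; the answer above only links a multi-RBL web checker.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

def dnsbl_name(ip, zone):
    """RFC 5782 query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """A records for name, or [] if the lookup fails for any reason."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(answers):
    if not answers:
        return "clean"
    if any(a.startswith("127.255.255.") for a in answers):
        return "error"   # query refused (e.g. sent via a public resolver), not a listing
    if all(a.startswith("127.") for a in answers):
        return "listed"
    return "error"       # answer outside 127/8, e.g. a resolver rewriting NXDOMAIN

def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Map each zone to 'listed', 'clean' or 'error' for one public IP."""
    result = {}
    for zone in zones:
        # RFC 5782: every DNSBL lists the test entry 127.0.0.2. If that lookup
        # does not come back as listed, our queries are not reaching the zone
        # and a "clean" result for the real address would mean nothing.
        if classify(resolve(dnsbl_name("127.0.0.2", zone))) != "listed":
            result[zone] = "error"
        else:
            result[zone] = classify(resolve(dnsbl_name(ip, zone)))
    return result

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for the office's public IP.
    print(check_ip("203.0.113.7"))
```

Run it from the office network's own resolver path; a zone reported as "error" needs a different resolver before its result can be trusted.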
As far as the kids dumping PII, that's a worry for their parents, not you. Based on your drawing I'd say you're pretty safe as it looks like the kids network is outside your firewall. Firewalls deny inbound traffic from the outside except for traffic that you specifically allow via firewall rules. If you're allowing inbound HTTP, SMTP, etc. traffic for internal servers it's doubtful there's any more risk of the kids exploiting it than there is the general public.
So long as the two networks were not routable, you shouldn't have had a problem. If you're connected directly with the cable modem on the kids network, and then the business network is behind a firewall that also connects in with another port on the cable modem, looks like you shouldn't have any issue that your firewall wouldn't have kept out.
One thing you might add is to make sure that data from the outside of the firewall couldn't be sniffed out from the kids network. You should be able to do this with some kind of DMZ zone that you would set up for the kids network.
No disclaimer needed. Kids don't belong in the workplace, short of a bring your kids to work day, and even then I wouldn't expect my office to be keeping them busy, that's my job.
In theory, these boxes are no more a threat than any outside box; that, however, is assuming that your cable modem/ISP is not doing any type of filtering that you are counting on for security.
Put the kids on an IPv6 only connection.
That way, they'll only be able to get to a handful of websites anyway. Mostly the good ones: Facebook, Google, YouTube.