How to secure an aging PC from the switch/router side?
I have an aging Windows XP PC whose purpose is to feed code to a manufacturing machine via an RS-232 connection using machine-specific software. The PC needs to retrieve its code from a network file share. This PC came with the manufacturing machine (purchased used), and I do not have / cannot obtain its administrator password. Furthermore, the PC has automatic updates disabled and its firewall disabled, and these cannot be turned on without admin access. I am concerned about the security risk of having an un-updated / un-firewalled PC on my network.
Can I somehow secure this machine through settings on our Cisco managed switch (SG300) in order to limit it to its one and only network-related task, which is to connect to a network file share? The machine does not need internet access. It only needs access to a single network file share. Is there a way this can be done?
Here is more detailed info about our network configuration:
- The managed switch is a Cisco SG300. It is handling all Layer 3 switching.
- The file server is connected to the Cisco SG300 switch.
- The router is a Ubiquiti EdgeRouter X; however, I believe this is out of the picture because the Cisco switch is doing all internal switching and handling VLANs.
- The aging PC is connected to the network via Wi-Fi.
- The aging PC does not have a Wi-Fi card, so it is connecting to Wi-Fi via a wired-Ethernet-to-Wi-Fi adapter (IOGear GWU627W6).
- The wireless access point is a Ubiquiti UniFi AP-LR, which is connected to the Cisco SG300 switch.
cisco networking
We need more information. At least a good description of the network, the network device models, and the network device configurations. Refer to the Network Engineering Question Checklist for guidance, then edit your question.
– Ron Maupin♦
Dec 4 at 15:06
Basically the only thing you could do on the switch is VLAN segmentation. With this, you would have a separate logical broadcast domain but no chance to control the traffic like a firewall does. Furthermore, you would need something for routing. As Ron already wrote, we need some more details. If you have a firewall in your network, a simple solution could be to do basic stateful packet inspection between your WinXP PC (which is in a separate VLAN) and the file server.
– Markus
Dec 4 at 15:20
Hello PMetal and welcome to Network Engineering. What manufacturer and model of switch is Aging PC plugged into? Is server on same switch?
– jonathanjo
Dec 4 at 16:11
We still need the network device configurations. It sounds like you need a separate SSID and VLAN for the PC (much like a guest SSID and VLAN), which you can then use ACLs to restrict access, but we cannot help unless you give us enough information.
– Ron Maupin♦
Dec 4 at 16:37
Thank you for your input - I have updated the original post with additional network details. I like the idea to use a separate VLAN to separate it. I could certainly use a separate SSID for this machine as well.
– PMetal
Dec 4 at 16:41
edited Dec 4 at 16:34
asked Dec 4 at 14:43
PMetal
1 Answer (accepted)
- Consider adding MAC-based access-control lists to your switch. This will make it so that Aging PC can only send and receive frames to and from the server.
- Consider IP address and port ACLs, so it can only do file-share-related tasks even with this server.
- Consider changing Aging PC to wired: then only frames have to go through the switch to the PC.
- Consider putting Aging PC's Wi-Fi in an SSID of its own, if you can't make it wired.
- Consider a direct wire from the PC to a second NIC on the server, with an otherwise unrouted IP address.
edited Dec 4 at 17:58
answered Dec 4 at 17:00
jonathanjo
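An added example, not from the question or the answer, of what the answer's IP-and-port ACL bullet looks like on the SG300 CLI, assuming the PC is moved to its own wired switch port as the third bullet suggests; behind the access point the same ACL would hit every wireless client sharing the AP's uplink, which is why the comments suggest a dedicated SSID and VLAN instead. The addresses, port name and ACL name are placeholders, and the command syntax is my recollection of the Sx300 CLI reference, so check it against the guide for your firmware before applying it.

```cisco
! Constructed placeholder values; substitute your own:
!   PC IP address       192.0.2.50   (static, or a DHCP reservation)
!   File server IP      192.0.2.10
!   Switch port for PC  gi1          (the PC's own wired port, not the AP uplink)
configure terminal
!
! Layer 3/4 allow-list: the PC may only open SMB sessions to the file server.
! TCP 445 is direct-hosted SMB, which Windows XP uses when available;
! TCP 139 (NetBIOS session service) is its fallback. Nothing else, no Internet.
ip access-list extended AGINGPC-ONLY-SHARE
 permit tcp 192.0.2.50 0.0.0.0 any 192.0.2.10 0.0.0.0 445
 permit tcp 192.0.2.50 0.0.0.0 any 192.0.2.10 0.0.0.0 139
 deny ip any any
exit
!
! Bind the ACL inbound on the PC's port. Port ACLs here filter ingress, so this
! governs what the PC sends; the server's replies enter on the server's own
! port and are not filtered by this ACL.
interface gi1
 service-acl input AGINGPC-ONLY-SHARE
exit
!
! Caveats to verify on your firmware before trusting the rule:
!  - Map the share by IP (\\192.0.2.10\share) so no DNS or NetBIOS name lookup
!    has to be permitted.
!  - If the PC gets its address by DHCP, its DISCOVER is sent from 0.0.0.0 and
!    will not match the first ACE; either give it a static address or add
!    "permit udp any 68 any 67" above the deny.
!  - Confirm that ARP from the PC still passes; if the implicit deny also drops
!    non-IP frames, a MAC ACE permitting ethtype 0806 is needed as well.
!
! Inspection after applying:
!   show access-lists
!   show interfaces access-lists gi1
end
```

From the PC, confirm the share still mounts and that reaching any other host or the Internet fails before relying on the rule.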