How to secure an aging PC from the switch/router side?























I have an aging Windows XP PC whose purpose is to feed code to a manufacturing machine via an RS-232 connection using machine-specific software. The PC needs to retrieve its code from a network file share. This PC came with the manufacturing machine (purchased used), and I do not have / cannot obtain its administrator password. Furthermore, the PC has automatic updates disabled and its firewall disabled, and these cannot be turned on without admin access. I am concerned about the security risk of having an un-updated / un-firewalled PC on my network.



Can I somehow secure this machine through settings on our Cisco managed switch (SG300) in order to limit it to its one and only network-related task - which is to connect to a network file share? The machine does not need internet access. It only needs access to a single network file share. Is there a way this can be done?



Here is more detailed info about our network configuration:




  • The managed switch is a Cisco SG300. It is handling all Layer 3 switching.

  • The file server is connected to the Cisco SG300 switch.

  • The router is a Ubiquiti EdgeRouter X; however, I believe this is out of the picture because the Cisco switch is doing all internal switching and handling VLANs.

  • The aging PC is connected to the network via Wi-Fi.

  • The aging PC does not have a Wi-Fi card, so it is connecting to Wi-Fi via a wired-Ethernet-to-Wi-Fi adapter (IOGear GWU627W6).

  • The wireless access point is a Ubiquiti UniFi AP-LR, which is connected to the Cisco SG300 switch.










  • We need more information. At least a good description of the network, the network device models, and the network device configurations. Refer to the Network Engineering Question Checklist for guidance, then edit your question.
    – Ron Maupin
    Dec 4 at 15:06












  • Basically the only thing you could do on the switch is VLAN segmentation. With this, you would have a separate logical broadcast domain but no chance to control the traffic like a firewall does. Furthermore, you would need something for routing. As Ron already wrote, we need some more details. If you have a firewall in your network, a simple solution could be to do basic stateful packet inspection between your WinXP PC (which is in a separate VLAN) and the file server.
    – Markus
    Dec 4 at 15:20












  • Hello PMetal and welcome to Network Engineering. What manufacturer and model of switch is the Aging PC plugged into? Is the server on the same switch?
    – jonathanjo
    Dec 4 at 16:11










  • We still need the network device configurations. It sounds like you need a separate SSID and VLAN for the PC (much like a guest SSID and VLAN), to which you can then apply ACLs to restrict access, but we cannot help unless you give us enough information.
    – Ron Maupin
    Dec 4 at 16:37










  • Thank you for your input - I have updated the original post with additional network details. I like the idea to use a separate VLAN to separate it. I could certainly use a separate SSID for this machine as well.
    – PMetal
    Dec 4 at 16:41







































cisco networking














edited Dec 4 at 16:34

























asked Dec 4 at 14:43









PMetal















































1 Answer
accepted











  • Consider adding MAC-based access-control lists to your switch. This will make it so that the Aging PC can only send and receive frames to and from the server.

  • Consider IP address and port ACLs, so it can only do file-share-related tasks even with this server.

  • Consider changing the Aging PC to wired: then frames only have to go through the switch to the PC.

  • Consider putting the Aging PC's Wi-Fi in an SSID of its own, if you can't make it wired.

  • Consider a direct wire from the PC to a second NIC on the server, with an otherwise unrouted IP address.










        edited Dec 4 at 17:58

























        answered Dec 4 at 17:00









        jonathanjo
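A small model of the allowlist the first two bullets describe, written here as an added example (not the answerer's code or a Cisco configuration): a MAC ACL that confines the PC to the file server, an IP/port ACL that confines it to file-share ports, and an audit pass over the frames the PC sends so you can see what a deny-all policy would break before deploying it. All MACs, IPs and flow records are constructed; the model assumes the PC sits on its own switch port in the same VLAN as the server (the "make it wired" case), so its frames carry the server's MAC rather than the SG300's gateway MAC.

```python
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not from the question).  The model
# assumes PC and server share one VLAN, so the PC's frames carry the server's
# MAC; with routing between VLANs they would carry the SG300's gateway MAC.
PC_MAC = "00:11:22:33:44:55"        # address the switch sees for the PC's adapter
SERVER_MAC = "aa:bb:cc:dd:ee:01"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
PC_IP = "192.0.2.10"
SERVER_IP = "192.0.2.20"

# "File-share related tasks": SMB over TCP 445, NetBIOS session service on
# TCP 139, NetBIOS name/datagram service on UDP 137/138.
FILE_SHARE_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

@dataclass(frozen=True)
class Flow:
    """One frame as the PC's switch port sees it on ingress (PC -> network)."""
    src_mac: str
    dst_mac: str
    proto: str          # "arp", "tcp" or "udp"
    src_ip: str = ""    # empty for ARP
    dst_ip: str = ""
    dst_port: int = 0

def mac_acl(flow: Flow) -> bool:
    """Layer-2 rule: the PC may address only the server, plus broadcast for ARP.
    Without ARP the PC could never learn the server's MAC, so a MAC ACL that
    permits only PC<->server unicast silently breaks the file share."""
    if flow.src_mac.lower() != PC_MAC:
        return False                     # another (or spoofed) source on the port
    if flow.dst_mac.lower() == SERVER_MAC:
        return True
    return flow.dst_mac.lower() == BROADCAST_MAC and flow.proto == "arp"

def ip_port_acl(flow: Flow) -> bool:
    """Layer-3/4 rule: IP only from the PC to the server, only file-share ports.
    ARP carries no IP header, so it passes this rule untouched."""
    if flow.proto == "arp":
        return True
    return (flow.src_ip == PC_IP and flow.dst_ip == SERVER_IP
            and (flow.proto, flow.dst_port) in FILE_SHARE_PORTS)

def evaluate(flow: Flow) -> str:
    """Apply both ACLs in order; the first failing rule names the reason."""
    if not mac_acl(flow):
        return "deny:mac-acl"
    if not ip_port_acl(flow):
        return "deny:ip-port-acl"
    return "permit"

def audit(flows: list) -> list:
    """Flows the switch would drop, with the rule responsible.  Run this over a
    capture of what the PC really sends before deploying: anything listed that
    the PC needs (DHCP, DNS if the share is reached by hostname) must be added
    to the allowlist first, or the machine stops working."""
    denied = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict != "permit":
            denied.append((flow, verdict))
    return denied

# Constructed sample traffic seen on the PC's port.
SAMPLE_FLOWS = [
    Flow(PC_MAC, BROADCAST_MAC, "arp"),                                   # ARP for the server
    Flow(PC_MAC, SERVER_MAC, "tcp", PC_IP, SERVER_IP, 445),              # SMB to the share
    Flow(PC_MAC, SERVER_MAC, "tcp", PC_IP, SERVER_IP, 3389),             # RDP to the server
    Flow(PC_MAC, "aa:bb:cc:dd:ee:02", "tcp", PC_IP, "192.0.2.30", 445),  # share on another host
    Flow(PC_MAC, "aa:bb:cc:dd:ee:fe", "tcp", PC_IP, "203.0.113.9", 80),  # Internet via gateway MAC
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

Because switch ACLs are stateless, the same exercise has to be repeated for the server-to-PC direction if you also filter on the server's port.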






























