Can a subnet be used to isolate computers from other parts of a network and prevent virus transmission?

Joe Videtto May 15, 2012
Pinterest Stumbleupon Whatsapp

I work in a school, and would like to try some new operating systems (Ubuntu) not supported by the IT group – of course, we want the Internet connectivity provided by our infrastructure. The IT group has the legitimate concern regarding the security of these machines, and level of protection afforded by virus protection software on these Ubuntu machines (for which I created another question).

Can a network ‘subnet’ be used to isolate a portion of a network with the new operating systems from possibly infecting the remainder of the network with viruses ?
Ifnot, are there any ways to ensure Internet connectivity of the new machines while isolating them from the possibility of infecting the remainder of the network with viruses ?

Ads by Google

  1. Naoman Saeed
    September 17, 2012 at 4:10 am

    you should use a firewall

  2. Oron
    May 15, 2012 at 4:28 pm

    Joe, simply putting the machines in a subnet which is part of another network (e.g. 192.168.0.* for the school, 19.168.200.* for your lab) will do very little, but Laga's solution is neat, and if you combine it with a physical firewall (as per Bruce's suggestion), perhaps only letting limited traffic (port 80?) in and out then you'll have a fairly secure solution.

  3. Laga Mahesa
    May 15, 2012 at 9:54 am

    My lab's 20 workstations are on 10.0.0.x while the rest of the school is on 192.168.x.x.

    The lab computers are all connected to a switch whose sole access to the internet is *MY* computer, which has two LAN cards.

    IT has no say in what happens in my lab.

    • Joe Videtto
      May 16, 2012 at 1:17 am

      you cowboy...I'm trying to be like you : )

  4. Bruce Epper
    May 15, 2012 at 9:09 am

    Rather than simply using subnetting to isolate the network, you could consider building a firewall to do the job. In this manner you can still have internet connectivity, but block all access to other machines on the network. This would probably make your IT group feel better as it can offer complete isolation between the operating system groups. Since it is for isolating a small group of computers, it does not have to be a heavy-duty machine either. A small multi-homed Linux box with iptables is able to do the job. You could even configure ufw on all of the Ubuntu boxes to allow the same capability, but any changes would need to be made to each machine in turn instead of having a central point of control.

    Also, the likelihood of the Ubuntu machines infecting the Windows machines on the network or vice versa is quite low in the first place. You can also install ClamAV (open-source, free). There are Linux versions of proprietary AV solutions as well, but I don't know if they would be free for educational usage (they are for home use).

  5. Richard Carpenter
    May 15, 2012 at 5:34 am

    I would recommend putting those servers on a different class ip addressing scheme. That would be easiest, less time consuming, way to do it.

    Also, you might want to look at setting them up in a DMZ, if you have managed switches.

    • Richard Carpenter
      May 15, 2012 at 8:23 pm

      To add to my comment earlier... a subnet is a logical separation using the subnet mask to isolate or control the number of computers on a network. Basically a computer on the IP address 172.168.0.1 with the mask of 255.255.0.0 will not chat with a computer 172.168.0.2 with a mask of 255.255.255.0. This works because the subnet mask determines the broadcast ip address.

      This is not the same as completely changing to a different IP Class (Ex. A - 0-127 B- 128-191 C-192-223), which is probably the better option.

      If anyone has any question, please ask.

Ads by Google