Sign in with
Sign up | Sign in
Your question

Need help with Office Network Design, Access Management and Traffic Monitoring

Last response: in Networking
Share
November 14, 2013 4:50:11 PM

Hi, I have been tasked with some network improvement in our office. Though I'm not a networking guy, I know some of the very basics and am usually very much interested in these things.

Our network previously had 2 separate internet connections and two wireless routers, all of the PCs connected wirelessly, about 15 PCs and a bunch of mobile devices, a wireless IP Camera and a wireless Printer.

The first thing I did 2-3 days ago was get a TPLink TL-R480T+ Load Balance Router for load balancing and a Cisco e1200 Wifi-Router and connected it in AP only mode. This load balancing and a single Access Point was the whole improvement idea.

Then the management asked me to block some social networking sites during office hours, which I did using Basic Domain Filtering on the router.

Now there are two more requirements, and I'm kinda afraid that the last purchase would be wasted. They want to limit access to the allowed devices only, for that I can do MAC filtering or use the PPPoE server on this router combined with MAC bindings the PPPoE accounts. But the MAC addresses are spoofable. :( 

This other requirement is to make them be able to monitor traffic to report internet misuse. They want to be able to see sites visited for each user/PC. For this we can use some packet sniffer (Wireshark) on a PC which can monitor all wireless traffic, or use the router's Port Mirroring. But wireshark gives way too much info. They are asking for a solution which can make a management friendly log and using which some sort of reporting can be done.

On the internet, some are talking about firewalls like pfSense or Smoothwall, but that would also make our load balance router go useless, as pfSense can itself load balance.

Another issue raised now is, there is a separate office going to be functional in 1-2 months, this office is in a separate building, next to the first office's building. Distance between two building will be 100-150 feet. New hirings are being done. Eventually there will be equal devices there too. Every policy here will be applied there too. Our recent purchased router doesn't support VPN.

Now my questions are, in accordance with usual practices, what are the best ways to
1) Filter Prohibited Sites / Apps (torrents etc)
2) Control access - Is using PPPoE in private LANs a good idea. (Besides the fact that I dont even know if there would be any benefit?) How would we handle MAC cloning.
3) Traffic Monitoring - Do tell me every possible alternate you can think of, in every possible setup
4) Handle Second Office - Should we try to connect them physically somehow? (Cable/Wireless). Should it be handled via VPN? (Would VPN makes second network go slow?)
5) Should I think about DD-WRT/OpenWRT on the router? Are there any benefits?

P.S. This post has gone so long, I didn't think of this before. Ofcourse we should have some dedicated human resource for it or some consultancy, but I have to do it because I have to do it now.

Thanks, even if you only read (all of it).
November 15, 2013 7:48:15 AM

Oh boy. I think I would suggest a single subnet link between the two offices. You aren't handling that much traffic, about 30 PC's total. You could use two linux systems, one at each office to create the link with openVPN and a little iptables setup. All Internet traffic would route from your new office to your current office and then out to the Internet. That makes it easy to monitor Internet traffic.

I seldom monitor users myself. It's tacky and I'm not employed to be a snitch. But when necessary I use tcpdump. It's light weight and it is easy to edit the output for specific reports.

What you are trying to do is fairly common. If you need specific instructions you can find me on portdefender.net. Just click on SUPPORT and leave a message.

sysadm - portdefender.net
November 16, 2013 2:32:47 AM

thanks @cptmikey

What I want to ask is, how does VPN affect network speeds? I mean given the small distance between offices, we could try to connect them physically maybe? But the question about these alternatives is, what difference do they make in such a scenario?
Related resources
a b X LAN
November 16, 2013 3:35:30 AM

You are likely going to have to start doing things like a real company. The best security is achieved using 802.1x which is part of the enterprise setting in wireless. 802.1x is the best solution to protection of wired ports also. It is in effect a mac filter which has protection against spoofing. On the cabled ports it prevent installation of a router and cloning of mac addresses also. When you already have a Microsoft domain server it is pretty easy since you can turn on the radius server and it will then use the domain credentials both for accessing the domain as well as access to the network.

Traffic filter and monitoring is best done with a proxy server. The logging and filtering capabilities are the best you can get compared to a router or even a dedicated firewall. Most people run with the proxy required to be configured in the clients but it is possible to put them inline in transparent mode. There will be a small number of ports you will likely need to allow directly though the router/firewall...ssh and ftp tend to be common ones. You do have to be somewhat careful bit torrent can run though pretty much any port so you want as few as possible. Torrent by default is almost impossible to get to work though a proxy. You need to make sure you use the option that prevents "connect" on ports other than 443 (https) since torrent uses that method. Some torrent also try to use connect on 443 and then not run SSL encryption. Higher end proxies (maybe the free ones not sure) can see if the initial traffic over 443 follow the rules of ssl session setup.

The largest problem to try to prevent are SSL/TLS VPN tunnels used to bypass your restrictions. You will need to block a list of sites that provide proxy and vpn services. Then to catch the rare ones or the guy who set a vpn up to his house you need to watch the proxy logs for https sessions that transfer large amounts of data and stay connected for very long periods of time. They tend to stand out in the logs.

Connection to the second building is always easiest if you can get a physical connection, fiber of copper ethernet being the optimum. At your distance simple point to point wireless bridges will be pretty easy to.
November 16, 2013 11:16:11 AM

Bilal Haider said:
thanks @cptmikey

What I want to ask is, how does VPN affect network speeds? I mean given the small distance between offices, we could try to connect them physically maybe? But the question about these alternatives is, what difference do they make in such a scenario?


Most people will say yes, VPN's are slower. In theory perhaps, but if they are set up right your users will never notice. I often access the Internet through a WIFI and sometimes the VPN is actually faster than the unencrypted traffic. Consider that you get a standard 20meg fiber connection at each site. A couple of 'off the shelf' PC's runing openVPN on Linux can easily out pace the fiber through put and 20meg is plenty for the number of users you are quoting. Well, unless they are all watching HULU.

There's also another advantage to this scheme, you could have employees access your network from home or while traveling through the VPN without worries about security. And their access can be disabled, encase of termination or something, by simply revoking their certificate.

If, in the future, your business adds more offices they can be incorporated into the existing network.

Lastly, if you put in your own dedicated line you will have to maintain it where a telco line is someone else's headache.
November 18, 2013 1:51:01 AM

How to split a wireless / wired network securely and easily:

http://arcainsula.co.nz/2013/build-your-own-security-ap...

How to install Webmin on Ubuntu - it is a server management package, but one of the included modules is bandwidth management:

http://arcainsula.co.nz/2013/webmin-on-ubuntu-12-04-ser...

I've recently stared blogging again. I have over 20 years expereince in this field you are starting out in, if you can suggest an area you are battling with, I'll happily explain it in a blog post format as I could use some ideas for more posts.

Hope the posts help, they are written for peole that are new to infrastructure or at least, your feedback would help.

Cheers.
!