Afternoon All,
After some advice please.
Attached is a partial diagram of a network comprising:
4 x Laptop
1 x File Server
1 x Backup Server
4 x Attack Lab Machines
2 x Test Lab Machines
In addition there is an ADSL modem which provides Internet access, and you can assume that I have as many hubs/switches and additional machines as may be required to make this work.
The network is effectively split into 2 halves. The laptops on the left-hand side (LHS) need to have full access to the Internet, and must be able to access the file server and the shares that are on it. Additionally it should be possible to re-image the laptops from the backup server if required, but they do not routinely need access to the files on it. The file server should have access to the backup server, to facilitate backups....ummm....der.....
In addition to this, the laptops all require access to the four 'Attack lab' machines on the right-hand side (RHS) of the network. The 'Attack lab' machines will be built (and rebuilt) on an ad-hoc basis, using various operating systems. The purpose of this is to allow the users of the laptops to explore the vulnerabilities on those 'Attack lab' machines, learn how to exploit them, and then learn how to patch them. It may be necessary to pull images from the backup server occasionally, but this can be done via CD/DVD transfer if required. The four 'Attack lab' machines require some access to the Internet for the purpose of applying patches, but if this can be done manually then that's probably better.
It can be assumed that the users can be trusted not to trash each other's laptops, although a mechanism for preventing any 'accidents' might not be a bad idea.
The two 'Test lab' machines will be used for examining malicious code/viruses and for studying its effects on various operating systems. They should preferably have access to the Internet for the purposes of downloading patches, but if there is a manual way of accomplishing this then they could be completely stand-alone from everything else.
The constraints as I see them are:
1. The whole of the RHS of the diagram should ideally be completely segregated from the Internet. We have 6 unpatched and highly vulnerable machines there which could easily be taken over/subverted if there was an easy channel to them from the outside world.
2. The laptops *need* Internet access, and also *need* access to the RHS of the network. They also *need* to be able to share files with each other via the file server.
3. Nothing from the RHS of the network should be able to 'write' to anything on the LHS. That is, any exploits used/malicious code being studied should not be able to affect any part of the LHS.
Now, I could manage any single part of this. Networking half a dozen machines together is simplicity in itself. What I can't work out is how to accomplish what I'm after above. It seems that I effectively need two different networks, but that they should be connected somehow.
Am I overcomplicating this? Is there a better way to do it? Can I accomplish what I'm trying to do above, or should I just have two physically distinct networks, and manually change cables to change the laptops between the two? If I segregate the 6 machines on the RHS and stop them accessing the Internet, how do I manage patches etc. when I need/want to?
Is this post too long? (Probably!)
Any and all advice gratefully received. I'm sure there's a simple way of accomplishing this, I just can't see it.
BTW - I'd appreciate it if we could keep this purely to a discussion about the network topography itself, not about what it will be used for/why, as that discussion could very easily start to drift into areas that are against the Ts and Cs of CF. Suffice to say though that the network is fully under my control and that of my employers, and that I have full authority to implement it as described above.