[SOLVED] Protecting Older PC's on a Network

Oct 1, 2021
Hey, definitely not a network or network security expert by any stretch, but I've been tasked with looking at protecting older computers on my network at work, as a means to protect those machines and the rest of the network. To give you guys some idea of the setup, all computers are wired into a network switch and then wired to a modem. The computers we are concerned about operate using either Windows XP or Windows NT, as they interface with older CNC mills/grinders/lathes. A concern was raised that they pose a risk; I'm unsure how valid this concern is, but it seems logical. The original thought was to try and isolate them from the internet but continue to allow access to them over our network. Does anyone have any guidance on this issue?
 
Solution
To really protect it you would need a firewall, and even then it would take a fairly complex configuration depending on what access you actually needed to allow.

You can accomplish most of your goal with a fairly simple trick: removing the default gateway from the old machines. Since they have no way to leave the local network, they can only talk to the local machines but not get out to the internet.

This tends to be good enough for most people. You need to be sure you keep the machines that can actually connect to the internet patched. In theory at least one of the machines could be infected from the internet and then attack one of the old machines via the LAN. But there really is no complete protection from this kind of attack even on machines that are fully patched Win10, since there tend to be fewer restrictions between any machines internally. It would be extremely costly to try to even partially mitigate it with a fancy firewall.

The virus and malware protection built into default Windows prevents most of this. There really is nothing you can do about an employee who, for example, downloads something they shouldn't and hurts the internal network.

Unless you are willing to actually replace the older machines, removing the gateway likely will be good enough protection.
 

Manually set their network properties and don't set a gateway?
 
For CNC/Mills/Lathes, I would first and foremost make a clone of the hard drive. Have a backup image of each computer saved somewhere or simply clone the hard drive and have a spare. Time is money on these things, so downtime is bad and setup can take some time. If any of these computers get a virus, you can use your clean backup image to restore them very quickly.

Do these PCs need access to other PCs on the LAN? Do PCs on the LAN need access to these CNC/mill/lathe computers? If not, then I would implement a VLAN and put these machines on their own LAN. That way, if someone does hack into these older XP computers, they can't get onto your main network with all your critical information. I doubt these CNC/mill/lathe computers have anything of value on them to a hacker, but it would allow them access to your LAN where they could do things like packet sniffing. They could install a network logger and log all LAN traffic to look for things like credit card or personal info, passwords etc. They could try to break into NAS servers as well. Using a separate VLAN will help to mitigate that.

Do these CNC/Mill/Lathe machines need constant access to the internet? You could simply disconnect them, and only connect them to do updates. Or you can buy a FIREWALL unit to block access to the internet and only allow LAN access to these machines. Make sure these machines have a static IP address or you can use their MAC address.
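To make the two options above concrete (bill001g's "remove the default gateway" and alceryes's "separate VLAN"), here is an added reachability model that is not part of this thread. It uses Python's `ipaddress` module; all host names and addresses are constructed for the example, and it only models IP routing (on-link or via a default gateway), not switch ACLs or firewalls.

```python
# Added example: IP-layer reachability model of the isolation options discussed in the thread.
# Host names and addresses below are constructed; 203.0.113.0/24 is a documentation range.
from ipaddress import ip_address, ip_interface
from typing import Optional


class Host:
    """A host with one or more interfaces. gateway=None models the gateway field left blank."""

    def __init__(self, name: str, interfaces, gateway: Optional[str] = None):
        self.name = name
        self.ifaces = [ip_interface(i) for i in interfaces]  # e.g. "192.168.1.50/24"
        self.gateway = ip_address(gateway) if gateway else None

    def can_reach(self, dst: str) -> bool:
        """On-link destinations are always reachable; off-link ones need a usable default gateway."""
        d = ip_address(dst)
        if any(d in i.network for i in self.ifaces):
            return True
        if self.gateway is None:
            return False  # no route at all: the packet cannot leave the local subnet(s)
        return any(self.gateway in i.network for i in self.ifaces)


def reachable_pair(a: Host, b_ip: str, b: Host, a_ip: str) -> bool:
    """Two-way check: a TCP session needs the request AND the reply to be routable."""
    return a.can_reach(b_ip) and b.can_reach(a_ip)


INTERNET = "203.0.113.10"
office = Host("office-win10", ["192.168.1.20/24"], gateway="192.168.1.1")
# Option 1: CNC PC stays on the office LAN, default gateway removed.
cnc_nogw = Host("cnc-xp-nogw", ["192.168.1.50/24"])
# Option 2: CNC PC on its own VLAN/subnet, still no gateway.
cnc_vlan = Host("cnc-xp-vlan", ["192.168.50.50/24"])
# Dual-homed "drop box" host bridging files into the CNC VLAN (from the later reply).
dropbox = Host("dropbox", ["192.168.1.30/24", "192.168.50.30/24"], gateway="192.168.1.1")


def summary() -> dict:
    """Return what each option does and does not block."""
    return {
        # False: without a gateway the XP box cannot leave the LAN, the thread's main point.
        "nogw_to_internet": cnc_nogw.can_reach(INTERNET),
        # True: an infected office PC on the same subnet can still reach it (the stated caveat).
        "office_to_nogw": reachable_pair(office, "192.168.1.50", cnc_nogw, "192.168.1.20"),
        # False: on a separate subnet the XP box has no route back, so sessions cannot complete.
        "office_to_vlan": reachable_pair(office, "192.168.50.50", cnc_vlan, "192.168.1.20"),
        # True: the dual-homed host is on-link with the CNC VLAN and can move files in.
        "dropbox_to_vlan": reachable_pair(dropbox, "192.168.50.50", cnc_vlan, "192.168.50.30"),
    }
```

In practice the VLAN result also depends on the router or L3 switch not routing between the two subnets, which this model does not represent; the gateway-removal result holds regardless of upstream configuration.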
 

Thanks for the response! Just wondering if you had anything I could read on gateways and how they work, so that I could start looking into it. My first skim through Google didn't really show anything clear on this.
 

The machines only need to be accessed locally, but they do not need to access the internet in any way. We simply use them to interface with the machines themselves. Hopefully that gives you a better idea of the setup, and thanks for the help!
 

Thanks for the advice, but do you perhaps have any resources or videos that might explain that process in more detail? Like I said, I'm definitely not a network expert, so I have a lot to catch up on. Thanks again for the help.
 
That is definitely the easiest option.
A completely isolated network with just the CNC machines and the PCs would be another. A single up-to-date host could be set up with two network connections to allow drop-box-type access for files going to the CNC network.

Yeah, an isolated network was the first thing we discussed but I have a lot to catch up on before we'd try to set one up. Do you have any videos/articles you'd recommend to learn more about it? Thanks for the help too.
 

kanewolf

If you need videos/articles then you should request a consultant or other support to set this up. Business networks shouldn't be run via YouTube help.
 
To a point this is almost scary that you don't know something extremely basic like how to remove the gateway. This is trivial, so if you are going to do anything more advanced I would pay for help, because things like a separate network or VLANs take a bit more knowledge... although even this is not all that advanced.

In any case, go to the IPv4 settings in the NIC and look at the setting options. I assumed you had already been in these screens, because on almost all server-type machines you tend to set fixed IP addresses so you can get easy access to them. What you want to do is leave the gateway IP address field blank. Now, if you do not even know what a static IP is and these are still getting an IP from the router via DHCP, you have a bit more to learn.

You might find a video on how to assign a static IP address; I mean, children are doing this in their house to set up their Minecraft servers.
 

Sorry you feel that way, and I really don't agree with you at all that this should be common knowledge. Not everyone, or even a majority of people, take up networking as a hobby. I was only on here to evaluate and learn about potential solutions for our current situation, not be ridiculed for my lack of personal experience in the world of networking. I also thought I made my experience level clear from the beginning. I hope no one treats you like that when you go seeking advice and guidance on anything.
 
I'm going to agree with @bill001g here. You are in way over your head. A business network is absolutely NOT the place for a novice. You have demonstrated that you do not have even the most basic of network knowledge, which will cause your employer no end of problems if you continue. You have been given good advice here. This is where you absolutely MUST be bringing in experts to advise. A great number of the people giving you advice have decades of experience to back them up. You would do well to listen to them.
 

kanewolf

You asked for advice. The consensus advice is don't do what you are attempting. That is the same advice you would get if you asked "How do I rewire a power supply to provide different voltages?" You would get a consensus of "Don't". That is not the answer you thought you would get, and are interpreting that answer as criticism. It isn't criticism, it is an understanding, gained from years of experience in business settings, that sending an untrained person to do a job is likely to fail and cause worse problems. Your boss is the villain, not you. You are asked to do something that you are not qualified to do. BUT, you feel uncomfortable asking your boss for help. So you are forced to "crowd source" experience. That is a bad plan.
 

I think I understand where the issue is; if it takes bringing someone in, then that's what it takes. I don't have a problem with that at all, it's just a shop project that is too much for anyone else's plate. It's not that I don't agree with Bill's idea of not doing it myself, I took issue with the fact that he was a bit passive aggressive about my lack of experience. I'm just not a fan of that.

Nonetheless, I think everything's been said that could be. I appreciate everyone's good advice, and I apologize if I took something to heart I shouldn't have. The topic is steering a bit wide, so maybe we should wrap up here.
 