Creating Separate Networks

Hello everyone,

I was recently given control of my company's networking (I have limited knowledge of I.T. stuff). We do not have and cannot afford an I.T. company to come in and take care of this stuff for us. We have a Sophos UTM 9, model SG105.

Currently it is hooked up to an HP switch that all of our computers, printer, phones, and wireless router are hooked up to (24 ports total). We have a Linksys wireless router, and DHCP is off to downgrade it to an AP.

Since our office handles sensitive medical information, I need to make separate networks to isolate the computers that handle the sensitive information. All the computers handling that are hard-lined. So basically I need to completely separate the wireless AP network. Now for the kicker (to me at least): I also need to add settings so that, while the networks are completely separate, both networks can communicate with the printer to print.

The other thing I would like to do, but don't HAVE to do, is to be able to block certain web content on our computer network (like Facebook, Instagram, gaming, etc.) since they are work computers and are not supposed to be used for personal things like that.

Any help would be great!



  • Quite a thing to do and possibly a steep learning curve for you, but not impossible. First thing out of the box for any separation here is the switch. It needs to be a managed switch on which you can create VLANs (virtual LANs), or if not, you will need another switch so you can create physical separation, i.e. one network on one switch and the other network on the other.

    Once you have the above, you can then create the networks on the UTM following the same route, i.e. VLANs, in which you will use one interface and cable to connect to the switch and carry both networks, or two interfaces with a cable from each going off to the separate switches.

    You already have a network in place, so I would use that as one network. You then create the other network (I wouldn't make it too similar to what you already have, so that you can easily recognize it, e.g. corporate 192.168.1.0/24 and guest 10.0.0.0/24). The UTM will act as the DHCP and DNS server for both networks, although you will have a few complications if using web filtering as opposed to just firewalling, as the web filter can confuse people a little here.

    Main thing here is to decide on a plan and then go for it. Read the RULZ on here and then read them again and again, and take in rule #1 & #2 so you understand how the traffic is hitting the UTM. Learn the web filter and read some of the key documents on here. They have been created by some knowledgeable people who I'm sure will also add their advice here to assist you.

    For your setup, I would use the existing network and then create the new network and place a test PC on it, on which you can test everything yourself without causing disruption. When it's all OK, simply move the users you want separated onto it.

  • Louis, thank you very much for your response. Our HP switch is a managed switch. I had not even thought about the switch because I had the mind-set that I would plug the wireless router into one of the other ports on the back of the firewall and create another network within the firewall.

    I'm not going to do any web filtering. Creating the 2 VLAN networks on the switch all makes sense and seems quite doable for me. I still have the issue (for me at least) of the printer. With the information I have now, I am under the assumption that I would create a 3rd VLAN network and allow network 3 to communicate with both network 1 and 2, but not allow 1 or 2 to communicate with each other?

  • You could do it that way and purely use the wireless access point. That would simplify it a little but you would be tied to wireless only.

    If you go that route, it's as simple as creating another LAN on the UTM. If you aren't using web filtering, it's as easy as making the firewall rules up like so:

    1. New LAN > internet (if you want them to browse the internet, e.g. DNS & web browsing)

    2. New LAN > existing LAN printer IP (this allows anybody on the new LAN to use the printer only)

    My advice would be to use the web filtering and DNS proxy on the UTM. Makes it more secure but will involve extra config to keep everything separate.
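
The two rules above, and the three-VLAN layout asked about earlier in the thread (corporate, wireless, printer), are easy to get subtly wrong on a first-match firewall: if "internet" is written as the destination "Any", the wireless network is also allowed into the corporate network. The following is an added example, not code from this thread or from Sophos: a small first-match simulator with two rule sets, the naive one and a tightened one, run over constructed sample packets. All addresses, the printer ports and the rule names are assumptions made up for the example.

```python
"""Added example, not code from the thread: a first-match firewall
simulator used to check the VLAN isolation discussed above.

Addresses are assumptions made up for this example:
  corporate (wired, medical data) : 192.168.1.0/24
  guest / wireless                : 10.0.0.0/24
  printer VLAN                    : 192.168.2.0/24, printer at 192.168.2.10
Rules are evaluated top-down, first match wins, and a packet that matches
no rule is dropped, which is how Sophos UTM 9 applies its firewall rules."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Union

CORPORATE = ip_network("192.168.1.0/24")
GUEST = ip_network("10.0.0.0/24")
PRINTERS = ip_network("192.168.2.0/24")
PRINTER = ip_network("192.168.2.10/32")
ANY = ip_network("0.0.0.0/0")
INTERNAL = (CORPORATE, GUEST, PRINTERS)
# Assumed print services: raw JetDirect, IPP, LPD. Check the actual printer.
PRINT_PORTS = frozenset({9100, 631, 515})

# INTERNET stands in for a definition like the UTM's "Internet IPv4":
# every address that is NOT one of our internal networks. "Any" matches
# everything, internal networks included; that difference is the point.
INTERNET = "internet"
Selector = Union[IPv4Network, str]


def _hits(selector: Selector, ip: IPv4Address) -> bool:
    if selector == INTERNET:
        return not any(ip in net for net in INTERNAL)
    return ip in selector


@dataclass(frozen=True)
class Rule:
    name: str
    src: Selector
    dst: Selector
    action: str                       # "allow" or "drop"
    ports: Optional[frozenset] = None  # None means any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (_hits(self.src, src) and _hits(self.dst, dst)
                and (self.ports is None or port in self.ports))


def decide(policy, src: str, dst: str, port: int):
    """Return (action, rule name) of the first matching rule, or the
    implicit default drop when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, port):
            return rule.action, rule.name
    return "drop", "implicit default drop"


# A naive reading of "new LAN > internet": destination "Any".
WEAK = [
    Rule("guest to any", GUEST, ANY, "allow"),
    Rule("corporate to any", CORPORATE, ANY, "allow"),
]

# Same intent with the internet named precisely, the printer reachable on
# print ports only, and explicit drops between the two user networks placed
# above the internet rules so a later "Any" rule cannot quietly reopen them.
HARDENED = [
    Rule("guest to printer", GUEST, PRINTER, "allow", PRINT_PORTS),
    Rule("corporate to printer", CORPORATE, PRINTER, "allow", PRINT_PORTS),
    Rule("guest to corporate", GUEST, CORPORATE, "drop"),
    Rule("corporate to guest", CORPORATE, GUEST, "drop"),
    Rule("guest to internet", GUEST, INTERNET, "allow"),
    Rule("corporate to internet", CORPORATE, INTERNET, "allow"),
]

# Constructed traffic samples: (src, dst, dst port, what it represents)
SAMPLES = [
    ("10.0.0.20", "192.168.1.10", 445, "wireless laptop to a medical workstation (SMB)"),
    ("10.0.0.20", "192.168.2.10", 9100, "wireless laptop to the printer"),
    ("10.0.0.20", "192.168.2.10", 80, "wireless laptop to the printer web admin"),
    ("10.0.0.20", "203.0.113.7", 443, "wireless laptop to a public web site"),
    ("192.168.1.10", "10.0.0.20", 22, "medical workstation to a wireless laptop"),
    ("192.168.1.10", "192.168.2.10", 631, "medical workstation to the printer (IPP)"),
    ("192.168.2.10", "192.168.1.10", 445, "printer calling back into the medical network"),
]


def evaluate(policy):
    """Map each sample description to the action the policy takes on it."""
    return {desc: decide(policy, s, d, p)[0] for s, d, p, desc in SAMPLES}


if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"== {name}")
        for s, d, p, desc in SAMPLES:
            action, rule = decide(policy, s, d, p)
            print(f"{action:5} {s:>13} -> {d:<13}:{p:<5} {desc} [{rule}]")
```

Running it shows the weak set letting the wireless laptop reach the medical workstation on SMB, while the hardened set drops that and also drops the printer's own attempts to reach the medical network. Two caveats the simulator cannot show: hosts on the same VLAN talk through the switch and never reach the UTM, so the rules only govern traffic between VLANs; and if the HP switch is a layer-3 model with IP routing enabled, it will route between the VLANs itself and the UTM rules are bypassed, so leave routing on the switch off and let the UTM be the only gateway for each VLAN.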

  • Hi, Jessie, and welcome to the UTM Community!

    My best advice for you would be to suggest that you ask Sophos for a recommendation of a reseller with a lot of experience installing UTMs and designing configurations with WebAdmin.  This device is very easy to manage and administer once it's been setup correctly.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA