Would a subnet protect the rest of the network when testing for viruses, etc?

3

Currently I have a standard SOHO router that we connect to browse the Internet, etc. As I am doing my internship in networking, I would like to know whether a subnet would protect the rest of the network when I am testing other computers.

For example I would like to set up a scenario where I browse the Internet with no antivirus, anti-malware, etc. If one of the test computers I set up is infected I would like to make sure that none of the other computers that are used regularly will be infected.

Does a subnet provide such security? If not what type of setup should I consider and how should I set it up?

PeanutsMonkey

Posted 2011-10-27T22:19:10.683

Reputation: 7 780

The Internet is a different subnet than your LAN; have you ever caught a virus from the Internet? :) – Ƭᴇcʜιᴇ007 – 2011-10-27T22:24:17.263

Answers

1

It depends on whether the subnets are set up to talk to each other. If they are, then it makes no difference and makes more work for you. If they are actually isolated and can only see the Internet, then you should be safe. Try to ping a computer on a separate subnet, and see if you can access it. If you can't, and firewalls are off, then it's likely a safe bet.

Here at my computer shop, we have our modem plugged into a switch, then two routers off of the switch: one for the 'tech' side, and one for the 'infected' side (aka customer machines).

Canadian Luke

Posted 2011-10-27T22:19:10.683

Reputation: 22 162

Thanks. I am curious as to how I can set them up so they cannot communicate with each other. What would I need to do? – PeanutsMonkey – 2011-10-27T22:28:45.133

Well, one switch and two routers is the quick, no-config-needed route. If you want to use your built-in router, I'd suggest using DD-WRT if it's compatible. – Canadian Luke – 2011-10-27T22:29:27.580

Sorry for being a n00b, but seeing I have one ADSL router, would that connect to the switch off which the 2 additional routers would hang? – PeanutsMonkey – 2011-10-27T22:33:04.117

Modem -> Switch -> Router 1, then Modem -> Switch -> Router 2 – Canadian Luke – 2011-10-27T22:36:23.890

So that would be 2 switches and 2 routers? – PeanutsMonkey – 2011-10-27T22:39:23.577

Internet (Modem) -> Firewall/NAT Router (Attach dirty computers here, in subnet 1) -> Firewall/NAT Router (Attach clean computers here, in subnet 2). :) – Ƭᴇcʜιᴇ007 – 2011-10-27T22:41:21.937

1 switch, 2 routers, 1 modem for my setup. If you want to use your router for it all and have the security enabled so subnets can't talk to each other, then we need to know what the router model is. – Canadian Luke – 2011-10-27T23:03:04.653

@Luke/techie007 - I don't see how that would work unless I have completely misunderstood your suggestions. Essentially what you are suggesting is a single modem and 2 routers. The modem would have the ability to connect to both routers, and the computers hang off each respective router. My understanding is that if a computer on subnet 1 started communicating with the computers on subnet 2, the following would happen, assuming subnet 1 is 192.168.1.0/24 and subnet 2 is 192.168.2.0/24. PC 1 with the IP address 192.168.1.2 would request PC 2 with the IP address 192.168.2.2. – PeanutsMonkey – 2011-10-28T00:33:20.393

The packet would be forwarded to router 1, which would then forward it to the ADSL modem. Not sure if the ADSL modem would be able to forward it to router 2 and hence PC 2. – PeanutsMonkey – 2011-10-28T00:34:28.287

@Luke- Any reason why I could not set up 2 separate VLANs for each subnet? – PeanutsMonkey – 2011-10-28T00:46:44.540

If you know how to set up VLANs then absolutely! I was not sure on your network knowledge, that's why I kept it simple – Canadian Luke – 2011-10-28T01:21:27.337

@Luke - Thanks. My knowledge is rather basic, but I am willing to learn how to do it better. I'll give VLANs a go. As for my question above, i.e. will the ADSL modem forward the packets? – PeanutsMonkey – 2011-10-28T01:31:09.207

3

Creating a separate subnet doesn't really offer any additional security unless there is some kind of firewall between the two subnets that is filtering traffic.

If malware is going to scan the network for systems to exploit, it would probably start on the subnet that is in use on the local machine, but it doesn't stop there; it could simply start scanning other networks.

Zoredache

Posted 2011-10-27T22:19:10.683

Reputation: 18 453

So what Luke has suggested would not work without a firewall? I want to set up a scenario where each subnet can share the same Internet connection but NOT see each other or communicate, etc. – PeanutsMonkey – 2011-10-27T22:29:49.033

@PeanutsMonkey You want the "clean" side fire-walled against attacks from the "dirty" side. – Ƭᴇcʜιᴇ007 – 2011-10-27T22:37:27.777

2

The only effect different subnets have on virus propagation is if that particular piece of malware only scans the local subnet as an expansion vector. Subnets just mean it has to pass through a layer three device to reach the other subnet. If you were using an old PIX or ASA between the two subnets, then one would be able to initiate contact into the other but not vice versa. This is the benefit of using a real SOHO firewall over a SOHO router with DMZ hosting. The SOHO router does no isolation on the DMZ host. In this way it is effectively not a DMZ or separate network.

The solution for what you are trying to do, if you want not to get infected by infected PCs, is to use a real SOHO firewall that has a real DMZ set up. A PIX 501 is pretty cheap on flea-bay. Alternately, you could get an old computer with three network cards and install a Linux distro on it... then configure ipchains/iptables appropriately.

RobotHumans

Posted 2011-10-27T22:19:10.683

Reputation: 5 758

What do you mean by "If you were using an old PIX or ASA between the two subnets then one would be able to initiate contact into the other but not vice versa"? – PeanutsMonkey – 2011-10-28T00:35:40.483

The PIX is configured by zones. Ports in one zone cannot initiate contact to more secure zones. Ports in more secure zones can initialize contact to less secure zones. So it helps in keeping malware in the less secure zone. – RobotHumans – 2011-10-28T02:06:07.737
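As an added example (not code from any of the posters above), here is the zone-level policy RobotHumans describes, modelled for the three-NIC Linux box mentioned in the answer: each interface gets a security level, a new connection is only forwarded from a higher level to a lower one, and replies ride on connection tracking. The interface names eth0/eth1/eth2 and the level numbers are assumptions; the script renders the policy as an nftables ruleset you can inspect before loading.

```python
# Three-zone forwarding policy in the PIX/ASA style: WAN < dirty < clean.
# Constructed mapping of interface -> (zone name, security level); higher is more trusted.
# Interface names and levels are assumptions for this example.
ZONES = {
    "eth0": ("wan", 0),      # modem side
    "eth1": ("dirty", 50),   # test machines browsing without AV
    "eth2": ("clean", 100),  # machines used regularly
}


def may_initiate(src_if: str, dst_if: str) -> bool:
    """True if a NEW flow arriving on src_if may be forwarded out dst_if.

    Only a more-secure zone may open connections toward a less-secure one,
    so dirty -> clean is refused while clean -> dirty and both -> WAN pass.
    """
    _, src_level = ZONES[src_if]
    _, dst_level = ZONES[dst_if]
    return src_level > dst_level


def nft_ruleset() -> str:
    """Render the policy as an nftables table: drop-by-default forward chain
    plus NAT toward the WAN so both subnets share one Internet connection."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",  # replies to allowed flows
        "    ct state invalid drop",
    ]
    for src in ZONES:
        for dst in ZONES:
            if src != dst and may_initiate(src, dst):
                lines.append(f'    iifname "{src}" oifname "{dst}" ct state new accept')
    lines += [
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100; policy accept;",
        '    oifname "eth0" masquerade',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())  # pipe into `nft -f -` on the firewall box after review
```

A plain router between the two subnets forwards every pair, which is the "no additional security" case Zoredache points out; the drop policy plus the level check is what turns the second subnet into an actual DMZ.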