Protection against malicious laptops
From Ammrl
This article is currently under construction. This notice will be removed as soon as it is ready.
Laptops connected to a corporate network are a permanent source of trouble: because the owner of the corporate network cannot control what is installed on these laptops, the machines may bring in anything. For this reason laptops are sometimes strictly banned from corporate networks. On the other hand, the use of laptops is sometimes desired, especially in schools and universities.
What can you do to protect your network against unwanted activities originating from these laptops? These might be worms or the undesired exchange of copyright-protected material.
One solution is the installation of a separate cabling system for laptops only. This special network is connected to the general network through a firewall with corresponding rules. This is a very expensive solution.
Here we present a solution which needs neither separate cabling nor the use of internal virtual private networks. The protection is not perfect, but sufficient for most environments.
Let us start with the underlying idea.
Assign all of your computers, including the laptops, to three different address ranges. For the moment we leave open the question of how to organize this. We assign three different colours to the address ranges:
- blue: public address range 129.187.121.x using the subnet mask 255.255.255.0
- red: private address range 192.168.5.x using the subnet mask 255.255.255.0
- green: private address range 192.168.17.x using the subnet mask 255.255.255.0
According to the rules of the IP protocol, blue computers can see only the other blue computers, green computers can exchange data only with green computers, and the same is true for the red computers.
There is no connection possible between green and red computers.
In this scheme you work with the blue computers; the green and red stations may be infected with any malicious software, but have no chance to influence the blue devices. Moreover, no red or green station can communicate with any station on the other side of the firewall. This seems to be a nice solution. Unfortunately, no data exchange between blue and green stations is possible either.
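The separation described above rests on two checks: two stations exchange IP packets directly only if their addresses fall into the same /24 network, and the firewall forwards only the public (blue) range. The following Python, an added example and not part of this article, models exactly that with the three ranges and the subnet mask given here; the firewall policy "forward blue only" is an assumption drawn from the statement that red and green stations cannot reach the other side of the firewall.

```python
import ipaddress

# The three address ranges of the article (colour -> network); constructed mapping.
MASK = "255.255.255.0"
COLOURS = {
    "blue": ipaddress.ip_network(f"129.187.121.0/{MASK}"),   # public range
    "red": ipaddress.ip_network(f"192.168.5.0/{MASK}"),      # known laptops
    "green": ipaddress.ip_network(f"192.168.17.0/{MASK}"),   # unknown laptops
}


def ranges_disjoint():
    """The scheme only works if no two colours overlap; check every pair."""
    nets = list(COLOURS.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def colour_of(addr):
    """Return the colour whose range contains addr, or None if it lies outside all three."""
    ip = ipaddress.ip_address(addr)
    for name, net in COLOURS.items():
        if ip in net:
            return name
    return None


def same_subnet(addr_a, addr_b, mask=MASK):
    """IP rule the article relies on: a host sends directly (no router) only to
    addresses whose network part, under the configured mask, equals its own."""
    net_a = ipaddress.ip_network(f"{addr_a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{mask}", strict=False)
    return net_a == net_b


def can_talk(addr_a, addr_b):
    """Direct data exchange is possible only inside one colour, since no router
    connects the three ranges to each other."""
    return same_subnet(addr_a, addr_b)


def firewall_forwards(addr):
    """Assumed firewall policy: only the public (blue) range passes to the other side."""
    return colour_of(addr) == "blue"


def reachability_matrix():
    """One sample station per colour; returns {(colour_a, colour_b): bool} for direct reachability."""
    samples = {name: str(net.network_address + 10) for name, net in COLOURS.items()}
    return {(a, b): can_talk(samples[a], samples[b]) for a in samples for b in samples}
```

Running `reachability_matrix()` reproduces the article's claim: only the diagonal (blue-blue, red-red, green-green) is reachable.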
Next, let us group the computers into the three different colours.
- blue: permanently installed computers under the control of the local admin, and very, very reliable laptops
- red: known laptops of the coworkers
- green: completely unknown laptops, e.g. those of guests