Hi,

[Apologies, this is long; I just wanted to explain the whole story.]

I work in an educational institute and have inherited a departmental network of machines connected via a router to a central network, which is connected to the Net. All machines have a class C address. The big problem: there are no firewalls in place departmentally or centrally. There doesn't seem to be any router filtering in place either departmentally or centrally. There are obvious "political" issues to be addressed, but I want to put some "protection" in place ASAP. I have control over dept. machines (Unix/NT), but no control over any routers (centrally controlled).

I have 3 class C subnets, 2 of which contain a mixture of dedicated staff Unix and NT machines, including web servers, NIS slaves, PDCs etc. The NIS master lives on the central network; I have slaves (I will move on to our own dedicated NIS/LDAP setup once I completely untangle myself from the central setup, a long job). The 3rd is a lab of 250 dual-boot (NT/Linux) student PCs which mounts home areas (Unix and NT) from servers living on one of the other 2 networks. Likewise for package servers etc.

I'm generally worried by the lack of consideration given to security and want to (in the medium term) protect departmental services, but my immediate concern is the student subnet, which I believe to be most open to external attack and internal abuse. I don't have budget (yeah, what's new!) for a commercial solution but can use Linux/*BSD etc. I would like to stick some kind of "solution" on the student subnet to restrict access to services in and out of this subnet, but in the short term I would probably need to allow NFS, NIS and NT access to the servers on the other subnets (I know this is bad, but I want to do this in a piece-by-piece approach and can control these when I get protection in place at the departmental level). If I can help with bandwidth issues (i.e. Napster; I know what the FAQ says :-) as a side effect, even better.

The student subnet is using 250 class C IPs. It would be nice to do NAT or something to free up IPs; else do I have to get into putting routing in place on my firewall solution and allowing DHCP through as well, so I have internal routing? That sounds complicated to me.

Can someone please offer advice (other than "you work in a crazy place" :-) on what I could stick on the student subnet to protect it, allowing for NFS, NT, NAT, NIS etc. (I know, I know)? Phase 2 would be to move protection on to the departmental level, but I have to prove the theory first with phase 1 (student subnet), proof of concept etc., and I mistrust this subnet the most, especially from internal users. I will tackle "political" issues, but the nature of the institution is that technology will do more, quicker. I really don't know the best way forward; I have bits and pieces; I can't go for an all-out attack straight away, so I'd like to prove the concept and get people on side without affecting the use of legitimate services, and possibly in the process recover some IPs and maybe bandwidth. By tackling this subnet I can make progress.

All advice gratefully received, and once again apologies for the lengthy message.

Regards,
Shin
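To make the phase-1 idea concrete, here is an added example (not from the original post or any reply) of a ruleset generator for a Linux box placed between the student lab and the department: the lab PCs get private addresses behind NAT, no new connections from outside are forwarded in, and only NFS, NIS, NT file/logon traffic and DNS to the two staff/server subnets, plus web browsing, are forwarded out. All addresses, interface names and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the poster's setup. Addresses are constructed placeholders
# (RFC 5737 / RFC 1918 ranges); replace them with the real subnets.
STUDENT_NET="10.10.0.0/24"                    # private range the lab PCs get behind NAT
DEPT_NETS="198.51.100.0/24 203.0.113.0/24"    # the two staff/server class C subnets
OUT_IF="eth0"                                 # towards the department router
IN_IF="eth1"                                  # towards the student lab

rule() { printf '%s\n' "$*"; }                # printf, so a leading "-A" is never eaten

# Emit a complete ruleset in iptables-restore format on stdout.
build_ruleset() {
  rule "*nat"
  rule ":PREROUTING ACCEPT [0:0]"
  rule ":POSTROUTING ACCEPT [0:0]"
  rule ":OUTPUT ACCEPT [0:0]"
  # One class C address on $OUT_IF serves all 250 PCs, freeing the rest.
  rule "-A POSTROUTING -s $STUDENT_NET -o $OUT_IF -j MASQUERADE"
  rule "COMMIT"
  rule "*filter"
  rule ":INPUT DROP [0:0]"
  rule ":FORWARD DROP [0:0]"                  # default deny in both directions
  rule ":OUTPUT ACCEPT [0:0]"
  rule "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for net in $DEPT_NETS; do
    # NFS and NIS both go through the portmapper (111) plus nfsd (2049). mountd,
    # lockd and ypserv pick dynamic ports unless pinned on the servers; pin them
    # there and add those ports here, otherwise mounts and NIS binds will fail.
    for proto in tcp udp; do
      rule "-A FORWARD -i $IN_IF -s $STUDENT_NET -d $net -p $proto --dport 111 -j ACCEPT"
      rule "-A FORWARD -i $IN_IF -s $STUDENT_NET -d $net -p $proto --dport 2049 -j ACCEPT"
    done
    # NT file sharing and domain logon to the PDC
    rule "-A FORWARD -i $IN_IF -s $STUDENT_NET -d $net -p udp --dport 137:138 -j ACCEPT"
    rule "-A FORWARD -i $IN_IF -s $STUDENT_NET -d $net -p tcp -m multiport --dports 139,445 -j ACCEPT"
    # DNS: assumes the resolvers the lab uses live on the department subnets
    rule "-A FORWARD -i $IN_IF -s $STUDENT_NET -d $net -p udp --dport 53 -j ACCEPT"
  done
  # Web browsing anywhere; nothing else (peer-to-peer included) has a path out.
  rule "-A FORWARD -i $IN_IF -s $STUDENT_NET -p tcp -m multiport --dports 80,443 -j ACCEPT"
  rule "-A FORWARD -j LOG --log-prefix \"fw-drop: \""   # see what the policy drops
  rule "COMMIT"
}

# Print the ruleset by default; pass --apply (as root) to load it.
if [ "${1:-}" = "--apply" ]; then build_ruleset | iptables-restore; else build_ruleset; fi
```

Inbound traffic to the lab never matches an ACCEPT rule, so the FORWARD policy drops it and the LOG line shows what was attempted; with NAT in place the same box can also run DHCP for the private range, which keeps routing and DHCP off the central routers.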
