Network security and control

scarletwitch
I have 10 machines, all running Windows 7 Pro, 3 machines running Windows 11, 1 Windows server acting as the server, and a few printers. All connected through a D-Link unmanaged 24-port switch.

I'd like to monitor local transfers, in case somebody copies huge data from a PC onto a hard drive, all the internet connections made by the applications, and block certain hosts and computers on the go. I currently do this with the individual hosts files. I'd also like to see and block devices using my Wi-Fi by their name or MAC address on the go. Just wanting to have control over who gets connected to my network and what comes into the network and what goes out. I also have a few notorious students sometimes coming into my office and plugging in their laptops with loads of illegal software, which I really resent, but I understand where they're coming from. I'd like to block all their apps from connecting to the internet except Chrome. Any solution for this?

Somebody told me that I should get a Switch Pro 24 PoE from Ubiquiti and I can set up VLANs for the rules.

I don't really know where to start :( Any help in this direction would be greatly appreciated.
 
I'd like to monitor local transfers, in case somebody copies huge data from a PC onto a hard drive
This is completely different from everything else you're looking for. This has nothing to do with the network and can't be prevented by a network device. The easiest solution would be to disable USB file copy on Windows using the Group Policy Editor.
I'd also like to see and block devices using my Wi-Fi by their name or MAC address on the go.
I don't know what you mean by "on the go", but as far as I know, almost all routers allow this. Look for MAC filtering and blacklist the IPs. However, given your use case, it would be better to follow a whitelisting model where only specifically permitted devices can connect.

I'd like to block all their apps from connecting to the internet except Chrome. Any solution for this?
Blocking specific apps is only possible through on-device firewall software. A network device does not know what app is connecting; it only knows the device, IP, and port.

Look at TP-Link omada controller. You'll need a compatible router, which may cost 10k or more depending on your requirements.

Also, for manageability, I'd recommend taking and resolving one issue at a time.
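As an added example of the on-device approach described above (this is not code from the thread or from any of the products mentioned), the following script puts the Windows host firewall into default-deny outbound and allows only Chrome plus the services the machine needs to stay on the network. It uses netsh advfirewall rather than the newer NetSecurity cmdlets so that the same script runs on both the Windows 7 and the Windows 11 machines. The Chrome paths are the default install locations and the LAN server address 192.168.1.10 is an assumption; adjust both. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: allow only Chrome outbound on a Windows PC.
# Works on Windows 7 through 11 because it drives netsh advfirewall. Needs admin.

# Default Chrome locations (assumption); keep whichever actually exists on this PC.
$chrome = @(
    "C:\Program Files\Google\Chrome\Application\chrome.exe",
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
) | Where-Object { Test-Path $_ }
if (-not $chrome) { throw "chrome.exe not found in the default locations" }

# 1. Default-deny in both directions (inbound is already blocked by default;
#    outbound normally is not, which is why every app can phone home).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow Chrome by executable path. A renamed binary does not match.
foreach ($exe in $chrome) {
    netsh advfirewall firewall add rule name="Allow Chrome" dir=out action=allow program="$exe" enable=yes
}

# 3. Keep name resolution and address leasing working. Both run inside svchost.exe.
#    Windows ships built-in "Core Networking" rules for this; these explicit rules
#    make the dependency visible and survive if someone disabled the built-ins.
$svchost = "$env:SystemRoot\System32\svchost.exe"
netsh advfirewall firewall add rule name="Allow DNS"  dir=out action=allow program="$svchost" protocol=udp remoteport=53 enable=yes
netsh advfirewall firewall add rule name="Allow DHCP" dir=out action=allow program="$svchost" protocol=udp localport=68 remoteport=67 enable=yes

# 4. Let the office server (domain logon, file shares, print) through by address.
#    192.168.1.10 is an assumption; replace with the real server IP.
netsh advfirewall firewall add rule name="Allow LAN server" dir=out action=allow remoteip=192.168.1.10 enable=yes

# 5. Verify: the policy line should read BlockInbound,BlockOutbound and the
#    allow rules we just added should be listed.
netsh advfirewall show allprofiles | Select-String "Firewall Policy"
netsh advfirewall firewall show rule name=all dir=out | Select-String "^Rule Name:" | Select-String "Allow"
```

Expect breakage at first: Windows Update, antivirus updates, time sync and anything else that is not Chrome or the LAN server will be blocked until you add a rule for it, which is the point of default-deny. On the domain-joined office PCs the same rules can be pushed centrally from the Windows server through the Windows Firewall with Advanced Security node of a Group Policy object instead of running the script on each machine. It cannot be applied to the students' own laptops, where you do not control the firewall.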
 
This is completely different from everything else you're looking for. This has nothing to do with the network and can't be prevented by a network device. The easiest solution would be to disable USB file copy on Windows using the Group Policy Editor.
I know I can do this. I don't want to disable it. I just want to see if somebody copied something huge. Just a total of data copied would do. I understand this can't be done on a network level. I'll try to find a local PC-level solution for this.

I don't know what you mean by "on the go", but as far as I know, almost all routers allow this. Look for MAC filtering and blacklist the IPs. However, given your use case, it would be better to follow a whitelisting model where only specifically permitted devices can connect.
I know the router gives the MAC filtering but I was hoping for a better interface where I can name those devices and see how much bandwidth they've consumed. You know, just more data and controls. I'll explore the whitelisting now.
Look at TP-Link omada controller. You'll need a compatible router, which may cost 10k or more depending on your requirements.

Also, for manageability, I'd recommend taking and resolving one issue at a time.
Gotcha! I'll explore this.

Thanks a lot, @gourav for taking the time and replying so quickly.
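As an added example (not from the thread), the script below shows both halves of this exchange in one place: the registry value that the Group Policy setting "Removable Disks: Deny write access" writes, which is the blocking approach gourav describes, and the monitoring alternative asked for, which enables Windows' "Removable Storage" audit subcategory and reports who wrote which files to removable media from Security event 4663. The function names are my own. Two caveats: the Removable Storage audit subcategory exists only on Windows 8 / Server 2012 and later, so the Windows 7 machines in the thread cannot produce these events; and the event records file names and access type, not byte counts, so "how much was copied" has to be judged from the file list. Run from an elevated prompt.

```powershell
# Added example, not from the thread. Needs an elevated prompt.

function Disable-RemovableWrite {
    # This is the policy value that the GPO "Removable Disks: Deny write access"
    # (Computer Configuration) sets. The GUID is the disk-drive device setup class.
    # Remove the value (or set it to 0) to revert. Not needed if you only want to watch.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Deny_Write -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-RemovableStorageAudit {
    # Turns on the "Removable Storage" advanced audit subcategory (Windows 8+).
    # File access on removable drives then lands in the Security log as event 4663
    # with task category "Removable Storage".
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
}

function Get-RemovableStorageWrites {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional indexes, which differ between event versions.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # AccessMask is a hex string such as "0x2". 0x2 = WriteData/AddFile,
        # 0x4 = AppendData; anything without those bits is a read or a plain open.
        $mask = [int]$data['AccessMask']
        if (-not ($mask -band 0x6)) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process = $data['ProcessName']
            File    = $data['ObjectName']
        }
    }
}

# Usage: enable auditing once, then review. One row per file written; the
# grouped view shows who wrote the most files to removable media in the period.
Enable-RemovableStorageAudit
Get-RemovableStorageWrites | Sort-Object Time | Format-Table -AutoSize
Get-RemovableStorageWrites | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending
```

The audit setting and the deny-write policy can both be delivered to all the domain-joined PCs from the Windows server via Group Policy (Advanced Audit Policy Configuration and Removable Storage Access respectively) rather than being set on each machine. Note that neither covers a copy to a network share, a phone in MTP mode, or a laptop the student brought in; they only see removable disks on the audited PC.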
 
all the internet connections made by the applications, and block certain hosts and computers on the go. I currently do this with the individual hosts files. I'd also like to see and block devices using my Wi-Fi by their name or MAC address on the go. Just wanting to have control over who gets connected to my network and what comes into the network and what goes out.
You may use Pi-hole for this one. It can keep a log of which computer is connecting to which website, etc. You can either install it on a small computer like a Raspberry Pi or use your Windows server; it can be installed on WSL.

I also have a few notorious students sometimes coming into my office and plugging in their laptops with loads of illegal software, which I really resent, but I understand where they're coming from. I'd like to block all their apps from connecting to the internet except Chrome. Any solution for this?
If by illegal you mean pirated, then do understand that without piracy India wouldn't have any software, graphics, etc. developers. India would remain in the stone age. There's an unwritten principle that students are allowed to use pirated apps. And it's okay. Pirated apps aren't always bad and don't pose any threat to your internet.

Secondly, there's no way of knowing if certain network requests originated from Chrome, as these requests are encrypted. You can only block select apps from accessing the internet if you could control the firewall on the students' laptops.

But for your own computers, you can have them in a master-slave relationship with your Windows server. Windows Server can tell its slaves to block applications. This is in fact why Windows Server is very popular in most corporate environments. It can be the central command to control all of the Windows machines in the company.

I'd like to monitor local transfers, in case somebody copies huge data from a PC onto a hard drive,
I'm sure some application exists for this sole purpose. You will have to find it and install it on all of your computers for monitoring.
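As an added example of what the Pi-hole log gives you (not code from the thread or from the Pi-hole project), here is a PowerShell summary of which machine asked for which domain and which of those requests the blocklist answered. The log lines are constructed to match the dnsmasq-style format of Pi-hole's /var/log/pihole.log; point the script at the real file (for a Pi-hole running under WSL on the Windows server that is reachable from Windows as \\wsl$\<distro>\var\log\pihole.log) instead of the sample. The IP-to-name table is an assumption standing in for your own machines, which is how you get the "name rather than IP" view asked for.

```powershell
# Added example, not from the thread. Summarises a Pi-hole query log per client.

# Assumed mapping from LAN address to a friendly name; fill in your own machines.
$clientNames = @{
    '192.168.1.23' = 'Lab-PC-04'
    '192.168.1.77' = 'Student-laptop-unknown'
}

# Constructed sample in Pi-hole's log format. Replace with:
#   $lines = Get-Content '\\wsl$\Ubuntu\var\log\pihole.log'
$sampleLog = @'
Jan 10 09:12:01 dnsmasq[612]: query[A] www.google.com from 192.168.1.23
Jan 10 09:12:01 dnsmasq[612]: forwarded www.google.com to 1.1.1.1
Jan 10 09:12:04 dnsmasq[612]: query[A] update.example-software.test from 192.168.1.77
Jan 10 09:12:04 dnsmasq[612]: gravity blocked update.example-software.test is 0.0.0.0
Jan 10 09:12:09 dnsmasq[612]: query[AAAA] telemetry.example-software.test from 192.168.1.77
Jan 10 09:12:09 dnsmasq[612]: gravity blocked telemetry.example-software.test is ::
Jan 10 09:13:30 dnsmasq[612]: query[A] www.google.com from 192.168.1.77
Jan 10 09:13:30 dnsmasq[612]: cached www.google.com is 142.250.0.1
'@

function Get-PiholeSummary {
    param([string[]]$Lines, [hashtable]$Names = @{})

    # Pass 1: domains that gravity (the blocklist) answered with a sinkhole address.
    # The "gravity blocked" line names the domain, not the client, so blocked
    # status is tracked per domain and joined back onto each query below.
    $blockedSet = @{}
    foreach ($line in $Lines) {
        if ($line -match 'gravity blocked (?<domain>\S+) is ') { $blockedSet[$Matches.domain] = $true }
    }

    # Pass 2: one object per query line, e.g.
    # "Jan 10 09:12:01 dnsmasq[612]: query[A] www.google.com from 192.168.1.23"
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\w{3}\s+\d+\s[\d:]+) dnsmasq\[\d+\]: query\[(?<type>\w+)\] (?<domain>\S+) from (?<ip>\S+)$') {
            $ip = $Matches.ip
            [pscustomobject]@{
                Time    = $Matches.ts
                Client  = if ($Names.ContainsKey($ip)) { $Names[$ip] } else { $ip }
                Type    = $Matches.type
                Domain  = $Matches.domain
                Blocked = $blockedSet.ContainsKey($Matches.domain)
            }
        }
    }
}

$summary = Get-PiholeSummary -Lines ($sampleLog -split "`r?`n") -Names $clientNames

# Per-client view: total queries and how many hit the blocklist.
# On the sample: Lab-PC-04 1/0, Student-laptop-unknown 3/2.
$summary | Group-Object Client | ForEach-Object {
    [pscustomobject]@{
        Client  = $_.Name
        Queries = $_.Count
        Blocked = @($_.Group | Where-Object { $_.Blocked }).Count
    }
} | Format-Table -AutoSize

# Which blocked domains each client tried, i.e. which apps are phoning home.
$summary | Where-Object { $_.Blocked } | Select-Object Client, Domain -Unique | Format-Table -AutoSize
```

Two limits worth knowing before relying on this. Pi-hole only sees DNS, so an application that talks to a hard-coded IP, or uses DNS over HTTPS inside its own process, never appears in this log; and it only helps if the clients actually use Pi-hole as their resolver, which means handing it out via DHCP and blocking other DNS servers at the router or host firewall. Pi-hole's own web interface shows the same per-client query list live; the script is for offline review or for feeding the blocked domains back into a hosts file.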
 
I was hoping for a better interface where I can name those devices and see how much bandwidth they've consumed.
Naming devices is possible in recent TP-Link routers (mine is a year old and has that feature).

However, for the kind of controls you're looking for, you definitely need a prosumer-level router/switch. TP-Link Omada routers are the ones I'm aware of. Then there are Ubiquiti routers. Unfortunately I don't have any experience with these products. You can check YouTube reviews to see if they have the features you want.

@enthusiast29 uses a pfSense router and might be able to chime in on whether something like that will be a good fit for this kind of use case. However, the hardware for that might work out to be pricey.
 
If by illegal you mean pirated, then do understand that without piracy India wouldn't have any software, graphics, etc. developers. India would remain in the stone age. There's an unwritten principle that students are allowed to use pirated apps. And it's okay. Pirated apps aren't always bad and don't pose any threat to your internet.
I totally understand your sentiment and I am all for this, but certain software companies have sent legal notices for using pirated software. If a student's computer is connected to my network, then I am responsible for them, according to their legal team. It's not just me; it has happened in the past to other peers of mine too. These are big companies and have managed to strong-arm a lot of my peers. There's a reason I pay for those software. That's why I want to be pretty wary of which app on which computer is sending and receiving data on my premises.

However, for the kind of controls you're looking for, you definitely need a prosumer-level router/switch. TP-Link Omada routers are the ones I'm aware of. Then there are Ubiquiti routers. Unfortunately I don't have any experience with these products. You can check YouTube reviews to see if they have the features you want.
Yes, I was recommended a Ubiquiti Pro Switch and its controller too. Wanted to know more about it. Shall study on Youtube.
I am okay with investing about 1L for the hardware if it solves my purpose.
 
So far 3 people have spoken. I wanted to see what AI has to say on this matter. It has given 3 different answers. If we retry, it can keep giving different answers every time.

I have 10 machines, all running Windows 7 Pro, 3 machines running Windows 11, 1 Windows server acting as the server, and a few printers. All connected through a D-Link unmanaged 24-port switch. I'd like to monitor local transfers, in case somebody copies huge data from a PC onto a hard drive, all the internet connections made by the applications, and block certain hosts and computers on the go. I currently do this with the individual hosts files. I'd also like to see and block devices using my Wi-Fi by their name or MAC address on the go. Just wanting to have control over who gets connected to my network and what comes into the network and what goes out. I also have a few notorious students sometimes coming into my office and plugging in their laptops with loads of illegal software, which I really resent, but I understand where they're coming from. I'd like to block all their apps from connecting to the internet except Chrome. Any solution for this?
Answer 1:

It sounds like you are looking for a network monitoring and management solution that can help you monitor and control network traffic on your network. There are many different solutions available that can help you do this, and the best one for you will depend on your specific needs and budget.
One solution you could consider is using a network monitoring and management tool like SolarWinds Network Performance Monitor (NPM). This tool allows you to monitor network traffic in real-time, including local transfers, internet connections, and device connections. It also provides the ability to block certain hosts or devices based on their name or MAC address, and can alert you when certain network activity occurs.
Another option is to use a network firewall, such as the built-in Windows Firewall, to control network traffic and block access to certain applications or devices. This can help you prevent unauthorized devices from accessing your network and block unwanted traffic from entering or leaving your network.
Overall, there are many different solutions available that can help you monitor and control network traffic on your network. It may be worth consulting with a network security specialist or IT professional to determine the best solution for your specific needs and budget.
Answer 2:

If you want to monitor and control the network traffic on your network, one option is to use a network-based intrusion detection and prevention system (IDPS). This type of system can monitor network traffic in real-time and alert you to any suspicious activity, such as large data transfers or connections to known malicious hosts. It can also block traffic from specific hosts or devices based on their IP address or MAC address.
Another option is to use a network firewall, which can also monitor and control network traffic. A firewall can be configured to block specific types of traffic, such as traffic from known malicious hosts, and can also be used to block specific applications from accessing the internet.
Both of these solutions can be difficult to set up and maintain, so if you are not familiar with networking and security, you may want to consider hiring a professional to help you implement and manage these solutions. Additionally, keep in mind that while these solutions can help to secure your network, they will not prevent students from bringing illegal software into your office, so you may want to consider other measures to address that issue.

Answer 3:

It sounds like you're looking for a network monitoring and management solution for your office. There are a few options available that can help you accomplish the tasks you've described.
One option is to use a network monitoring and management tool such as Microsoft System Center or SolarWinds Network Performance Monitor. These tools can help you monitor local network traffic, see which devices are connected to your network, and block specific hosts or devices. They can also help you monitor internet usage and block specific applications from accessing the internet.
Another option is to use a network security appliance, such as a firewall or a VPN, to monitor and control access to your network. A firewall can help you block specific devices or hosts from accessing your network, and a VPN can help you encrypt your internet traffic and restrict access to specific applications.
It's also worth mentioning that you can use the hosts file on each individual machine to block specific hosts or domains from being accessed. This can be a useful way to block access to certain websites or services on a per-machine basis.
In terms of blocking illegal software, it's worth noting that this is a difficult task and may not be possible to accomplish completely. However, using a network monitoring and management tool or a security appliance can help you prevent unauthorized software from accessing the internet, which can help reduce the risk of illegal activity on your network.
Overall, the best solution for your needs will depend on the specific requirements of your office and the resources available to you. It's worth taking the time to research and compare different options to find the solution that best fits your needs.
 
I'd like to monitor local transfers, in case somebody copies huge data from a PC onto a hard drive
This can be done by a local application installed on the computers. I'm sure you can google and find many ways.
I'd also like to see and block devices using my Wi-Fi by their name or MAC address on the go.
As said earlier, you can use MAC address filtering for this, and since you will only be allowing whitelisted IPs to use the AP, you need not worry about other non-whitelisted clients at all. Besides, most decent APs do have some kind of DHCP-based logging.
Otherwise you could go for pfSense/OPNsense for more detailed network monitoring and control, but mind you, this is a FreeBSD-based OS which is very picky with NICs, so it's advised to use Intel network cards only. For this you can find plenty of tutorials on YouTube.
I'd like to block all their apps from connecting to the internet except Chrome. Any solution for this?
Web application firewall software is what you're looking for. Something like FortiClient, which is used in many organizations. I'm sure this could also be easily searched for.
 