
OT:Blocking internet to networked machine computers?

Cuda (Hot Rolled; joined May 21, 2005; Alabama)
Our shop is going to install computers on all the CNC machines to allow programming at the machine instead of running back and forth to the main computer room we have now. We want to have the machines networked and be able to send and receive e-mail, but we don't want the operators playing on the internet. Any simple suggestions on how to do this?
 
You need to get a firewall and router. How you configure it depends on your network map.

More robust models will allow you to define allowable services by machine number or even address range.

Do you have a network consultant? I think your money is best spent retaining professional help to design the network and the services.

Could you learn it? Sure, but is it worth your time to learn it all, or can you make more money making parts to pay someone?

sinneD
 
Install a firewall (such as the free version of Zone Alarm) on each computer and set it not to allow access to the internet. The firewall is easy to configure. Not rocket science.

Definitely, if you are not computer networking savvy, hire a consultant to set up your network.

alg4884
 
The problem with machine-installed software is that it can be defeated by the operator. Physical control of the machine means the operator can hack it.

OP said that he wants email access only, meaning that he needs some connectivity. Is your mail server in-house or out of house?

Basically, on the firewall, you would create a rule to deny all traffic from those machines, and then write 2 rules: one that would allow unrestricted traffic to the local network, and one that would allow outbound traffic on internet-destined POP and SMTP ports.
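As an added illustration (not code from the thread), here is a first-match model of those three rules with constructed addresses; it shows the check a practitioner would want, namely that the two allow rules have to sit above the catch-all deny or the mail exception never fires.

```python
# Added example: first-match evaluation of the deny-all / allow-LAN / allow-mail
# rule set described in the post. Subnets and hosts are constructed.
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                 # "allow" or "deny"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    ports: Optional[frozenset]  # None = any destination port

CNC_SUBNET = "192.168.10.0/24"     # constructed: the CNC machines' address range
LAN = "192.168.0.0/16"             # constructed: the whole local network
ANY = "0.0.0.0/0"
MAIL_PORTS = frozenset({25, 110})  # SMTP and POP3, the ports the post names

# Evaluated top to bottom, first match wins: the specific allows must come
# BEFORE the catch-all deny, otherwise the deny shadows them.
RULES = [
    Rule("allow", CNC_SUBNET, LAN, None),        # unrestricted traffic to the local network
    Rule("allow", CNC_SUBNET, ANY, MAIL_PORTS),  # outbound POP/SMTP to the internet
    Rule("deny",  CNC_SUBNET, ANY, None),        # everything else from those machines
]

# The same rules in the order the post lists them (deny first): e-mail breaks too.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

def decide(rules, src_ip, dst_ip, dport, default="allow"):
    """Return the action of the first rule matching the flow, else the default."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.ports is None or dport in rule.ports)):
            return rule.action
    return default

if __name__ == "__main__":
    cnc = "192.168.10.7"  # constructed CNC host
    for dst, port in (("192.168.1.5", 445), ("203.0.113.10", 25), ("203.0.113.10", 80)):
        print(dst, port, "ordered:", decide(RULES, cnc, dst, port),
              "misordered:", decide(MISORDERED, cnc, dst, port))
```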
 
Why not just uninstall Internet Explorer? You can use whatever program for email but can't use the internet without a web browser.
 
Configure the firewall to allow your e-mail program (be it Outlook, Thunderbird, or whatever) incoming and outgoing access. At the same time, set the configuration to deny your browser (MS-IE, Firefox, Opera, etc.) the same access.

As I mentioned earlier, use a firewall program from a second vendor. Zone Alarm (even the free version) is a good one, but you will not be able to legally use the free version in business or commercial use. The firewall that comes with Windows is pretty much a joke.

alg4884
 
Well, it's going to take some know-how.

The main problem I can see is if the mail server is on the internet, you'll need to have an internet connection anyway. Your router could block traffic from the standard internet port to the selected group of machines, and just allow traffic on the e-mail ports. There are a NUMBER of ways to do this, and the right one depends on how the network is set up, and how smart the people that program the CNCs are. I'd imagine those guys are pretty smart, so you'd have to lock it down pretty tight. Probably have it so only certain MAC addresses are allowed to get IPs in the range that's allowed to have port 80 internet traffic. Then assign all the CNC puters to another range by MAC address with rules to block everything else from the net, except what's needed. This would still allow you to have e-mail, and some other things that need internet connections to work. If the mail server is in house, you could just block ALL the traffic from the net to those machines, and it's completely foolproof. If your CNC guys are smart, they COULD still gain net access with a couple of tricks. You might have to set up their logon with a security script to deny access to the network properties, or anywhere else they could change the MAC address if they're really persistent. Any software solution is EASILY defeated, and totally worthless to block anybody with any computer smarts. If I lived closer, I'd set it up, for a reasonable fee.
 
Why not just uninstall Internet Explorer? You can use whatever program for email but can't use the internet without a web browser.

Unfortunately, some programs require Internet Explorer to be installed to get internet access for upgrades or support. Windows being one of them.

alg4884
 
Thanks for the replies. Looks like it may be tougher than I thought. The e-mail server is off site, so internet access is required. I was hoping I could just change some obscure setting somewhere to block IE from working, and the guys that use the machines are not very computer savvy, so I doubt they could change it.
 
This works

Firstly, the machines don't need e-mail, they just need the CNC program files. Put them where every machine can see them on the network, then they can all get them off the network.

Start a well defined and reasonable internet usage policy and make sure everybody knows about it and signs off on the program.

Then immediately fire the first sumbitch that didn't listen and browsed the web when he should have been working. The rest of the guys will get the message.
 
You can add a logon script to block IE.

First off, I'm assuming you have Windows XP or 2000. I dunno if you have a domain or whatever there. If you have a domain, you could make sure the CNC operators' user accounts have a logon script assigned to them so that IE is blocked on their machines. If it's just a bunch of independent machines, you'll have to assign the logon script per machine. Type "gpedit.msc" in the run box; you'll need to be logged on as an admin. Go to Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules. Right click the Additional Rules folder and select "New Internet Zone Rule". Under Internet zone, select Internet, set the security level to Disallowed, and apply. NO MORE INTERNET!!! If it's a domain, you can block it under User Configuration, but it's more difficult; this will also work in a domain, though. I doubt your guys will figure that out if they're not computer savvy.
 
I was hoping I could just change some obscure setting somewhere to block IE from working, and the guys that use the machines are not very computer savvy, so I doubt they could change it.


Don't bet on it. It took our network dorks (very large corporation) a couple of years to completely block out internet access to our shop floor networked computers. There's a hundred ways to get to the internet, and somebody eventually found them all.
It took them even longer to block out Explorer access to all the shared folders and drives on the network, which made for some VERY embarrassing episodes when a Mexican outsourcing plan got forwarded to the local news media.
The IT geeks had management convinced there was a professional computer hacker in their midst, when in reality everyone on the shop floor had extremely open access to the information by way of some office dude that was backing up his personal computer onto the network daily.

Do what you can, and then set up an internet usage policy with some teeth to it. Make it painfully clear that abuse will not be tolerated. Even allowing email is tough; people hand out email addresses just like cell phone numbers and can spend an incredible amount of time playing with email.
More than 50% of my company email is garbage distributed on the internal system. Everyone that ever knew me there forwards all the crap to me.


The next thing you need is a cell phone jammer............
 
Can't uninstall IE. It is integrated into Windows. It is the windowing system.

Use a good router with access privileges and filter out all HTTP and HTTPS services. You should be able to exempt Windows Updates. I recommend getting a Linksys router and installing DD-WRT on it. It is a free firmware that adds all sorts of goodies only found in high-end multi-hundred-dollar routers.

Tdkkart, cell phone jammers are illegal. Get caught using one and BIG FCC fine. Then also imagine there is an emergency and someone can't call 911. Bad idea all around.
 
Seriously, all you need to do is not put in a default route in the internet configuration. This will prevent people from getting on the "greater internet" and prevent people from connecting to the computers from the outside (it acts as a blackhole).

There are 2 ways: you either manually configure each computer with an IP address, but leave the default route empty, or 0.0.0.0. Or you set up a DHCP server (wireless router gizmo) with the default route set to 0.0.0.0.

The second option will allow you to still get onto the internet from the router, but the computer must have the default route set to the proper address for the router. You can make the address secret (don't tell anyone) and the casual user will be thwarted in their attempts to "get on the interweb" by being tricky.

Then there's the tried and true method of putting the shop computers on a physically separate network, using private IP space, with no gateway to the outside world. Now, you say the office computer needs access? Just put a second network card or wireless card in it and use that as the Internet connection; meanwhile the shop floor is on a physically separate network, and no amount of clever trickery can gain them Interweb access.
 
Our shop is going to install computers on all the CNC machines to allow programming at the machine instead of running back and forth to the main computer room we have now. We want to have the machines networked and be able to send and receive e-mail, but we don't want the operators playing on the internet. Any simple suggestions on how to do this?

Simplest way is to hire a network security consultant. There is no "click this button" to properly engineer a secure network.

Cleaning up from one good dose of malware would have paid for the consultant to come in and engineer the network.

Find an engineer that has had experience dealing with highly secure environments like a large financial institution for example and have him apply the same policies to your environment.

You will be glad you did.
 
Seriously, all you need to do is not put in a default route in the internet configuration. This will prevent people from getting on the "greater internet" and prevent people from connecting to the computers from the outside (it acts as a blackhole).

There are 2 ways: you either manually configure each computer with an IP address, but leave the default route empty, or 0.0.0.0. Or you set up a DHCP server (wireless router gizmo) with the default route set to 0.0.0.0.

The second option will allow you to still get onto the internet from the router, but the computer must have the default route set to the proper address for the router. You can make the address secret (don't tell anyone) and the casual user will be thwarted in their attempts to "get on the interweb" by being tricky.

Then there's the tried and true method of putting the shop computers on a physically separate network, using private IP space, with no gateway to the outside world. Now, you say the office computer needs access? Just put a second network card or wireless card in it and use that as the Internet connection; meanwhile the shop floor is on a physically separate network, and no amount of clever trickery can gain them Interweb access.

+1, no default route. Put them all on a closed IP range (192.168.x.x or 10.x.x.x) and they'll be able to talk to all the other computers on the subnet but not route out of it.
I'd personally go with a static setup rather than trusting DHCP for this, and just have an Excel spreadsheet detailing which IP belongs to which machine (and add a column for the MAC too).
For the few computers that do need internet access, put the router IP in as their default route, and get it to NAT the closed private IP range onto a public IP.
If you make the router IP non-default (stick it on say .220 instead of .1 or .254 like they tend to default to), someone will have had to go searching for it first. If your router has it in its functions, they have config where you can say only allow machines xyz and efg onto the public internet too.
Get your SA to check the logs (or whoever gets the SA role), and if any of the private IPs that shouldn't access the router do, you should have date/time information to identify who changed their setup to let them do that. Then it's a matter of enforcing policy, and you have a person who has demonstrably altered their machine to bypass that.

If you go the closed separate network route, make sure somebody doesn't enable bridging on any of the multi-interfaced computers (it's a single click) or you'll be back at square one if anyone twigs and routes via it...

For the mail server, run a local one and allow it access to the outside world (and either collect all your company email via ETRN from your ISP and have them as your smarthost (I much prefer this) or allow port 25 into it for SMTP (more risky in case it gets hacked)); then there's no need for any of the boxes to have to go out of your network to go fetch mail. Then it can be set up to virus inspect, filter for spam and do other mail functions beforehand...
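The log check suggested above, as an added example that is not from the thread: it scans constructed router log lines in an iptables-style LOG format (real router output varies), flags any private-range host forwarded to the WAN interface that is not on the allow list, and looks each hit up in the IP/machine/MAC inventory the post recommends keeping. All addresses, names and the log layout are constructed.

```python
# Added example: audit constructed router logs for unapproved hosts reaching the
# internet and cross-reference them with the inventory spreadsheet.
import csv
import io
import ipaddress
import re

# Constructed inventory in the "IP, machine, MAC" layout the post describes.
INVENTORY_CSV = """ip,machine,mac
192.168.10.7,Haas VF-2,00:11:22:33:44:07
192.168.10.8,Mazak QT-10,00:11:22:33:44:08
192.168.10.220,office-pc,00:11:22:33:44:dd
"""
INTERNET_ALLOWED = {"192.168.10.220"}  # constructed: hosts permitted to route out

# Constructed lines in an iptables-style LOG format; OUT=vlan1 means forwarded to the WAN.
LOG_LINES = """\
May 21 10:32:11 router kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.10.220 DST=203.0.113.10 PROTO=TCP DPT=443
May 21 10:35:02 router kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.10.7 DST=203.0.113.10 PROTO=TCP DPT=80
May 21 10:35:09 router kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.10.7 DST=198.51.100.5 PROTO=TCP DPT=80
May 21 10:40:44 router kernel: FWD IN=br0 OUT=br0 SRC=192.168.10.8 DST=192.168.10.7 PROTO=TCP DPT=445
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) .*? OUT=(?P<out>\S+) SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")

def load_inventory(text):
    """Map IP -> {ip, machine, mac} from the CSV inventory."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}

def find_violations(log_text, allowed, inventory, wan_if="vlan1"):
    """Return (timestamp, src, dst, dport, machine, mac) for every forward to the
    WAN interface whose private source IP is not on the allow list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["out"] != wan_if:
            continue  # unparsable, or LAN-to-LAN traffic that never left the subnet
        src = m["src"]
        if src in allowed or not ipaddress.ip_address(src).is_private:
            continue
        row = inventory.get(src, {"machine": "UNKNOWN", "mac": "?"})
        hits.append((m["ts"], src, m["dst"], int(m["dport"]), row["machine"], row["mac"]))
    return hits

if __name__ == "__main__":
    for hit in find_violations(LOG_LINES, INTERNET_ALLOWED, load_inventory(INVENTORY_CSV)):
        print(*hit)
```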
 
The default route would kill e-mail.

The e-mail server is out on the net somewhere, so they NEED to have LIMITED internet access. Basically he wants to kill the ability to browse the net, which needs to be done at the router or there will ALWAYS be ways through. Even then, smart ones can still get access, it's just harder.
 
The e-mail server is out on the net somewhere, so they NEED to have LIMITED internet access. Basically he wants to kill the ability to browse the net, which needs to be done at the router or there will ALWAYS be ways through. Even then, smart ones can still get access, it's just harder.

Sorry, I added the email server bit as you posted, but if there's a local machine acting as the local mail server, they don't need access at all.

It's also better to do it with the default route AND the router if the router has this facility too (as in my original post); then the config has to be altered in two places to make it work, handy for the day someone just misconfigures the router to test something out...
 
Firstly, the machines don't need e-mail, they just need the CNC program files. Put them where every machine can see them on the network, then they can all get them off the network.

They do need e-mail. When they have trouble with programming a part they can e-mail the software company and get an answer quickly that way.
 