
Networking help required

13 June 2003, 11:43 AM
#1
Mickle (Thread Starter)

Let me explain the situation first...

I work in an office building with lots of little companies in it. We have an ADSL internet connection that we want to 'sub-let' out to the other companies in the building and I can't think of how to do it with security in mind.

If we cable up the building and plug everyone into a switch that in turn is plugged into an ADSL router, everyone has the potential to see everyone else on the network.

I guess what I'm asking is: is there a piece of hardware out there like a switch where I can block everyone from seeing everyone but allow them access to the internet?

Mike

13 June 2003, 12:21 PM
#2
ragnarock2

Could you not use a router?

13 June 2003, 12:23 PM
#3
carl

You need a router. Probably a fairly hefty one as you'll need an Ethernet port per customer -- one of the little ones with a WAN port and one or more LAN ports is no good, as the LAN ports are just on a hub.

Could be even more complex, actually, as the customers may well have overlapping address space. In which case you'll need a router per customer, NAT the addresses into some sort of infrastructure address range, and then you'll need another router between those and the ISP.

Or use some sort of VPNs.


[Edited by carl - 6/13/2003 12:26:08 PM]

13 June 2003, 12:38 PM
#4
Jeff Wiltshire

It would all come down to money in the end.

If money is relatively no object then you would supply a firewall to each customer which they would/could administer...this would be the most secure solution.

The 'cheap' option would be to have a core switch which was capable of VLANs and routing. This would be managed by you. Not a completely secure solution but it would work for 99.9% of customers.

13 June 2003, 01:07 PM
#5
carl

I did think of the VLANs thing -- the trouble is that your ISP connexion has to appear on all VLANs. I guess a fairly big switch with some sort of router blade would do the job, but you're talking serious money there. For up to, say, half a dozen customers you may as well have a pokey little router per customer.

13 June 2003, 01:33 PM
#6
Mickle (Thread Starter)

Cheers guys,

Boss is going to be a right skinflint on this one and he's going to suggest that everyone gets Norton Internet Security and allow IPs in a certain range through, then plug their hubs into our hub and our hub into an ADSL router.

Not a business solution if you ask me.

13 June 2003, 01:51 PM
#7
carl

So what happens if they've got overlapping IP address space? I reckon it's pretty likely they're all using 192.168.x.x or 10.x.x.x.

13 June 2003, 01:53 PM
#8
Mickle (Thread Starter)

He's going to allocate them address ranges and change the workgroups. It's a hacker's paradise and I can't seem to change his mind. You wait, something will happen with one of the other companies' data and we'll get the blame.

13 June 2003, 01:57 PM
#9
carl

So each of the companies has to re-address their entire network?

13 June 2003, 02:02 PM
#10
Mickle (Thread Starter)

Yup, madness I tell you, pure madness!

I thank you again for your kind words of wisdom which I did pass on to the boss and who kindly ignored them all!

13 June 2003, 03:01 PM
#11
Dr Hu

Is there no way of giving each company a different subnet address?

As you cannot browse across subnets, does this not fix your problem?

Just have the ADSL router as the Gateway?

....or would the router gateway pass on the browse packets...hmmmm

Talking myself out of it here...LOL

13 June 2003, 03:29 PM
#12
SiCotty

Why don't all the companies get ADSL? It will be more secure and will solve any arguments due to people using it too much. Alternatively, it will be easier to use a switch with a trunk into a router which is running a firewall as well. The router can then firewall all the networks. Use DHCP to assign addresses to each group of companies and then perform NAT on everybody. You could then do a bit of queuing to prevent apps such as HTTP and FTP hogging the line.

Si

13 June 2003, 05:11 PM
#13
Chris L

Mickle

Try the Data Protection Act angle. If your company holds private information on your customers (or your own staff), then you have a duty to protect this information. You have to take 'reasonable steps' to protect the info - now this is open to interpretation but I don't think what your boss is suggesting would be viewed as a sensible thing to do.

Perhaps also mention that he could be held liable, big fines etc. etc.

Chris

13 June 2003, 10:30 PM
#14
BlueBlood

You could do what SiCotty suggests with OpenBSD 3.3 and IPFilter. So all you have to buy is the switch and the machine to run it on...oh and the skills to build it if not available in house......
Bad idea if not done correctly. Make sure you have email etc. suggesting the right way to do this if you are responsible for the security/network. Then your boss takes the blame if any issues.

PS, this is how the large managed office companies do it - just not with OpenBSD.
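
Added example (not part of any post in this thread): a planning sketch for the design SiCotty and carl describe, with one VLAN and one router-assigned subnet per company, NAT to the ADSL uplink, and everything between tenants dropped at the router. The tenant names, their existing ranges, the 172.16.0.0/20 infrastructure block and the VLAN numbering are all assumptions made up for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: the LAN range each tenant uses today (hypothetical).
EXISTING = {
    "tenant_a": "192.168.0.0/24",
    "tenant_b": "192.168.0.0/24",
    "tenant_c": "10.0.0.0/8",
    "tenant_d": "10.1.2.0/24",
}
# Assumed infrastructure block, carved into one /24 per tenant VLAN.
INFRA = ipaddress.ip_network("172.16.0.0/20")

def overlapping(existing):
    """Return sorted tenant pairs whose current ranges collide."""
    nets = {t: ipaddress.ip_network(n) for t, n in existing.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def allocate(tenants, infra=INFRA, first_vlan=10):
    """Give each tenant its own VLAN id and a non-overlapping /24 (served by DHCP)."""
    subnets = infra.subnets(new_prefix=24)
    return {t: (first_vlan + i, next(subnets))
            for i, t in enumerate(sorted(tenants))}

def verdict(plan, src, dst):
    """Router policy: tenant to internet is NATed, tenant to anything internal is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    owner = next((t for t, (_, net) in plan.items() if src in net), None)
    if owner is None:
        return "drop: source is not on a tenant VLAN"
    if dst in plan[owner][1]:
        return "local: same VLAN, never reaches the router"
    if not dst.is_global:
        return "drop: inter-tenant or internal destination"
    return "nat: forward to ADSL uplink"

if __name__ == "__main__":
    print("colliding ranges today:", overlapping(EXISTING))
    plan = allocate(EXISTING)
    for tenant, (vlan, net) in plan.items():
        print(f"{tenant}: VLAN {vlan}, subnet {net}")
    print(verdict(plan, "172.16.0.5", "172.16.1.9"))
    print(verdict(plan, "172.16.0.5", "8.8.8.8"))
```

The overlap check shows why the tenants' current ranges cannot simply be joined on one hub, and the verdict function is the rule set the router/firewall has to enforce regardless of what each tenant runs on its own PCs.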
