ScoobyNet.com - Subaru Enthusiast Forum

Networking help required (https://www.scoobynet.com/computer-and-technology-related-34/219593-networking-help-required.html)

Mickle 13 June 2003 11:43 AM

Let me explain the situation first...

I work in an office building with lots of little companies in it. We have an ADSL internet connection that we want to 'sub-let' out to the other companies in the building and I can't think of how to do it with security in mind.

If we cable up the building and plug everyone into a switch that in turn is plugged into an ADSL router, everyone has the potential to see everyone else on the network.

I guess what I'm asking is: is there a piece of hardware out there like a switch that I can use to block everyone from seeing everyone but allow them access to the internet?

Mike

ragnarock2 13 June 2003 12:21 PM

Could you not use a router?

carl 13 June 2003 12:23 PM

You need a router. Probably a fairly hefty one as you'll need an Ethernet port per customer -- one of the little ones with a WAN port and one or more LAN ports is no good, as the LAN ports are just on a hub.

Could be even more complex, actually, as the customers may well have overlapping address space. In which case you'll need a router per customer, NAT the addresses into some sort of infrastructure address range, and then you'll need another router between those and the ISP.

Or use some sort of VPNs.


[Edited by carl - 6/13/2003 12:26:08 PM]

Jeff Wiltshire 13 June 2003 12:38 PM

It would all come down to money in the end.

If money is relatively no object then you would supply a firewall to each customer which they would/could administer...this would be the most secure solution.

The 'cheap' option would be to have a core switch which was capable of VLANs and routing. This would be managed by you. Not a completely secure solution but it would work for 99.9% of customers.

carl 13 June 2003 01:07 PM

I did think of the VLANs thing -- the trouble is that your ISP connexion has to appear on all VLANs. I guess a fairly big switch with some sort of router blade would do the job, but you're talking serious money there. For up to, say, half a dozen customers you may as well have a pokey little router per customer.

Mickle 13 June 2003 01:33 PM

Cheers guys,

Boss is going to be a right skinflint on this one and he's going to suggest that everyone gets Norton Internet Security and allow IPs in a certain range through, then plug their hubs into our hub and our hub into an ADSL router.

Not a business solution if you ask me :rolleyes:

carl 13 June 2003 01:51 PM

So what happens if they've got overlapping IP address space? I reckon it's pretty likely they're all using 192.168.x.x or 10.x.x.x.

Mickle 13 June 2003 01:53 PM

He's going to allocate them address ranges and change the workgroups. It's a hacker's paradise and I can't seem to change his mind. You wait, something will happen with one of the other companies' data and we'll get the blame :(

carl 13 June 2003 01:57 PM

So each of the companies has to re-address their entire network? :o

Mickle 13 June 2003 02:02 PM

Yup, madness I tell you, pure madness!

I thank you again for your kind words of wisdom, which I did pass on to the boss and who kindly ignored them all!

Dr Hu 13 June 2003 03:01 PM

Is there no way of giving each company a different subnet address?

As you cannot browse across subnets, does this not fix your problem?

Just have the ADSL router as the Gateway?

....or would the router gateway pass on the browse packets...hmmmm

Talking myself out of it here...LOL

SiCotty 13 June 2003 03:29 PM

Why don't all the companies get ADSL? It will be more secure and will solve any arguments due to people using it too much. Alternatively it will be easier to use a switch with a trunk into a router which is running a firewall as well. The router can then firewall all the networks. Use DHCP to assign addresses to each group of companies and then perform NAT on everybody. You could then do a bit of queuing to prevent apps such as HTTP and FTP hogging the line.

Si

Chris L 13 June 2003 05:11 PM

Mickle

Try the Data Protection Act angle. If your company holds private information on your customers (or your own staff), then you have a duty to protect this information. You have to take 'reasonable steps' to protect the info - now this is open to interpretation but I don't think what your boss is suggesting would be viewed as a sensible thing to do.

Perhaps also mention that he could be held liable, big fines etc etc

Chris

BlueBlood 13 June 2003 10:30 PM

You could do what SiCotty suggests with OpenBSD 3.3 and IPFilter. So all you have to buy is the switch and the machine to run it on...oh and the skills to build it if not available in house......
Bad idea if not done correctly. Make sure you have email etc. suggesting the right way to do this if you are responsible for the security/network. Then your boss takes the blame if any issues.

PS, this is how the large managed office companies do it - just not with OpenBSD.
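
An added example, not written by any poster in the thread: a Python sketch of the address plan carl and SiCotty describe, with one VLAN and one non-overlapping infrastructure subnet per company, plus the forwarding rule that keeps tenants apart while letting them reach the internet. The company names, the 172.16.0.0/16 pool and the VLAN numbering are assumptions.

```python
import ipaddress

# Constructed sample: tenant LANs as they might arrive; two use the same range.
TENANT_LANS = {
    "company-a": "192.168.0.0/24",
    "company-b": "192.168.0.0/24",  # overlaps company-a
    "company-c": "10.0.0.0/24",
}
INFRA_POOL = ipaddress.ip_network("172.16.0.0/16")  # assumed infrastructure range
FIRST_VLAN = 10                                     # assumed first VLAN ID


def overlapping_tenants(lans):
    """Return pairs of tenants whose existing LAN ranges overlap."""
    nets = {t: ipaddress.ip_network(n) for t, n in lans.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_plan(lans, pool=INFRA_POOL, first_vlan=FIRST_VLAN):
    """Give each tenant its own VLAN and a unique /24 to be NATed into."""
    subnets = pool.subnets(new_prefix=24)
    return {tenant: {"vlan": first_vlan + i, "infra": next(subnets)}
            for i, tenant in enumerate(sorted(lans))}


def owner(plan, addr):
    """Tenant whose infrastructure subnet holds addr, or None if outside."""
    ip = ipaddress.ip_address(addr)
    return next((t for t, p in plan.items() if ip in p["infra"]), None)


def decide(plan, src, dst, pool=INFRA_POOL):
    """Forwarding policy at the router: internet yes, other tenants no."""
    src_owner, dst_owner = owner(plan, src), owner(plan, dst)
    if src_owner is None:
        return "deny"   # only tenant-originated traffic is forwarded
    if dst_owner == src_owner:
        return "allow"  # stays inside the tenant's own segment
    if ipaddress.ip_address(dst) in pool:
        return "deny"   # another tenant, or unallocated infrastructure space
    return "allow"      # outbound to the internet via the ADSL router


if __name__ == "__main__":
    plan = build_plan(TENANT_LANS)
    print("overlaps:", overlapping_tenants(TENANT_LANS))
    for tenant, p in plan.items():
        print(tenant, "vlan", p["vlan"], "->", p["infra"])
    print(decide(plan, "172.16.0.5", "172.16.1.9"))
```
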



All times are GMT +1.