ds1010 asked:
Distribute Internet to Multiple Tenants

I need to provide internet connectivity for multiple tenants (about 70) of a building that will be sharing one large internet connection.  Every tenant needs to have their own public IP address, which we will assign from the block given by the ISP.  The ISP is providing a copper layer 2 handoff.

Due to wiring constraints (distance, cost), we have to use coax cable to each unit.  The coax goes to an endpoint device in each unit, which then converts back to CAT5 ethernet.  The coax cables get aggregated back to master units, which would then go to an ethernet switch (haven't purchased one yet).

I am trying to figure out how to isolate the tenants from each other.  I don't see what prevents a tenant from misconfiguring their router, possibly using the IP address given to a different tenant.  Even worse, I don't see what stops someone from connecting a laptop and ARP spoofing the gateway and sniffing everyone's traffic.  In reality, this probably won't happen, but the fact that it could gives me pause.

What can I do to prevent this possibility?  I was thinking of a layer 3 switch and VLANs, but I'm not entirely sure how I would apply it.  The coax endpoint units (in the tenants' offices) can supposedly handle VLANs.

Any suggestions regarding either design or equipment? Thanks.
hypercube

If the tenants all have public IP addresses as you say then they would generally not be separable.  After all, that's the purpose of a public address.  Anyone can reach/see them.  If not then it's a waste of public addresses and probably money.
That means they can reach each other just as well as Yahoo!

Is there something I don't understand about this?
ds1010 (ASKER)

What I mean is that all of the tenants would be sharing the same layer 2 broadcast domain in the switch.

For instance, if the public IP block given by the ISP was 10.10.10.0/25, I would have 126 usable IP addresses, minus one for the gateway.  If the gateway was 10.10.10.1 and I started giving out the addresses as follows:

Tenant 1: 10.10.10.10
Tenant 2: 10.10.10.11
Tenant 3: 10.10.10.12
Tenant 4: 10.10.10.13
etc....

The potential problem that I see is that I cannot prevent Tenant 1 from configuring their router with Tenant 4's IP address.  This could cause problems.  While it isn't guaranteed to happen, it could.

The other problem is that Tenant 4 could connect a laptop and would then be directly connected to the broadcast domain.  He could then ARP spoof the gateway, redirecting everyone's traffic through him.  Again, while this probably won't happen, it could.

How can I limit certain endpoints to only be able to use the public IPs assigned to them? Also, how can I eliminate the possibility of ARP spoofing and/or other shenanigans?

I'm curious how other people would handle this type of deployment.  Am I just being paranoid?
Those addresses are private addresses.  So there is no public address waste and likely no cost involved beyond the pipe.  
It's a little odd but not unheard of for the ISP to provide you with a private subnet.
It's more common for the ISP's *modem* or *router* on your site to do that.

Since they are all private addresses you may be able to deal with the situation like shown in the paper.  That will require 70 routers plus one.

So, you have 10.10.10.0/25
I will assume you have a router with address 10.10.0.1
So, at each tenant site set up a router with NAT using:
10.0.0.0/24 on the LAN side.
So there's no confusion and so that you can implement communication between tenants when needed, use different subnets on the LANs:
10.0.1.0/24
10.0.2.0/24
.....
10.0.69.0/24
Multiple-Subnets.pdf
And, of course, you'll need 80 switch ports or so at the central connection point to distribute to the tenants.  
You could put the 70 routers right there also.
That will depend on who will be responsible for them.
If it's you then I'd put them in one room.
If it's them then I'd have them provide or maintain and certainly house them.
ds1010 (ASKER)

Fmarshall,

The 10.10.10.0 network I used in my earlier comment was just for illustration purposes as an example.  Assume that it is a public IP range.

Sorry for the confusion.
ASKER CERTIFIED SOLUTION
hypercube
(solution text only available to members)

SOLUTION
(solution text only available to members)

Yup, looks like you'll need firewalls/router for each tenant.

Private VLANs are what you are looking for. I think this is similar to what ISPs use.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
ds1010 (ASKER)

@fmarshall: Every tenant would have their own router, that's a given.  The issue I am trying to resolve is how to make sure that a tenant is only able to use the public IP address that is given to them.  Otherwise someone could accidentally misconfigure their router and end up using another tenant's IP address. This would create connection issues for both tenants.

@rigan123: We haven't purchased any equipment yet, this is still in the planning phase.  I am thinking about a separate VLAN for each user.  If I do that, does that mean that I have to chop up the address space into /30 subnets?  If so, that seems like it would be a huge waste of IPs.

@agonza07: Thanks for the link. I'm going to read through that now.
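The /30 question above is a matter of arithmetic, so here is an added worked calculation (not part of the thread, and not anyone's recommendation in it) using Python's standard `ipaddress` module. It takes the thread's illustrative block 10.10.10.0/25 and 70 tenants and compares two designs: one routed subnet per tenant (each tenant's VLAN needs its own gateway address, so a /30 serves exactly one tenant) versus all tenant routers in one shared subnet behind a switch that isolates the ports, as the private-VLAN / port-isolation replies suggest. The block sizes and tenant count are the thread's; the function names are mine.

```python
import ipaddress
from math import ceil, log2


def usable_addresses(network):
    """Host addresses in an IPv4 subnet, excluding network and broadcast.
    (/31 point-to-point links are deliberately not considered here.)"""
    return max(network.num_addresses - 2, 0)


def tenants_per_block(block, per_tenant_prefix):
    """Tenants that fit when each one gets its own routed subnet of the
    given prefix length.  Each subnet must hold the gateway plus at least
    one tenant router, so it needs two usable addresses."""
    block = ipaddress.ip_network(block)
    if per_tenant_prefix < block.prefixlen:
        return 0
    subnets = list(block.subnets(new_prefix=per_tenant_prefix))
    return len(subnets) if usable_addresses(subnets[0]) >= 2 else 0


def block_prefix_for_routed_tenants(tenants, per_tenant_prefix):
    """Smallest block prefix length that can carve `tenants` subnets of
    `per_tenant_prefix` (one tenant per subnet)."""
    addresses_needed = tenants * (2 ** (32 - per_tenant_prefix))
    return 32 - ceil(log2(addresses_needed))


def tenants_per_shared_subnet(block):
    """Tenants that fit when every tenant router sits in ONE subnet with a
    single gateway and the switch keeps the ports isolated from each other."""
    return usable_addresses(ipaddress.ip_network(block)) - 1  # minus the gateway


if __name__ == "__main__":
    block, tenants = "10.10.10.0/25", 70
    print(f"{block}: one /30 VLAN per tenant fits {tenants_per_block(block, 30)} tenants")
    print(f"{block}: shared subnet with port isolation fits "
          f"{tenants_per_shared_subnet(block)} tenants")
    for p in (30, 29):
        print(f"{tenants} tenants with a /{p} each need at least a "
              f"/{block_prefix_for_routed_tenants(tenants, p)} from the ISP")
```

The shared-subnet design burns one address for the gateway in total; the per-tenant-VLAN design burns a network, broadcast and gateway address for every tenant, which is why a /25 that comfortably holds 70 tenants on isolated ports only yields 32 tenant /30s, and 70 routed tenants would need at least a /23.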
Ds1010,

That's why I asked you the question.

The way I mentioned (blocking ICMP into the gateway) could protect you from ARP spoofing.
There might be some manageable switches (like Cisco, HP ProCurve, 3Com, etc.) that have a Port Isolation option which could isolate users within the same address range. That could also help you resolve the issue. Just find out the suitable one.

For buying a router I could suggest you buy Mikrotik (RouterBoard OS). It's cheap and has wonderful performance too.
http://routerboard.com/
Maybe the routers should be centrally located and managed then..... ??

Or maybe the routers should be set up for DHCP and fed by MAC address reserved IP addresses.  That will take care of any "mistakes".  You just need to have a master router that will do DHCP with public addresses.  Some commodity routers won't.  And you will want to make sure that the reserved pool can be large enough to meet your needs.  Likely that won't be an issue but I can imagine such pools being of size "32" or "64" just because.
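The MAC-reserved address table proposed just above is also exactly the baseline a central switch needs to notice the two failure modes the asker raised earlier: a tenant router using another tenant's address, and a host answering ARP for the gateway. The following Python sketch is added here as an illustration and is not code from the thread or from any product named in it; the reservation table, port labels, MAC addresses and the observed ARP bindings are all constructed sample data, and the idea that a switch can tell you which port a binding arrived on is an assumption about the equipment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpSeen:
    """One observed ARP sender binding: who claims which IP, on which port."""
    ip: str
    mac: str
    port: str  # switch port / coax master-unit port the frame arrived on


# Constructed values: the shared gateway and the port it must appear on.
GATEWAY_IP = "10.10.10.1"
GATEWAY_MAC = "00:11:22:33:44:01"
GATEWAY_PORT = "uplink"

# Constructed reservation table (the DHCP MAC-reservation idea): each tenant
# MAC is allowed exactly one public IP and is expected on exactly one port.
RESERVATIONS = {
    "00:aa:bb:cc:dd:10": ("10.10.10.10", "tenant1"),
    "00:aa:bb:cc:dd:11": ("10.10.10.11", "tenant2"),
    "00:aa:bb:cc:dd:13": ("10.10.10.13", "tenant4"),
}

# Constructed observations: Tenant 2's router misconfigured with Tenant 4's
# address, and a rogue host on Tenant 4's port answering for the gateway.
SAMPLE_OBSERVATIONS = [
    ArpSeen("10.10.10.10", "00:aa:bb:cc:dd:10", "tenant1"),
    ArpSeen("10.10.10.13", "00:aa:bb:cc:dd:11", "tenant2"),
    ArpSeen("10.10.10.13", "00:aa:bb:cc:dd:13", "tenant4"),
    ArpSeen(GATEWAY_IP, GATEWAY_MAC, GATEWAY_PORT),
    ArpSeen(GATEWAY_IP, "00:de:ad:be:ef:00", "tenant4"),
]


def audit(observations, reservations=RESERVATIONS):
    """Compare observed ARP bindings against the reservation table.
    Returns a list of (severity, ip, reason) findings."""
    findings = []
    claimants = {}  # ip -> set of MACs seen claiming it
    for obs in observations:
        claimants.setdefault(obs.ip, set()).add(obs.mac)
        if obs.ip == GATEWAY_IP:
            # Anyone other than the real gateway, or the gateway MAC on a
            # tenant port, is impersonating the default gateway.
            if obs.mac != GATEWAY_MAC or obs.port != GATEWAY_PORT:
                findings.append(("critical", obs.ip,
                                 f"gateway impersonation by {obs.mac} on {obs.port}"))
            continue
        reserved = reservations.get(obs.mac)
        if reserved is None:
            findings.append(("high", obs.ip,
                             f"unregistered MAC {obs.mac} on {obs.port}"))
            continue
        reserved_ip, reserved_port = reserved
        if obs.ip != reserved_ip:
            findings.append(("high", obs.ip,
                             f"{obs.mac} is reserved {reserved_ip} but uses {obs.ip}"))
        if obs.port != reserved_port:
            findings.append(("medium", obs.ip,
                             f"{obs.mac} expected on {reserved_port}, seen on {obs.port}"))
    # Two MACs claiming one IP is the duplicate-address case regardless of
    # who is "right"; both tenants lose connectivity while it lasts.
    for ip, macs in claimants.items():
        if len(macs) > 1:
            findings.append(("high", ip, f"address conflict between {sorted(macs)}"))
    return findings


if __name__ == "__main__":
    for severity, ip, reason in audit(SAMPLE_OBSERVATIONS):
        print(f"[{severity}] {ip}: {reason}")
```

On the constructed input this reports the misconfigured router once as address misuse and once as a conflict on 10.10.10.13, and the rogue host once as gateway impersonation and once as a conflict on 10.10.10.1. The point for the design discussion is that the reservation table gives you something to check against; without port isolation the switch still forwards the spoofed replies, so this is a detection aid alongside isolation, not a replacement for it.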
Fmarshall,

The author wants security for his clients. Perhaps the most important thing is: each client should be separated from the others so that none can ping each other. Otherwise, anyone could attempt to access others' computers or do spoofing. For that case, it needs switchport isolation or VLANs. But VLANs need more IPs and it would take time to completely configure them for all clients.
If a device is accessible on the internet then it's accessible.  I don't see the difference between having a public address on the same switch and having a public address in Bangladesh.  They are all interconnected by design.

Security of the clients depends on the individual firewalls and that's all there is to it.  So, reserved public IP addresses by DHCP seems a good way to go.  How do you prevent someone in Bangladesh from using one of your public IP addresses?  Usually by virtue of ISP subnets, but that's all, isn't it?