Two companies, one network. Best practices.

Networking is not my strong suit.

We have a network with a domain. The DC is a Windows Server 2003.

We have decided to rent the upper floor of the building to three individuals operating a law practice.

Obviously, we don't want them on our domain or to have access to our resources (files, printers, etc.). But sharing our internet connection would be fine.

Do I insist they have a separate domain on the same DC so domain security policy can be applied? What are the security risks of letting them just plug in and not be joined to the domain? Is there a way to create a different subnet that could still use the same switch and hardware firewall?
Asked by Tom Beck

Robert Saylor (Senior Developer) commented:
Networking is not my strong point, but it looks like a VLAN might be the solution. You would configure them to use VLAN 1, then pass that traffic out, and put your internal network in as VLAN 0. Others can probably lead you in the right direction, but that might be the starting area for your solution.

Ben Hart commented:
VLANs separate broadcast traffic. You'd have to get into your switch(es) and add/remove the VLANs from individual ports, but then adding a VLAN would require a router or other layer 3 device to route their data to the Internet.

For example, you have a managed 12-port switch that's a layer 3 switch. Give them VLAN 10, then remove VLAN 10 from all ports except one. That would be their uplink, forcing them to provide their own switch if they require more than one port. Then add a route inside your switch for VLAN 10 directly and only out to your external interface.

Skyler Kincaid (Network/Systems Engineer) commented:
The cheapest and easiest way to do this would be to have them get their own Internet and switch.

If you were a network nerd and had some cash you could safely separate them, but from a business standpoint it would be much safer to get them their own Internet and a small switch.

Ben Hart commented:
Agreed. You're renting space; you should not be providing a domain infrastructure and Internet access unless that's part of the contract. If it is, then your complexity is going to make a nice leap upwards.

Tom Beck (Author) commented:
Let's say we don't provide a domain infrastructure, but we do include Internet access as part of their rental agreement. The digs they are coming from did exactly that. We already have a friendly business relationship with these folks; I don't want to make them pay to duplicate equipment we already have and are willing to share. So far it's only a one-year lease agreement. We are trying to keep it simple and cheap.

Is there a way to share Internet access while keeping them on a different network? They can take care of their own security. The two networks never cross paths. That would be ideal.

About VLANs: I'm familiar with them; my switch has that feature. I'm confused about how it would all work, though.

Not sure if this information helps, but our WatchGuard Firebox X500 has a trusted interface set up, 10.0.0.254/24. It also has an Optional interface that we are using for VPN services, 172.16.1.1/24.

I also see a tab in the configuration called "Secondary Networks" which says: "If you have additional networks on any of the Firebox interfaces, enter an unused IP address from each network in the list. The Firebox will use these addresses to route traffic to the correct network."

I'm using a Cisco SG200 48-port switch that can be managed through a web interface. I have a spare unused Dell PowerConnect 3448 that they can use if need be, although it's only a 10/100 switch.

How can I create a second intranet, say 192.168.1.0, and patch them into the Comcast modem? The Firebox has to be involved somehow. I'm thinking that Comcast would never allow two different intranets to operate on one account.

What @ubadmin is saying kinda makes sense to me, but I'm not quite clear on what to do.

Ben Hart commented:
I am not fluent enough for step-by-step instructions; however, what I'm thinking is going the VLAN route. Create a secondary VLAN, assign that VLAN to a single port on your Cisco, and uplink the PowerConnect to that port. Create a static route on your Cisco pointing the new VLAN subnet to the Comcast modem and you might just be good to go.

VirastaR (UC Tech Consultant) commented:
Hi,

If you are too confused with too many ideas, let me suggest something...

Most desktops/laptops nowadays have Wi-Fi built in.

 - Get a wireless (Wi-Fi) router with the N standard from Cisco/Linksys/Belkin etc.

In the router, by default, ICS (Internet Connection Sharing) is enabled.

Instructions will be provided within the router itself about how to configure a Wi-Fi network.

With this, not only 3 but up to 50 connections (min) can share the total bandwidth of your Internet connection.

You can secure it with a security key (share it with your pals).

They can only use it for Internet connection, nothing else (by default).

Think about it, and if that makes sense and fits your bill, give it a shot.

Hope that helps :)

Ben Hart commented:
Setting up the lawyers to use wireless is a valid idea; however, you neglected the part of OP's problem where he needs to segregate the traffic. Nothing about using ICS, or a residential router's Wi-Fi config, does anything for that.

If your Comcast modem supports it, or if the wireless is already in use by your folks, then does it support multiple SSIDs?

Tom Beck (Author) commented:
Wouldn't using a router (wireless or not) segregate the traffic? Isn't that the purpose of a router?

If I plug a router into my 10.0.0.0 switch, it will obtain a 10.0.0.something IP address, which becomes the gateway address for the router. The router has its own DHCP server and creates a network in the 192.168.1.0 range. The three computers are either plugged in directly to that router or pick it up wirelessly. They will be on a different network than ours, correct? That sounds like what I want.

I was busy trying to find a way to have them use our existing infrastructure of wires and switches. Sounds like the simple, cheap answer is to hook them up to a router. Am I missing something?

Ben Hart commented:
Hmmm... maybe. If your end is not using the Comcast router as a DHCP server, thereby freeing that up for the lawyers, and the whole single or multiple SSID thing... that might work. Not sure why that was missed earlier; it's so simple it's stupid. Providing the lawyers have laptops already.

Tom Beck (Author) commented:
One laptop, two desktops, as I understand now. Wireless routers generally come with four Ethernet ports. I can just run long patch cords directly from the router to the desktops. I doubt they have wireless adapters built in. Our domain controller is the DHCP server for our network. It can provide the router with a gateway. The router itself will be the DHCP server for the lawyers' network. Sounds like a plan.

Ben Hart commented:
Provided you can secure the two lawyer interfaces from the one uplinking back to your DC... I mean, I highly doubt you'd need to worry about hacking attempts from some lawyers, but if they are under scrutiny from SOX, HIPAA or anything like that then they'd have to be 100% secured from you and your network for intrusion attempts.
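
As an added example (not from any participant in the thread): a small Python model of the two designs discussed above, Ben Hart's VLAN-plus-route design with an ACL at the layer 3 device, and the consumer NAT router plugged into the office switch that Tom Beck settled on, evaluated for which direction of traffic each one actually blocks. The networks 10.0.0.0/24 and 192.168.1.0/24 are the ones named in the question; the host addresses, the router's WAN lease 10.0.0.200, the documentation address 203.0.113.1 standing in for "the Internet", and the ACL contents are assumptions made for illustration.

```python
"""Reachability model for the two tenant-separation designs in the thread.

Example code, not from the thread. 10.0.0.0/24 and 192.168.1.0/24 come from
the question; every host address and the ACL below are assumed.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

OFFICE = IPNet("10.0.0.0/24")      # Firebox trusted interface; the DC serves DHCP here
TENANT = IPNet("192.168.1.0/24")   # proposed second network for the law practice
ANY = IPNet("0.0.0.0/0")


@dataclass
class Rule:
    src: IPNet
    dst: IPNet
    action: str  # "permit" or "deny"


def first_match(rules, src, dst):
    """First-match ACL evaluation with an implicit deny at the end."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


# Design 1: tenants on their own VLAN, both VLANs routed at the firewall /
# layer 3 switch, with an ACL that lets each network reach only the Internet.
# The two deny rules must sit above the permit-any rules to take effect.
VLAN_ACL = [
    Rule(TENANT, OFFICE, "deny"),
    Rule(OFFICE, TENANT, "deny"),
    Rule(TENANT, ANY, "permit"),
    Rule(OFFICE, ANY, "permit"),
]


def vlan_design_allows(src, dst):
    return first_match(VLAN_ACL, IPAddr(src), IPAddr(dst)) == "permit"


# Design 2: a consumer NAT router whose WAN port is plugged into the office
# switch.  Its WAN address is a lease from the DC's DHCP (10.0.0.200 assumed);
# its LAN side hands out 192.168.1.0/24.  No port forwards configured.
ROUTER_WAN = IPAddr("10.0.0.200")
PORT_FORWARDS = {}


def nat_design_allows(src, dst):
    src, dst = IPAddr(src), IPAddr(dst)
    if src in TENANT and dst not in TENANT:
        # Outbound: the router rewrites the source to ROUTER_WAN and forwards.
        # The packet is now 10.0.0.200 -> dst on the office LAN, and nothing
        # there filters LAN-to-LAN traffic, so it is delivered whether dst is
        # an office host or out on the Internet.
        return True
    if dst in TENANT and src not in TENANT:
        # Inbound: only traffic matching a configured port forward gets through.
        return dst in PORT_FORWARDS.values()
    return True  # same side of the router, nothing in the way


FLOWS = [
    ("tenant -> office file server", "192.168.1.10", "10.0.0.5"),
    ("office -> tenant PC",          "10.0.0.5",     "192.168.1.10"),
    ("tenant -> Internet",           "192.168.1.10", "203.0.113.1"),
    ("office -> Internet",           "10.0.0.5",     "203.0.113.1"),
]


def compare(flows):
    """Return {label: (vlan_design_allows, nat_design_allows)} per flow."""
    return {label: (vlan_design_allows(s, d), nat_design_allows(s, d))
            for label, s, d in flows}


if __name__ == "__main__":
    for label, (vlan_ok, nat_ok) in compare(FLOWS).items():
        fmt = lambda ok: "allow" if ok else "block"
        print(f"{label:30} VLAN+ACL: {fmt(vlan_ok):5}  NAT router: {fmt(nat_ok)}")
```

The model makes the asymmetry visible: the NAT router hides the lawyers' machines from the office (no port forwards, so office -> tenant is blocked), but because its WAN side sits on 10.0.0.0/24 the lawyers can initiate connections to any office host just like a 10.0.0.x machine could. The VLAN design blocks both directions at the routing point. The usual way to keep the cheap router and still get the VLAN result is to put its WAN port on a port that is itself isolated from 10.0.0.0/24 (a tenant VLAN on the SG200, or an unused Firebox interface with a deny rule toward the trusted network) rather than on the office LAN.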
 
Tom Beck (Author) commented:
Now you're talking over my head again. "Two layer interfaces". What two? Would hacking from the network created by the router into our network be any easier than hacking in from the outside? Why?

VirastaR (UC Tech Consultant) commented:
Hi,

I don't understand why you guys make it so complicated for a simple ICS configuration.

@tommyBoy

That's why I suggested a Wi-Fi router as an option: because you can secure the Wi-Fi network with a passphrase. It's very strong security (WPA/Enterprise); you DON'T have to worry about hacking and all.

Whether you'd like to go with the wired or Wi-Fi option, my idea is to highlight to you the use of a router as a solution to this issue.

Hope that helps :)

Tom Beck (Author) commented:
The router is the way to go.

Thanks everyone for replying.
