Two companies, one network. Best practices.

Posted on 2013-05-23
Last Modified: 2013-05-29
Networking is not my strong suit.

We have a network with a domain. The DC is a Windows Server 2003.

We have decided to rent the upper floor of the building to three individuals operating a law practice.

Obviously, we don't want them on our domain or to have access to our resources (files, printers, etc.). But sharing our internet connection would be fine.

Do I insist they have a separate domain on the same DC so domain security policy can be applied? What are the security risks of letting them just plug in and not be joined to the domain? Is there a way to create a different subnet that could still use the same switch and hardware firewall?
Question by:Tom Beck
15 Comments
 
LVL 6

Assisted Solution

by:Robert Saylor
Robert Saylor earned 50 total points
Networking is not my strong point, but it looks like a VLAN might be the solution. You would configure them to use VLAN 1, then pass that traffic out and put your internal network in as VLAN 0. Others can probably lead you in the right direction, but that might be the starting area for your solution.
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 50 total points
VLANs separate broadcast traffic. You'd have to get into your switch(es) and add/remove the VLANs from individual ports, but then adding a VLAN would require a router or other layer 3 device to route their data to the internet.

For example, you have a managed 12 port switch that's a layer 3 switch. Give them VLAN10, then remove VLAN10 from all ports except one. That would be their uplink, forcing them to provide their own switch if they require more than 1 port. Then add a route inside your switch for VLAN10 directly and only out to your external interface.
 
LVL 15

Assisted Solution

by:Skyler Kincaid
Skyler Kincaid earned 50 total points
The cheapest and easiest way to do this would be to have them get their own Internet and switch.

If you were a network nerd and had some cash you could safely separate them, but from a business standpoint it would be much safer to get them their own Internet and a small switch.
 
LVL 14

Expert Comment

by:Ben Hart
Agreed, you're renting space; you should not be providing a domain infrastructure and internet access unless that's part of the contract. If it is, then your complexity is going to make a nice leap upwards.
 
LVL 38

Author Comment

by:Tom Beck
Let's say we don't provide a domain infrastructure but we do include internet access as part of their rental agreement. The digs they are coming from did exactly that. We already have a friendly business relationship with these folks; I don't want to make them pay to duplicate equipment we already have and are willing to share. So far it's only a one year lease agreement. We are trying to keep it simple and cheap.

Is there a way to share internet access while keeping them on a different network? They can take care of their own security. The two networks never cross paths. That would be ideal.

About VLANs. I'm familiar with them, my switch has that feature. I'm confused about how it would all work though.

Not sure if this information helps but our WatchGuard Firebox x500 has a trusted interface set up, 10.0.0.254/24. It also has an Optional Interface that we are using for VPN services, 172.16.1.1/24.

I also see a tab in the configuration called "Secondary Networks" which says "If you have additional networks on any of the Firebox interfaces, enter an unused IP address from each network in the list. The Firebox will use these addresses to route traffic to the correct network."

I'm using a Cisco SG200 48 port switch that can be managed through a web interface. I have a spare unused DELL PowerConnect 3448 that they can use if need be although it's only a 10/100 switch.

How can I create a second intranet, say 192.168.1.0, and patch them into the Comcast modem? The Firebox has to be involved somehow. I'm thinking that Comcast would never allow two different intranets to operate on one account.

What @ubadmin is saying kinda makes sense to me but I'm not quite clear on what to do.
 
LVL 14

Expert Comment

by:Ben Hart
I am not fluent enough for step by step instructions. However, what I'm thinking is going the VLAN route: create a secondary VLAN, assign that VLAN to a single port on your Cisco, and uplink the PowerConnect to that port. Create a static route on your Cisco pointing the new VLAN subnet to the Comcast modem and you might just be good to go.
 
LVL 9

Accepted Solution

by:VirastaR
VirastaR earned 350 total points
Hi,

If you are too confused by too many ideas, let me suggest something...

Most of the Desktops/laptops nowadays are Wifi built-in.

 - Get a Wireless (Wifi Router) with N Standard from Cisco\Linksys\Belkin etc.

In the router, ICS (Internet Connection Sharing) is enabled by default.

Instructions will be provided within the router itself, about how to configure a Wi-Fi network.

With this, not only 3 but up to 50 connections (minimum) can share the total bandwidth of your Internet connection.

You can secure it with a Security key (share it with your pals)

They can only use it for internet connection nothing else (by default)

Think about it and if that makes sense and fits your bill give it a shot.

Hope that helps :)
 
LVL 14

Expert Comment

by:Ben Hart
Setting up the lawyers to use wireless is a valid idea. However, you neglected the part of OP's problem where he needs to segregate the traffic. Nothing about using ICS, or a residential router's Wi-Fi config, does anything for that.

If your Comcast modem supports it, or if the wireless is already in use by your folks, then does it support multiple SSIDs?
 
LVL 38

Author Comment

by:Tom Beck
Wouldn't using a router (wireless or not) segregate the traffic? Isn't that the purpose of a router?

If I plug a router into my 10.0.0.0 switch, it will obtain a 10.0.0.something IP address which becomes the gateway address for the router. The router has its own DHCP server and creates a network in the 192.168.1.0 range. The three computers are either plugged in directly to that router or pick it up wirelessly. They will be on a different network than ours, correct? That sounds like what I want.

I was busy trying to find a way to have them use our existing infrastructure of wires and switches. Sounds like the simple, cheap answer is to hook them up to a router. Am I missing something?
 
LVL 14

Expert Comment

by:Ben Hart
Hmmm.. maybe.  If your end is not using the Comcast router as a DHCP server thereby freeing that up for the lawyers, and the whole single or multiple SSID thing.. that might work.  Not sure why that was missed earlier.. it's so simple it's stupid.  Providing the lawyers have laptops already.
 
LVL 38

Author Comment

by:Tom Beck
One laptop, two desktops as I understand now. Wireless routers generally come with four ethernet ports. I can just run long patch cords directly from the router to the desktops. I doubt they have wireless adapters built in. Our Domain Controller is the DHCP server for our network. It can provide the router with a gateway. The router itself will be the DHCP server for the lawyers' network. Sounds like a plan.
 
LVL 14

Expert Comment

by:Ben Hart
Provided you can secure the two lawyer interfaces from the one uplinking back to your DC. I mean, I highly doubt you'd need to worry about hacking attempts from some lawyers, but if they are under scrutiny from SOX, HIPAA or anything like that then they'd have to be 100% secured from you and your network for intrusion attempts.
 
LVL 38

Author Comment

by:Tom Beck
Now you're talking over my head again. "two layer interfaces". What two? Would hacking from the network created by the router into our network be any easier than hacking in from the outside? Why?
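An added example, not from any participant in this thread, that models the router design the thread converges on and checks the isolation concern raised above. It assumes the company LAN 10.0.0.0/24 from the question, a constructed tenant router WAN lease of 10.0.0.200, a constructed tenant LAN 192.168.1.0/24, and constructed first-match ACL rule sets; the point it shows is that NAT hides the tenant PCs from the company side but does nothing to stop tenant-originated traffic into 10.0.0.0/24 until something on the uplink filters it.

```python
"""Model the tenant-behind-a-router design from the thread and check isolation.
Constructed assumptions: company LAN 10.0.0.0/24, tenant router WAN side leased
10.0.0.200 by the DC's DHCP, tenant LAN 192.168.1.0/24. Rules are evaluated
first-match like a switch ACL; an unmatched flow is allowed ("just plug in")."""
from ipaddress import ip_address, ip_network

COMPANY_LAN = ip_network("10.0.0.0/24")
TENANT_LAN = ip_network("192.168.1.0/24")
TENANT_ROUTER_WAN = ip_address("10.0.0.200")  # hypothetical DHCP lease
ANY = ip_network("0.0.0.0/0")

def evaluate(rules, src, dst):
    """Return 'allow' or 'deny' for one flow as the company switch sees it."""
    src, dst = ip_address(src), ip_address(dst)
    # The tenant router source-NATs outbound traffic, so the company side
    # sees 10.0.0.200, a peer on its own trusted subnet, never 192.168.1.x.
    # Same-subnet traffic never crosses the Firebox, so only a switch ACL
    # or a separate VLAN / firewall interface can filter it.
    if src in TENANT_LAN:
        src = TENANT_ROUTER_WAN
    for rule_src, rule_dst, action in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return "allow"

def inbound_to_tenant(dst):
    """Company host reaching a tenant PC: with no port forwards configured,
    the tenant router's NAT drops unsolicited inbound connections."""
    return "deny" if ip_address(dst) in TENANT_LAN else "allow"

# Design 1: router uplinked to the 10.0.0.0 switch with no filtering at all.
PLAIN_ROUTER = []

# Design 2: an ACL on the router's uplink port (or the equivalent policy on a
# dedicated VLAN / firewall interface): the router may reach the internet but
# nothing else on the company LAN. In practice DHCP and DNS from the DC would
# need explicit allow rules above the deny, or a static address for the router.
FILTERED_UPLINK = [
    (ip_network("10.0.0.200/32"), COMPANY_LAN, "deny"),
    (ip_network("10.0.0.200/32"), ANY, "allow"),
]

def isolation_report(rules):
    """Summarise the three flows that matter for the lease arrangement."""
    return {
        "tenant_to_file_server": evaluate(rules, "192.168.1.10", "10.0.0.5"),
        "tenant_to_internet": evaluate(rules, "192.168.1.10", "203.0.113.10"),
        "company_to_tenant_pc": inbound_to_tenant("192.168.1.10"),
    }
```

`isolation_report(PLAIN_ROUTER)` reports the tenant-to-file-server flow as allowed, which is the gap the comment above is pointing at; `isolation_report(FILTERED_UPLINK)` turns it to denied while internet access stays allowed.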
 
LVL 9

Expert Comment

by:VirastaR
Hi

I don't understand why you guys make it so complicated for a simple ICS Configuration.

@ tommyBoy

That's why I suggested a Wi-Fi router as an option, because you can secure the Wi-Fi network with a passphrase; it's very strong security (WPA/Enterprise). DON'T have to worry about hacking and all.

Whether you like to go with the wired or Wi-Fi option, my idea is to highlight to you the use of a router as a solution to this issue.

Hope that helps :)
 
LVL 38

Author Closing Comment

by:Tom Beck
The router is the way to go.

Thanks everyone for replying.