Tom Beck

asked on
Two companies, one network. Best practices.

Networking is not my strong suit.

We have a network with a domain. The DC is a Windows Server 2003.

We have decided to rent the upper floor of the building to three individuals operating a law practice.

Obviously, we don't want them on our domain or to have access to our resources (files, printers, etc.). But sharing our internet connection would be fine.

Do I insist they have a separate domain on the same DC so domain security policy can be applied? What are the security risks of letting them just plug in and not be joined to the domain? Is there a way to create a different subnet that could still use the same switch and hardware firewall?
SOLUTION (Robert Saylor)
This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
SOLUTION
This solution is only available to members.
SOLUTION (Skyler Kincaid)
This solution is only available to members.
Agreed, you're renting space; you should not be providing a domain infrastructure and internet access unless that's part of the contract. If it is, then your complexity is going to make a nice leap upwards.
Tom Beck (ASKER)
Let's say we don't provide a domain infrastructure but we do include internet access as part of their rental agreement. The digs they are coming from did exactly that. We already have a friendly business relationship with these folks; I don't want to make them pay to duplicate equipment we already have and are willing to share. So far it's only a one year lease agreement. We are trying to keep it simple and cheap.

Is there a way to share internet access while keeping them on a different network? They can take care of their own security. The two networks never cross paths. That would be ideal.

About VLANs. I'm familiar with them, my switch has that feature. I'm confused about how it would all work though.

Not sure if this information helps but our WatchGuard Firebox x500 has a trusted interface set up, 10.0.0.254/24. It also has an Optional Interface that we are using for VPN services, 172.16.1.1/24.

I also see a tab in the configuration called "Secondary Networks" which says "If you have additional networks on any of the Firebox interfaces, enter an unused IP address from each network in the list. The Firebox will use these addresses to route traffic to the correct network."

I'm using a Cisco SG200 48 port switch that can be managed through a web interface. I have a spare unused DELL PowerConnect 3448 that they can use if need be although it's only a 10/100 switch.

How can I create a second intranet, say 192.168.1.0, and patch them into the Comcast modem? The Firebox has to be involved somehow. I'm thinking that Comcast would never allow two different intranets to operate on one account.

What @ubadmin is saying kinda makes sense to me but I'm not quite clear on what to do.
I am not fluent enough for step by step instructions.. however what I'm thinking is going the VLAN route.. create a secondary VLAN, assign that VLAN to a single port on your Cisco.. uplink the PowerConnect to that port. Create a static route on your Cisco pointing the new VLAN subnet to the Comcast modem and you might just be good to go.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Setting up the lawyers to use wireless is a valid idea.. however you neglected the part of the OP's problem where he needs to segregate the traffic. Nothing about using ICS, or a residential router's wifi config, does anything for that.

If your Comcast modem supports it, or if the wireless is already in use by your folks then does it support multiple SSIDs?
Wouldn't using a router (wireless or not) segregate the traffic? Isn't that the purpose of a router?

If I plug a router into my 10.0.0.0 switch, it will obtain a 10.0.0.something IP address which becomes the gateway address for the router. The router has its own DHCP server and creates a network in the 192.168.1.0 range. The three computers are either plugged in directly to that router or pick it up wirelessly. They will be on a different network than ours, correct? That sounds like what I want.

I was busy trying to find a way to have them use our existing infrastructure of wires and switches. Sounds like the simple, cheap answer is to hook them up to a router. Am I missing something?
Hmmm.. maybe. If your end is not using the Comcast router as a DHCP server, thereby freeing that up for the lawyers, and the whole single or multiple SSID thing.. that might work. Not sure why that was missed earlier.. it's so simple it's stupid. Providing the lawyers have laptops already.
One laptop, two desktops as I understand now. Wireless routers generally come with four ethernet ports. I can just run long patch cords directly from the router to the desktops. I doubt they have wireless adapters built in. Our Domain Controller is the DHCP server for our network. It can provide the router with a gateway. The router itself will be the DHCP server for the lawyers' network. Sounds like a plan.
Provided you can secure the two lawyer interfaces from the one uplinking back to your DC.. I mean I highly doubt you'd need to worry about hacking attempts from some lawyers but.. if they are under scrutiny from SOX, HIPAA or anything like that then they'd have to be 100% secured from you and your network for intrusion attempts.
Now you're talking over my head again. "two layer interfaces". What two? Would hacking from the network created by the router into our network be any easier than hacking in from the outside? Why?
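The question just raised (whether the tenants' network can reach the company LAN) can be checked with a small policy model. This is an added example, not code from anyone in the thread: it models the two designs discussed above, the router plugged into the 10.0.0.0/24 switch versus a tenant VLAN routed by the firewall, using the subnets quoted in the thread; the firewall ACL rules are an assumption, since the thread does not spell them out.

```python
"""Reachability check for the two tenant-isolation designs discussed above.

Design A: the lawyers' router has its WAN port on the company 10.0.0.0/24
switch.  The router NATs outbound traffic, but nothing between its WAN
port and the company hosts filters anything, so tenant hosts can reach
the company LAN directly (they just appear as the router's 10.0.0.x).
Design B: the tenants sit on a VLAN (192.168.1.0/24) that the firewall
routes, with an ACL that allows Internet only.  ACL rules are assumed.
"""
import ipaddress

# Networks quoted in the thread.
COMPANY_LAN = "10.0.0.0/24"       # Firebox trusted interface
VPN_NET = "172.16.1.0/24"         # Firebox optional interface
TENANT_NET = "192.168.1.0/24"     # proposed lawyers' network


def evaluate(rules, src, dst):
    """First-match evaluation of (action, src_net, dst_net) rules.

    Returns 'permit' or 'deny'; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def reachable_from_tenant(rules, targets, src="192.168.1.10"):
    """Return the subset of targets a tenant host is allowed to reach."""
    return [t for t in targets if evaluate(rules, src, t) == "permit"]


# Design A: a consumer router forwards whatever its LAN clients send.
ROUTER_ON_COMPANY_SWITCH = [
    ("permit", TENANT_NET, "0.0.0.0/0"),
]

# Design B (assumed firewall policy): deny company networks first, then
# permit everything else, i.e. the Internet.
VLAN_WITH_FIREWALL_ACL = [
    ("deny", TENANT_NET, COMPANY_LAN),
    ("deny", TENANT_NET, VPN_NET),
    ("permit", TENANT_NET, "0.0.0.0/0"),
]

# Constructed targets: the DC/gateway, the VPN interface, a public host.
TARGETS = ["10.0.0.254", "172.16.1.1", "203.0.113.10"]

if __name__ == "__main__":
    print("router on switch :", reachable_from_tenant(ROUTER_ON_COMPANY_SWITCH, TARGETS))
    print("VLAN + ACL       :", reachable_from_tenant(VLAN_WITH_FIREWALL_ACL, TARGETS))
```

The model only covers tenant-to-company traffic; the router's NAT does keep company hosts from opening connections into 192.168.1.0/24, but that is the opposite direction from the one that matters here.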
Hi

I don't understand why you guys make it so complicated for a simple ICS Configuration.

@ tommyBoy

That's why I suggested a Wi-Fi router as an option, because you can secure the Wi-Fi network with a passphrase; it's very strong security (WPA/Enterprise). DON'T have to worry about hacking and all.

Whether you like to go with the wired or Wi-Fi option, my idea is to highlight to you the use of a router as a solution to this issue.

Hope that helps :)
The router is the way to go.

Thanks everyone for replying.