  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 718

Isolate Network users in a shared Office Environment

I know this is a topic that's been discussed many times in various ways, but each and every case is so different that I couldn't find a solid answer...

I'm (re)networking an office where about 50-60 individual users share the internet. The users have no relation to each other (sort of like at an airport, except each user is wired). Currently the office is set up with unmanaged switches and an RV042G gateway/router (which does failover on the WAN). This setup is causing issues with reliability, bandwidth, security, malware, management, and overall legal reasons.

The goal is to isolate each user/switch-port from each other, while still allowing a single DHCP server to serve them all. Many of the users have laptops so static IP's are not an option.

I'm thinking of installing switches such as Dlink DGS-1210 and giving each port an untagged VLAN. Then setting one port on each switch tagged and that port connects to the router.

However, I DON'T want to have to set up an individual subnet and DHCP range for each VLAN. Furthermore, I can't see anywhere that the DGS-1210s have an IP helper of any sort.

How can I make this work with a limited budget?
0
Asked by: JohnnyIT
2 Solutions
 
Andrej Pirman commented:
Maybe the cheapest solution would be to install WiFi cards into each PC and set up Wireless LAN access for all. No wires.
It is just a checkbox "Isolate users" in some robust wireless access point, like Ruckus 7363 or better (you get it for 500 EUR and it covers 2-3 times more than other brands!)
http://www.ruckuswireless.com/products/zoneflex-indoor/7363

All other solutions add complexity or are pricey:
VLAN would need a subnet on DHCP for each port and trunking ports to the router. Cisco managed switches would do that, but your router would not support so many VLANs and so many DHCP subnets.
You could also virtualize a bunch of routers on one or two hosts, filled with 4-port LAN adapters, but this is an exotic solution. I once set up such a solution for 4 subnets, just for fun. Installed one virtual Linux firewall (don't remember which one, Vyatta or Sonicwall...don't know), set it to get WAN via DHCP, set up one subnet 10.10.1.1, then I copied it over 3 times, changed LAN settings to 10.10.2.1, 10.10.3.1 and 10.10.4.1, linked each to a separate HW LAN adapter...and voila, I had 4 totally separated LAN connectors :)
0
 
JohnnyIT (Author) commented:
You're correct that what I'm after is similar to "AP isolation" which many wireless routers/APs offer. Even inexpensive consumer-grade ones for that matter. However, installing wireless cards in computers we don't own is not feasible because we don't own them, performance would be terrible, and we'd have to build out a robust set of APs in the large office.

Nonetheless, thank you for your suggestions.

I'm hoping someone knows whether or not the DGS-1210s or some other switches in that price range have some sort of IP helper or not. The DGS-1210s have an impressive spec sheet for the price, so that's what drew me to them. They have features that will help in our case like DHCP snooping/screening, but there's no mention of an IP helper or similar feature. I then also have the issue of passing only DHCP to all the ports.
0
 
carlmd commented:
Consider using a Sonicwall UTM device running Guest Services on the LAN. This will isolate all users, and only permit internet access. You don't mention if there are any other local resources that need to be accessed, but if so they could be configured. The Sonicwall will also perform the DHCP function while handling all the security issues.
0
 
JohnnyIT (Author) commented:
That makes sense, but how would the Sonicwall prevent the switches from passing or broadcasting traffic amongst each other? It seems to me that this is something that must be accomplished at the switch level.
0
 
carlmd commented:
One way would be to run each switch to a port on the Sonicwall (assigned a zone) and define the rules for what is and is not permitted between them. This would control traffic between users connected to different switches, but not the same one.

Also, since the Sonicwall would be the default gateway, I believe having a single LAN and setting Guest Services for it, would prevent a user from going back to another on the same LAN.
0
 
JohnnyIT (Author) commented:
There are 50-60 users, none of which should see each other. If the switch doesn't isolate them somehow (VLAN or otherwise) then they will still be able to see each other. Your idea would work excellently for a small number of users, and I will keep that in mind, thanks.
0
 
carlmd commented:
Can you be more specific about what you mean by "see each other"?

How many switches are there?

Are all 50-60 users on the same LAN (no VLANs)?
0
 
JohnnyIT (Author) commented:
It sounds like what I'm after is the "Protected Ports" feature as described here: https://supportforums.cisco.com/thread/161986

Any ideas on the least expensive switch that supports that feature or equivalent?
0
 
JohnnyIT (Author) commented:
Currently, there are five (5) 24-port switches (some users have multiple computers/ports). Currently no VLANs.

It really looks like "PVLANS" and/or the "Protected Ports" feature from either Cisco or HP is what I'm after.  Now I'm just trying to find the most cost-effective switch that does it.
0
 
Andrej Pirman commented:
Well, sorry for my late reply.
D-Link's DES-1100-16 for example (and other D-Link Smart series switches) will let you do port isolation by setting each port to be a member only of itself and of a group with port 1, for example. So each port is on its own and also a member of the VLAN group with port 1.
Then connect port 1 to the router; if you have 4 switches, connect them to 4 of the router's LAN ports, and voila, off you go with members isolated.

Computers will be able to ping/access the router, but will not ping/access each other.

Besides that, the router will be able to deliver DHCP to port 1 of all switches, so all computers will get IP settings from the router.
0
 
JohnnyIT (Author) commented:
Thanks Labsy. Do you mean those switches have a special setting for some type of "port isolation", or just that I could accomplish my goal with VLANs?
0
 
JohnnyIT (Author) commented:
Your comment made me go look into D-Link again in case I had missed something, and sure enough... I did!!

D-Link has a feature they call "Traffic Segmentation". I read about it here: ftp://ftp.dlink.es/FAQs/TS_AV.pdf

It's essentially the same as "Protected Ports" in Cisco and HP ProCurve switches, except that it's offered on switches as cheap as the DES-1100. However, I also need some extra security features such as DHCP Screening (to prevent rogue DHCP servers), so the cheapest switch which offers Traffic Segmentation AND DHCP Screening is the D-Link DGS-1210, which coincidentally was my hope.

Now why "Traffic Segmentation" isn't better documented, who knows. A user could save thousands in switch cost, or hours of configuration, with that simple feature. Thanks D-Link!
0
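For comparison, here is what the same two controls (Protected Ports for per-port isolation within one subnet, plus DHCP snooping so only the router side may answer DHCP) look like on a Cisco IOS access switch. This is an added illustration, not configuration from this thread or from D-Link's Traffic Segmentation guide; it assumes port 1 is the uplink to the router/DHCP server and ports 2-24 are user ports, all in a single VLAN.

```cisco
! --- Global: DHCP snooping screens rogue DHCP servers on untrusted ports ---
ip dhcp snooping
ip dhcp snooping vlan 1
! Option 82 insertion is off because many non-Cisco DHCP servers
! (the RV042G-class router in the question included) discard such requests
no ip dhcp snooping information option
!
! --- Uplink to the router/DHCP server: trusted for DHCP, NOT protected ---
! A protected port can still talk to this port, which is how every user
! reaches the gateway and receives a lease.
interface GigabitEthernet1/0/1
 description Uplink to router (DHCP server side)
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping trust
!
! --- User ports: protected so they cannot forward to each other ---
! They stay untrusted, so a DHCP OFFER/ACK sourced by a user PC is dropped.
interface range GigabitEthernet1/0/2 - 24
 description User port (isolated)
 switchport mode access
 switchport access vlan 1
 switchport protected
 ip dhcp snooping limit rate 10
 spanning-tree portfast
```

Protected ports only stop forwarding between ports on the same switch, so with five switches the same rule must hold at whatever aggregates the uplinks, or users on different switches can still reach each other through it.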
 
Andrej Pirman commented:
Excellent discovery!
I admit I also learned a bit about that feature, which might help me in the future.
0
 
JohnnyIT (Author) commented:
Labsy was helpful in making me explore D-Link a little further, but in the end I found the exact feature I was looking for by researching.
0
