Networking advice
Leonard Isham
leonard.isham at gmail.com
Fri Jan 21 05:08:20 UTC 2005
On Thu, 20 Jan 2005 15:58:07 -0800, Nifty Hat Mitch
<mitch48 at sbcglobal.net> wrote:
> On Thu, Jan 20, 2005 at 09:52:33AM -0500, Leonard Isham wrote:
> > On Thu, 20 Jan 2005 09:48:05 -0500, Kanwar Ranbir Sandhu
> > > On Wed, 2005-19-01 at 17:23 -0500, Leonard Isham wrote:
> > > > Internet
> > > > |
> > > > DSL Modem or Internet Router
> > > > |
> > > > Firewall----Tenant-2
> > > > |
> > > > Tenant-1
> > > >
> > > > Firewall each tenant from the other tenants. Give each tenant a
> > > > different RFC 1918 address range. Use a Switch capable of trunking,
> > > > and an Ethernet card capable of trunking in the firewall to allow
> > > > multiple VLANs on one physical connection.
> > >
> > > I actually considered something like this, but what about those tenants
> > > that require a public IP? Wouldn't a separate NIC be required on the
> > > firewall to bridge the connection for each tenant? In that case, PCI
> > > slots would eventually run out (or there may be IRQ conflicts).
> > >
> >
> > On my previous post:
> >
> > "Use a Switch capable of trunking, and an Ethernet card capable of
> > trunking in the firewall to allow multiple VLANs on one physical
> > connection."
> >
> > Trunking puts multiple VLANs on the same physical Ethernet cable.
> > Each VLAN is a separate subnet.
> >
>
> What about...
>
> Internet
> |
> Cable-DSL Modem
> |
> Network-N-port-HUB
> | | | |
> | | | \
> | | | \
> | | | CustomerFixedIP
> | | |
> | | \
> | | \
> | | \
> | | \
> | | FixedIP4
> | | YourRouterFirewall-NAT
> | | |
> | | N-port-HUB
> | | YourDHCPclients
> | | \ \ \
> | | Ten1 Ten2 Ten3...
> | \
> | \
> | YourServiceBox
>
> What you place behind the modem depends on the service
> you purchase in front. There is little need to firewall the
> tenants from each other as long as they are connected
> to a switch so packet snooping is hobbled.
>
Snooping is hobbled, but quite doable.
My concern would be the unprotected, most likely unpatched, systems
getting infestations and creating problems for all the tenants. I
just recently saw an unpatched Windows system with a public IP hooked
to a T-1 at a trade show. 15 minutes later it was infected, and
pegged the T-1. Six hours later, after troubleshooting the
problem, removing the worm, patching the system, and installing
anti-virus and anti-spyware software, they were back on-line.
In short, if something like this happens to your tenants you will be blamed.
--
Leonard Isham, CISSP
Ostendo non ostento.
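The "one trunk port, one VLAN per tenant" design Leonard describes above, as an added example written for this page rather than code posted by anyone in the thread. It is a POSIX shell script for a Linux firewall that prints the ip(8) and iptables(8) commands needed to give each tenant its own 802.1Q sub-interface on the trunk NIC, its own RFC 1918 subnet, NAT to the upstream link, and a FORWARD rule that drops traffic between tenant VLANs. The interface names (eth0 as the trunk toward the switch, eth1 toward the modem), the VLAN numbering (tenant N gets tag 10*N) and the 10.N.0.0/24 subnets are constructed assumptions, not values from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread: emit the Linux firewall configuration for
# per-tenant VLANs on a single trunk. Interface names, VLAN IDs and subnets below
# are constructed assumptions; adjust them before use.

TRUNK_IF="eth0"   # assumed: trunk port toward the VLAN-capable switch
WAN_IF="eth1"     # assumed: upstream port toward the DSL/cable modem

# vlan_id N -> 802.1Q tag for tenant N (constructed convention: 10, 20, 30 ...)
vlan_id() {
    echo $(( $1 * 10 ))
}

# tenant_subnet N -> the tenant's private /24, drawn from RFC 1918 space
tenant_subnet() {
    echo "10.$1.0.0/24"
}

# tenant_gateway N -> the firewall's own address inside tenant N's VLAN
tenant_gateway() {
    echo "10.$1.0.1/24"
}

# gen_tenant_config N: commands that attach tenant N to the trunk as a VLAN
# sub-interface, NAT it toward the Internet, and keep it off the other VLANs.
gen_tenant_config() {
    n=$1
    id=$(vlan_id "$n")
    sub="$TRUNK_IF.$id"
    printf 'ip link add link %s name %s type vlan id %s\n' "$TRUNK_IF" "$sub" "$id"
    printf 'ip addr add %s dev %s\n' "$(tenant_gateway "$n")" "$sub"
    printf 'ip link set %s up\n' "$sub"
    # Tenant -> Internet is allowed and masqueraded behind the WAN address.
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$sub" "$WAN_IF"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$(tenant_subnet "$n")" "$WAN_IF"
    # Tenant -> any other VLAN sub-interface on the trunk is dropped explicitly,
    # so an infected host in one unit cannot reach the neighbours' subnets.
    printf 'iptables -A FORWARD -i %s -o %s+ -j DROP\n' "$sub" "$TRUNK_IF."
}

# gen_all_tenants COUNT: full configuration for tenants 1..COUNT, preceded by
# the trunk bring-up, a default-deny FORWARD policy and the stateful return rule.
gen_all_tenants() {
    count=$1
    printf 'ip link set %s up\n' "$TRUNK_IF"
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    i=1
    while [ "$i" -le "$count" ]; do
        gen_tenant_config "$i"
        i=$(( i + 1 ))
    done
}

# Review the output first; apply with e.g. `gen_all_tenants 3 | sh` as root.
gen_all_tenants 3
```

The script only prints commands, so it can be inspected (or diffed against the running configuration) before anything is applied. The switch side still has to carry the same tag numbers on the trunk port and put each tenant's access port into its own VLAN; the explicit inter-VLAN DROP is redundant with the default-deny policy but makes the isolation intent visible in the rule listing.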
More information about the fedora-list mailing list