Segregating networks VLANs or Subnets

Discussion in 'Server Networking' started by Tonton, Dec 7, 2005.

  1. Tonton

    Tonton Guest

    Hi there,

    I want to segregate 2 networks. Let me give a little background. We are an
    office facility company (We provide phone, internet and other office services
    to a number of other small businesses within the same business centre). At
    present there is a single Win2003 server with a single Fast Ethernet card and
    a number of voice and data switches (24 Ports Unmanaged D-Link). The only
    routers are the Draytek ADSL Modem/Routers which I believe are not capable of
    VLANing.

    Our company has about 4 PCs. But we are providing Internet access to a
    number of other companies with their PCs. At present everyone can see
    everyone else's files/folders which is not a good security practice. I want
    to make sure that nobody can see anybody else's files/folders.

    What would I need in terms of devices, technologies and etc?

    Any suggestions, recommendations.

    Thanks
     
    Tonton, Dec 7, 2005
    #1

  2. Neteng Guest

    A firewall with multiple interfaces would be best. You could also have a
    router (or layer 3 switch) and configure access-lists. A Cisco PIX515 with 6
    interfaces would work just fine or you could save a couple of bucks and get
    two interfaces. You would then need to set up VLANs on the PIX and the
    switch it connects to. It would probably be easier to just get the 6
    interfaces though.
     
    Neteng, Dec 7, 2005
    #2

  3. You use NTFS permissions. That is what they are for. That is the first area
    of security. You can't allow filesystem access to the "Everyone Group" and
    complain that everyone can see all the files. So that is the first thing you
    do.

    Do *not* consider the fact that something shows in Network Places as having
    "access". Just because it appears on the Browse List (Network Places) does
    not make it accessible.

    Running ACLs on a LAN Router would work for only Layer 3 & 4 traffic.
    Traditional firewalls do NAT which is not appropriate. You want to control
    traffic access, not "translate" it. That is why LAN Routers have had ACLs
    long before anyone invented NAT Firewalls. But LAN Routers only restrict
    between Network Segments for the most part,...they are not for creating
    detailed Access Schemes,...that is what the NTFS Permissions are for.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Deployment Guidelines for ISA Server 2004 Enterprise Edition
    http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
    -----------------------------------------------------
     
    Phillip Windell, Dec 7, 2005
    #3
  4. Neteng Guest

    If you prevent users from a specific subnet from even accessing your
    network, you can leave NTFS permissions alone. 99% of admins out there don't
    configure groups correctly. I doubt most could also get NTFS permissions
    right. If you prevent the clients in the building access to each other's
    networks, you don't have to change any permissions. There is no need to NAT,
    the firewall can route just as well. NAT is a feature of a firewall, not a
    firewall in itself.


     
    Neteng, Dec 7, 2005
    #4
  5. Yes, if that kind of restriction is acceptable. But what often happens is
    they suddenly realize how much "does not work" between the LANs because of
    it and soon want to know how to get this, that, and 15 other things to
    "work",..before long you end up wishing you had an Admin smart enough to
    handle NTFS permissions properly. I don't have much mercy for Admins who
    can deal with NTFS permissions,...it's like a truck driver that doesn't know
    how to back-up.

    If each "company" on that LAN has different Domains,..and there is no trust
    between the Domains, then the NTFS permissions already have them blocked out
    of each other's "stuff" because the "Everyone Group" only encompasses
    authenticated users in its own Domain.

    But yes,..I'm not disagreeing with your point above,...if that kind of
    restriction is acceptable.

    We will have to differ there. I don't even consider "firewall" to be any
    more than a generic "slang" term made popular by marketers. There are
    routers, NAT devices, and proxies,...all can be used as a "firewall". The
    proxy is obvious, but the difference between a router and a NAT device is
    that the NAT device does not have the ability to "not" do NAT,...where a
    router can enable or disable it. The Watchguard box we have for example, as
    far as I know, is always doing NAT and cannot "not" do NAT and work as a
    regular router.

    Phil
     
    Phillip Windell, Dec 7, 2005
    #5
  6. I meant "can *not* deal with NTFS permissions,..."
    But you probably knew that anyway.

    Well, you get the honor of being the last post of the day...I'm outta here..
    Catch you guys tomorrow

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Dec 7, 2005
    #6
  7. Neteng Guest

    I agree with you and we were both assuming on the setup. I assumed each
    company/domain is different and they do not want to share a thing??? I'm
    sorry about the Watchguard (I personally despise them :) and just to start
    some flaming.....they're almost as bad as a Checkpoint!

    Good analogy of the truck driver.

     
    Neteng, Dec 8, 2005
    #7
  8. start

    I'm not all that excited about them either. Our corp HQ pushed them out to
    all the Sites (somewhere between 30-40, ..can't keep track) to be used for
    the "Corp VPN" that links us all to the HQ. They probably assumed we would
    all use them for Internet access too, but we don't. I only use it for
    internet access for my main servers and other "utility" machines that don't
    have "humans" to go with them. The "humans" all have to go out the ISA
    Server. So the Watchguard does what they mainly sent it here for, so
    that's good enough for me I suppose, I stay away from it beyond that.

    WG has some problems with the design of the Remote Access VPN. It won't let
    you use a separate DHCP Server to grant addresses. You have to give the WG
    box a list of addresses to "use". It also won't let you have certain VPN
    users be "static",..they are *forced* to use the automatic addressing which
    can only be provided by the WG box. That is unless I am missing something
    there, like I said, I stay away from the thing most of the time.

    Phil
     
    Phillip Windell, Dec 8, 2005
    #8
  9. I used to be one for 10 years, that's why it came to mind,...probably where
    the bull-headedness comes from sometimes too. I got out of a truck on Friday
    and started here the following Weds, been here ever since. Being able to
    make such a drastic switch is a long story.
    I could back up of course ;-),...but was hit in the docks on occasion by some
    where that ability was questioned.

    Phil
     
    Phillip Windell, Dec 8, 2005
    #9
  10. Neteng Guest

    The first time I had to back up a deuce and a half (2 1/2 ton military truck)
    with a "water buffalo" on the back was hilarious. The guy next to me was
    laughing so hard he made me laugh.
     
    Neteng, Dec 8, 2005
    #10
  11. Tonton Guest

    Steve,

    Thanks for the reply. We have just had a new baby boy so I have not been
    able to reply to the postings so far. Configuring the router with VLANs was
    my first thought but I do not believe this particular model has VLANing
    capability. It is Draytek Vigor 2600 Annex A with Firmware Version 2.2.5

    Any other idea where I would not necessarily need to change/add anything
    major to the existing env? The cost and simplicity are important factors with
    this environment.

    Thanks
    Kind regards
     
    Tonton, Dec 10, 2005
    #11
  12. Tonton Guest

    Phillip and Neteng,

    We have just had a baby boy so I could not answer any of the postings so
    far. I am back now.

    Let me just point out a few things with respect to this infrastructure;

    I would want to avoid any change/addition to this IT environment if
    possible. i.e. Adding a PIX firewall would be expensive and complicated. The
    cost and simplicity are the most important two elements for me and the
    clients.

    Philip, yes each of the "companies" on that LAN has different Domains, in
    fact some of them do not have any domain at all (they just have a few PCs as
    workgroup PCs). ,..and there is no trust
    between the Domains, then the NTFS permissions already have them blocked out
    of each other's "stuff" because the "Everyone Group" only encompasses
    authenticated users in its own Domain.

    So let me get this straight: if I just use NTFS permissions to block the
    access to our domain server (A single Win2003 server acting as DNS, PDS and
    file server) and a few PCs then I will be sorted. That is all I need, right?

    Your help, advice and recommendations are greatly appreciated.

    Many Thanks


     
    Tonton, Dec 10, 2005
    #12
  13. right?

    It is already that way to begin with,...there is nothing to "do". Without
    Domains & Trusts between them you couldn't give them permission to things if
    your life depended on it. You have to create new accounts for them on your
    Domain and they would have to use those,...since you haven't done that (and
    don't want to), they do not have any such permissions to begin with.

    However with that said,...it is never just that simple. With certain
    services like Web Servers, FTP, SQL, custom vendor supplied
    Applications,...these things may allow permission without the user even
    having accounts on the Domain. So it is possible with a LAN Router to set up
    ACLs that limit the type of traffic (Traffic Profile) that is allowed. This
    is not the traditional meaning of the term "firewall",...we aren't talking
    "firewalls" in the traditional sense,...there is no NAT,..there is no
    "proxying",...just regular ACLs on a regular LAN Router.

    So it may be a combination of what both I and Neteng were saying. You are
    the only one that can really determine what is correct for the situation.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Dec 14, 2005
    #13
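The per-subnet ACL approach that Neteng and Phil converge on (each tenant subnet may reach the shared server for the services it needs and the Internet, but not the other tenants' segments) is easy to get wrong on a first-match list. The model below is an added example, not anything from the thread or a vendor's configuration; the tenant subnets, the shared server address and the "DNS only" service set are constructed for illustration, and the rule semantics (first match wins, implicit deny at the end) are those of a typical LAN router ACL.

```python
"""Model of a per-tenant inbound ACL on a LAN router (first match wins,
implicit deny). Constructed example: addresses below are not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

SHARED_SERVER = ip_address("192.168.1.10")   # constructed: the Win2003 DNS/file server
ANY = ip_network("0.0.0.0/0")
TENANTS = {                                   # constructed tenant subnets
    "ourcompany": ip_network("192.168.1.0/24"),
    "tenant-a": ip_network("192.168.10.0/24"),
    "tenant-b": ip_network("192.168.20.0/24"),
}
SHARED_PORTS = (53,)   # services tenants may use on the shared server: DNS only


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any destination port


def build_acl(tenant: str) -> List[Rule]:
    """Inbound ACL for one tenant's router interface.
    Order matters: the specific permits must precede the blanket denies,
    and the Internet permit must come last."""
    src = TENANTS[tenant]
    server = ip_network(f"{SHARED_SERVER}/32")
    rules = [Rule("permit", src, server, p) for p in SHARED_PORTS]
    # Block every other internal segment, including the shared server's own subnet
    rules += [Rule("deny", src, net) for name, net in TENANTS.items() if name != tenant]
    rules.append(Rule("permit", src, ANY))      # anything else (Internet) is fine
    return rules


def evaluate(acl: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"   # every ACL ends with an implicit deny


if __name__ == "__main__":
    acl = build_acl("tenant-a")
    for dst, port in (("192.168.20.7", 445), ("192.168.1.10", 53),
                      ("192.168.1.10", 445), ("203.0.113.9", 80)):
        print(f"tenant-a -> {dst}:{port}: {evaluate(acl, '192.168.10.5', dst, port)}")
```

Note that an SMB attempt (port 445) at the shared server is denied by the subnet rule even though DNS to the same host is permitted, which is the point Phil makes about ACLs constraining the traffic profile rather than replacing NTFS permissions.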