2 Completely separate companies using same server room

 
 
KTSmith
      07-13-2007, 08:14 AM
We are about to move into a 75 user building. 1 company has ~50 users and
company #2 has about ~25 users. These two companies have NO relations to
each other except sharing the same server room. I have been managing AD
2003 / Exchange 2003 for the 75 user office, but I must now make sure I
accommodate the other company into our network.

Since they already have their AD / we have ours and we have different
network ids (192.168.50.x for us and they are 10.0.4.x) - what or how do I
ensure that when we plug up in the server room we share, that we are truly
isolated from one another? What additional equipment should I get?

We have our own switches (not managed) and they have their own switch. Our
switch will connect to a T3 line and theirs will connect to a separate T1
line.

Can someone please recommend a solution / equipment to ensure the physical /
logical separation between the two companies' networks?

Sorry so long, thank you.



 
Mirco Wilhelm
      07-13-2007, 11:46 AM
"KTSmith" wrote:

> Since they already have their AD / we have ours and we have different
> network ids (192.168.50.x for us and they are 10.0.4.x) - what or how do I
> ensure that when we plug up in the server room we share, that we are truly
> isolated from one another? What additional equipment should I get?


I would get 2 secured server racks (one for each company) and mount all
servers and switches in there.

> We have our own switches (not managed) and they have their own switch. Our
> switch will connect to a T3 line and theirs will connect to a separate T1
> line.


This may be a good time to buy yourself a managed switch (VNET support would
be great).

> Can someone please recommend a solution / equipment to ensure the physical /
> logical separation between the two companies' networks?


The logical separation can be handled by firewalls, routers or switches...
the physical separation is a bit more difficult.

You will have to make sure that every network mount in each office is listed
and connected to the server room. Best would be to connect them straight to
your own rack. As long as the network cables are not connected with each
other you won't have a problem.
 
BSweeney
      07-13-2007, 12:06 PM
I agree largely with Mirco. I would separate the two networks out on separate
racks, preferably with doors on them that can be locked. The logical
separation is technically accommodated by the fact that you are on different
subnets, albeit not very securely. If you are sharing an internet connection
then I would try and split them out at the first firewall on the network and
block any network traffic from passing between the two networks.

Olaf Engelke [MVP Windows Server]
      07-13-2007, 09:02 PM
Hello,
"BSweeney" <(E-Mail Removed)> wrote in message
news:76023F3A-60BA-400B-ABD1-(E-Mail Removed)...
> I agree largely with Mirco. I would separate the two networks out on
> separate racks, preferably with doors on them that can be locked.

Whether that is possible may depend on the temperature and cooling. We have a
system here which reacts strangely and faultily if the door of the rack gets
closed, so that the circulation is disturbed.
Best greetings from Germany
Olaf

 
Phillip Windell
      07-13-2007, 09:22 PM
It is all about cabling. You just don't run the two networks over the same
"wire". It is no different than if you had two IP Segments in your own
network,...each segment would be on its own "wire" and they would never
"touch" unless there was a Layer3 router placed between them for that
purpose. It doesn't matter if they are in the same rack or not,...what if
there was no rack?,...they could be on the same table, same shelf, same
floor,..it's irrelevant,...what matters is how they are cabled.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Lanwench [MVP - Exchange]
      07-15-2007, 02:10 PM
KTSmith <(E-Mail Removed)> wrote:
> We are about to move into a 75 user building. 1 company has ~50
> users and company #2 has about ~25 users. These two companies have
> NO relations to each other except sharing the same server room. I
> have been managing AD 2003 / Exchange 2003 for the 75 user office,
> but I must now make sure I accommodate the other company into our
> network.
> Since they already have their AD / we have ours and we have different
> network ids (192.168.50.x for us and they are 10.0.4.x) - what or how
> do I ensure that when we plug up in the server room we share, that we
> are truly isolated from one another? What additional equipment
> should I get?
> We have our own switches (not managed) and they have their own
> switch. Our switch will connect to a T3 line and theirs will connect
> to a separate T1 line.
>
> Can someone please recommend a solution / equipment to ensure the
> physical / logical separation between the two companies' networks?
>
> Sorry so long, thank you.


Other than suggesting locked cabinets, and other physical security measures,
there's not much else I could suggest. As long as you're not sharing
Ethernet switches, you're not going to see their network & they're not going
to see yours. With the description above, you should be fine.


 
BSweeney
      07-16-2007, 01:44 PM
With all due respect Phillip, I couldn't disagree with you more. We aren't
talking about a home office, or a converted coat closet, but an actual server
room shared by two different companies. While cabling is absolutely important
for the sake of keeping things organized and manageable, it provides no
actual security by itself, which is ultimately the concern of the original
post. The separate racks with lockable doors provide a reasonable level of
physical security in a room where two IT teams will be working on connected
networks. At the packet level, cables by themselves provide no security
without proper subnetting, routing configuration, and firewall rules. I'm
not really sure what you were driving at here, but while I believe that
cabling is important, I personally think that there is a lot more to be
considered here than just the cabling in a well designed network
environment.

Phillip Windell
      07-17-2007, 05:30 AM
"BSweeney" <(E-Mail Removed)> wrote in message
news:5A5BB290-E3EA-41E4-8694-(E-Mail Removed)...
> With all due respect Phillip, I couldn't disagree with you more. We
> aren't
> talking about a home office, or a converted coat closet, but an actual
> server
> room shared by two different companies.


And that is exactly what I am talking about as well.

> While cabling is absolutely important
> for the sake of keeping things organized and manageable, it provides no
> actual security by itself,


Of course it provides security. If two networks are not on the same
cabling, then there is no physical connection between the two systems then
there is no way possible for them to communicate,...you can't get any more
secure than that.

> post. The separate racks with lockable doors provide a reasonable level of
> physical security in a room where two IT teams will be working on
> connected
> networks.


Racks such as that for physical security are perfectly fine,...I didn't tell
him to *not* use them,...but I was dealing with the actual networking. If
the two networks are on the same physical cabling then it isn't going to
matter how many lockable racks they are in because the door would not even
need to be opened to get to the machines.

> At the packet level, cables by themselves provide no security
> without proper subnetting, routing configuration, and firewall rules.


With two separate physical cabling systems there is no subnetting, routing
configuration, and firewall rules. At least not in the context of the two
networks working together because they simply never touch each other. I'm
looking at the bigger picture which includes the entire building, not just a
rack or two.

> I'm not really sure what you were driving at here,


Apparently, that's true.

I'm sorry, but it sounds like you just made a knee-jerk reaction to what I
said because you thought I was trying to stomp on your post and didn't
really think about what I said. I wasn't stomping on your post, I was
dealing with the context and direction that the thread was moving in.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
BSweeney
      07-17-2007, 12:50 PM
Ok, I've re-read the original post and your post, and I stand corrected to
a certain degree.

In the original post, I completely missed that the two companies would be
connecting to different trunks out to the internet. My statements were made
on the incorrect assumption that they were sharing a single trunk, which is
why I didn't see where you were going with the whole separate cabling thing.
If that is the case, then you are correct in saying that the cabling will
provide physical and logical separation of the two networks. They will be
oblivious to one another, and all my stuff about routing and subnetting etc.
can go out the window.

Given that, however, you have to agree that in a shared server room, on a
single rack, with no rack doors, the cabling by itself doesn't provide any
actual security, since one company can easily go in and manipulate or connect
to the other company's equipment. I think separate racks with lockable doors
are pretty important for physical security in this particular scenario.





Phillip Windell
      07-17-2007, 02:28 PM
"BSweeney" <(E-Mail Removed)> wrote in message
news3FA931B-7948-4F0B-9339-(E-Mail Removed)...
> Given that, however, you have to agree that in a shared server room, on a
> single rack, with no rack doors, the cabling by itself doesn't provide any
> actual security, since one company can easily go in and manipulate or
> connect
> to the other company's equipment. I think separate racks with lockable
> doors
> are pretty important for physical security in this particular scenario.


Yes, I do agree with that completely.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
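A check for the situation the thread settles on (separate switches and cabling, different subnets), added here as an example and not written by any of the posters: if the two companies' switches were ever patched together, ARP broadcasts from the other company's hosts would reach our side, because different subnets alone do not split a broadcast domain. The sketch scans Ethernet frames taken from a capture on our own switch and reports ARP senders outside our range; the /24 mask, the function names and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Our range from the original post; the /24 mask is an assumption.
OUR_NET = ipaddress.ip_network("192.168.50.0/24")
ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                          # not Ethernet/IPv4 ARP
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = "-".join(f"{b:02x}" for b in sha)
    return mac, ipaddress.ip_address(spa), ipaddress.ip_address(tpa)

def foreign_arp_senders(frames, own_net=OUR_NET):
    """Map sender MAC -> set of ARP sender IPs that fall outside own_net."""
    seen = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, spa, _tpa = parsed
        if spa.is_unspecified:               # ARP probe from 0.0.0.0 claims no address
            continue
        if spa not in own_net:
            seen.setdefault(mac, set()).add(str(spa))
    return seen

def build_arp_request(src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Build a broadcast ARP request; used only to construct sample data."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += src_mac + ipaddress.ip_address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(dst_ip).packed
    return eth + arp

# Constructed sample capture: one of our hosts, one host in the other
# company's 10.0.4.x range (seen twice), and one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_request(bytes.fromhex("020000000001"), "192.168.50.21", "192.168.50.1"),
    build_arp_request(bytes.fromhex("020000000002"), "10.0.4.17", "10.0.4.1"),
    build_arp_request(bytes.fromhex("020000000002"), "10.0.4.17", "10.0.4.9"),
    b"\xff" * 6 + bytes.fromhex("020000000003") + b"\x08\x00" + b"\x00" * 40,
]

if __name__ == "__main__":
    for mac, ips in foreign_arp_senders(SAMPLE_FRAMES).items():
        print(f"cross-connect suspect: {mac} announces {sorted(ips)}")
```

An empty result on a capture taken over a working day is consistent with the two networks never touching; any hit means a cable or port needs tracing.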


 