Networking Forums

Segregating networks VLANs or Subnets

 
 
Tonton
12-07-2005, 05:39 PM
Hi there,

I want to segregate 2 networks. Let me give a little background. We are an
office facility company (We provide phone, internet and other office services
to a number of other small businesses within the same business centre). At
present there is a single Win2003 server with a single Fast Ethernet card and a
number of voice and data switches (24 Ports Unmanaged D-Link). The only
routers are the Draytek ADSL Modem/Routers which I believe are not capable of
VLANing.

Our company has about 4 PCs. But we are providing Internet access to a
number of other companies with their PCs. At present everyone can see
everyone else's files/folders which is not a good security practice. I want
to make sure that nobody can see anybody else's files/folders.

What would I need in terms of devices, technologies and etc?

Any suggestions, recommendations.

Thanks
 

Neteng
12-07-2005, 07:02 PM
A firewall with multiple interfaces would be best. You could also have a
router (or layer 3 switch) and configure access-lists. A Cisco PIX515 with 6
interfaces would work just fine or you could save a couple of bucks and get
two interfaces. You would then need to setup VLANs on the PIX and the
switch it connects to. It would probably be easier to just get the 6
interfaces though.



 
Phillip Windell
12-07-2005, 08:33 PM
"Tonton" <(E-Mail Removed)> wrote in message
news:0F25BDB6-0613-439A-BE85-(E-Mail Removed)...
> Our company has about 4 PCs. But we are providing Internet access to a
> number of other companies with their PCs. At present everyone can see
> everyone else's files/folders which is not a good security practice. I
> want to make sure that nobody can see anybody else's files/folders.


You use NTFS permissions. That is what they are for. That is the first area
of security. You can't allow filesystem access to the "Everyone Group" and
complain that everyone can see all the files. So that is the first thing you
do.

Do *not* consider the fact that something shows in Network Places as having
"access". Just because it appears on the Browse List (Network Places) does
not make it accessible.

Running ACLs on a LAN Router would work for only Layer 3 & 4 traffic.
Traditional firewalls do NAT which is not appropriate. You want to control
traffic access, not "translate" it. That is why LAN Routers have had ACLs
long before anyone invented NAT Firewalls. But LAN Routers only restrict
between Network Segments for the most part,...they are not for creating
detailed Access Schemes,...that is what the NTFS Permissions are for.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------
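An added example (not code from any poster in this thread) that models the design discussed above: one subnet/VLAN per company behind a router or multi-interface firewall whose access-list permits tenant-to-shared-services and tenant-to-Internet traffic but denies tenant-to-tenant traffic. It also shows the Layer 3/4 limitation Phillip raises: hosts on the same segment are switched directly and never reach the ACL, which is exactly the position every host is in on the flat LAN the thread starts from. The subnet names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed topology for the scenario in this thread (assumption, not from
# the posts): one VLAN/subnet per company on a router or multi-interface
# firewall, a shared-services subnet, and the Internet beyond the uplink.
TENANT_SUBNETS = {
    "vlan10-ourcompany": ipaddress.ip_network("10.0.10.0/24"),
    "vlan20-tenant-a":   ipaddress.ip_network("10.0.20.0/24"),
    "vlan30-tenant-b":   ipaddress.ip_network("10.0.30.0/24"),
}
SHARED_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # e.g. the shared Win2003 server

def segment_of(ip):
    """Name of the local segment holding ip; None means outside (Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in TENANT_SUBNETS.items():
        if addr in net:
            return name
    return "shared" if addr in SHARED_SUBNET else None

def router_acl(src, dst):
    """Layer-3 policy the router/firewall applies to traffic crossing segments:
    tenants reach shared services and the Internet, never another tenant."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None or "shared" in (s, d):
        return "permit"
    return "permit" if s == d else "deny"

def outcome(src, dst):
    """What happens to one packet. Hosts on the same subnet are switched
    directly and never reach the router, so the ACL is not consulted for
    them (the Layer 3/4-only limitation). On a single flat subnet with
    unmanaged switches, every host is in that position."""
    s, d = segment_of(src), segment_of(dst)
    if s is not None and s == d:
        return "delivered (same segment, ACL never consulted)"
    return "delivered" if router_acl(src, dst) == "permit" else "dropped by ACL"

def isolation_report(flows):
    """Evaluate (src, dst) pairs; returns {(src, dst): outcome}."""
    return {(src, dst): outcome(src, dst) for src, dst in flows}

if __name__ == "__main__":
    sample_flows = [                   # constructed sample traffic
        ("10.0.20.5", "10.0.30.5"),    # tenant A -> tenant B
        ("10.0.20.5", "10.0.1.10"),    # tenant A -> shared server
        ("10.0.20.5", "203.0.113.7"),  # tenant A -> Internet
        ("10.0.20.5", "10.0.20.9"),    # tenant A -> neighbour on same VLAN
    ]
    for (src, dst), result in isolation_report(sample_flows).items():
        print(f"{src:>12} -> {dst:<12} {result}")
```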



 
Neteng
12-07-2005, 09:05 PM
If you prevent users from a specific subnet from even accessing your
network, you can leave NTFS permissions alone. 99% of admins out there don't
configure groups correctly. I doubt most could also get NTFS permissions
right. If you prevent the clients in the building access to each other's
networks, you don't have to change any permissions. There is no need to NAT,
the firewall can route just as well. NAT is a feature of a firewall, not a
firewall in itself.





 
junkmail@strowger.com
12-07-2005, 09:32 PM
Which model/firmware are you using? You might want to check for a
firmware upgrade. Most DrayTek models have a VLAN/Rate Control option.
All you need to do is assign each port (P1, P2, P3, P4) to a separate
VLAN (VLAN0, VLAN1, VLAN2, VLAN3) by checking the box where they
intersect. You have now isolated broadcast traffic from each port from
all the others.
Steve
guideband.com

 
Phillip Windell
12-07-2005, 09:44 PM

"Neteng" <(E-Mail Removed)> wrote in message
news:OpUDip3%(E-Mail Removed)...
> If you prevent users from a specific subnet from even accessing your
> network, you can leave NTFS permissions alone. 99% of admins out there
> don't configure groups correctly. I doubt most could also get NTFS permissions
> right. If you prevent the clients in the building access to each other's
> networks, you don't have to change any permissions.


Yes, if that kind of restriction is acceptable. But what often happens is
they suddenly realize how much "does not work" between the LANs because of
it and soon want to know how to get this, that, and 15 other things to
"work",..before long you end up wishing you had an Admin smart enough to
handle NTFS permissions properly. I don't have much mercy for Admins who
can deal with NTFS permissions,...it's like a truck driver that doesn't know
how to back up.

If each "company" on that LAN has different Domains,..and there is no trust
between the Domains, then the NTFS permissions already have them blocked out
of each other's "stuff" because the "Everyone Group" only encompasses
authenticated users in its own Domain.

But yes,..I'm not disagreeing with your point above,...if that kind of
restriction is acceptable.

> There is no need to NAT,
> the firewall can route just as well. NAT is a feature of a firewall, not a
> firewall in itself.


We will have to differ there. I don't even consider "firewall" to be any
more than a generic "slang" term made popular by marketers. There are
routers, NAT devices, and proxies,...all can be used as a "firewall". The
proxy is obvious, but the difference between a router and a NAT device is
that the NAT device does not have the ability to "not" do NAT,...where a
router can enable or disable it. The Watchguard box we have for example, as
far as I know, is always doing NAT and cannot "not" do NAT and work as a
regular router.

Phil




 
Phillip Windell
12-07-2005, 09:52 PM

"Phillip Windell" <@.> wrote in message
news:%23ehKa$3%(E-Mail Removed)...

> handle NTFS permissions properly. I don't have much mercy for Admins who
> can deal with NTFS permissions,...it's like a truck driver that doesn't
> know how to back up.


I meant "can *not* deal with NTFS permissions,..."
But you probably knew that anyway.

Well, you get the honor of being the last post of the day...I'm outta here..
Catch you guys tomorrow

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
Neteng
12-08-2005, 01:53 PM
I agree with you and we were both assuming on the setup. I assumed each
company/domain is different and they do not want to share a thing??? I'm
sorry about the Watchguard (I personally despise them :-) and just to start
some flaming.....they're almost as bad as a Checkpoint!

Good analogy of the truck driver.




 
Phillip Windell
12-08-2005, 05:21 PM
"Neteng" <(E-Mail Removed)> wrote in message
news:%23mbV5cA$(E-Mail Removed)...
> sorry about the Watchguard (I personally despise them :-) and just to
> start

I'm not all that excited about them either. Our corp HQ pushed them out to
all the Sites (somewhere between 30-40, ..can't keep track) to be used for
the "Corp VPN" that links us all to the HQ. They probably assumed we would
all use them for Internet access too, but we don't. I only use it for
internet access for my main servers and other "utility" machines that don't
have "humans" to go with them. The "humans" all have to go out the ISA
Server. So the Watchguard does what they mainly sent it here for, so
that's good enough for me I suppose, I stay away from it beyond that.

WG has some problems with the design of the Remote Access VPN. It won't let
you use a separate DHCP Server to grant addresses. You have to give the WG
box a list of addresses to "use". It also won't let you have certain VPN
users be "static",..they are *forced* to use the automatic addressing which
can only be provided by the WG box. That is unless I am missing something
there, like I said, I stay away from the thing most of the time.

Phil


 
Phillip Windell
12-08-2005, 05:30 PM
"Neteng" <(E-Mail Removed)> wrote in message
news:%23mbV5cA$(E-Mail Removed)...
> Good analogy of the truck driver.


I used to be one for 10 years, that's why it came to mind,...probably where
the bull-headedness comes from sometimes too. I got out of a truck on Friday
and started here the following Weds, been here ever since. Being able to
make such a drastic switch is a long story.
I could back up of course ;-),...but was hit in the docks on occasion by some
where that ability was questioned.

Phil


 