  1. #1

    Join Date
    May 2009
    Location
    UK
    Posts
    294
    Thank Post
    64
    Thanked 21 Times in 20 Posts
    Rep Power
    15

    Protect a single room from a large network

    Here's the scenario:

    A 3 story building is divided into several rooms and individual businesses can hire the rooms for a variable period (weeks - years). The building has a full time IT manager and the network configured so that all rooms have multiple RJ45 sockets with DHCP providing addresses in the range 10.14.100.0/22. There is no segmentation of the network by room nor are there any VLANs. This means that there's a potential for the computers of Business A in Room 14 having access to the computers of Business B in Room 51. Individual businesses are responsible for their own computers and workgroup.

    Question:

    If I want to protect the computers of Business A against a potential attack from other businesses in the building, I guess I'd need a router providing IP addresses to Business A (maybe 172.19.0.0/26) and a port on the router attached to the building network with an address in the 10.14.100.0/22 range. What's the cheapest way of going about this? Obviously, a full blown Cisco router would be overkill for such a small simple network. What would experts here recommend? I'd hasten to add that I have no influence over the configuration of the network provided by the building owner's IT manager.

    Thanks in advance.

  2. #2

    Join Date
    Aug 2008
    Location
    Northwest
    Posts
    79
    Thank Post
    1
    Thanked 10 Times in 10 Posts
    Rep Power
    14
    Is there a need for any traffic at all to be shared, an internet feed or a central print room for example?

  3. #3

    Join Date
    May 2009
    Location
    UK
    Posts
    294
    Thank Post
    64
    Thanked 21 Times in 20 Posts
    Rep Power
    15
    Each business looks after itself. For instance, there may be shared folders or a shared printer, but that is ONLY for Business A in room 14.

    Sorry, I should have made it clear, all rooms need access to the internet but that's the only bit (as far as I can see) which *should* be in common.

  4. #4


    Join Date
    Oct 2006
    Posts
    3,412
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    The way I see it is you have 2 options:
    Secure all your clients so that they will only talk with each other and with the building's core services: DHCP, DNS, gateway. This would mean either using DHCP reservations or MAC based rules.

    Plug a router into a single network socket and run your own physical network from that, not using any other network ports provided by the building. This will obviously mean running your own network cables...

    As you have rightly said there is no other way to segment a network other than vlans or physical separation.

    I know you've said you can't but I can't see any other way around it but to investigate the possibility of getting your room VLANed off from the main network, or depending how the network is designed you could put your router in the building's cab, providing your own switch on the backend thus using the building's cables and network points.
    Obviously, without physical access to the cab yourself, you would need to trust the NM to not fiddle with your router or inadvertently plug another room's network points into your switch.
    Last edited by j17sparky; 15th July 2010 at 08:16 PM.

  5. Thanks to j17sparky from:

    Ignatius (15th July 2010)

  6. #5

    Join Date
    Aug 2008
    Location
    Northwest
    Posts
    79
    Thank Post
    1
    Thanked 10 Times in 10 Posts
    Rep Power
    14
    I’d be tempted to just vlan it up with a core router handling internet bound traffic and block inter-vlan routing.

    If you want to do it completely on the cheap you could physically separate the rooms (individual switch per room type setup – the switches could be very cheap because they would need no management facilities – just dumb switches). To each room you also provide one RJ45 socket which is connected to your internet feed using whatever technology you currently employ. The occupiers then provide their own DHCP servers etc and operate their own NAT through the one socket you provide them with that links to your internet feed.
    That was badly described but I’m sure you get the gist.

  7. #6

    Join Date
    Aug 2008
    Location
    Northwest
    Posts
    79
    Thank Post
    1
    Thanked 10 Times in 10 Posts
    Rep Power
    14
    Just to clarify, are you occupying a room and trying to protect yourself from other rooms/businesses? or are you trying to provide a whole building service which isolates each room?

  8. #7

    Join Date
    May 2009
    Location
    UK
    Posts
    294
    Thank Post
    64
    Thanked 21 Times in 20 Posts
    Rep Power
    15
    @j17sparky - that's as I figured it and I'm happy to do the cabling. What kit would you recommend to plug into one of the room network ports? As I said, I think a Cisco all-singing, all-dancing router would be overkill for a small workgroup of up to 10 clients.

    @Kipling - I'd just look after one room and protect the network from all others. The businesses in the other rooms would be responsible for sorting out their own security. The full time IT Manager of the building is responsible for the DNS, DG, internet access etc. I agree that one VLAN per business would be the way to go.

  9. #8

    Join Date
    Aug 2008
    Location
    Northwest
    Posts
    79
    Thank Post
    1
    Thanked 10 Times in 10 Posts
    Rep Power
    14
    Quote Originally Posted by Ignatius View Post
    @Kipling - I'd just look after one room and protect the network from all others...
    IC, to protect just your room you could isolate yourself by not using their sockets, put your own cabling to your own PCs and switch(es), run your own DHCP and then NAT out to their network for the internet. You could do a similar thing by wirelessing your own machines and again NATing out to their network for the internet.

  10. #9

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,816
    Thank Post
    272
    Thanked 1,138 Times in 1,034 Posts
    Rep Power
    350
    You could ask the IT managers for the building, stick the router you have purchased into the patch cupboard with a single uplink, sort the VLANs etc out from there, that removes the need for recabling etc.

  11. #10


    Join Date
    Oct 2006
    Posts
    3,412
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    How many users? What sort of traffic? What is the speed out of the building?

    If it's only for a few users, or under say 20 light use users, a consumer class cable router might be worth a go. £40-50. Really depends what you want to do with it.
    The building's DHCP will provide the WAN interface with the relevant info. DHCP enabled on the LAN side, away you go.
    These are quite good consumer class routers, plenty of options on them. IIRC filtering, QoS.
    Linksys by Cisco WRT54GL Wireless-G Linux Router | Ebuyer.com

    I do stress though that it really does depend on how heavily you will use it, but if it's just to provide internet access to a handful of users I can't see it being a problem, not to get you going anyway.

    You could also look at using a PC with a Linux based router distro on it such as Smoothwall, Endian firewall, or IPcop. You can then scale to your demands by upgrading as and when.

    You will need to check with the NM mind as he may have rules on his router which detect lots of traffic coming from a single IP address ie your router.
    Last edited by j17sparky; 15th July 2010 at 09:39 PM.

  12. Thanks to j17sparky from:

    Ignatius (16th July 2010)
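
    The arrangement suggested in posts #8 and #10 (own LAN behind a router that NATs out through one building socket), sketched for the Linux-PC option as an added example that is not from any poster in this thread. The subnets come from post #1; the interface names `eth0`/`eth1` and the table names are assumptions, and plain nftables stands in for the router distros named above.

```shell
# Added example: render an nftables ruleset for a Linux box used as the room's
# router. Refuses a LAN subnet that overlaps the building's DHCP range.
ip_to_int() {                       # A.B.C.D -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_overlap() {                    # NET/LEN NET/LEN -> exit 0 if ranges overlap
    a=$(ip_to_int "${1%/*}"); al=${1#*/}
    b=$(ip_to_int "${2%/*}"); bl=${2#*/}
    len=$al; [ "$bl" -lt "$len" ] && len=$bl     # compare on the shorter prefix
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

render_ruleset() {                  # WAN_IF LAN_IF LAN_NET BUILDING_NET
    if cidr_overlap "$3" "$4"; then
        echo "LAN $3 overlaps building range $4" >&2
        return 1
    fi
    cat <<EOF
table inet room {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$2" accept                               # room clients -> router
    iifname "$1" udp sport 67 udp dport 68 accept     # DHCP lease from building
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept              # replies to room traffic
    iifname "$2" oifname "$1" ip saddr $3 accept      # room -> outside only
  }
}
table ip room_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$1" ip saddr $3 masquerade               # hide room behind WAN IP
  }
}
EOF
}

render_ruleset eth0 eth1 172.19.0.0/26 10.14.100.0/22
```

    The output can be loaded with `nft -f -` on a box that also has `net.ipv4.ip_forward=1` set; nothing from the 10.14.100.0/22 side can open a connection to the room's machines, while the room's own traffic still reaches the building gateway.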

  13. #11

    Join Date
    May 2009
    Location
    UK
    Posts
    294
    Thank Post
    64
    Thanked 21 Times in 20 Posts
    Rep Power
    15
    @glennda - I guess I could speak to him nicely and hope that neither he nor anyone else plays around with the cables going into or out of the router.

    @j17sparky - the network is a workgroup of up to 10 clients. They surf the internet and access e-mail but nothing intense. I don't know the speed of the building's connection.

    I appreciate the comment about the WRT54GL and will look into it. I'll have to liaise with the IT manager, particularly if I want to go with glennda's suggestion. I'm not sure if any of the other businesses in the building have investigated this aspect of their network security and don't know if I should keep my thoughts to myself. For instance, if I start talking about network security in common areas (kitchen, bathroom etc.), the IT manager might be inundated with requests such as mine and I doubt he could support all businesses having their own router and bespoke cabling in the cupboard. On the other hand though, it might just stimulate him to configure VLANs by room, which would be a good thing!
