On Thu, 20 Jan 2005 15:58:07 -0800, Nifty Hat Mitch <mitch48@xxxxxxxxxxxxx> wrote:
> On Thu, Jan 20, 2005 at 09:52:33AM -0500, Leonard Isham wrote:
> > On Thu, 20 Jan 2005 09:48:05 -0500, Kanwar Ranbir Sandhu
> > > On Wed, 2005-19-01 at 17:23 -0500, Leonard Isham wrote:
> > > > Internet
> > > >    |
> > > > DSL Modem or Internet Router
> > > >    |
> > > > Firewall----Tenant-2
> > > >    |
> > > > Tenant-1
> > > >
> > > > Firewall each tenant from the other tenants. Give each tenant a
> > > > different RFC 1918 address range. Use a Switch capable of trunking,
> > > > and an Ethernet card capable of trunking in the firewall to allow
> > > > multiple VLANs on one physical connection.
> > >
> > > I actually considered something like this, but what about those tenants
> > > that require a public IP? Wouldn't a separate NIC be required on the
> > > firewall to bridge the connection for each tenant? In that case, PCI
> > > slots would eventually run out (or there may be IRQ conflicts).
> > >
> >
> > On my previous post:
> >
> > "Use a Switch capable of trunking, and an Ethernet card capable of
> > trunking in the firewall to allow multiple VLANs on one physical
> > connection."
> >
> > Trunking puts multiple VLANs on the same physical Ethernet cable.
> > Each VLAN is a separate subnet.
> >
>
> What about...
>
> Internet
>    |
> Cable-DSL Modem
>    |
> Network-N-port-HUB
>  |  |  |  |
>  |  |  |   \
>  |  |  |    \
>  |  |  |     CustomerFixedIP
>  |  |  |
>  |  |   \
>  |  |    \
>  |  |     \
>  |  |      \
>  |  |       FixedIP4
>  |  |       YourRouterFirewall-NAT
>  |  |         |
>  |  |       N-port-HUB
>  |  |       YourDHCPclients
>  |  |        \    \    \
>  |  |       Ten1 Ten2 Ten3...
>  |   \
>  |    \
>  |     YourServiceBox
>
> What you place behind the modem depends on the service
> you purchase in front. There is little need to firewall the
> tenants from each other as long as they are connected
> to a switch so packet snooping is hobbled.
>

Snooping is hobbled, but quite doable.
My concern would be the unprotected, most likely unpatched, systems getting infestations and creating problems for all the tenants. I just recently saw an unpatched Windows system with a public IP hooked to a T-1 at a trade show. 15 minutes later it was infected, and pegged the T-1. Six hours later, after troubleshooting the problem, removing the worm, patching the system, and installing anti-virus and anti-spyware software, they were back on-line.

In short, if something like this happens to your tenants, you will be blamed.

-- 
Leonard Isham, CISSP
Ostendo non ostento.
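The design Leonard describes (one trunk NIC on the firewall, a separate VLAN and RFC 1918 range per tenant, and the firewall dropping tenant-to-tenant traffic) and Kanwar's question about tenants that need a public IP, worked through as an added example that is not from any poster in this thread. It assumes a Linux firewall using 802.1Q subinterfaces and nftables, which nobody in the thread names; eth0, eth1, the 10.0.0.0/16 private pool and the 203.0.113.0/24 public block (an RFC 5737 documentation range) are constructed values. The script produces the iproute2 commands and the nftables ruleset, and checks the generated policy against every tenant pair.

```python
"""Per-tenant VLAN plan plus an nftables isolation ruleset (added example)."""
import ipaddress

# Constructed sample input. "public" marks a tenant that needs a routable
# address; it still rides the same trunk, just without NAT.
TENANTS = [
    {"name": "tenant1"},
    {"name": "tenant2"},
    {"name": "tenant3", "public": True},
]

TRUNK_IF = "eth1"   # hypothetical trunk port facing the VLAN-capable switch
WAN_IF = "eth0"     # hypothetical upstream (DSL modem / router) interface
PRIVATE_POOL = ipaddress.ip_network("10.0.0.0/16")     # constructed RFC 1918 pool
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/24")   # constructed, RFC 5737 documentation range
BASE_VLAN = 100


def plan_tenants(tenants, private_pool=PRIVATE_POOL, public_pool=PUBLIC_POOL, base_vlan=BASE_VLAN):
    """Assign each tenant its own VLAN ID and a non-overlapping /24 (private) or /29 (public)."""
    private_subnets = private_pool.subnets(new_prefix=24)
    public_subnets = public_pool.subnets(new_prefix=29)
    plan = []
    for i, t in enumerate(tenants):
        public = t.get("public", False)
        net = next(public_subnets) if public else next(private_subnets)
        plan.append({
            "name": t["name"],
            "vlan": base_vlan + i,
            "iface": f"{TRUNK_IF}.{base_vlan + i}",
            "subnet": net,
            "gateway": next(net.hosts()),   # firewall's address on that VLAN
            "public": public,
        })
    return plan


def subnets_disjoint(plan):
    """True when no two tenants share address space (the point of distinct RFC 1918 ranges)."""
    nets = [t["subnet"] for t in plan]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def interface_commands(plan):
    """iproute2 commands creating one 802.1Q subinterface per tenant on the single trunk NIC."""
    cmds = [f"ip link set {TRUNK_IF} up"]
    for t in plan:
        cmds += [
            f"ip link add link {TRUNK_IF} name {t['iface']} type vlan id {t['vlan']}",
            f"ip addr add {t['gateway']}/{t['subnet'].prefixlen} dev {t['iface']}",
            f"ip link set {t['iface']} up",
        ]
    return cmds


def forward_rules(plan):
    """Ordered forward-chain rules as (ingress set, egress set, verdict); chain policy is drop."""
    tenant_ifs = {t["iface"] for t in plan}
    return [
        (tenant_ifs, tenant_ifs, "drop"),     # tenant VLAN -> any tenant VLAN: blocked
        (tenant_ifs, {WAN_IF}, "accept"),     # tenant VLAN -> Internet: allowed
    ]


def _ifset(ifs):
    quoted = ", ".join(f'"{i}"' for i in sorted(ifs))
    return quoted if len(ifs) == 1 else f"{{ {quoted} }}"


def nft_ruleset(plan):
    """Render the policy as an nftables ruleset; only private tenants are masqueraded."""
    lines = [
        "table inet tenants {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for iifs, oifs, verdict in forward_rules(plan):
        lines.append(f"    iifname {_ifset(iifs)} oifname {_ifset(oifs)} {verdict}")
    lines += ["  }", "  chain postrouting {", "    type nat hook postrouting priority 100;"]
    nat_nets = ", ".join(str(t["subnet"]) for t in plan if not t["public"])
    if nat_nets:
        lines.append(f'    oifname "{WAN_IF}" ip saddr {{ {nat_nets} }} masquerade')
    lines += ["  }", "}"]
    return "\n".join(lines)


def forward_allowed(plan, src_name, dst_name):
    """Evaluate a new flow from one tenant to another tenant or to "wan" against forward_rules."""
    ifaces = {t["name"]: t["iface"] for t in plan}
    ifaces["wan"] = WAN_IF
    iif, oif = ifaces[src_name], ifaces[dst_name]
    for iifs, oifs, verdict in forward_rules(plan):
        if iif in iifs and oif in oifs:
            return verdict == "accept"
    return False   # fell through to the chain's drop policy


def isolation_holds(plan):
    """Every tenant reaches the Internet and no tenant can open a flow to another tenant."""
    names = [t["name"] for t in plan]
    return all(forward_allowed(plan, a, "wan") for a in names) and not any(
        forward_allowed(plan, a, b) for a in names for b in names if a != b)


if __name__ == "__main__":
    plan = plan_tenants(TENANTS)
    print("\n".join(interface_commands(plan)))
    print(nft_ruleset(plan))
    print("isolation holds:", isolation_holds(plan))
```

The public tenant answers Kanwar's objection without a second NIC: it gets its own VLAN on the same trunk and a routed block that is excluded from the masquerade rule, which also needs the upstream provider to route that block to the firewall's WAN address. Mitch's hub topology has no forward chain at all, so the "little need to firewall the tenants from each other" judgment rests entirely on the switch, which is what Leonard's worm story argues against.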