Secure LAN within existing office LAN

First things first, I was gonna post this on Server Fault but honestly, I'm no network admin, I'm a CS student who has been called upon to sort something out for a very small family business who have just moved into a small office space and don't really have the cash on hand to hire someone in to sort it so I'm having to learn what is needed to complete the job. I'm also aware that this question 'LAN within a LAN' has been asked before so feel free to mark this as a duplicate though none of the existing questions really answered the questions I have.

Thus, the issue. The office we've moved into is being converted from a large building previously used by a single business into a 'business centre' with individual rooms being rented out. Each room is wired up with several ethernet ports leading back to a network room with a cabinet full of switches to tie everything together although none of that is in use as far as I can tell. The guy who managed the network was made redundant and it's now mostly a shrine to his lack of cable management.

The current businesses that are occupying the rooms are all relying on a wifi network provided by a 'BT HomeHub' ISP provided home router/modem combo. As we're Government regulated, I don't like the idea of sharing a network and I doubt the regulators would either.

So, what are the options here? I can't really do anything about the home router/modem as there are multiple other businesses sharing this for wireless access. I'd ideally like to access the internet via this modem but need to ensure that the network we're running on is completely inaccessible by the other devices on the network that aren't part of our business. I've been browsing some of the small business router offerings by Cisco along with wireless access points (wireless access being the immediate priority) but I'm not sure if I can achieve the above with one and want to be certain before I order any hardware.

I'm sure the best option would be to simply run another line into the building but that adds an extra monthly cost plus a service contract so I'm keen to avoid that for the moment.

Any thoughts on the best option in this situation and how I might go about it?

Hexodus

Posted 2016-07-17T12:09:31.707


First questions to ask yourself: How badly do we need Internet access? Will the firm die if BT's home router dies? If it is essential then rent your own non-home-consumer line. Preferably from a different ISP than the one already in the office so you can use that as emergency backup.

Second consideration: Who has access to the cabinet full of switches? What model/capabilities are they (nice to know before you start to work on a solution)? Are they managed switches? Firmware up to date?

Third is probably time to figure out which cables are wired to your rooms. – Hennes – 2016-07-17T12:16:19.947

When you have those answers, read up on VLANs (for wired). Also consider not allowing internet access to anything but a mail server and proxy all other devices behind it. (That is, a server as firewall, logically behind that a mail server, and logically behind that a proxy and fileserver.) And think about backups. One of the worst starts would be if people stored information on their laptops instead of on a network drive. – Hennes – 2016-07-17T12:17:28.820

What access do you have to the equipment? Do you have permission to log into the "home router/modem combo"? What is the source of the site's Internet access? (I'm guessing DSL from BT. Just a guess. The answer is not Wi-Fi.) If you want to "protect" your network from other networks on site, the typical device to "protect" a network is a firewall. That said, many routers provide internal "firewall"-type capabilities (presumably less specialized/designed for the task than a dedicated firewall device). Some of Cisco's pro equipment can have a high learning curve. – TOOGAM – 2016-07-17T12:20:16.167

Officially I have no access, though I'm certain that could be negotiated so I'll see to that tomorrow. Just looking for some ideas as to what might be possible with the equipment that is in place already. The source appears to be a regular business DSL line, which I'm aware is not 'WiFi' (I'm no networks veteran but I'm not that inept, don't worry). VLANs look interesting, I'll look into them further certainly. I'm just struggling to put together some of the networking concepts with the real world setup. – Hexodus – 2016-07-17T12:47:00.897

@TOOGAM I wouldn't expect the average computer user to understand some of the things in my Cisco small business "router" without guidance. Let alone be able to configure Cisco's IOS-based network equipment. Agree with you thus far. But I really don't think that's unique to Cisco; specialist equipment often does have a steep learning curve. Heck, you could set the average computer user in front of the average oscilloscope and proceed to watch the fireworks. I'm not sure how many above average computer users would know how to use an oscilloscope, even. – a CVn – 2016-07-17T18:26:34.507

Answers


First off: If you are under legal obligations to provide traffic separation, always get someone with the authority to do so to sign off on any plan as within the legal requirements before you begin implementing it. Depending on the specific legal requirements, it just might be that you will have to provide physically separate networks with no common trust point.

That said, I think you basically have three options: 802.1Q VLANs (better) and multiple layers of NAT (worse) and physically separate networks (most secure, but also complicated and likely most expensive due to physical rewiring).

I'm assuming here that everything that is already wired up is Ethernet. One part of the overall Ethernet standard is what is known as IEEE 802.1Q, which describes how to establish distinct link-layer LANs on the same physical link. This is known as VLANs or virtual LANs (note: WLAN is completely unrelated and in this context normally stands for Wireless LAN and very often refers to one of the IEEE 802.11 variants). You can then use a higher-end switch (the cheap stuff that you can buy for home use generally doesn't have this feature; you want to look for a managed switch, ideally one that specifically advertises 802.1Q support, though be prepared to pay a premium for the feature) configured to segregate each VLAN to a set of (possibly just one) port(s). On each VLAN, then, common consumer switches (or NAT gateways with an Ethernet uplink port, if desired) can be used to further distribute traffic within the office unit.

The upside of VLANs, compared to multiple layers of NAT, is that it's completely independent of the type of traffic on the wires. With NAT, you are stuck with IPv4 and maybe IPv6 if you are lucky, and also have to contend with all the traditional headaches of NAT because NAT breaks end-to-end connectivity (the simple fact that you can get a directory listing from a FTP server through NAT is a testimony to the ingenuity of some of the people who work with that stuff, but even those workarounds usually assume that there is only one NAT along the connection route); with VLANs, because it uses an addition to the Ethernet frame, literally anything that can be transferred over Ethernet can be transferred over VLAN Ethernet and end-to-end connectivity is preserved, so as far as IP is concerned, nothing has changed except the set of nodes that are reachable on the local network segment. The standard allows for up to 4,094 (2^12 - 2) VLANs on a single physical link, but specific equipment may have lower limits.

Hence my suggestion:

  • Check to see if the master equipment (what's in that big rack of switches in the network room) supports 802.1Q. If it does, then find out how to configure it, and set it up correctly. I would recommend starting out by doing a factory reset, but make sure you don't lose any important configuration by doing so. Be certain to properly advise anyone who relies on that connectivity that there are going to be service disruptions while you do this.
  • If the master equipment doesn't support 802.1Q, find some that does and meets your needs in terms of number of VLANs, number of ports, and so on, and buy it. Then find out how to configure it, and set it up correctly. This does have the bonus that you could keep it separate while setting things up, reducing downtime for any existing users (you would set it up first, then remove the old equipment and hook up the new, so the downtime would be limited to basically how long you need to unplug and re-plug everything).
  • Have each office unit use a switch, or a home or small business "router" (NAT gateway) with an Ethernet uplink port, to further distribute network connectivity among their own systems.

When you configure the switches, absolutely do make sure to limit each VLAN to its own set of ports, and make sure all of those ports go only to a single office unit. Otherwise, the VLANs will be little more than courtesy "do not disturb" signs.

Because the only traffic that reaches each unit's Ethernet outlets would be their own (thanks to your configuring separate, segregated VLANs), this should provide adequate separation without requiring you to rewire everything as truly physically separate networks.

Also, especially if you implement VLANs or end up rewiring everything, do take the opportunity to correctly tag all cables with unit and port numbers! It will take some extra time, but will be more than worth it going forward especially if there is any kind of network problem in the future. Check out "I've inherited a rat's nest of cabling. What now?" on Server Fault for some helpful hints.

a CVn

Posted 2016-07-17T12:09:31.707

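An added illustration (not from the answer or its author) of two points made above: the 802.1Q tag is a 4-byte insertion into the Ethernet frame carrying a 12-bit VLAN ID, which is where the 4,094 usable IDs come from, and a VLAN only separates traffic if every port carrying it belongs to a single office unit. The frame bytes and the port plan are constructed samples.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
MAX_VID = 4094        # VIDs 0 and 4095 are reserved, leaving 2**12 - 2 usable

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= MAX_VID:
        raise ValueError(f"VID {vid} out of range (1..{MAX_VID})")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tci = (pcp << 13) | vid  # TCI: PCP (3 bits), DEI (1 bit, left 0), VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]

def check_port_plan(port_unit: dict, port_vlan: dict) -> dict:
    """Return {vid: [units]} for every VLAN whose ports span more than one unit.

    An empty result means each VLAN is confined to one office unit, which is
    the condition the answer insists on before a VLAN counts as separation.
    """
    units_per_vlan = {}
    for port, vid in port_vlan.items():
        units_per_vlan.setdefault(vid, set()).add(port_unit[port])
    return {v: sorted(u) for v, u in units_per_vlan.items() if len(u) > 1}

# Constructed sample frame: dst MAC, src MAC, IPv4 EtherType, dummy payload
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + b"\x08\x00" + b"hello-ipv4-payload")

# Constructed patch plan: switch port -> office unit, and port -> VLAN assignment
PORT_UNIT = {1: "unit-A", 2: "unit-A", 3: "unit-B", 4: "unit-B"}
PORT_VLAN_BAD = {1: 10, 2: 10, 3: 10, 4: 20}    # VLAN 10 also reaches unit B
PORT_VLAN_GOOD = {1: 10, 2: 10, 3: 20, 4: 20}   # one VLAN per unit

if __name__ == "__main__":
    print(parse_frame(tag_frame(SAMPLE_UNTAGGED, 10)))
    print(check_port_plan(PORT_UNIT, PORT_VLAN_BAD))
```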

Thanks for this Michael, extremely useful information and your suggestion seems like a sensible one (I've upvoted but lack the 15 rep for the moment). I'll do some further investigation tomorrow as to what the existing hardware supports and talk to the building owners as to whether it could be reused in this way. Certainly VLANs sound more like what I was looking to achieve with completely separated traffic so I'll do some reading on that. That Server Fault question you linked made me laugh, thankfully it's not quite as bad as that. I'll take your advice on sorting it out though. Cheers! – Hexodus – 2016-07-17T13:13:41.007

Also, there's another option. In the company I'm working at, we got ourselves a 4G router, with a separate contract. This puts less load on that existing wireless network and you can be sure that you will have the same service, anywhere you go, completely detached from everybody else. This doesn't add that much complexity and isn't that expensive. – Ismael Miguel – 2016-07-17T18:14:53.593