How can I divide a network in two segments?

Tags:
Firewalls
Forensics
Incident response
Intrusion management
Network security
Networking
Performance management
VPN
Wireless
Two companies are sharing a DSL connection, and for security reasons, the network has to be split up. They still have to share the DSL, but should not see each other. It is possible to split up physically, but how do they share the DSL? Can anyone point me to a solution or a guide? Regards and thanks.
ASKED: March 27, 2006  10:51 AM
UPDATED: April 14, 2014  5:30 AM

Answer Wiki

www.learntosubnet.com will help you with that.

Discuss This Question: 23  Replies

  • Layer9
    The simplest way to do this is to purchase a Cisco PIX 515, or any other business-class firewall that hosts a DMZ card (Service Leg DMZ). Using a 4-port DMZ card, simply hang one client's network off one DMZ port, and the other client's network off another port on the DMZ card. Do not allow the two separate DMZ subnets to communicate with each other and you are done. That's the easiest way (and the smart way) to do it. You can also use a router between the two subnets, but the ACLs will not perform as well as a Service Leg DMZ. Chris Weber Layer9corp.com
  • Sonyfreek
    A cheaper solution would be to consider one of the SonicWalls. The SonicWall PRO 2040 gives you three interfaces to use, and you can upgrade to 4 interfaces with the enhanced firmware upgrade. Two or three of these interfaces (depending on whether you use the enhanced firmware) can be configured with their own ruleset to do the same thing that the PIX can do. The price for the SonicWall PRO 2040 is $2000 plus $600 for the upgrade. Depending on what you want the PIX 515E to do, you can get it for $2500 - >$5000. You could also purchase an ASA 5510 for about the same price range (recommended over the PIX). Either way, however, you're only going to get three interfaces for the lower-end price and will have to buy a restricted bundle (max of 3 interfaces and 56-bit encryption). However, I'm not an expert with the PIXes, so you'll have to talk to a Cisco rep to get more details about it. SF
  • Layer9
    A SonicWall is just another firewall. While they may be less than a new PIX with a 4-port DMZ card, you can certainly get a refurbished PIX from one of the resellers for around $2000, give or take. I was not trying to quote you prices or costs, merely point you in the right direction, which I did by steering you towards a "Service Leg DMZ", which, REGARDLESS of the model of firewall you choose, is still the solution you will be implementing. Good luck. Chris Weber Layer9corp.com
  • Layer9
    BTW, I should also have pointed out that if money is an issue you can get by with a 1-port DMZ on the PIX and simply use the inside interface. Chances are each firm will want DMZs for their servers, so a 4-port is optimal. Chris Weber Layer9corp.com
  • Bermuda
    Are we getting over-sophisticated here? You say share DSL but do you have dynamic or fixed IP address and if fixed, do you have more than one IP address?
  • Nikjdk
    Thanks a lot for the replies. Costs around $2000 are more than budgeted, so I will have to find a cheaper solution. There are some software FWs on the net, i.e. SmoothWall, IPCop and m0n0wall; I will look into them. Regards,
  • AndyPaul
    If you want a REALLY cheap solution, try this.... (1) Define a separate but simple IP scheme per division/company. (2) Buy 2 Linksys routers and a Linksys switch ($100-150 total). (3) Plug the DSL into the SWITCH. This becomes a virtual DMZ. (4) Configure each router for the separate IP networks, then plug the WAN port of each router into the switch. Now you have 2 routers for 2 networks going to a common DMZ using a common uplink (DSL). Simple, crude, but it works! :)
  • Nikjdk
    I did try with a Dell Powerconnect 2708 into the DSL modem and a Linksys router into the PowerConnect, but there was no connection. Maybe I should try once more? My impression was that the Powerconnect could not handle direct connection to the Internet, but I can be wrong on that point. Has anyone tried this? Regards,
  • Tmac24
    We had a similar request a few months ago. 2 companies in the same building. One cable modem going out for internet. We used an HP ProCurve switch to create 2 VLANs so we could separate the 2 networks.
  • Layer9
    Sorry. I had not considered that $2000 would be too large an investment for 2 separate companies. Most actual businesses have some sort of an IT budget. If you are indeed working with basically no funds, then 1 Linksys SOHO router would work, as it provides a single DMZ-configurable port. Of course you have to know how to route it, which it sounds like you don't, so it may be a good idea to open another ticket in here for that. Chris Weber Layer9corp.com (P.S. Make sure you're putting the DSL RJ45 into the WAN port on the Linksys, NOT into the POWERCONNECT, which is a switch. You can't route LAYER 3 at LAYER 2, at least not that way.)
  • Nikjdk
    The Dell PowerConnect is VLAN capable (layer 2), so if it is set up correctly, that could be a solution? It would be the modem, connected to the router, connected to the switch, which will be set up with VLANs. Btw, what's the difference between layer 2 and 3? Regards,
  • Bigshybear
    1st question - how many people in each company?
    2nd question - do you have a single fixed (or static) IP address on the DSL line, or do you have a pool?
    3rd question - what switches, routers, firewalls and servers do you currently have?
    4th question - do any of these switches, routers, firewalls and servers need to go to one company only?
    5th question - is there any need for traffic from one company to the other company's LAN? Meaning will they host their own mail servers, or their own web servers? (etc.)
    Easiest way to split the LANs is to physically separate the 2 companies on two switches feeding two separate firewalls, then out to the DSL modem. Once we start trying to work with one firewall with a DMZ port, then out to the DSL modem, we add the question of what is going to provide DHCP on the second network. If you already have a switch that will do VLANs we can use this instead of the 2 separate switches, but from experience I would suggest that if you have to buy a new VLAN switch - don't. It's MUCH cheaper to buy a second 10/100 switch, and MUCH easier to make sure the computers in the offices for the 2 separate companies are jacked into the correct network. (All you have to do is look - and btw buy your patch cords in two separate colors, and use one for one company and the other color for the other company so that you have IMMEDIATE visual identification of what network a computer is on.) If your ISP is providing a range of static IP addresses, then you are set. Just configure each firewall with one of the static IP addresses (each gets a SEPARATE address of course) and jack it into the DSL modem. If you go with either the single VLAN switch, or the firewall with a DMZ, we need to start looking at what will provide DHCP and DNS on each network. This can be done, but we need to do more planning, which means we need the info on my 5 questions.
  • Nikjdk
    1. Five clients/persons in each company.
    2. One fixed IP address.
    3. Linksys BEFSX41 router/FW, 3 unmanaged switches, one Dell PowerConnect 2708 layer 2 managed switch (currently not in use) and an MS Small Business Server 2003 Standard edition.
    4. The SBS only has to go to one company.
    5. The companies need to host their own mail and web servers.
    Need more info? Is the DMZ like an open hole through the router/FW? Can a second router be connected to the DMZ? Then maybe the SBS can be connected to the DMZ and work as a FW (NAT)? I'd like to use the Dell PowerConnect, but have no experience with VLANs. Regards,
  • Layer9
    In answer to your question about the difference between Layer 2 and Layer 3, that's really a book. If you want a good one I'd recommend INTERCONNECTIONS by Radia Perlman, but it's a little heady. In a very simplistic explanation, Layer 2 is your local connections, LAN connections that is. Now this is not true for telco services like ATM and Frame, but for your purposes think of it as MACs talking. Layer 3 is your routable layer. That's where your IPs come in, what you need to get out to the WWW. Your switch can't tell you how to get there. Only the router can. As for the VLANs, you're really getting out of your realm here, since you don't have a working knowledge of Layer 2 or 3, but suffice it to say you need to route your VLANs. You can't get out of your VLANs without a Layer 3 interface sitting on them. On all of them; in your case that's two. So you need to have 2 Linksys routers, or you MIGHT be able to route the DMZ interface on the Linksys router for one of the VLANs, although I can honestly say I've never had to try that. Best case scenario for your budget is 2 Linksys routers, route the subnets at Layer 3, buy another cheap switch if you need it or use the 4 ports on the back of the Linksys if that's all the hosts you have, and just route the subnets at Layer 3. In other words, forget routing VLANs, as that's more complicated than you need. If you need to, buy another cheap switch at CompUSA. Chris Weber Layer9corp.com
  • Sonyfreek
    Nikjdk: Equipment aside, as you've had a lot of good advice on what to purchase, what type of DSL line is it; ADSL or SDSL? What are your up/down speeds if it's ADSL? You mentioned hosting a website and email servers on the connection. The email server should be fine unless you're getting a ton of email in, but the web server could run slow if you have a slow up speed on ADSL. Considering the sizes of these companies, it's probably not going to be a problem right now, but if they have considerable growth, an ADSL with 7.1MBps down/768Kbps up won't cut it if that's what you have. Just food for thought. Wayne
  • Nikjdk
    It's ADSL 2 Mbps/512 Kbps. Static web pages. Yes, I'm no network expert, but I have to improve - or know my limits. Thanks to all of you for all the advice, I'm truly grateful.
  • Bigshybear
    We've got a problem here. With only 1 IP address, you can have only 1 mail server and 1 web server visible from the internet. So, with 2 companies, one of them can have their mail server local, the other will have to have their mail hosted elsewhere, and only one can have their web server local; the other has to have someone else host their web site. Mail needs to come in via 'SMTP'; at the firewall you would configure port forwarding for any traffic coming to the firewall on port 25 to be sent to the mail server. To do a second email server, you need a second IP address. Same with web traffic: you would port forward port 80 to the web server. Both of those servers could be the Small Business Server. According to the documentation at Linksys, the BEFSX41 has one jack that can be configured to be a DMZ port. I don't know how restricted they are on traffic through that port to the internet, and to the other network.
  • Layer9
    Just a note on the mail server: if you map your MX records for both companies to the same mail server, then you can both share the mail server. Exchange is perfectly capable of handling multiple mail domains. Another option would be to use an SMTP mail gateway with 2 mail servers (a good idea anyway). The gateway would act as a single entry point to your network for SMTP traffic. The gateway will hand off mail to both your mail servers. You'd need a server (can install server on an old PC if you want) for the gateway and you need some SMTP gateway software. Symantec makes a good product for small companies. A company your size could purchase the software for around 200 dollars. Chris Weber Layer9corp.com
  • Sonyfreek
    And as far as the web server goes, you would simply use host headers. You could have one web server serving out both sites, but when it comes to www.domaina.com for example, it would serve out domaina's website. When asked for www.domainb.com, it would serve out domainb's website. I don't know if the Linksys is smart enough to handle the host headers to send it to different web servers, although I doubt it is. Here's a link to help you out on IIS 6.0: http://technet2.microsoft.com/WindowsServer/en/Library/b5999267-fc46-4430-a6af-e0b483886c8a1033.mspx Here's the Apache link: http://httpd.apache.org/docs/2.0/vhosts/examples.html You could probably also host them on different servers, but you need intelligent hardware to route the requests to the proper server, such as a load balancer. Wayne
  • Mortree
    One problem is the Linksys brand. They used to be OK but since they got acquired by various companies.... Well I have your specific router with updated firmware and features still don't work as advertised after 2.5 years. I suggest that would complicate debugging and configuring. Netgear brand is still cheap but also reliable. And yes, whoever you hang off the DMZ will have decreased protection. That is what DMZ generally means and the low-end firewalls tend to take that to heart. But a second firewall would fix that. Yes, I've hooked the WAN port of one cheap firewall to another. No problems IF you carefully track port forwarding and NAT effects forwards and backwards. Bookkeeping and flow diagrams are everything. I'd tend to avoid exposing the SBS server to the Internet as a normal port 80 HTTP web server myself. All the important business stuff is likely on the SBS and all the worst breaches tend to involve web servers. Forwarded SMTP ports are fairly safe with good AV and spam software for Exchange. Unfortunately that means you don't get webmail off Exchange if its web port isn't exposed. Of course I've also seen port forwarding, offbeat HTTP ports and mandatory HTTPS used to advantage there as well. So if you have separate web server(s) I'd put it on the first firewall DMZ in case it gets infected. That does mean you'd need a switch or hub to connect the second firewall as well to that DMZ port. That web server can also be a hunk-of-junk workstation if it doesn't get many hits and doesn't pass out big files. Also depends some on how critical the web server going down is (hardware reliability). That was good advice on the gateway SMTP box to forward mail. There is lots of fair-quality freeware as well. You can run AV or spam protection on it if it has enough spare horse. But maybe as importantly you can run a simple web page to redirect web server traffic. You could even page-redirect HTTP requests to offbeat web server ports like 81 instead of 80 on two other web servers. But you risk some clients having company proxies that don't allow offbeat ports. Or that web server could pull pages from the two companies' web servers -- but I suggest that is too complex. Offsite hosting still sounds best for one company. If it doesn't have many pages and doesn't get too many hits, offsite hosting might even be free for a while. Ask your ISP and search the Internet. There are plenty of places wanting to train you to like their hosting while your company grows. They hope eventually you will grow until you must and can pay.
  • Nikjdk
    OK, so two networks are possible with two routers. Router two is connected to the DMZ port on the router connected to the WAN? I understand that DMZ means less or no protection, but does that mean no NAT and no port filtering? Regards,
  • Layer9
    No, a DMZ does not mean little or no protection. A DMZ is a halfway point between a trusted and an untrusted interface. A DMZ uses all the same security features as the inside trusted network. Traffic from the DMZ to the inside is blocked by default, and only traffic you allow through will be permitted. A DMZ uses NAT, PAT and ACLs, just like your external interface. BTW, I have to disagree with the previous comments on Linksys. Linksys makes really good SOHO equipment for the cost. And they are only owned by one company. That company is Cisco Systems. Chris Weber Layer9corp.com
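Bigshybear's point that one public IP allows only one published mail server and one web server, and Chris Weber's description of a firewall that forwards nothing between its legs, written out as an added example (not code from the thread or from any product named in it): one Linux box acting as the shared firewall for both companies. Interface names, subnets and the SBS address are constructed assumptions; the rules are emitted as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread or from any product named in it: a Linux box
# (an old PC running something like SmoothWall or IPCop does the same job through its
# UI) as the one shared firewall with a separate leg per company, the software
# equivalent of the multi-port "service leg" firewall described above.
# Interface names and addresses below are assumptions for this example.
WAN=eth0            # DSL modem; the single public IP is here
LAN_A=eth1          # company A's switch (or a tagged VLAN sub-interface such as eth1.10)
LAN_B=eth2          # company B's switch (or eth1.20)
NET_A=192.168.10.0/24
NET_B=192.168.20.0/24
SBS_A=192.168.10.5  # company A's SBS (constructed); it gets the published SMTP and HTTP

# Emit the rules as text so they can be reviewed first; apply_rules pipes them into sh.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -t nat -F
iptables -P FORWARD DROP
# Both segments leave through the single DSL address (NAT/PAT).
iptables -t nat -A POSTROUTING -s $NET_A -o $WAN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $NET_B -o $WAN -j MASQUERADE
# The two companies must not see each other: nothing is forwarded between the legs.
iptables -A FORWARD -i $LAN_A -o $LAN_B -j DROP
iptables -A FORWARD -i $LAN_B -o $LAN_A -j DROP
# Replies to anything already allowed, then outbound from either leg.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_A -o $WAN -j ACCEPT
iptables -A FORWARD -i $LAN_B -o $WAN -j ACCEPT
# One public IP means one published mail server and one web server (ports 25 and 80);
# the other company's mail and site have to be hosted elsewhere.
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $SBS_A:25
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $SBS_A:80
iptables -A FORWARD -i $WAN -o $LAN_A -p tcp -d $SBS_A --dport 25 -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN_A -p tcp -d $SBS_A --dport 80 -j ACCEPT
EOF
}

# Check before applying: both directions between the legs are dropped and no rule
# accepts traffic from one leg to the other.
segments_isolated() {
  rules=$(gen_rules)
  echo "$rules" | grep -q -- "-i $LAN_A -o $LAN_B -j DROP" || return 1
  echo "$rules" | grep -q -- "-i $LAN_B -o $LAN_A -j DROP" || return 1
  ! echo "$rules" | grep -q -- "-i $LAN_A -o $LAN_B -j ACCEPT" || return 1
  ! echo "$rules" | grep -q -- "-i $LAN_B -o $LAN_A -j ACCEPT" || return 1
}

# Run as root on the firewall: "sh fw.sh" prints the rules, "sh fw.sh apply" installs them.
apply_rules() { segments_isolated && gen_rules | sh; }

if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

If the PowerConnect delivers both companies as tagged VLANs on one cable, create the two sub-interfaces first and set LAN_A and LAN_B to their names; the rules themselves do not change.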
  • yuadithya
    How do I install a network server? I am using Windows OS. I need to split the bandwidth among my office users, so can anyone tell me the architecture?