Sub-lease to include non-Domain members

Tags: Bandwidth, DataCenter, Firewalls, Forensics, Hardware, Incident response, Intrusion management, Network monitoring, Network security, Networking, Project management, Routers, Security, VPN, Wireless
The CEO of my company has asked me to look into some options for accommodating a request by a non-profit to rent some of our unused office space. For the sake of this question, we have a single-floor office and all cubes and offices are wired for voice and data and punched down in a server room on that floor where I have control. Here are some scenarios that could unfold at present, but I am certain that someone out there may have a better suggestion.

Scenario 1: I allow said sub-leasing group to connect their computers to our LAN and access the internet via our T1. I also set them up with phones using our phone system/PBX and give them an access code to use for all calls. *I understand that there are many security issues with this scenario, but the sub-lease tenants have agreed to give me control over their machine security. Still... I don't feel absolutely comfortable with this.

So... Scenario 2: We pull in a dedicated T1 or DSL line (their choice) for them. I simply use a hub or switch to connect their data lines to their own dedicated internet connection. Also, I have them pull in their own PBX and phone system to use. This makes me more comfortable all around, only I am dealing with budget constraints on the side of the potential tenant and potential pressure to "MacGyver" the situation for the lowest cost to the tenant without compromising our security.

I feel a bit stuck between a rock and a hard place on this one. If I propose #1, I risk major security issues and support problems (depending on their hardware/software). If I propose #2, it may push the potential tenant away from what seemed like a good sub-lease. Any advice is appreciated.


Seems to me that this is another case of managers substituting expert opinion for formal business analysis, and later blame experts on poor judgement. How can this be a technical/IT dilemma?

In my opinion your job is to collect data and present results, not make the final call, or even speculate on the better choice between the scenarios, because that is what you will end up doing in the end: nothing more than speculate.

The choice could/should be seen from the cost/benefit and risk analysis figures of two scenarios. I don’t know what your environment is, but the smaller the shop, the more often I see this happen.

And another thing – you correctly pointed out the risks involved in scenario #1, but don’t forget physical security risks present in both of them!

Discuss This Question: 21  Replies

  • INSANEIT
    There is actually a very simple solution if they only need internet access. Create a VLAN that only has internet access and they will not have access to your production LAN. We do this all the time for visitors.
  • TylerG
    To Dubravko: You have good insight and have made an accurate assessment. We are a smaller firm, physical security is definitely still a factor (I am working with an architect on that in conjunction), and the line is always blurred between expert advice and business analysis. The concerns happen to lie in a place that is perceived as esoteric, and therefore I am in the unfortunate position of expert by consultancy and analyst by default. The bonus is that I have their respect and the responsibility to make these decisions.

    To INSANEIT: The VLAN is an enticing proposition. I am going to bone up on VLAN implementation strategy after I write this, but perhaps you have some insight for implementation in a standard Microsoft shop that is up to date? Best-practices types of info? Clearly the physical security and phone issues remain, as have been pointed out. This may well have been the 'other option' that I could use to complete this challenge. All help thus far is appreciated and other advice is welcomed.
  • Wizard33
    I agree with INSANEIT. The VLAN is the best solution given the restraints involved. We segment many parts of our building using this method. It keeps Accounting out of Cadd files and vice-versa. Good call INSANEIT.
  • FlyNavy
    Don't know what your infrastructure looks like, but if you have a switch or router capable of VLANs, you can secure these folks through a VLAN. As long as the bandwidth isn't a problem outbound, this can provide plenty of security for your business LAN. If done correctly, you can set the network up so that you use the existing cable plant but neither VLAN can access any assets on the other and both can get to the internet. The PBX doesn't usually have the same security risk as the LAN. If you have some room left on the system, you can usually set up a separate voice system and phone tree for the new tenants. Depends on the capability of the switch. If you take this approach, the only additional costs are for engineering the VLAN and PBX solutions and the additional maintenance of the new tenants (which I assume your CEO has accepted).
  • TylerG
    I am using Cisco 2950 switches internally, which, by doing some research, sound like they are capable. I have about 10 of them running (not sure about clustering status), so I think I need to get some hard setup and maintenance information, i.e. do I need to modify all switches (I would guess yes, but don't know; sounds like I need not 1 but 2 VLANs set up, 1 for my domain users, 1 for the 'guests'), does this need to happen off-hours, i.e. do the switches need to reboot, how scalable is the solution, i.e. can I add more VLANs if necessary, etc. I will be doing my own research, but any resources are appreciated as I am not the strongest Cisco admin.
  • J88tru
    This is really two questions: sharing your network and sharing your phone system. You would be well advised to never share your physical network with an outside party, although a VLAN can provide a good measure of protection if, and only if, you have the switches/routers to properly support it. If you have any hubs ... forget it. You could, however, easily set up a separate network and router and give that router only a static route to your WAN gateway. The new router should have a static IP address on its WAN port that is in the same subnet as the gateway, but is high enough not to be used by the gateway router's DHCP server (such as nnn.nnn.nnn.140). The new router can use any NAT subnet and DHCP on its network port, but for sanity's sake, you should probably use a totally different NAT subnet from your own network. Assuming that the data cabling to the tenant's offices/cubes is home-run to the data closet, you just connect those offices to the separate network's switch/router. No VLAN, no special subnets, no muss, no fuss. If your WAN gateway is also your firewall, you may be able to use some of those features, too, but unless it is a "heavy" router, you will still need the small router and static route for the tenant's connection.

    Next, on the phone system: if you have a conventional PBX, rather than a "key system", it should be possible to set up "multiple company" or "tenant" features. You can do this with all the recent voice switches, including Avaya, NEC, Nortel, etc. The tenant gets their own central office (CO) lines, you connect them to available ports on your voice switch, set up call routing and line-appearance rules for those CO lines and the tenant's phones (instruments) -- so they cannot access your CO lines, and it's just like they have their very own PBX. If you want to give them free access to your CO lines, you can use outgoing access codes, but how do you handle incoming calls? The multiple company feature is a lot simpler, and they have their own phone numbers, long distance, etc. If you have a VoIP switch, you should consider very carefully how multi-company would work with your particular brand of switch. VoIP presents some increased security issues.
  • Larrythethird
    J88tru said most of it. Can you trust EVERY single person that walks in or out of this leased area? Will you even know who is in that area? Are all of their computers up to date? Patched? Their servers? Lots of questions to answer before you become "their" IT department, as well as your own. NEVER, NEVER, NEVER allow an unknown entity on your corporate network. VLANs route. You would have to make sure each VLAN is firewalled from the other VLANs. We have a similar situation. We are using contractors for some work in-house. It took about two weeks' time for three of us to make this VLAN secure enough to allow it in the building. And only because WE own and maintain the computers they are using can we trust what is on the network.
  • Astronomer
    I agree with Larry on this one. My first inclination would be to add another leg to the firewall and give them a network completely separate from your own. This way you can use the firewall rules to prevent any of their traffic from bleeding into yours. rt
  • Marcola
    Great job INSANEIT and DV ... They are right on the money. You did not mention what type of equipment you were running for your routers and firewalls, so I will make a suggestion. If you are not already, please look into the new line of security appliances from Cisco, the ASA 55xx series. This is a firewall appliance that also allows "Virtual Firewalls" that can be configured per VLAN. You can also get the IDS card from Trend Micro that does all of your anti-virus/anti-spam/anti-spyware/anti-phishing at the perimeter, making you a bit safer in releasing some of your bandwidth to a lessor. No, I do not work for Cisco or sell Cisco, but I do use a 5520 and the throughput on the firewall and VPN is amazing. The Trend card updates itself automatically and has a very low false positive rate. Food for thought...
  • Mortree
    Some good points from other answers and some that may need clarifying.

    #1 Cabling is expensive. Ask your accounting about whether that is going to be written off as a tax deduction. A few years ago $100 per connection was a typical rate. So the totally different cable plant may not be feasible. Besides, what keeps them from patching into your LAN?

    #2 Firewalls & Internet connections -- really depends on what their needs are compared to your normal free bandwidth. You might only need an extra public IP for separating Internet identities (DNS, spam reports, etc). You may want to set up ways to throttle their maximum bandwidth if you are worried about abuse. If you get a second connection from another ISP you might want to configure it for failover/load balancing instead of separate usage, unless you can write it off as a charitable deduction. Keep in mind your info "mixes" on the Internet anyway.

    #3 You could reserve IPs on a separate subnet for the smaller non-profit group using DHCP reservations (input their MAC addresses). Doesn't keep the knowledgeable from releasing and adding in IP info for your subnet though. But the idea combines nicely with VLANs to add obscurity and easy administration diagnostics at, say, the firewall log. Heck, you might even be able to use having two subnets in access lists for traffic shaping (or in this case throttling the non-profit or prioritizing your business traffic) if you use one firewall and Internet connection.

    #4 If you want security with VLANs you will need to configure MAC address security on switch ports. Otherwise you have the easy physical security breach where people might just swap their patch cord to connect to an outlet on your VLAN network. This idea will occur to even marginally computer-literate people on occasion. MAC address security is tedious to configure (one switch port at a time). You need to do it on all your ports that are within reach of the other guys' patch cords and still within the 100 meter total limit. But you can skip their ports.

    #5 VLANs are far simpler to configure than routers. Just a few simple commands involved. But tedious to add every single port to the required VLAN. Save work and leave your company on the default VLAN.

    #6 VLANs cannot talk to each other UNLESS routed. Some switches may provide that capability internally but the cheap Ciscos don't as far as I know. But this means you will need a router or firewall port to connect these guys to the Internet.

    #7 I wouldn't worry too much about their being able to monitor or mix data with your Internet traffic if all devices are functioning. Both the VLAN routing to the gateway and the principles of switches will conspire to keep them from eavesdropping. If on the other hand you are worried about them hacking your firewall from the inside to get your stuff or otherwise wreak havoc -- I suggest running IDS on the internal interface of your firewall as well as the external. If you need a "free" second firewall with IDS capability for this non-profit group, IPCop isn't too bad, though it won't give you fancy usage reports without a commercial add-on like WebTrends. Of course there are free log analyzers that might go halfway.
  • Mortree
    Your case #1 and #2:

    #1 Actually, if you are running a tightly locked-down client using domain policies -- just adding these folk to your current network as their own domain should not be a major security risk. This should also be the lowest administrative pain. I mean, after all, the assumption is that you are able to control your own users by group policy. This approach should mean just a few more groups and policies in a new domain - most of which you can copy from what you have set up now. No new skills or port-by-port switch configurations or MAC addresses in DHCP or port security.

    #2 However, if your current company network is not quite so tightly controlled (we trust ALL our employees a fair bit) and automated -- well, track any administrative involvement you get into. You should at least need to throw these guys a NAT firewall on their nice shiny new Internet connection. An old desktop (any Pentium II upwards) with IPCop (IPCop.org) will do and is fairly easy to set up. It even has SNORT IDS and VPN.
  • Mortree
    One last idea. Basically J88tru's, but with a note on minimizing costs. Can you patch all these non-profit users onto one or two switches dedicated to the non-profit's use? If these switches are not connected to your company switches, then you have the same idea as a VLAN without learning VLAN. Might be faster and easier to maintain. Certainly easier to document and observe. Still doesn't keep them from patching into ports you set up for your company though. Still need a way to route the non-profit guys to the Internet firewall. If the firewall itself has an extra port you only need to configure it.
  • Mortree
    One last note on minimizing costs. It is probably cheaper in administrative time to patch all these non-profit users onto one or two switches/hubs dedicated to the non-profit's use. Certainly cheaper than pulling new network lines. If these hubs/switches are not connected to your company switches, then you have the same idea as a VLAN without learning VLAN. Might be faster to set up and easier to maintain. Certainly easier to document and observe. VLANs tend to be administratively expensive to set up and maintain compared to straightforward patching to separate switches -- because you have to look up the correct port/VLAN assignments at minimum. Still need full walls to keep outsiders from patching into ports you set up for your company though. Still need a way to route the non-profit guys to the Internet firewall. If the firewall itself has an extra port you only need to configure it.
  • TylerG
    Thanks to everyone who added their comments/suggestions on this. All your help is much appreciated.
  • Alpenglow
    Security of your wireless access points should also be reviewed.
  • TheVyrys
    I just went through this last year... but had no choice. My CEO told me we were bringing them in, and they were using our LAN and our T1 for internet, and our phones. Everyone was logical enough to agree that I would be in control of their computers and security. You specified they are willing to give you complete control of the security of their machines, so with that in mind, ask yourself what would be the difference in security risks other than a few extra computers that are as secure as your own? If you decide to put them on your LAN you could create a group in AD and deny them permissions to any of your company folders/shares. You could also put them in an OU and lock down through Group Policy even further if need be.

    What I did with the phones: They purchased their own telephones, that I spec'd to them. I hooked them to our system and they use a long distance card for any long distance calls they make. This may not be the 'optimal' setup... but it has built a great relationship with these companies and we can charge a little more rent since we are providing these services, which makes me more valuable and makes our company more money.
  • Astronomer
    Tyler: If this was my project, here is what I would do. This assumes each group needs just one subnet. First verify if there are any knowledgeable network people in the group that you can't trust. If so, I would keep everything physically separate from the firewall back. This means separate switches and separate links. Since the drops are already wired into a room you control, this would mean just adding more hardware.

    If there is no one with the knowledge and inclination to break your VLANs then I would use three VLANs. Remember VLAN 1 is used by Cisco for management and they recommend not putting users on this VLAN. Set up VLAN 2 for your business users and run this VLAN to your normal firewall port. Set up VLAN 3 and assign it to all ports used by the non-profit. Also run it to a third port on your firewall. The non-profit VLAN will have a different address range and their firewall port will be their default gateway. As I said, you can allow limited communication between the nets with the firewall if you wish. VLAN 1 should have the IPs of the switches and be reachable only by your management systems. For all of the switch interconnections, run what Cisco calls a trunk. This trunk line will send all VLANs to the other switches on the same wire. A technique called tagging allows the switches to keep track of which packets go to which VLAN. We had an arrangement similar to this in an Intel lab I worked in and it functioned well for us. I know next to nothing about PBXs so I can't help you with that. rt
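For the three-VLAN layout Astronomer describes (VLAN 1 management only, VLAN 2 business, VLAN 3 non-profit, 802.1Q trunks between switches, each VLAN to its own firewall port) together with Mortree's point #4 about port security on the business jacks, here is an added example of the Cisco IOS configuration for one of the 2950s. It is not from the thread or any poster; the interface ranges, the management address, the parking VLAN 999 and the IOS feature set (interface range, sticky port security) are assumptions.

```cisco
! Added example, not from the thread. Assumes a Catalyst 2950 with a
! reasonably recent IOS; port ranges and addresses are placeholders.
!
! VLAN 1 = switch management only, VLAN 2 = business, VLAN 3 = tenant.
vlan 2
 name BUSINESS
vlan 3
 name TENANT
vlan 999
 name PARKING
!
! Management address lives on VLAN 1; no user port is ever left in VLAN 1.
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
 no shutdown
ip default-gateway 192.0.2.1
!
! Business jacks: access VLAN 2. Port security pins each jack to the
! first MAC it learns and shuts the port on a second one, so a tenant who
! moves a patch cord onto a business jack in the closet gets nothing.
! "switchport nonegotiate" stops a tenant device from talking DTP and
! bringing the port up as a trunk.
interface range FastEthernet0/1 - 12
 description business-users-vlan2
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Tenant jacks: access VLAN 3. Port security is optional here (Mortree's
! "you can skip their ports"); DTP is still disabled.
interface range FastEthernet0/13 - 20
 description tenant-users-vlan3
 switchport mode access
 switchport access vlan 3
 switchport nonegotiate
 spanning-tree portfast
!
! Unused jacks: parked in VLAN 999 and shut, so a stray patch cord
! reaches neither VLAN 2 nor VLAN 3.
interface range FastEthernet0/21 - 22
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink to the other 2950s: an 802.1Q trunk carrying only VLANs 1-3.
! The firewall is the only path between VLAN 2, VLAN 3 and the Internet;
! give it either a tagged trunk (if it understands 802.1Q) or one access
! uplink per VLAN into separate physical firewall ports.
interface GigabitEthernet0/1
 description trunk-to-other-switches
 switchport mode trunk
 switchport trunk allowed vlan 1,2,3
 switchport nonegotiate
```

Check the result on each switch with `show vlan brief`, `show interfaces trunk` and `show port-security interface FastEthernet0/1`; a business port that a tenant cord has been plugged into will show up as err-disabled.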
  • TylerG
    As for last comments on having no choice, it could come down to that and I have thought about that. I would ask you to speculate on how you did your security audit and how/why you chose to join them to your domain. Thanks for the post.
  • TheVyrys
    Joining them to our domain was easiest/cheapest/fastest, had the lowest administrative overhead, and it gave me pretty much the exact same control/security as our existing users/computers. Prior to doing so: They agreed to upgrade to XP Pro SP2 (as they needed to anyway). We pro-rated and charged them for an annual antivirus user license. I set them up in our WSUS server through group policy for automatic updates. Gave them email boxes with some restrictions. Trained them on password/security policies and email/internet usage policies. Set them up a share and folders for their files on one of our servers. (You can limit this also if you feel the need.) I wanted them all-in or all-out, and when the CEO said "we need to do this", I said ok, they're all-in, and rolled out the red carpet for them. They pay for any work I do on their equipment during business hours, and I make the call of whether or not to do it. If I don't have time to get to them during regular business hours, I do it after hours and charge them personally. Neither of the companies has a problem with that. One CEO even pays me to work on their fax machines, do research, etc., after hours. Sometimes his home computers too.

    The common goals of security, cost efficiency, and low maintenance were more easily achieved by working together. Sort of a 'united we stand' approach. This may all seem a little philosophical, but it has been a great decision. We have built a good relationship with these companies, made new friends, created income from extra office space, and many other things. As far as auditing, you can determine what you think is best. I naturally review our security logs, and at times will check their machines for different areas of interest. It hasn't been or isn't expected to be a large concern with them. If it was, they wouldn't be here in the first place. Your situation may not be the same, so you will have to weigh all factors. There were many good suggestions in the previous posts if you decide otherwise. Good luck!
  • TylerG
    Thanks for the post. I certainly hear what you are saying about all-in or all-out. Sounds like a pretty good gig for you personally as well. Thanks to all for the advice, it is much appreciated.
  • Sandman328
    In their sub-lease agreement were they promised use of your lines, or can it be up to them to get their own service? I would not want to share my lines and my company's security with a separate company. Look at it from a "secure our company's assets and our clients' personal information at all costs" approach and explain to the bosses what a security breach might mean if it were to happen due to the sub-leasers. Then suggest that they use their own equipment. If you must share, then do everything possible to protect your company. Let the bosses know what additional hardware and software you will need to protect yourselves from the sub-leasers. Good luck.