
Security on a Switched Network

Hey all,

I've been away for a while since AOL users are banned from posting. (Very unfair! Can't we all just get along?)
Anyway, I'm setting up a network in an apartment building, and for the sake of security, I would like to keep everyone from seeing each other. (Keep virii from proliferating, hacking into other users' machines, etc.) The building's backbone will consist of a bunch of 10bT switches, and a central router will supply IP addresses. (If anyone can suggest a router, I'm interested in opinions for that too - no NAT, at least 500 users - 140 apts in the building, but we may connect with the building next door to cover the ISP costs.)

Can anyone suggest how to set this up so no one can see one another, but can grab internet access from the DHCP/router? I've looked at VLANs, but I can't afford managed switches that can accommodate that many people.

Can this even be a function of the router itself?

If all else fails, what's the easiest way to segment a bunch of unmanaged switches attached to a network via a central switch? (Think 24-port nodes that can't see one another.)

Also keep in mind, we want to go with a hardware router, not a Linux box - my friend and I aren't Linux gurus and may already be over our heads.

As it stands I'm already looking at blowing past my budget with all of the equipment and wiring, and there is no other way to get internet access to the building due to 40-year-old phone lines, no cable access (internal television via DirecTV), and the only ISP that has enough bandwidth for the whole building (satellite would be saturated too easily) is a local wireless internet company.


Thanks for all of your help.

- DigitlDrug
 
The way I see it, you have two ways to deal with it:

1. VLANs on a managed Cisco switch? Whenever you are battered down with issues of this nature, VLAN and everyone gets a DHCP static address.
2. Go for a Cisco router and just put the whole residents' side on its own LAN. It would be more of a peer to peer, not too secure, but that is how many apts do it.

You can manage everything from the Cisco firewall through the router, and then you wouldn't need maintenance once it was running properly. Call up Cisco and run it by them. They should be able to give you a good solution. For what you want to do, Cisco is the only way unless you want to leave hook-ups to cable/DSL by apartment and forget the whole internet idea. I have seen a lot of routers: SMC, Linksys, WatchGuard, and NetScreen (NetScreen being the most advanced), but nothing compares to the features that Cisco makes.


~ Nessiah
 
I'm sure if AOL users were banned, there was probably a good reason.
 
I don't think you should have everyone blocked. What if some people want to share things over the internal LAN? You should offer the choice at least.

Now, are you going to need 500 ports or 140? I'll look into this more for you and see what I can come up with.

JB
 
Without VLANs or some equivalent tech, the switching only buys you speed. Don't confuse security with obscurity. Just because you can't actively see someone doesn't mean you can't easily get to them.
 
Hey Everyone,
Thanks for your responses. I'll try to cover them in order.

1) GunRunner - AOL users are banned because should a user from AOL spam the channels or what have you, AnandTech has no way of keeping them from creating a new name. Whereas other ISPs might be willing to work with the forum to track down an offending user and block them, AOL makes it very difficult to do so.

Keep in mind this is a half-assed answer that I only vaguely remember as a mod explained this to me a couple of years ago.


2) JonnyB: As for ports on the router, less of an issue compared to how many people it can accommodate. More than likely there will be three or 4 tiers on the network:

router -> Wireless connection to building (assume multiple buildings) -> main switch in building -> secondary switches that will connect up to 140 apts, and many may even have more than one pc = a hub/switch in the apartment itself.

Though right now we are only talking one building, there are actually four seven-story buildings in the community, all of whom may want to do the same thing, in which case we would simply connect them to our building to save on ISP costs etc. So we are talking a lot of traffic! And maybe even a lot of ports!

3) JonnyB and buley: Everyone won't be completely blocked; yes, file sharing will be limited to AIM (Trillian, etc.) or FTP servers the users can set up, etc.
It all depends on their ability. At the same time, I'm not saying that I'm looking to block ports or anything. Should they want to play online games, they would simply go out to the router, and then back in.

And Buley, you are absolutely right, obscurity is not security. My real concern for separating users is that should a virus get in that hits file sharing, or just spams across the network, it can bring the whole system down. I used to work for a hospital that went through this on a monthly basis for a while before they got it under control.

My goal is to limit the amount of damage at any one time, before I become aware of the excess traffic, and can track down the machine and clean out the machine.

Again, thank you everyone for taking the time to respond.

- DigitlDrug


PS: Wow, it is definitely time to update my rig info. I gave that box to the parents over a year ago
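One way to get the isolation this thread is after (Nessiah's managed-switch VLAN suggestion, buley's point that plain switching gives no isolation at all, and DigitlDrug's main-switch/secondary-switch tiers with the router as the only thing residents need to reach) is Cisco Catalyst "protected ports". The configuration below is an added example written for this thread, not from any poster or from Cisco; the VLAN number, interface names and which port is the uplink are assumptions.

```cisco
! Added example (not from any poster in this thread): port isolation on a
! Cisco Catalyst access switch so every apartment can reach the router but
! no apartment can reach another.
! Assumptions: VLAN 10 carries all residents, FastEthernet0/1-24 are the
! apartment ports, GigabitEthernet0/1 is the uplink toward the main switch.
!
vlan 10
 name residents
!
! Apartment-facing ports: all in the same VLAN, all "protected".
! A protected port never forwards unicast, multicast or broadcast frames
! to another protected port on the same switch, so a worm scanning or
! flooding from one apartment only reaches the unprotected uplink (and
! through it the router), never the neighbours on this switch.
interface range FastEthernet0/1 - 24
 description apartment port
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! Uplink toward the main switch: same VLAN, NOT protected, so every
! apartment still reaches the router and its DHCP service through it.
interface GigabitEthernet0/1
 description uplink to main switch
 switchport mode access
 switchport access vlan 10
!
! DHCP snooping keeps a resident from answering DHCP for the whole
! building with their own box: offers are only accepted on the trusted
! uplink, never on an apartment port.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! Caveat: "switchport protected" only isolates ports on the SAME switch.
! Two residents on two different secondary switches would still meet at
! the main switch. On the main switch, mark every port that leads down to
! a secondary switch as protected as well and leave only the router-facing
! port unprotected; then the only path between any two apartments is
! through the router, which is exactly the "go out to the router and back
! in" behaviour described above.
```

The two protected lines are the whole trick: without them the block is an ordinary flat VLAN and buley's objection applies in full, since every apartment can address every other apartment's MAC directly through the switch fabric. Protected ports need a managed Catalyst on every tier (access switches and the main switch), so they do not rescue a design built from unmanaged switches; an unmanaged switch has no per-port isolation at all.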
 