On Thu, Jan 31, 2013 at 11:37 AM, Charlie Kaiser
<charl...@golden-eagle.org> wrote:
> Building management will be providing networking as a service, with
> Avaya phones, IP, and internet for clients.

  It's been a long time since I worked in this space, but I can offer
some vague suggestions.

> It's trivial for a tenant on
> the inside to set up bad guy stuff and start pounding on the internal
> network.

  You'll want to put the tenant-facing switch ports into a separate VLAN.

  Configure the switch to only forward frames from tenant ports to the
uplink port (to your router).  I believe Cisco calls this a "private
VLAN".  Enterasys uses the term "MDU" ("multi-dwelling unit").

  Limit switch ports to one MAC address.

  Look for switch features to prevent MAC spoofing.  For example, a
MAC address unexpectedly moving from one port to another.

  Harden your tenant-facing router ports as if they were
Internet-facing (because they are).

> My AOO will include providing DHCP for the VoIP phone system and all the
> data VLANs.

  Put the phones on a separate VLAN and separate switch ports.  If
possible, implement link-layer authentication between the phones and
the switch (802.1X, etc.).

> I'm also thinking we
> should have some sort of IDS/IPS on the internal network to stop or at least
> flag the internal hacker. Any recommendations along those lines?

  The plurality of home PCs have some kind of malware on them, which
means that the plurality of your tenants will appear to be "the
internal hacker".  Chasing that may rob you of any profit and/or piss
off your tenants.  A lot of ISPs settle for just making sure that one
customer doesn't hurt the ISP network.  Tenants are on their own.

  IDS/IPS might be a good idea on the phone and management VLANs, though.

> One more thing if that's not enough... As management is selling per-port
> networking services, is there any way to identify or prevent someone from
> plugging in a router inside their subnet and adding ports?

  Not reliably.

  The big Internet companies (Comcast, Time-Warner, Verizon, etc.)
tried to enforce that.  Even with all their billions, they lost the
fight.  Suggest you not also try to bail out the ocean.

  If you really want to make sure customers don't get more than they
pay for, suggest metering the bandwidth and charging for usage.
Tiered usage bands seem to be the way the industry is headed.

-- Ben
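Example switch configuration for the isolation, one-MAC-per-port, MAC-move and phone-VLAN advice above, written in Cisco IOS syntax as an added illustration; it is not from the thread. Interface names, VLAN numbers, port descriptions and the RADIUS/AAA setup are assumptions.

```cisco
! Assumed: VTP transparent mode (older IOS requires it for private VLANs)
vtp mode transparent
!
! Primary VLAN 10 carries the uplink; isolated VLAN 100 holds tenant ports.
! Isolated ports can only talk to promiscuous ports, never to each other.
vlan 100
 name TENANT-ISOLATED
 private-vlan isolated
vlan 10
 name TENANT-PRIMARY
 private-vlan primary
 private-vlan association 100
!
! Log a MAC address that unexpectedly moves between ports (spoofing hint)
mac address-table notification mac-move
!
! Tenant-facing port: isolated host, one learned MAC, extras dropped + logged
interface GigabitEthernet1/0/1
 description Tenant suite 101 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the router: the only promiscuous port in the private VLAN
interface GigabitEthernet1/0/48
 description Uplink to tenant router (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 100
!
! Phones on their own VLAN and ports, authenticated with 802.1X against an
! assumed RADIUS server (aaa new-model / radius server config omitted)
dot1x system-auth-control
interface GigabitEthernet1/0/20
 description Avaya phone (assumed)
 switchport mode access
 switchport access vlan 200
 authentication port-control auto
 dot1x pae authenticator
```

Tenant ports in the isolated VLAN still see the router as their gateway, so the router interface facing VLAN 10 is where the "treat it as Internet-facing" hardening applies.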
