See below...

***********************
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***********************

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Thursday, January 31, 2013 10:18 AM
To: NT System Admin Issues
Subject: Re: Multi-tenant campus security

You'll want to put the tenant-facing switch ports into a separate VLAN.

--> Yep. Each tenant will have their own VLAN.

Configure the switch to only forward frames from tenant ports to the uplink port (to your router). I believe Cisco calls this a "private VLAN". Enterasys uses the term "MDU" ("multi-dwelling unit").

--> Yep. Done.

Limit switch ports to one MAC address.

--> Yep. Done.

Look for switch features to prevent MAC spoofing. For example, a MAC address unexpectedly moving from one port to another.

--> Will look into this...

Harden your tenant-facing router ports as if they were Internet-facing (because they are).

--> Not sure what you mean by harden...

Put the phones on a separate VLAN and separate switch ports. If possible, implement link-layer authentication between the phones and the switch (802.1X, etc.).

--> Part 1 done, will look at part 2.

The plurality of home PCs have some kind of malware on them, which means that the plurality of your tenants will appear to be "the internal hacker". Chasing that may rob you of any profit and/or piss off your tenants. A lot of ISPs settle for just making sure that one customer doesn't hurt the ISP network. Tenants are on their own.

--> Concerned that tenant A might hold management responsible for not catching malware coming from tenant B... Might be all about the contract, though...

IDS/IPS might be a good idea on the phone and management VLANs, though.

--> Good thought. Still interested in recommendations for that type of system...

The big Internet companies (Comcast, Time-Warner, Verizon, etc.) tried to enforce that. Even with all their billions, they lost the fight. Suggest you not also try to bail out the ocean.

--> Good to know...
If you really want to make sure customers don't get more than they pay for, suggest metering the bandwidth and charging for usage. Tiered usage bands seem to be the way the industry is headed.

--> Yes; that's the plan; carve them out a piece of pipe and charge per bandwidth.

Thanks!!!
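As an added illustration (not Ben's or Charlie's configuration, and not taken from any vendor document), here is how the switch-side items in the thread look in Cisco IOS Catalyst syntax: tenant ports as isolated private-VLAN host ports that can only reach the router uplink, port security capped at one MAC per port, MAC-move notification as a spoofing indicator, and 802.1X on the phone ports. VLAN numbers, interface names, the RADIUS address and the shared secret are placeholders; the example uses one isolated secondary VLAN for all tenant ports, so a one-VLAN-per-tenant design would repeat the VLAN block per tenant.

```cisco
! Added example, not from the original thread. Cisco IOS Catalyst syntax;
! VLAN IDs, interface names, RADIUS address and key are placeholders.
vtp mode transparent
!
! Primary VLAN 100 carries the uplink; isolated VLAN 101 holds tenant ports.
! Isolated ports can talk only to the promiscuous (router) port, never to each other.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Tenant-facing port: isolated host port, one MAC allowed, err-disable on violation.
interface GigabitEthernet0/1
 description Tenant unit 1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the tenant-facing router: the only promiscuous port in the private VLAN.
interface GigabitEthernet0/24
 description Uplink to tenant router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Log a MAC address unexpectedly moving from one port to another.
mac address-table notification mac-move
!
! Phones: their own VLAN and ports, authenticated to the switch with 802.1X.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
dot1x system-auth-control
!
interface GigabitEthernet0/2
 description Tenant phone 1
 switchport mode access
 switchport access vlan 200
 switchport port-security
 switchport port-security maximum 1
 authentication port-control auto
 dot1x pae authenticator
```

After applying it, `show vlan private-vlan`, `show port-security interface GigabitEthernet0/1` and `show mac address-table notification mac-move` confirm the isolation, the MAC cap and the move logging respectively.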