
28 Replies

  • Only Internet or share network ?? Coz one port means what ??

    Coz if share Internet, all you need is to plug their network into your firewall DMZ port which gives them Internet only.

    But again.....how does this concern IT as the sub-lease T&C should have already been settled by management ?

  • Can't vote, because I have no idea, how you handle all the other offices.

    If you are providing connectivity for all other tenants, then I wouldn't complicate.

    If you don't provide for anyone, but have a 'fat enough' pipe... and some spare ports... then why not... if the customer pays for it.

    Would be pretty much like providing 'guest network'.

    However if they want to be reachable from outside and need a public IP, then things get slowly in the direction, where it possibly might make sense for them to get a connection of their own. But all that just for one day per week? Doesn't really make much sense for a new dedicated line.

    Put them on a separate VLAN with internet access only, limit their throughput and forget them.

  • VLAN them and bandwidth limit as needed

  • My gut says make them get their own connectivity.  Anytime they are touching your equipment, even if they are firewalled off, you are going to get support calls.

    Do you want to manage the sublet's network?  Because that is what will happen.

    If you do provide connectivity, make sure you charge them for it and write some sort of basic chargeable support agreement into the contract.

  • Subnet a sublet... nice one!  This will get real messy real fast...  I wouldn't entertain the idea of sharing networks, not in this age of ransomware etc.  But as mentioned, we're only IT and not management.  If management understands the risk, and is willing to share, then the VLAN and internet access only sounds like your best option.  But charge them a premium price for this action.   Perhaps they will think twice about sharing?

  • Create a VLAN and plug the single port into that, providing you have enough bandwidth. Depending on what they will be doing, can't you plug in a 4G router?

  • We have this situation. We give the sublet a subnet off the main router so they can only get internet and not see our network. We throttle them so that they don't impact our experience (we have a 100/100Mbps connection, they get a maximum of 15Mbps). We are basically their ISP, so we charge them 25% of what we pay for our connection, plus support charges. All in, they pay for 50% of the connection even though they only get 15% of the speed. We don't have any fixed contract so they are free to get out of this arrangement and do their own thing if they want to at any time. But they don't.

  • I'm sure someone has the correct technical answer to your question, but think about this:

    In a real life scenario, is it worth the potential downtime and flak to provide these guys with an internet connection for such a limited time?  I'd rather focus on other more critical items that require attention and arrange for a temporary alternative internet connection and keep them off your network completely.

    This may not be worth any spice, but perhaps worth a ponder..

    Have a good one!

  • We have two 4G routers at home, much faster than the ADSL in the area.  Thinking out of the box!

    chris.hone.5688 wrote:

    Create a VLAN and plug the single port into that, providing you have enough bandwidth. Depending on what they will be doing, can't you plug in a 4G router?

  • I agree with the folks who say make everything completely separate.  No support, no bandwidth issues, and they can provide what they want for themselves.

  • What kind of service do you have from your ISP? We have Comcast, and their modem has several ports, so I could easily do this by giving them one of the ports and a static IP (for a share of the service cost) for their firewall and providing a fully separate network for them by segregating connections internally. I would probably color code the jacks and/or faceplates where they could connect to make it obvious.

  • Have to admit I am not sure I 100% fully understand, but if this is to provide an internet connection for someone subleasing space, the easiest way I found to do this in a past life without the hassle of setting up VLANs or one-to-one NATs was to just get a block of public IPs from the ISP, and install a second router solely for the use of the sublessor. Each router has its own public IP and physically separate LAN. The cost would be added to their weekly or monthly lease fee.

    This of course precludes them from sharing office resources.

  • Directly to your question "from a security standpoint", make them get their own connection.

    Arguments to the contrary could be made from an economics, ease of using existing infrastructure or practicality standpoint but for security, it's a no-brainer.

  • following

  • Ideally everything would be physically separated but without knowing the size of the office, number of users under this sublet, any on-prem services requiring fixed IPs yourselves or they will be running or the terms of any agreement that may already have been signed I can't make a definitive recommendation.

    As a minimum if things can't be fully separated for some reason I'd be looking at using VLANs, traffic shaping; bandwidth throttling and traffic prioritisation (especially if you use a VOIP system). If they and yourselves have sufficiently small amounts of equipment you could also consider implementing MAC based restrictions in various aspects of your network that support that.

    Things to bear in mind though are that VLANs are no substitute for physical isolation; they're better than nothing but not a silver bullet on a multi-occupied site. Also, sharing an Internet connection likely opens you up to potential legal action should they misuse it; at the very least some of your IPs may end up getting blacklisted. 

  • We did this with an organization at our office a few years back.  Gave them a different subnet and set all their traffic to use a different external IP address. About 6 months later we got a subpoena from the state that inappropriate websites were being accessed from one of our external IP addresses.  It just so happens that it was on the IP address that was assigned to this other organization.  We provided the state with a copy of our firewall config showing our traffic all used one external address and the other organization used the IP address they were looking for.  Haven't heard back from the state and it's been over 5 years.

  • For one day a week your tenant is not going to want to pay for a separate internet connection. Physically separate their network from yours. One cable from their router to an open DMZ port on yours. You also want a detailed statement of work for all of the tasks associated with that one cable. Your hourly rate for working on the tenant's equipment should be significantly higher than your standard rate.

  • Find out how much it is to get an ADSL or cable modem service in the building.  Charge AT LEAST that much to them to provide Internet service.  Basically, make it more enticing for them to provide their own internet.  If they choose not to, then at least it's not a cost or resources drain on your IT department.

    Do not bury the charge in their leasing payments. Make it separate so that it can be revoked if they abuse the service you provide.

  • itaintbroke wrote:

    For one day a week your tenant is not going to want to pay for a separate internet connection. Physically separate their network from yours. One cable from their router to an open DMZ port on yours. You also want a detailed statement of work for all of the tasks associated with that one cable. Your hourly rate for working on the tenant's equipment should be significantly higher than your standard rate.

    If the tenant (or prospective tenant) isn't willing or able to swing the cost of a basic Internet connection they're probably also not someone you want subletting. It's a basic cost of doing business. It doesn't matter if they want to or not; if your business depends on the Internet you pony up the cost.

    Provided that it's not excessively expensive to obtain a reliable connection I still say make the tenant get their own service. From a security, maintenance, legal/liability, potential pain in the butt stance it's the only thing that makes sense.

  • The simplest solution is to have them bring in their own connection and then patch in that port for them to use.  It's risky for the business to share the connection unless there are rules in place.  A few things to think about if the connection is shared:

    • How much bandwidth are they going to use and how will it be handled if they have too much traffic and cause slowness for you?
    • If you throttle their connection, will there be complaints?
    • Will the business be compensated for offering a share of your internet connection, or do they get it for "free"?
    • What if they do something illegal or questionable, who's at fault and how can that be proved it wasn't you?
    • What will the cost be of downtime if the connection goes down due to maintenance or an incident?  Are you liable to them to have a connection?

    I would make sure management understands the risk of sharing the network with this company and leave it up to them to decide if the sublet should get their own.

  • I would make sure your ISP doesn't have any rules about subletting your connection, and if not, definitely get a lawyer and make sure they get a good legally binding contract that would absolve you of any wrongdoing if they were to do anything illegal or whatnot with that connection! As well as weighing the pros and cons of: is all this time and effort of CYA (covering your assets) going to pay off in the long run? E.g., are you going to make enough money on this deal in the next 6 months, 1 year, etc. to pay for the time and money you've spent? As someone also mentioned, is it worth the added risk of having someone else using your public IP to access the internet and basically advertising that info beyond your control? I think you also should make sure you aren't the only person making this decision; you may also want to think about putting together a group of tech-savvy upper management to talk about and discuss the pros and cons. Last thing, think about how your decision may affect your relationship with that organization. If you decide not to provide them internet, maybe you at least offer to help them choose a low-cost ISP option or, like someone else mentioned, a cellular data ISP, but at least offer in some way to help them. I don't think a hard "no! leave us alone" is the right decision, but I also don't think completely opening up for them and letting them take advantage of you is good either! So just try your best to make the best decision for your organization while also not hurting the image of your organization!

  • There are lots of ways to handle the technical side of this.  But do you really want to take on the role of ISP?  YOU - Sorry lessor, our ISP is down.  YOUR CUSTOMER - How do I know that you are not handling things correctly in your router?  And on and on ad nauseam.

  • Matthew8703 wrote:

    We did this with an organization at our office a few years back.  Gave them a different subnet and set all their traffic to use a different external IP address. About 6 months later we got a subpoena from the state that inappropriate websites were being accessed from one of our external IP addresses.  It just so happens that it was on the IP address that was assigned to this other organization.  We provided the state with a copy of our firewall config showing our traffic all used one external address and the other organization used the IP address they were looking for.  Haven't heard back from the state and it's been over 5 years.

    This is the only way to do this, if at all.  You need to assign all their traffic a static external address.   

  • While you may well only give them internet, when you have a problem, they will have a problem and will likely be calling you while you are busy trying to resolve the issue to complain about the interruption in service. That is the best scenario; the worst scenario is that you have a catastrophic failure and they sue you for lost productivity. I agree with those here who stated that everything should have been settled long before and by management.

  • Well the OP hasn't replied once so I doubt they are really that interested in the detail but simply put

    This is a legal decision first, then IT security, then IT operations.

    I don't know what county you are in but typically your company with the contract with the ISP is legally responsible for everything done on that internet access. The contract may not even allow the use by organizations other than your company (especially if not commercial) as they are an ISP and want to sell services not you.

    If legal agree you can and agree to the risks, then IT security say Y/N, then operations. So if you are asking, maybe you are the only IT and so you are IT security and operations - so do you agree? If you are at all unsure then the simple answer is no. Get your own ISP link. If you want to offer the option, make sure the CISO/MD/CEO/company owner plus data officer (whoever is legally responsible for data) approves in writing - they are the person legally responsible.

    Then if you still want to share give them direct connection to the ISP if possible, if not new security device before your firewall to completely split and make sure it logs. You want to be real sure they cannot access your company, and very sure you can prove to the ISP it was them if they do something illegal.

  • Just like guest WiFi, but hardwired.

    If I had a public IP address to spare, I'd make a public IP address available for their router. Otherwise, it's sectioning off a VLAN (or physical LAN, if my router has multiple interfaces) and isolating that particular port to that particular VLAN, with appropriate firewall rules between my network and their network.

    If you're sharing the same public IP address, then that implies that you'll be giving them an address in a private IP space to assign to their router's LAN, which means it's going to be behind a NAT layer, which means that their client devices will be double-NATted (unless you agree on addressing and routing to avoid the additional NAT layer). Most things nowadays work OK with double NAT, but some don't.

    Make sure both you and the sublessor understand and agree on what YOU will provide. The last thing you want to do is become their IT without an agreement.

  • I don't know if the OP bryanclarke hasn't checked back in or was overwhelmed with the response to their question but it seems like this thread has pretty well played out.

  • You can share only in case you get paid extra for supporting their network connectivity. Otherwise, make them get their own connectivity from ISP.

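The arrangement several replies above converge on (tenant on its own VLAN and subnet, internet access only, throttled, NATed to its own external address, with logging), written as an nftables ruleset. This is an added example, not configuration posted by anyone in the thread; it assumes a Linux firewall with no IPv6 in use, and the interface names, subnet and external addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed names and addresses:
#   wan0 = ISP uplink, lan0 = company LAN, vlan50 = tenant VLAN
#   203.0.113.10/.11 = external addresses (documentation range)
define WAN = "wan0"
define COMPANY_IF = "lan0"
define TENANT_IF = "vlan50"
define TENANT_NET = 10.50.0.0/24
define COMPANY_EXT = 203.0.113.10
define TENANT_EXT = 203.0.113.11

table inet sublet {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $COMPANY_IF accept
        # The tenant gets DHCP and ping from the firewall, nothing else.
        iifname $TENANT_IF udp dport 67 accept
        iifname $TENANT_IF icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # IPv6 is assumed unused here; refuse to forward it at all.
        meta nfproto ipv6 drop
        # Anti-spoofing: only the tenant subnet may source traffic on vlan50.
        iifname $TENANT_IF ip saddr != $TENANT_NET drop
        # Police the tenant to about 15 Mbit/s each way, ahead of any accept.
        # This drops excess packets; it does not queue or shape them.
        iifname $TENANT_IF oifname $WAN limit rate over 1875 kbytes/second drop
        iifname $WAN oifname $TENANT_IF limit rate over 1875 kbytes/second drop
        ct state established,related accept
        iifname $COMPANY_IF oifname $WAN accept
        # Internet only: log each new tenant flow, then allow it out.
        iifname $TENANT_IF oifname $WAN ct state new log prefix "tenant-out " accept
        # Tenant traffic aimed anywhere else (company LAN included) is
        # logged and dropped; company-to-tenant falls to the drop policy.
        iifname $TENANT_IF log prefix "tenant-blocked " drop
    }
}

table ip sublet_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Tenant flows leave from their own external address, so abuse
        # reports and blacklisting land on that address, not the company's.
        oifname $WAN ip saddr $TENANT_NET snat to $TENANT_EXT
        oifname $WAN snat to $COMPANY_EXT
    }
}
```

`nft -c -f <file>` parses the ruleset without loading it. The "tenant-out" log lines, kept with timestamps, are what ties a given flow on the tenant's external address back to the tenant VLAN.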
