[c-nsp] Cisco noob -- design guidance request

C. Jon Larsen jlarsen at richweb.com
Sun Sep 2 11:13:33 EDT 2007


On Sun, 2 Sep 2007, Niels Bakker wrote:

>>> Where is the access list that is going to prevent cross talk between the
>>> subnets?  Otherwise rogueware on one tenant's computer will attack the
>>> other tenants. Simply splitting each tenant onto its own VLAN is nice but
>>> it's a far cry from secure if you tie the subnets into a router that is
>>> happy to pass traffic between the VLANs !!
>
> * nntp at deskoptional.com (David L. West) [Sun 02 Sep 2007, 16:28 CEST]:
>> Ah. Wasn't sure if the VLANs were sufficient to isolate the tenants and so
>> had only recently started boning up on ACLs. Will come back around to that
>> once I firm up the rest of my design -- thanks for the heads up!
>
> I assume you'll be selling these people Internet access.  Their
> neighbours are also part of the Internet.  I see no reason why you
> should protect those from each other but not any other host connected to
> the Internet.
>
> (I, for one, will have my internet transparent please, thankyouverymuch)
>
> The per-customer VLANs are to keep them from playing layer-2 games,
> which is a completely different attack vector.

I agree with you, if said customers are providing their own firewalls. But
if they are not (as is common in multi-tenant access-type configs) then
the provider should either filter using ACLs or require such firewalls.

Otherwise the reliability of the network will take a nosedive when hacked 
computers are spewing out traffic searching for other computers to infect.
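As an added illustration of the ACL filtering Jon describes (this is not a configuration from the thread or from any of its participants): a Cisco IOS layout in which every tenant gets its own SVI, and an inbound ACL on that SVI lets the tenant reach the Internet and its own gateway but drops anything aimed at any other tenant's subnet. The VLAN numbers, the 10.100.0.0/16 tenant aggregate, the per-tenant /24s, the DHCP relay address and the ACL names are all assumptions chosen for the example.

```cisco
! Added example (not from the thread): per-tenant SVIs on a Cisco IOS Layer-3
! switch or router, each with an inbound ACL that permits Internet-bound traffic
! but drops traffic bound for another tenant's subnet.
! Assumptions: every tenant subnet is carved from 10.100.0.0/16, VLAN 101 is
! Tenant A (10.100.1.0/24), VLAN 102 is Tenant B (10.100.2.0/24), and the
! provider's DHCP server sits at 10.0.0.10 outside tenant address space.

! ---- Tenant A ---------------------------------------------------------------
ip access-list extended TENANT-A-IN
 remark DHCP from not-yet-addressed clients (source 0.0.0.0) must reach the relay
 permit udp any eq bootpc any eq bootps
 remark tenant hosts may talk to their own gateway (ping, DNS forwarding, etc.)
 permit ip 10.100.1.0 0.0.0.255 host 10.100.1.1
 remark one summary line blocks every other tenant subnet, current and future
 deny   ip any 10.100.0.0 0.0.255.255 log
 remark anti-spoofing: only Tenant A source addresses may leave this VLAN
 permit ip 10.100.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan101
 description Tenant A
 ip address 10.100.1.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group TENANT-A-IN in
!
! ---- Tenant B (same pattern, its own subnet and gateway) -------------------
ip access-list extended TENANT-B-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.100.2.0 0.0.0.255 host 10.100.2.1
 deny   ip any 10.100.0.0 0.0.255.255 log
 permit ip 10.100.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan102
 description Tenant B
 ip address 10.100.2.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group TENANT-B-IN in
```

The order matters: the permit to the tenant's own gateway has to sit above the summary deny, otherwise the gateway address (which is inside 10.100.0.0/16) would be blocked too. `show ip access-lists TENANT-A-IN` shows per-entry match counters, and the `log` keyword on the deny lines produces `%SEC-6-IPACCESSLOG*` syslog messages, so a tenant host that starts scanning neighbouring subnets shows up in the logs rather than on the other tenants' machines. Provider infrastructure that lives outside the tenant aggregate (the DHCP server above, management networks) needs its own deny lines before the `permit ip ... any`. These ACLs operate at Layer 3 only; isolating hosts on the same segment from each other is the job of the per-customer VLAN (or private VLANs), as Niels points out.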



