[c-nsp] Cisco noob -- design guidance request
Niels Bakker
niels=cisco-nsp at bakker.net
Sun Sep 2 10:51:46 EDT 2007
>> Where is the access list that is going to prevent cross talk between the
>> subnets? Otherwise rogueware on one tenant's computer will attack the
>> other tenants. Simply splitting each tenant onto its own VLAN is nice but
>> it's a far cry from secure if you tie the subnets into a router that is
>> happy to pass traffic between the VLANs!!
* nntp at deskoptional.com (David L. West) [Sun 02 Sep 2007, 16:28 CEST]:
>Ah. Wasn't sure if the VLANs were sufficient to isolate the tenants and so
>had only recently started boning up on ACLs. Will come back around to that
>once I firm up the rest of my design -- thanks for the heads up!
I assume you'll be selling these people Internet access. Their
neighbours are also part of the Internet. I see no reason why you
should protect those from each other but not any other host connected to
the Internet.
(I, for one, will have my internet transparent please, thankyouverymuch)
The per-customer VLANs are to keep them from playing layer-2 games,
which is a completely different attack vector.
-- Niels.
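For readers wondering what the access list the first poster asks about would look like in practice, here is an added illustration that is not part of the thread. It assumes Cisco IOS SVIs as tenant gateways, two tenants carved out of the documentation range 192.0.2.0/24 (VLAN numbers, subnets and ACL names are constructed for the example):

```cisco
! Constructed example, not from the thread.
! Tenant aggregate: 192.0.2.0/24. Tenant A = 192.0.2.0/27, Tenant B = 192.0.2.32/27.
! Each tenant gets its own VLAN (layer-2 isolation) and an inbound ACL on its SVI
! (layer-3 isolation). The ACL only sees routed traffic; hosts inside one VLAN
! still talk to each other directly at layer 2.
!
interface Vlan101
 description Tenant A gateway
 ip address 192.0.2.1 255.255.255.224
 ip access-group TENANT-A-IN in
!
interface Vlan102
 description Tenant B gateway
 ip address 192.0.2.33 255.255.255.224
 ip access-group TENANT-B-IN in
!
ip access-list extended TENANT-A-IN
 remark Gateway itself stays reachable (ICMP, DHCP if the router serves it)
 permit ip 192.0.2.0 0.0.0.31 host 192.0.2.1
 remark Drop routed traffic aimed at ANY other tenant subnet and log it for detection
 deny   ip 192.0.2.0 0.0.0.31 192.0.2.0 0.0.0.255 log
 remark Everything else (the Internet) is allowed
 permit ip 192.0.2.0 0.0.0.31 any
 remark Implicit deny also drops packets with a source outside the tenant's own subnet
!
ip access-list extended TENANT-B-IN
 permit ip 192.0.2.32 0.0.0.31 host 192.0.2.33
 deny   ip 192.0.2.32 0.0.0.31 192.0.2.0 0.0.0.255 log
 permit ip 192.0.2.32 0.0.0.31 any
```

Matching the deny against the whole tenant aggregate (rather than listing every neighbour) means a new tenant subnet is covered as soon as it is allocated from that block; the `log` keyword gives a simple signal that one tenant's host is probing another.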