Security issues sharing internet connection among different users

Factual Questions
1

A non-profit organization I help to run may need to share its new office space by subleasing a portion to an unaffiliated non-profit. My organization expects to provide internet access to its tenant. The organization will need a network that allows it to share files internally among a few users (no more than five for now) and likely to share a printer. The organization also wants to offer its visitors wireless internet access without letting those visitors onto the private parts of its network. Installing two internet connections seems like a needless expense so hopefully one connection will do.

  1. How can the organization isolate the private parts of its network from its tenant if they share one internet connection? I assume that if the tenant just plugs its computers into the cable modem for internet access, the tenant will be able to intercept all the unencrypted files travelling on or stored on the computers on my organization’s network unless there are safeguards.

  2. How can the organization provide wireless access to the public without those people being able to intercept its internet or network traffic? Is this as simple as installing two different wireless routers with different passwords on the same internet modem? Would this allow the public users to trawl through the private parts of the network?

Low cost and ease of use are priorities. Clearly I’m not that technically sophisticated but I’m among the tech savviest people they have. Ideally we’d find something that could be installed without requiring a ton of maintenance or ongoing service fees.

Thanks in advance.

2

You are looking for network isolation, or guest networks is what it is called on some products:

You buy a cable modem, then your own router to go behind the modem BTW, and the router is the important part.

More expensive routers have more options here, but it is definitely possible to set this up with one internet connection. You may need more technical expertise than you have available and slightly more expensive router equipment than consumer grade options thought, especially if you want to set up different wireless networks AND different wired networks. Some expensive consumer routers can handle the case of Company 1 Wired + Wireless, Company 2 wireless, and Guest network, where Company 1 is isolated from Company 2 and both are isolated from the guest network. Few consumer routers can handle the case of Company 1 Wired + Wireless, Company 2 Wired + Wireless, Guest network. Because to do that you have to be able to isolate specific ports off the router from other ports.

3

You want at least two VLANs (Virtual Local Area Networks). VLANs allow separate networks to be isolated from one another even though all the relevant computers are plugged into the same switch(es). You could theoretically get some isolation by putting each of the various networks on different subnets with the appropriate subnet mask, but this is essentially security through obscurity (which isn’t security at all). Pay a consultant to set up some VLANs.

Not quite. Ethernet hubs, which are outdated and essentially not on the market anymore, broadcast all network traffic to all ports. Ethernet switches, however, send the traffic between the computers that “need” to see that traffic, e.g., between computer A (a server) and computer B (a client). Computer C can’t see (or “sniff”) that traffic because the ethernet switch isn’t sending it to the port into which computer C is plugged.

However, it’s not too hard to make a switch “fail open” and act as a hub after a buffer overflow or similar attack. So ethernet switches basically just keep the honest people out. A VLAN will help a lot, and so will encrypting all the traffic you can by default. Encryption doesn’t take much overhead these days, so there’s not a good reason not to use it. Plus, that’ll help with wireless traffic, which is available for anyone with the network password to sniff.

Ubiquti’s Edgerouter X and Edgerouter Lite can handle fancy VLANs and isolate networks in the way you want, and the Edgerouter X is only something like $55-$60. But you have to understand networking reasonably well to set it up (or to set up any network incorporating VLANs). For this use case, their Edgerouter is probably preferable, mostly because it has eight ports. If you need 3-4 VLANs and a few wireless access points plugged in, you’ll use up the 4-5 ports on the Edgerouter X pretty quickly. You’ll probably want separate switches for each of the VLANs,

This isn’t an unreasonable question, but anyone who asks it probably isn’t familiar enough with networking to properly set up VLANs. The hardware cost is dwarfed by the cost of hiring a networking consultant to set things up the way you want. That might cost $500-$1000, depending. But it’s worth it to have things set up by someone who knows what they’re doing.

Put a wireless access point on a third VLAN. That’s pretty much it. Again, you probably want to pay a local consultant to set up both the router and the access points.

Once this system is set up, it shouldn’t require much tweaking, and it doesn’t require recurring fees. You’ll spend $500-$1000/year on a networking consultant, but it will totally be worth it.

Good luck!

4

Thanks jacobsta811 and EdelweissPirate.

I suspect that offering wifi to the sublettor would be sufficient so Company 1 Wired, Company 2 Wireless, and Guest Wireless would probably be fine as long as it did not expose Company 1’s network to Company 2 and neither was exposed to guests. Any suggestions?

Thanks. This is incredibly helpful. Does the EdgeRouter come with instructions? Chances are, we’d hire a consultant but I appreciate having some idea what kind of numbers we might be looking at.

Two companies sharing the space would need no more than two LANs and no more than three wifi connections including one for guests. I’m sure the two companies can share the guest wifi network. Only one company is likely to have an appreciable number of visitors. Sharing the internet connection will save the sublettor perhaps $60 per month. If accommodating the sublettor on the internet connection would cost more than, let’s say, $1000 over a two-year lease, the answer to the sublettor will be that the space doesn’t come with internet. It seems like the marginal hardware for this purpose and the IT consulting to set up the network should be less than that. That’s good to know.

5

I get asked to do this all the time. Doing this kind of thing correctly is pricey and many of the recommended routers will be far more expensive. If a prospective tenant is so hard up that a free internet connection is a deal-breaker, I question that the tenant is financially prepared for an office space or will be unrepentant abusers of the service.

Beyond the obvious security aspects are the far more common issues of bandwith usage and TOS violations. if they are torrenting movies and someone catches it, fingers point to you. if you try a DIY solution and fail to set up bandwith limiting or QOS type features, you could find yourself having a hard time doing work up against your tenants streaming music and movie habits.

Also if you are providing internet, in the event of an outage, would this cripple their ability to do business? how are they going to feel about that?

This is 100x simpler if you just dont offer. Let them get their own ISP or buy a separate account and roll it into their rent. IME non-profits spend plenty of money on things that are important to them even if it is not part of the direct mission. I have been into dozens of NPO’s with gorgeous well decorated offices in expensive areas of town wanting to haggle over $400 desktop computers or a couple hours of labor @$80/hour.

6

The subleased space is likely to rent for perhaps $500-$600 per month. The potential internet savings represents roughly 10% of the cost of the rent and makes it easier for my organization to ask for the higher amount. It basically comes down to whether my organization could provide internet at a cost that would more than offset its cost to provide that service. It seems like the answer is yes.

Point taken that the solution needs to apportion bandwidth between the users. This is a helpful tip.

I’m sure they would be disappointed, as would my organization. The fact that there may be disruptions to internet services would be disclosed in the lease. We’re talking about four to five people in an office though; this isn’t Google. They’ll live if it takes a day or two for the ISP to come out and fix a problem. In the meantime, they have smartphones to check email.

Every business is infinitely easier if it chooses not to be in business at all. Of course, this means foregoing every business opportunity, which is not how fortunes are made. This is a poor choice for most businesses. It would be a poor choice for my organization to needlessly forego revenue to avoid a manageable hassle.

This does not describe my non-profit organization. We strive to use money wisely in all aspects of our operation. This is just one area I am trying to help optimize.

7

Spend some money on a higher end programmable router. Sonicwall, WatchGuard, etc. make programmable firewalls where the various ports can be programmed, load balancing and throttling are possible.

the concept would be the firewall would have two separate LANs using the same internet connection. One ethernet port, for example, would be 192.168.0.0-255, and the other would be 192.168.1.0-255
The firewall would be programmed to allow both these subnets out to the internet, but no traffic between the two. The wire from each firewall port would go to a separate switch for each group; 8-port gigabit switches are as low as $30 nowadays. (Simpler than programming VLANs which would require smart switches, more expensive.) Each group is free to provide their own wifi (a home router with DHCP turned off) just don’t share passwords.

When I did some volunteer work for a charity non-profit, they considered it “donated services” at a reasonable rate (say, $50/hr) since I was a professional who did this job and I did it for them for free. I got a tax receipt which helped against taxes. (At least, in Canada. Not sure about the situation in the USA)

8

As others said, you can set up a guest network. I think most routers (and I’m talking about ‘normal’ ones from Amazon/Best Buy etc) have the ability. I’ve never attempted to break through it, but the feature is there.
When the credit card processors started getting serious about PCI/DSS, I turned it off and just tell people ‘we don’t have wifi, sorry’. How they know that the randomly named network has anything to do with us, I don’t know, but if they push the subject* I end up just telling them that we don’t allow anyone on the network for security issues.

*And with that, IMO, it takes some nerve to ask a business for their wifi password and it borders on rude when you ask a second time after being told you can’t have it.

9

Thanks. Those sound like really good solutions but it looks like the hardware alone for those systems runs around $400 to $500, plus another $100 for a couple of wifi routers. Once we add professional installation, we’re looking at over $1000. That’s pretty close to the breakeven point where this isn’t worth doing versus the cost of just getting two cable internet connections and adding two wifi routers that each have guest capability. There are plenty of wifi printers that we could share through such an informal network. There isn’t much more we would need a network to do in the beginning. We would just hold onto our cloud-based document sharing service in lieu of network-based backups.

We receive a fair amount of donated professional services and we are happy to provide donated services documentation. Are you volunteering? :slight_smile:

Thanks for the tip. This might be the easiest solution.

I agree that people demanding wifi passwords are rude but perhaps you could try saying that you don’t offer wifi. People can see that your equipment runs on wifi and guess that the really strong wifi signal belongs to you. They feel lied to when you say you don’t have wifi so they push back, rudely and unreasonably but somewhat understandably. Saying you don’t offer wifi seems more like a fair policy applied to all rather than a personal slight just to them. Or maybe it won’t make a difference. America doesn’t lack for well-developed senses of entitlement.

10

I have set up this sort of thing before. VLANs and the like are all well and good - and I use them myself here at home - but you need to take a pessimistic, security conscious, perspective and simply have a second, dedicated, independent line for the tenant. This will prevent both legal and technical troubles. You really do not want kiddie porn associated with your external IP address. That cuts both ways too, so if they have confidential data they can guarantee that you won’t see it.

11

Thanks Quartz. After reading through this thread and considering the complexity, I’m leaning in this direction too.

12

It’s probably still worth mentioning that qualifying non-profits can get substantially discounted Cisco networking gear from TechSoup.

13

If a WatchGuard/Sonicwall level router is beyond your budget - A SUPER cheap and dirty solution is to buy three home routers. Plug one into the internet. Plug each of the other two into that router. This guarantees neither side can see what’s behind the other’s router. Since you probably already have one router, you only need 2 secondaries. Make those secondaries Wifi routers and you’re off to the races.

(Most cheap home routers don’t allow you to program the individual LAN ports for separate subnets)

The two secondary routers’ WAN ports would be set to DHCP and obtain addresses from the LAN of the main router. There’s nothing wrong with cascading routers. I’ve seen a lot of that. One for each since if one network goes “through” the other’s network, the secondary can see what’s on the main network. The only “gotcha” is that the secondary routers cannot be the same IP range (subnet) as the main router. I.e. a router cannot have 192.168.0.1-254 on both sides of the router, WAN and LAN. Since this is the default IP for 99% of the home routers, you would have to change the main router’s LAN to something else (i.e. 10.0.0.1-254; any 192.168.x.x and 10.x.x.x ranges are acceptable for private networks. Remember to change DHCP address range handed out too on the main router)

In fact, if both secondary routers used the same IP range that would be an added security measure. (But make it harder to diagnose which network a workstation connected to, if you have confusing wiring in the offices)

Routers by definition don’t allow traffic into the network unless the conversation was started from the inside or that port number is specifically forwarded to a PC/server inside the firewall of the router. So going from inside Router B to inside router C is just as difficult as getting from the internet to inside a home router.

Oh, and don’t forget to change the passwords on the routers (and write it down somewhere!! Heck, write down the whole configuration of the networks.) I run across situations all the time where the router still has the default factory password. If strange people can plug into your network, that gives them easy control on allowing remote access too.

14

Speaking of wiring, if a patch panel is involved, colour-code the cables. One set of colours for you, another set for them.