feasibility of two LAN networks with different ISP on same hardware in small office

Last response: in Networking
October 15, 2013 10:58:05 AM

Hi,

I'm in the early stages of setting up a medical office. It will have 3 high-end desktops; they need to have enough power to run Dragon Medical and my ASP-hosted EMR on Windows 8. There will also be two office assistant desktops, likely a more affordable all-in-one machine also running Windows 8, and a printer and a scanner as well. I am planning on getting an in-house server to handle print serving, domain control, backups etc. (and have gotten really useful help on this site for this!) -- this will all be on the same LAN. I am planning on connecting this LAN with an entry-level Cisco configurable switch (apparently geared at small business). The switch will connect to the router which is supplied by the ISP. It is not a public internet connection; it is a secured provincially run WAN (I'm in Canada, no HIPAA FYI).

Initially I thought this would be sufficient; however, the private WAN has significant limitations, including limited port options and limited bandwidth (5 Mb/s for 5 users). So I want to look into getting a second, public ISP. This is where it gets a bit over my head (don't worry, I'll have IT support for all of this, but I need an idea of what is feasible).

The government strictly disallows mixing the private WAN with a public ISP connection. My idea was to add a hardware firewall at the public ISP demarc point, then hook this connection up into the switch, and create two VLANs in the switch, one for the secured WAN and one for the public internet. I could run virtual machines on each of the 3 desktops and connect each virtual machine to the public VLAN on the switch. For this to work securely I'm assuming I would need two Ethernet adaptors on each desktop? Is there a way to somehow securely set up an external network connection on a virtual machine that is not available to the host computer?

I guess the other problem would be that I would not be able to access my server from both VLANs unless I ran two virtualized domain servers for that as well.

Is this a feasible solution for my problem? If it is I will make sure the desktops are really spec'd out with RAM and processing power. If not maybe my money would be better spent just buying 3 separate desktops for the offices? Or should I just deal with slow internet and strict firewall?

Appreciate any feedback!

Best solution

October 15, 2013 1:05:59 PM

You could use 2 NICs, but if you buy the proper switches you could use 802.1q trunk ports and device virtual NICs on the PC. Most PCs have the ability, buried far down in the NIC settings, to do this. There is some other strange Windows limitation that I forget to make it work on a single NIC, but it can be done.

I would suspect you are very much in the grey area of whether a PC running 2 virtual machines is on the same or different networks. You get into what the definition of a "machine" is. It is very possible to share things between the virtual machines. In fact you could bridge the NIC and use 2 different IPs and they would appear to be on different networks even though they are not.

If you were just trying to get around a restriction on Hulu letting you watch videos or something, I would say go for it. When you deal with government regulations you have to know they will always interpret the law in a way that makes your life as hard as possible. I would opt for 2 machines.
October 15, 2013 5:24:21 PM

bill001g said:
You could use 2 NICs, but if you buy the proper switches you could use 802.1q trunk ports and device virtual NICs on the PC. Most PCs have the ability, buried far down in the NIC settings, to do this. There is some other strange Windows limitation that I forget to make it work on a single NIC, but it can be done.

I would suspect you are very much in the grey area of whether a PC running 2 virtual machines is on the same or different networks. You get into what the definition of a "machine" is. It is very possible to share things between the virtual machines. In fact you could bridge the NIC and use 2 different IPs and they would appear to be on different networks even though they are not.

If you were just trying to get around a restriction on Hulu letting you watch videos or something, I would say go for it. When you deal with government regulations you have to know they will always interpret the law in a way that makes your life as hard as possible. I would opt for 2 machines.


Thanks for the help! Yeah, I know what you mean in terms of the grey area. If something like this is set up professionally with the right equipment, would it be considered secure (I know that's a relative term)? I guess what I mean is, would this be an acceptable practice in most office networks? I might just have to get their IT guys to sign off on it to make sure I'm not infringing.

Here is what they stipulate in the regulations document; beside it is a basic diagram of a DMZ:

1. The security appliance must be provided through a separate, dedicated hardware appliance.
2. The security appliance must have a secure, HTTPS protocol based administration interface.
3. The security appliance must include firewall security configured for Stateful Packet Inspection that:
   a. Does not allow any network traffic originating from the practice segment or its public Internet connection into the PPN segment.
   b. By default is configured to restrict all network traffic originating from the PPN segment to the practice segment and its public Internet connection, according to the principle of Least Privilege.
4. The security appliance must include Intrusion Detection and Prevention software running that inspects/blocks malicious network traffic originating from the practice segment or its public Internet connection.
5. The security appliance must include inline Anti Virus software with malware protection (e.g. for trojans, worms, spyware) that inspects/blocks malicious network traffic originating from the practice segment or its public Internet connection.

Maybe I will just wait and see how much of an inconvenience the slow connection is. I guess it would also not be that bothersome to have a separate network; I can just use laptops on a wireless LAN, I suppose. The only major annoyance would be the server; it seems like a waste to not let it be used on both networks. Would it be reasonable to at least set up two separated virtual servers with separate NICs on it? This must be common practice?
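One way to make the stateful-inspection requirements in item 3 concrete is to model them as a small policy evaluator and run sample flows through it. This is an added example, not part of the thread or of the regulation; every segment name, address and allow-list entry in it is a constructed assumption.

```python
# Added example (not from the thread): a model of the stateful packet inspection
# policy the regulation excerpt describes. Segment names, addresses and the
# allow-list are constructed assumptions.
from dataclasses import dataclass, field

PPN, PRACTICE, INTERNET = "ppn", "practice", "internet"

@dataclass(frozen=True)
class Packet:
    src_seg: str  # segment the packet comes from
    dst_seg: str  # segment it is heading to
    src: str      # "ip:port", constructed sample values
    dst: str
    new: bool     # True for a new connection attempt (e.g. TCP SYN)

@dataclass
class StatefulFirewall:
    # Least privilege: only these (segment, "ip:port") targets may be reached
    # from the PPN; any other PPN-originated connection is dropped by default.
    allowed_from_ppn: set = field(default_factory=set)
    conntrack: set = field(default_factory=set)  # accepted flows as (src, dst)

    def evaluate(self, p: Packet) -> str:
        # Stateful part: packets of an accepted flow pass in both directions;
        # this is the only way any traffic ever enters the PPN segment.
        if (p.src, p.dst) in self.conntrack or (p.dst, p.src) in self.conntrack:
            return "accept"
        if p.dst_seg == PPN:
            return "drop"  # rule 3a: nothing from practice/Internet into PPN
        if p.src_seg == PPN:
            # rule 3b: PPN -> practice/Internet only if explicitly allowed
            if p.new and (p.dst_seg, p.dst) in self.allowed_from_ppn:
                self.conntrack.add((p.src, p.dst))
                return "accept"
            return "drop"
        # practice <-> Internet never crosses the PPN boundary; treated as out
        # of scope for this policy (an assumption, the excerpt covers PPN only)
        return "accept"

def demo_verdicts() -> list:
    """Push constructed sample packets through the policy; returns verdicts."""
    fw = StatefulFirewall(allowed_from_ppn={(PRACTICE, "10.1.0.20:9100")})
    samples = [
        Packet(PRACTICE, PPN, "10.1.0.5:51000", "10.0.0.10:443", True),     # drop
        Packet(INTERNET, PPN, "198.51.100.7:40000", "10.0.0.10:22", True),  # drop
        Packet(PPN, PRACTICE, "10.0.0.10:50000", "10.1.0.20:9100", True),   # accept
        Packet(PRACTICE, PPN, "10.1.0.20:9100", "10.0.0.10:50000", False),  # accept, reply
        Packet(PPN, PRACTICE, "10.0.0.10:50001", "10.1.0.5:445", True),     # drop
    ]
    return [fw.evaluate(p) for p in samples]
```

The fourth sample shows the stateful point: the printer's reply enters the PPN only because the PPN side opened that flow first, which is exactly what a stateless rule set cannot express.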
October 15, 2013 5:40:34 PM

The risk is how secure the virtualization software is.
Just as an example, since I know you do not plan to connect a firewall between the segments.

You buy a $50,000 firewall that deep down inside is pretty much a dual-NIC PC running a Linux variant that has been stripped of every feature that may allow the basic OS to be compromised. They remove every non-essential piece of software, which prevents bypassing any rule restrictions for traffic between the NIC cards.

Now you take a general-purpose server with dual NICs and load a virtualization OS and a couple of end-target OSes to run your software.

What is the difference? You still have a piece of hardware with a NIC on the secure segment and one on the non-secure. In the case of the firewall it has been hardened to prevent traffic from going across. In the case of a general-purpose box, its major function is to provide a service to make it easier to run multiple OSes. BUT both are firewalls, even if they are not called that, because they must prevent traffic from moving across. Although the general-purpose device may be made just as secure, it takes a much higher level of knowledge to set it up. This is why you pay so much for a true firewall: someone else is making it easy to get a secure network.

I am just pointing out that if you put a server or even the clients on both networks you are now responsible for making sure no traffic can cross due to bugs or misconfiguration... and if they get really picky, technically any dual-NIC machine is a firewall just because there is the possibility for traffic to cross.
October 15, 2013 7:23:22 PM

bill001g said:
The risk is how secure the virtualization software is.
Just as an example, since I know you do not plan to connect a firewall between the segments.

You buy a $50,000 firewall that deep down inside is pretty much a dual-NIC PC running a Linux variant that has been stripped of every feature that may allow the basic OS to be compromised. They remove every non-essential piece of software, which prevents bypassing any rule restrictions for traffic between the NIC cards.

Now you take a general-purpose server with dual NICs and load a virtualization OS and a couple of end-target OSes to run your software.

What is the difference? You still have a piece of hardware with a NIC on the secure segment and one on the non-secure. In the case of the firewall it has been hardened to prevent traffic from going across. In the case of a general-purpose box, its major function is to provide a service to make it easier to run multiple OSes. BUT both are firewalls, even if they are not called that, because they must prevent traffic from moving across. Although the general-purpose device may be made just as secure, it takes a much higher level of knowledge to set it up. This is why you pay so much for a true firewall: someone else is making it easy to get a secure network.

I am just pointing out that if you put a server or even the clients on both networks you are now responsible for making sure no traffic can cross due to bugs or misconfiguration... and if they get really picky, technically any dual-NIC machine is a firewall just because there is the possibility for traffic to cross.


Yeah, that makes a lot of sense. Well, it's good to know it's possible, and it sounds like it would be kinda interesting to set up. But I guess practically speaking, given the size of my office, it's probably not the best idea. Between the decreased RAM requirements, the extra Win8 Pro licence on each desktop and the extra IT hours, I could probably pay for the additional hardware and maybe a second small server or NAS-type solution for the less secured network...
October 15, 2013 8:33:15 PM

While I'm on the topic... if I do go with the 2nd separate network, can you recommend a router/firewall/wireless solution? Should I go for a product like the SonicWall TZ-205 or TZ 210 UTM, a wired router/firewall + a separate WAP, or is this overkill for my needs (as above, this would not have any connection to patient records/files)? Could I just use a DD-WRT flashed consumer-grade product?

It'll be about a 1000 sq ft office, likely <15 devices, maybe a printer and NAS; supposed to have RADIUS-like security for wireless; may be nice to have a separate SSID for guests in the waiting room (but not needed).