bergman on 6 Jan 2008 08:12:58 -0800


Re: [PLUG] Sharing an Internet Connection

In the message dated: Sun, 06 Jan 2008 10:45:58 EST,
The pithy ruminations from holdenergy on 
<[PLUG] Sharing an Internet Connection> were:
=> Hi - What might be the quickest/cheapest/easiest way to securely share an
=> internet connection.

Your desires are:


Fortunately, the first 3 can be satisfied simultaneously. Satisfying the 4th 
criterion (security) basically rules out the first and 3rd, and possibly the 
second desire. Depending on how heavily you weight the 3rd criterion, that may 
rule out the other desires.

=> Let me explain. In a shared community with only one DSL connection, multiple
=> different entities connected through one DSL connection but requiring that

How many entities? Do any of them fall under existing statutes or requirements for
data protection (i.e., patient records and HIPAA, school records, e-commerce and 
credit card data, social security numbers, etc.)?

=> records be kept for each port, so that in the extreme case of a visit from

What kind of records (i.e., DHCP assignments per port? full traffic sniffing? 
authenticated users per port? inbound & outbound connections per port, with 
duration, data volume, and protocol?) are you talking about? Where will the 
records be kept? For how long? With what level of security? This requirement 
is so vague and potentially vast that it could be the deciding factor for the 
entire solution.

=> FBI/RIAA etc only that port is an issue. Ideally getting 2 IPs from the DSL
=> provider would be perfect but that adds $$ if they'd even do it.

It sounds like the easiest/secure answer would be to have a distinct internet 
connection for each entity.

Do the entities ever share data or network resources with each other without 
going through the internet (i.e., are there shared printers, network storage, 
etc.)? If not, then there is no logical reason to have a single network 

Do the entities have different security requirements, or do they have different 
bandwidth needs, or do they have different levels of risk? Remember, with a 
single DSL connection, the upstream ISP won't distinguish the fact that you may 
have logically separate networks serving different entities. If little Johnny is doing 
a lot of P2P filesharing, when the ISP shuts down the connection, it will also 
take CEO Mary off the internet.

Conversely, when someone from the outside conducts a DoS attack against Mary's 
company, it'll take Johnny's classroom network off the internet too.

=> Furthermore, we don't want one entity soaking up all available bandwidth, so

It sounds like the easiest/secure answer would be to have a distinct internet 
connection for each entity.

=> what would be the device to throttle each port to a certain percentage of
=> available, and we actually want to maintain a certain port dedicated for
=> VOIP to ensure quality of service even if the DSL is otherwise at capacity.

Again, I'd suggest that distinct physical networks would be the easiest and 
most secure answer, though not the cheapest (and possibly not the quickest).

=> I have not seen these features in consumer grade routers and I am not sure
=> how far we have to step up to get it, or is there a Linux solution for which
=> I'd be happy to re-purpose an old PC or laptop.

For the cheapest solution, you might be able to use something like the Linksys
WRT54G, and ignore the wireless network. If you get the correct model (i.e.,
running Linux, and hackable), you can configure routing and QoS for the
individual wired ports.

Of course, this would be a complex solution, and it would be difficult to get 
support for. How important is the "easiest" criterion in your list of desires, vs. 
"cheapest"? The "quickest" aspect would depend on your abilities, the available 
time, and how well the network requirements are defined. Remember, sometimes 
it's much quicker and easier to configure and operate a more complex (and 
expensive) piece of hardware, and much slower to use a cheaper solution.

The professional services cost required to properly set up and do ongoing
maintenance of a segmented network, with QoS, different per-port security and
bandwidth requirements, and "record keeping" of data traffic is many, many
orders of magnitude greater than the per-month DSL line charges. If the budget
is so low that the DSL charges for additional lines are significant, then I
don't think that it's possible to meet your criteria (particularly the
"security" and "easiest" goals), with any provision for long-term maintenance
and continuity of management.

=> Thanks for any help,
=> -Andrew

Mark Bergman    Biker, Rock Climber, Unix mechanic, IATSE #1 Stagehand


Philadelphia Linux Users Group
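The per-port throttling and dedicated VoIP port that Andrew asks about, and the "re-purpose an old PC" Linux route Mark hints at, look like this in practice. This is an added example, not code from the thread or its author: a POSIX sh script that generates the `tc` (HTB) and `iptables` commands for a Linux box sitting between the tenants' wired ports and the DSL modem. Interface names (ppp0, eth1, eth2, eth3), the 768 kbit/s upstream figure and the fwmark numbering are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or its author. Generates the tc/iptables
# commands for an old Linux PC acting as the shared DSL router: each tenant hangs
# off its own wired NIC ("port"), gets a guaranteed percentage of the uplink and may
# borrow idle tenant bandwidth, while the VoIP port has its own reserved, top-priority
# class that nobody else can borrow from. Only the upstream (what the router sends
# out on WAN) is shaped; downstream can only be policed, not guaranteed.
# Assumptions: uplink interface ppp0, 768 kbit/s upstream (constructed figure),
# tenant NICs eth1/eth2, VoIP NIC eth3, fwmarks 1-8 for tenants and 9 for VoIP.

WAN="${WAN:-ppp0}"
LINK_KBIT="${LINK_KBIT:-768}"   # shape a little below the measured sync rate in practice
DEFAULT_KBIT=8                  # tiny guarantee for the router's own traffic

# share_kbit POOL PCT -> kbit/s guaranteed to a tenant holding PCT percent of POOL
share_kbit() {
    echo $(( $1 * $2 / 100 ))
}

# plan VOIP_IFACE VOIP_KBIT "iface:pct iface:pct ..."
# Prints the commands; review them, then apply as root:  plan eth3 128 "eth1:50 eth2:50" | sh
plan() {
    voip_if="$1"; voip="$2"
    pool=$(( LINK_KBIT - voip - DEFAULT_KBIT ))   # what the tenants share after reservations
    echo "tc qdisc del dev $WAN root 2>/dev/null"
    echo "tc qdisc add dev $WAN root handle 1: htb default 20"
    echo "tc class add dev $WAN parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit"
    # VoIP: served first (prio 0); rate == ceil so a VoIP flood cannot eat the tenants' share
    echo "tc class add dev $WAN parent 1:1 classid 1:10 htb rate ${voip}kbit ceil ${voip}kbit prio 0"
    echo "iptables -t mangle -A PREROUTING -i $voip_if -j MARK --set-mark 9"
    echo "tc filter add dev $WAN parent 1: protocol ip prio 1 handle 9 fw flowid 1:10"
    # default class for unmarked (router-originated) traffic: may borrow from the pool
    echo "tc class add dev $WAN parent 1:1 classid 1:20 htb rate ${DEFAULT_KBIT}kbit ceil ${pool}kbit prio 2"
    mark=1
    for spec in $3; do
        iface=${spec%%:*}; pct=${spec#*:}
        rate=$(share_kbit "$pool" "$pct")
        # per-port class: guaranteed $rate, ceil = pool so it borrows only from idle tenants
        echo "tc class add dev $WAN parent 1:1 classid 1:2$mark htb rate ${rate}kbit ceil ${pool}kbit prio 1"
        # classify by ingress port: everything that arrived on this NIC carries this mark
        echo "iptables -t mangle -A PREROUTING -i $iface -j MARK --set-mark $mark"
        echo "tc filter add dev $WAN parent 1: protocol ip prio 2 handle $mark fw flowid 1:2$mark"
        mark=$(( mark + 1 ))
    done
}
```

Because classification is by ingress interface rather than by address, a tenant cannot escape its class by changing IPs; the per-port `iptables` counters also give a crude first cut at the "records per port" Andrew mentions.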