Isolating my own addresses on a multi-server LAN


Fran

I have a small network with a Windows 2000 server running Active
Directory sharing the same address subnet as another company. I need
to isolate us from that network but still have access to some of those
resources on that other network.

e.g. Subnet is now 192.168.002.001 through 192.168.002.250

We take up 11 of those addresses. I want to have our own subnet (e.g.
192.168.008.xxx)

What do I need in the way of equipment? What's involved in sharing
resources from one network to another? Do I need to route from one to
another? We also share a common internet connection and we have two
remote users that will need access (via RealVNC) to their desktop
machines.

Any advice is appreciated.

Fran
 
Fran said:
e.g. Subnet is now 192.168.002.001 through 192.168.002.250

Don't put leading 0's in an IP#.
What do I need in the way of equipment?
Router(s)

What's involved in sharing resources from one network to another?

Same as now. It is not related to subnets. Sharing is part of Windows
Networking. Subnetting is part of the "network infrastructure",....the two
are not related.
Do I need to route from one to another?

Do you want to? Do you need to? Only you will know that.
We also share a common internet connection and we have two
remote users that will need access (via RealVNC) to their desktop
machines.

Who owns the Internet Connection? The truth is, you can't go off and do
this on your own in this situation. You need to work together with the other
company you are involved with because this affects the design of both sides
of this. Also, even subnetting this network won't change how anything works
and will not protect either of you from the other unless you plan to write
ACLs to put on the Router,...and if you knew how to do this with a router,
then you would already know enough about all this that you wouldn't have had
to ask.

So,..it comes down to this,...you need to get together with this other
company you are involved with and work it out with them. This involves both
of you equally.
 
Do you want to? Do you need to? Only you will know that.

Since there are shared resources on their network that we need access
to, yes.
Who owns the Internet Connection?

They own the internet connection.

It was always my intent to get them involved in this. I just want to
be sure I know what things we will need to cover and initiate. My goal
is to take our Active Directory network off of theirs, add DHCP to our
server (instead of using theirs) and properly configure our DNS.
 
It was always my intent to get them involved in this. I just want to
be sure I know what things we will need to cover and initiate. My goal
is to take our Active Directory network off of theirs, add DHCP to our
server (instead of using theirs) and properly configure our DNS.

You can do all that and never touch the addressing scheme, except for DHCP.
The two Domains will need a trust relationship between them if you want to
access resources at the File System level (NTFS Permissions). Other services
(Web, SQL, etc) can be done with or without a Trust.

If you want to run DHCP then you do need a separate subnet and be sure to
*not* config the router to forward the DHCP request packets.

The main purpose of subnetting is to make the network more efficient by
reducing broadcasts when it gets up to a few hundred machines on the system.
Subnets can also help with security by using ACLs on the Routers between
them, but that only happens at the Layer3 & 4 levels and should never be
looked upon as the primary means of security. Most of your security comes
from either Active Directory (permissions given to or not given to) or the
security elements built into the individual "services" made available (SQL
Server, IIS [Web], etc.).

I'm afraid that security is more of a science and an art and not simply a
matter of splitting something into subnets and tossing a firewall between
the segments.
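
Added example (not part of the original thread): a small first-match ACL evaluator for traffic from the proposed 192.168.8.0/24 subnet into 192.168.2.0/24, showing that a router ACL decides on addresses, protocol and port only. The server addresses (192.168.2.10, 192.168.2.20) and the permitted ports are constructed assumptions; the two subnets come from the thread.

```python
import ipaddress

OURS = ipaddress.ip_network("192.168.8.0/24")    # proposed subnet from the thread
THEIRS = ipaddress.ip_network("192.168.2.0/24")  # existing subnet from the thread

def parse_addr(text):
    """Read each octet as decimal so 192.168.002.010 means 192.168.2.10.
    Some parsers treat a leading zero as octal, which is why padded
    addresses are best avoided in configuration."""
    octets = text.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted quad: {text!r}")
    return ipaddress.ip_address(".".join(str(int(o)) for o in octets))

# Constructed ACL for traffic leaving OURS toward THEIRS. Host addresses and
# ports are assumptions: a file server (SMB, tcp/445) and a web server (tcp/80).
ACL = [
    ("permit", OURS, ipaddress.ip_network("192.168.2.10/32"), "tcp", 445),
    ("permit", OURS, ipaddress.ip_network("192.168.2.20/32"), "tcp", 80),
    ("deny",   OURS, THEIRS, "any", None),
]

def evaluate(src, dst, proto, dport, acl=ACL):
    """First matching rule wins; anything unmatched hits the implicit deny.
    Note the inputs: no user, group or file name ever reaches the ACL."""
    s, d = parse_addr(src), parse_addr(dst)
    for action, src_net, dst_net, r_proto, r_port in acl:
        if (s in src_net and d in dst_net
                and r_proto in ("any", proto)
                and r_port in (None, dport)):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample packets: (source, destination, protocol, dest port)
    samples = [
        ("192.168.008.015", "192.168.002.010", "tcp", 445),
        ("192.168.8.15", "192.168.2.11", "tcp", 445),
        ("192.168.8.15", "192.168.2.10", "tcp", 1433),
        ("192.168.8.15", "192.168.2.20", "tcp", 80),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

Every user on 192.168.8.15 gets the same verdict for tcp/445 to the file server; which shares and files each of them can open is still decided by the domain trust and NTFS permissions.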
 