![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
I've taken on the task of revamping a small web-hosting network and there is one area that I am unsure of the best route to take for security. Currently there are shared hosting plans and dedicated servers. The dedicated servers are Windows-based and the clients are given TS access to their machine(s). The area that I am stuck with is how to best segregate the dedicated servers so they cannot, in any way, poke or prod at others' servers. Up to now, where this has "mattered", there are additional firewalls put into place in front of each client that needs the protection, but I figure there has got to be a better way to handle this than installing routers everywhere. Preferably, this wouldn't involve software as the clients can add/remove whatever they like from their server(s).
As an example, let's say we have one router between the LAN and WAN sides with a switch on both ends. There are 10 separate servers that need to be on the LAN side, but the clients has access to their servers and could add as many additional IP addresses as they'd like, potentially hitting a subnet that another server may be on. If This malicious client tries hard enough, or another client keeps their server "open" (let's say anonymous ftp with full access, or admin/password credentials for TS), bad things could happen between the two machines. What is the best way of preventing this situation? It has got to be something else besides having routers with a large number of ports on hand...
Ideas? Solutions? I am planning for growth without limits, even if it never occurs, so any solution should work as well with 100 or 1,000 dedicated machines. I assume VLANs are about as good as one can get.
As an example, let's say we have one router between the LAN and WAN sides with a switch on both ends. There are 10 separate servers that need to be on the LAN side, but the clients has access to their servers and could add as many additional IP addresses as they'd like, potentially hitting a subnet that another server may be on. If This malicious client tries hard enough, or another client keeps their server "open" (let's say anonymous ftp with full access, or admin/password credentials for TS), bad things could happen between the two machines. What is the best way of preventing this situation? It has got to be something else besides having routers with a large number of ports on hand...
Ideas? Solutions? I am planning for growth without limits, even if it never occurs, so any solution should work as well with 100 or 1,000 dedicated machines. I assume VLANs are about as good as one can get.
Last edited: