Changing Internet providers
-
@Dashrender said:
@coliver said:
@Dashrender said:
@coliver While I understand why you say that, even Network Nerd made mention that I will have better results from something like Cox's connection versus directly over the internet.
Out of curiosity how is Cox's connection not directly over the internet? I'm assuming they are your provider (or would be)?
Cox's connection would be over a Metro Area connection between them and me. The big thing that I am wondering about.. on that separate connection, should I put a firewall - I'm thinking almost certainly.
Depends. Metro Area is usually L2 still with public IPs but physicall on the same switches, subnet and vlan at the local ISP. It's not truely on the internet until it gets routed (using L3 Gateway at the ISP). You can either use Static Routes with Firewall (or none if you don't need any for the type of business that doesn't have much confidential data, only the ISP could intercept it) or use a Lightweight vpn like TINC between the sites.
-
@coliver said:
@Dashrender said:
@coliver While I understand why you say that, even Network Nerd made mention that I will have better results from something like Cox's connection versus directly over the internet.
Out of curiosity how is Cox's connection not directly over the internet? I'm assuming they are your provider (or would be)?
Cox does provide Internet. But the last mile is not Internet, it is just a WAN link. If they provide a service directly over that WAN link it is not over the public internet but over a private network. It is no more part of the Internet than your internal LAN is (which is to say that in some ways it is as everything connected to the Internet is the Internet, but it is still a private, controlled, "portion" of the Internet.)
-
Wait, wait, wait...
You're over complicating it, I think.They have an internal network for their SIP switch, that network will be connected to my network over a MAN connection and terminate at a Edgemark where it will convert into an IP on my network (their proposal).
Now if their network is completely isolated from the internet (seems unlikely, but what do I know) then I don't need to worry about firewalling it. But in the off chance someone could breach that network and reach my network through that MAN, wouldn't I be safer just putting in a ERL that keeps that network only talking to my FPBX?
-
@scottalanmiller said:
@coliver said:
@Dashrender said:
@coliver While I understand why you say that, even Network Nerd made mention that I will have better results from something like Cox's connection versus directly over the internet.
Out of curiosity how is Cox's connection not directly over the internet? I'm assuming they are your provider (or would be)?
Cox does provide Internet. But the last mile is not Internet, it is just a WAN link. If they provide a service directly over that WAN link it is not over the public internet but over a private network. It is no more part of the Internet than your internal LAN is (which is to say that in some ways it is as everything connected to the Internet is the Internet, but it is still a private, controlled, "portion" of the Internet.)
Good to know. That was the info I was looking for. So they can "guarantee" the speed/latency requirements to their end points/customers. I could see where considering them for your primary SIP Trunk then would make sense, especially if they can exchange to POTS from inside that network.
-
@scottalanmiller said:
@coliver said:
@Dashrender said:
@coliver While I understand why you say that, even Network Nerd made mention that I will have better results from something like Cox's connection versus directly over the internet.
Out of curiosity how is Cox's connection not directly over the internet? I'm assuming they are your provider (or would be)?
Cox does provide Internet. But the last mile is not Internet, it is just a WAN link. If they provide a service directly over that WAN link it is not over the public internet but over a private network. It is no more part of the Internet than your internal LAN is (which is to say that in some ways it is as everything connected to the Internet is the Internet, but it is still a private, controlled, "portion" of the Internet.)
So if you were doing this, would you put a firewall on that connection?
-
@Dashrender said:
@scottalanmiller said:
@coliver said:
@Dashrender said:
@coliver While I understand why you say that, even Network Nerd made mention that I will have better results from something like Cox's connection versus directly over the internet.
Out of curiosity how is Cox's connection not directly over the internet? I'm assuming they are your provider (or would be)?
Cox does provide Internet. But the last mile is not Internet, it is just a WAN link. If they provide a service directly over that WAN link it is not over the public internet but over a private network. It is no more part of the Internet than your internal LAN is (which is to say that in some ways it is as everything connected to the Internet is the Internet, but it is still a private, controlled, "portion" of the Internet.)
So if you were doing this, would you put a firewall on that connection?
Normally if you aren't using hub and spoke for internet (to route all internet traffic through one site) you'll be using this connection for your internet uplink as well so you will have some sort of firewall/router on it.
-
@thecreativeone91 said:
Normally if you aren't using hub and spoke for internet (to route all internet traffic through one site) you'll be using this connection for your internet uplink as well so you will have some sort of firewall/router on it.
Not in this case. I will be presented with 2 connections, one that is real internet route able IPs, and a second that will have a preassigned IP on my network. Completely separate.
-
@Dashrender said:
@scottalanmiller said:
@coliver said:
@Dashrender said:
@coliver While I understand why you say that, even Network Nerd made mention that I will have better results from something like Cox's connection versus directly over the internet.
Out of curiosity how is Cox's connection not directly over the internet? I'm assuming they are your provider (or would be)?
Cox does provide Internet. But the last mile is not Internet, it is just a WAN link. If they provide a service directly over that WAN link it is not over the public internet but over a private network. It is no more part of the Internet than your internal LAN is (which is to say that in some ways it is as everything connected to the Internet is the Internet, but it is still a private, controlled, "portion" of the Internet.)
So if you were doing this, would you put a firewall on that connection?
Depends what it is exposed to on your end. What a lot of people do in a situation like this is having the phones on their own network with nothing exposed except the phones. If the PBX is the absolutely only thing on the connection and the phones are behind the PBX then the only real risk here is your PBX being compromised and if this is supposed to be a private network and any compromise would be legally the responsibility of the ISP then I'd skip the firewall because you aren't looking at company damage or loss of trade secrets that you cannot recoup, only financial costs that you could hold the ISP accountable for.
-
The problem with this is putting the phones on it's own network mean (I assume) you can't run the PC's through the phones.
-
@Dashrender said:
The problem with this is putting the phones on it's own network mean (I assume) you can't run the PC's through the phones.
Actually you can with Voice VLANs.
-
@thecreativeone91 said:
@Dashrender said:
The problem with this is putting the phones on it's own network mean (I assume) you can't run the PC's through the phones.
Actually you can with Voice VLANs.
I was wondering if this was going to be good enough considering Scott's recommendation? As long as I don't recreate a route between the VLANs I guess it should be.
-
@thecreativeone91 said:
@Dashrender said:
The problem with this is putting the phones on it's own network mean (I assume) you can't run the PC's through the phones.
Actually you can with Voice VLANs.
That's true. That would be another pretty solid layer of security. VLANs are very secure. It's not quite the same as full physical separation, but it is really close. And we are talking about a second layer of pretty extreme separation, both needing to be compromised in order for there to be a risk. I would be pretty comfortable with that.
-
@Dashrender said:
I was wondering if this was going to be good enough considering Scott's recommendation? As long as I don't recreate a route between the VLANs I guess it should be.
Right, you would want to keep them as gapped as possible.