From a network perspective, we cater for two types of client: those who have their own firewall or router and would like public, unfiltered and untranslated IPs (Unmanaged), and those who would like us to provide this service for them (Managed).
For Clients that want to have an Unmanaged Network
Some clients prefer to manage their own networks, and want responsibility for their own IP addressing, security and routing. When a client does this we lose the ability to perform in-depth support for their network, especially their local network (or LAN), as we have no visibility of it. There are many different styles of unmanaged network deployment; some involve our equipment more than others.
Generally we will require a customer to install their own router or firewall under the following circumstances:
- They wish to operate their own DHCP Scope (Private IP Address range)
- They wish to host services that require an inbound IP translation, such as email or remote access
- They wish to set up a permanent IPSec VPN (Virtual Private Network) tunnel
- They have complex/bespoke security policies
- They have their own Voice system - see this article - Client owned Phone Systems and Connect
Customers who install their own router/firewall device will be issued a Public IP (either from a /30 or a /29), and their traffic will be carried at layer 2 past our shared firewall. There is no need for ACLs at this level, as the IPs are public.
How this will be set up...
To understand how this needs to be set up, please see this article - Activating a Public IP or Unmanaged Network
This article explains the Public IP service in more detail and how to add this on Connect.
Once the service is set up and activated on Connect, the Public IP details will be available for the client via the Service Guide.
For Clients that require a Managed Network
Essentially, essensys is responsible for managing all aspects of a managed network.
A managed network is how we would refer to a network which is created, configured and supported by Connect and the essensys switches in your comms/server room. Most of the clients in your building will use a managed network, as it allows you to easily add and change ports, create WiFi networks and monitor their usage in great detail. Managed networks are simple for us to support as we have full visibility of them, A-Z.
This is done through our shared firewall offering, which allows any traffic outbound and no traffic inbound. We do not set up port or static NAT translations, as this would compromise the overall security of the offering and greatly increase the difficulty of managing the service.
We will issue a customer with a /24 network from the 172.16.0.0/12 RFC1918 block, and set up a DHCP scope for them. The DHCP scope will follow a standard structure, with .1 being the router, and .2-.20 being excluded from the scope for use on servers/printers/etc. The Private IP details will be available for the client via the Service Guide.
ACLs will prevent routing between 172.16 networks, other than into the utilities network, in order to isolate customer networks from each other. The firewall will NAT the 172.16 addresses to its external IP, which is then routed out to the Internet.
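The following is an added example (not essensys' own tooling or configuration) that models the two rules above in code: the standard DHCP scope layout for a customer /24 drawn from 172.16.0.0/12, and the isolation policy that allows a customer VLAN to reach its own subnet, the utilities network and the Internet (via the firewall's NAT) but not another customer's 172.16 range. The utilities network address (172.16.0.0/24), the customer subnets and the ACL line format are assumptions made for the example, as the article does not state them.

```python
import ipaddress
from dataclasses import dataclass

# Aggregate from which customer /24s are issued (stated in the article).
CUSTOMER_AGGREGATE = ipaddress.ip_network("172.16.0.0/12")
# The article mentions a utilities network reachable from every customer
# VLAN but gives no address; this value is a placeholder for the example.
UTILITIES_NET = ipaddress.ip_network("172.16.0.0/24")


@dataclass
class DhcpScope:
    network: ipaddress.IPv4Network
    router: ipaddress.IPv4Address       # .1
    reserved: tuple                     # .2-.20, excluded from dynamic allocation
    pool_start: ipaddress.IPv4Address   # first dynamically allocated address
    pool_end: ipaddress.IPv4Address     # last dynamically allocated address


def build_scope(cidr: str) -> DhcpScope:
    """Apply the standard structure: .1 router, .2-.20 excluded, rest dynamic."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != 24 or not net.subnet_of(CUSTOMER_AGGREGATE):
        raise ValueError(f"{cidr} is not a /24 inside {CUSTOMER_AGGREGATE}")
    hosts = list(net.hosts())          # .1 .. .254
    return DhcpScope(
        network=net,
        router=hosts[0],               # .1
        reserved=tuple(hosts[1:20]),   # .2 .. .20 (19 addresses)
        pool_start=hosts[20],          # .21
        pool_end=hosts[-1],            # .254
    )


def acl_lines(customer_cidr: str) -> list:
    """Render the isolation policy for one customer VLAN as ordered, generic
    ACL lines (first match wins). The syntax is illustrative only."""
    net = ipaddress.ip_network(customer_cidr, strict=True)
    src = f"{net.network_address} {net.hostmask}"
    return [
        # customer -> utilities network is allowed
        f"permit ip {src} {UTILITIES_NET.network_address} {UTILITIES_NET.hostmask}",
        # customer -> any other 172.16.0.0/12 address (another customer) is denied
        f"deny ip {src} {CUSTOMER_AGGREGATE.network_address} {CUSTOMER_AGGREGATE.hostmask}",
        # everything else is outbound to the Internet and is NATed by the firewall
        f"permit ip {src} any",
    ]


def flow_permitted(src_ip: str, dst_ip: str) -> bool:
    """Evaluate a customer-originated flow against the isolation policy.
    Traffic within one /24 never reaches the router, so it is allowed here;
    return traffic for permitted flows is assumed to be handled statefully."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst in UTILITIES_NET:
        return True
    if dst in CUSTOMER_AGGREGATE:
        same_subnet = (ipaddress.ip_network(f"{src}/24", strict=False)
                       == ipaddress.ip_network(f"{dst}/24", strict=False))
        return same_subnet
    return True  # Internet-bound; leaves via the firewall's NAT


if __name__ == "__main__":
    scope = build_scope("172.16.5.0/24")   # constructed customer subnet
    print(f"router {scope.router}, reserved {scope.reserved[0]}-{scope.reserved[-1]}, "
          f"pool {scope.pool_start}-{scope.pool_end}")
    for line in acl_lines("172.16.5.0/24"):
        print(line)
    print(flow_permitted("172.16.5.30", "172.16.6.30"))  # cross-customer: False
```

The same structure scales to every customer /24: only the source range in the ACL changes, which is what makes the managed offering easy to support in bulk.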
On the majority of our sites we use 802.1X authentication (WPA2 Enterprise), which involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The authenticator is a network device, such as an Ethernet switch or wireless access point, and the authentication server is typically a host running software that supports the RADIUS and EAP protocols.
The WiFi network is set up in the same way as the managed and unmanaged networks above, with the extension that the customer's network is also broadcast over WiFi. Because the customer's login details and accounts are set up against their VLANs, devices only connect to, and stay within, their respective network.
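To make the three-party exchange and the VLAN binding concrete, here is an added example (not essensys' code) that simulates the 802.1X flow between a supplicant, an authenticator and a RADIUS server. The user accounts, port names and VLAN numbers are constructed for the example; the EAP method is abstracted to an identity plus password check. The RADIUS VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the standard ones from RFC 3580, but the messages are modelled as Python dictionaries rather than real wire-format packets.

```python
import hmac
from dataclasses import dataclass, field

# Constructed account database: identity -> (password, customer VLAN).
# In production the authentication server holds each customer's accounts
# against that customer's VLAN; these values are made up for the example.
USERS = {
    "alice@acme.example": ("correct horse", 105),
    "bob@globex.example": ("battery staple", 106),
}


@dataclass
class Supplicant:
    identity: str
    password: str


@dataclass
class AuthServer:
    """Authentication server: answers RADIUS Access-Requests."""
    users: dict

    def access_request(self, identity: str, password: str) -> dict:
        entry = self.users.get(identity)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return {"code": "Access-Reject"}
        # Access-Accept carries the VLAN the port must be placed in (RFC 3580).
        return {
            "code": "Access-Accept",
            "Tunnel-Type": 13,                      # VLAN
            "Tunnel-Medium-Type": 6,                # IEEE-802
            "Tunnel-Private-Group-ID": str(entry[1]),
        }


@dataclass
class Authenticator:
    """Switch or access point: relays EAP to the server, controls the port."""
    server: AuthServer
    port_state: dict = field(default_factory=dict)  # port -> {"authorized", "vlan"}

    def connect(self, port: str, supplicant: Supplicant) -> list:
        """Run one authentication and return the message exchange as a log."""
        log = []
        # A freshly connected port is unauthorized: only EAPOL frames pass.
        self.port_state[port] = {"authorized": False, "vlan": None}
        log.append(("supplicant->authenticator", "EAPOL-Start"))
        log.append(("authenticator->supplicant", "EAP-Request/Identity"))
        log.append(("supplicant->authenticator",
                    f"EAP-Response/Identity {supplicant.identity}"))
        # The authenticator never decides itself; it forwards to RADIUS.
        log.append(("authenticator->server",
                    f"RADIUS Access-Request User-Name={supplicant.identity} NAS-Port={port}"))
        reply = self.server.access_request(supplicant.identity, supplicant.password)
        log.append(("server->authenticator", f"RADIUS {reply['code']}"))
        if reply["code"] == "Access-Accept":
            vlan = int(reply["Tunnel-Private-Group-ID"])
            self.port_state[port] = {"authorized": True, "vlan": vlan}
            log.append(("authenticator->supplicant", "EAP-Success"))
        else:
            log.append(("authenticator->supplicant", "EAP-Failure"))
        return log

    def forward(self, port: str, frame_type: str) -> str:
        """Port access control: EAPOL always passes; data frames pass only on an
        authorized port and are tagged with the server-assigned VLAN."""
        state = self.port_state.get(port, {"authorized": False, "vlan": None})
        if frame_type == "EAPOL":
            return "pass"
        if not state["authorized"]:
            return "drop"
        return f"forward on VLAN {state['vlan']}"


if __name__ == "__main__":
    auth = Authenticator(AuthServer(USERS))
    for direction, msg in auth.connect("Gi1/0/5", Supplicant("alice@acme.example", "correct horse")):
        print(f"{direction:28} {msg}")
    print(auth.forward("Gi1/0/5", "data"))   # forward on VLAN 105
```

The point the model makes is that the device's VLAN is not chosen by the device or the port configuration but returned by the authentication server with the Access-Accept, so a customer's account can only ever land its devices in that customer's network.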
Please see the below video to go through a Managed and Unmanaged network connection.