Secure LAN within existing office LAN

Solution 1:

First off: If you are under legal obligations to provide traffic separation, always get someone with the authority to do so to sign off on any plan as within the legal requirements before you begin implementing it. Depending on the specific legal requirements, it just might be that you will have to provide physically separate networks with no common trust point.

That said, I think you basically have three options: 802.1Q VLANs (better), multiple layers of NAT (worse), and physically separate networks (most secure, but also complicated and likely most expensive due to physical rewiring).

I'm assuming here that everything that is already wired up is Ethernet. One part of the overall Ethernet standard is what is known as IEEE 802.1Q, which describes how to establish distinct link-layer LANs on the same physical link. This is known as VLANs or virtual LANs (note: WLAN is completely unrelated and in this context normally stands for Wireless LAN and very often refers to one of the IEEE 802.11 variants). You can then use a higher-end switch (the cheap stuff that you can buy for home use generally doesn't have this feature; you want to look for a managed switch, ideally one that specifically advertises 802.1Q support, though be prepared to pay a premium for the feature) configured to segregate each VLAN to a set of (possibly just one) port(s). On each VLAN, then, common consumer switches (or NAT gateways with an Ethernet uplink port, if desired) can be used to further distribute traffic within the office unit.

The upside of VLANs, compared to multiple layers of NAT, is that it's completely independent of the type of traffic on the wires. With NAT, you are stuck with IPv4 and maybe IPv6 if you are lucky, and also have to contend with all the traditional headaches of NAT because NAT breaks end-to-end connectivity (the simple fact that you can get a directory listing from an FTP server through NAT is a testimony to the ingenuity of some of the people who work with that stuff, but even those workarounds usually assume that there is only one NAT along the connection route); with VLANs, because they use an addition to the Ethernet frame, literally anything that can be transferred over Ethernet can be transferred over VLAN Ethernet and end-to-end connectivity is preserved, so as far as IP is concerned, nothing has changed except the set of nodes that are reachable on the local network segment. The standard allows for up to 4,094 (2^12 - 2) VLANs on a single physical link, but specific equipment may have lower limits.

Hence my suggestion:

  • Check to see if the master equipment (what's in that big rack of switches in the network room) supports 802.1Q. If it does, then find out how to configure it, and set it up correctly. I would recommend starting out by doing a factory reset, but make sure you don't lose any important configuration by doing so. Be certain to properly advise anyone who relies on that connectivity that there are going to be service disruptions while you do this.
  • If the master equipment doesn't support 802.1Q, find some that does and meets your needs in terms of number of VLANs, number of ports, and so on, and buy it. Then find out how to configure it, and set it up correctly. This does have the bonus that you could keep it separate while setting things up, reducing downtime for any existing users (you would set it up first, then remove the old equipment and hook up the new, so the downtime would be limited to basically how long you need to unplug and re-plug everything).
  • Have each office unit use a switch, or a home or small business "router" (NAT gateway) with an Ethernet uplink port, to further distribute network connectivity among their own systems.

When you configure the switches, absolutely do make sure to limit each VLAN to its own set of ports, and make sure all of those ports go only to a single office unit. Otherwise, the VLANs will be little more than courtesy "do not disturb" signs.

Because the only traffic that reaches each unit's Ethernet outlets would be their own (thanks to your configuring separate, segregated VLANs), this should provide adequate separation without requiring you to rewire everything as truly physically separate networks.

Also, especially if you implement VLANs or end up rewiring everything, do take the opportunity to correctly tag all cables with unit and port numbers! It will take some extra time, but will be more than worth it going forward, especially if there is any kind of network problem in the future. Check out "I've inherited a rat's nest of cabling. What now?" on Server Fault for some helpful hints.
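The following is an added illustration, not part of the answer above, of the two mechanisms the answer relies on: the 4-byte 802.1Q tag that is inserted into the Ethernet frame (which is why anything carried over Ethernet still works), and the access-port rule that keeps each VLAN on its own set of ports. It also includes an audit helper for the "VLAN spanning more than one office unit" misconfiguration the answer warns about. The port names, VLAN IDs, MAC addresses and office-unit assignments are constructed for the example; the switch model is deliberately minimal (flooding, no MAC learning, no trunk ports) and is not a real switch's configuration syntax.

```python
"""Model of 802.1Q tagging and per-port VLAN segregation (example code, not from the original page)."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
MIN_VID, MAX_VID = 1, 4094   # VID 0 (priority-only) and 4095 are reserved, hence 4,094 usable


def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame. If vid is given, insert the 4-byte 802.1Q tag
    (TPID + TCI) between the source MAC and the original EtherType; the rest of
    the frame is untouched, which is why the payload protocol does not care."""
    if vid is None:
        tag = b""
    else:
        if not MIN_VID <= vid <= MAX_VID:
            raise ValueError("VID %d outside %d..%d" % (vid, MIN_VID, MAX_VID))
        tci = (pcp << 13) | (dei << 12) | vid   # 3-bit PCP, 1-bit DEI, 12-bit VID
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return mac(dst) + mac(src) + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields of a frame; vid/pcp/dei are None when untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = dei = None
    body = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])   # the real EtherType follows the tag
        body = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "dei": dei, "ethertype": ethertype, "payload": frame[body:]}


class AccessSwitch:
    """Every port is an untagged access port in exactly one VLAN, i.e. the
    'limit each VLAN to its own set of ports' configuration from the answer."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # {port name: VID}

    def forward(self, ingress, frame):
        """Return the set of ports the frame is flooded to. No MAC learning, so
        every frame is treated like a broadcast; that is enough to show isolation."""
        header = parse_frame(frame)
        if header["vid"] is not None:
            # A tagged frame arriving on an access port is a host trying to pick
            # a VLAN the port was never assigned; drop it instead of honouring it.
            return set()
        vid = self.port_vlan[ingress]
        return {p for p, v in self.port_vlan.items() if v == vid and p != ingress}


def vlans_spanning_units(port_vlan, port_unit):
    """Audit helper: VLANs whose member ports reach more than one office unit.
    Any entry here is a VLAN that has become a 'do not disturb' sign, not a boundary."""
    units_by_vid = {}
    for port, vid in port_vlan.items():
        units_by_vid.setdefault(vid, set()).add(port_unit[port])
    return {vid: sorted(units) for vid, units in units_by_vid.items() if len(units) > 1}


# Constructed topology: VLAN 20 has accidentally been patched through to unit-C.
PORT_VLAN = {"gi1": 10, "gi2": 10, "gi3": 20, "gi4": 20, "gi5": 20}
PORT_UNIT = {"gi1": "unit-A", "gi2": "unit-A", "gi3": "unit-B", "gi4": "unit-B", "gi5": "unit-C"}

if __name__ == "__main__":
    switch = AccessSwitch(PORT_VLAN)
    arp = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00\x01")
    print("untagged broadcast from gi1 reaches:", switch.forward("gi1", arp))
    hop = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00\x01", vid=20)
    print("tagged VID 20 frame from gi1 reaches:", switch.forward("gi1", hop))
    print("VLANs crossing unit boundaries:", vlans_spanning_units(PORT_VLAN, PORT_UNIT))
```

The audit helper is the check to run against the switch's port map before declaring the separation adequate: a VLAN that appears in more than one unit's ports is exactly the configuration the answer says reduces VLANs to courtesy signs.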