Ideas for securing network from unsecured devices

Unanswered Question
Apr 7th, 2010

Below is the scenario I was presented with.  My first thought was to suggest small ASAs at each endpoint and have them centrally managed with a Security Manager server.  The devices are medical imaging, etc., that the vendors are not willing to let the customer control, load patches or otherwise secure from viruses and other vulnerabilities.  This could potentially become hundreds of devices if the solution makes sense.

Any ideas would be appreciated.

As we discussed yesterday, here is some information on the solution we're looking for to provide security for our unpatched devices.  We're looking for some sort of Isolation Appliance that would sit between the Unsecure Device and our network, that would provide protection equivalent to a fully patched OS running antivirus software.  Ideally, the Isolation Appliance would meet the following criteria:

Would protect Unsecured Device from malicious activity occurring on our network and, if the Unsecured Device did get infected, would prevent malicious activity from being transmitted to network.

Would not require any modification of Unsecured Device or software/clients to be loaded on Unsecured Device.  Possible exception would be a change of IP on the Unsecured Device.

Would be able to plug into whatever VLAN exists at the site and communicate using the IP originally assigned to the Unsecured Device (to minimize the need to make configuration changes on any remote hosts to which the Unsecured Device communicates.)

Would be administered via a Centralized Management System.  If Isolation Appliance makes use of a rule base, the rule base would be managed through the Centralized Management System.

Kureli Sankar Wed, 04/07/2010 - 17:20

ASA with an Ironport solution.

http://www.ironport.com/products/ironport_s660.html

The Cisco-IronPort S-Series web security appliance is the industry's first and only secure web gateway to combine next generation Web Usage Controls, reputation filtering, malware filtering and data security on a single platform to address these risks.

-KS

David Schau Thu, 04/08/2010 - 08:53

I don't know that the Ironport would fit very well for this unfortunately.  These devices would be spread out over many locations and it would probably be very difficult to make this viable due to cost and complexity of getting the traffic to it.  They really want the solution to be more transparent, other than the protection they need.  On another note, is there any online demo of the Security Manager to learn more of how this could be used to manage policies?

Collin Clark Thu, 04/08/2010 - 09:28

It stinks when vendors won't secure things. The Ironport is not what you need. Since you have zero control of the end device, I guess that a firewall might be the best solution. It depends on the ports that need to be open for the device to function though. Most worms/virus/etc run on common ports nowadays. You can make them transparent which may help in deployment. You can download an eval of CSM here (requires CCO login). http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280033778

Hope it helps.
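As an added illustration of the transparent-firewall approach Collin describes (not a configuration from anyone in this thread), here is an ASA transparent-mode policy that keeps the device on its original IP and VLAN, admits only the flows the device needs in each direction, and logs everything else so an infected device shows up in the central manager's logs. The device address 10.0.0.10, its peer 10.0.0.20, the management address 10.0.0.250 and the use of DICOM port 104 are constructed assumptions; substitute the real hosts and ports the vendor documents.

```cisco
! Layer-2 (transparent) mode: the device keeps its own IP and the
! appliance needs no changes on remote hosts that talk to it.
firewall transparent
hostname isolation-fw-01
!
interface Ethernet0/0
 description Uplink to the site VLAN (network side)
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 description Unsecured device plugs in here (device side)
 nameif inside
 security-level 100
 no shutdown
!
! Management address for the appliance itself, in the same subnet
! as the protected device (assumed 10.0.0.0/24) so CSM can reach it.
ip address 10.0.0.250 255.255.255.0
!
! Network -> device: only the hosts and ports the device must accept.
! Everything else is denied and logged (protects the device).
access-list OUTSIDE_IN extended permit tcp host 10.0.0.20 host 10.0.0.10 eq 104
access-list OUTSIDE_IN extended permit icmp host 10.0.0.20 host 10.0.0.10 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Device -> network: the device may only initiate the flows it needs.
! Without this ACL a higher-security interface may reach lower-security
! interfaces freely, which would let an infected device spread.
access-list INSIDE_IN extended permit tcp host 10.0.0.10 host 10.0.0.20 eq 104
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Send the deny-logs to the central collector (assumed address) so a
! device that starts scanning or probing is visible without touching it.
logging enable
logging trap informational
logging host outside 10.0.0.100
```

The per-device differences are only the host addresses and permitted ports, which is the part that belongs in a centrally managed rule base rather than in each box.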
