Below is the scenario I was presented with. My first thought was to suggest small ASAs at each endpoint and have them centrally managed with a Security Manager server. The devices are medical imaging, etc. that the vendors are not willing to let the customer control, load patches or otherwise secure from viruses and other vulnerabilities. This could potentially become hundreds of devices if the solution makes sense.
Any ideas would be appreciated.
As we discussed yesterday, here is some information on the solution we're looking for to provide security for our unpatched devices. We're looking for some sort of Isolation Appliance that would sit between the Unsecure Device and our network, that would provide protection equivalent to a fully patched OS running antivirus software. Ideally, the Isolation Appliance would meet the following criteria:
Would protect Unsecured Device from malicious activity occurring on our network and, if the Unsecured Device did get infected, would prevent malicious activity from being transmitted to network.
Would not require any modification of Unsecured Device or software/clients to be loaded on Unsecured Device. Possible exception would be a change of IP on the Unsecured Device.
Would be able to plug into whatever VLAN exists at the site and communicate using the IP originally assigned to the Unsecured Device (to minimize the need to make configuration changes on any remote hosts to which the Unsecured Device communicates.)
Would be administered via a Centralized Management System. If Isolation Appliance makes use of a rule base, the rule base would be managed through the Centralized Management System.
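As an added example (not code from the original post or from any vendor named in it), here is what one such Isolation Appliance could look like when built from a Linux box with two NICs: a bridge with no IP address of its own, so the device keeps its original IP and VLAN, and an nftables bridge-family ruleset that is default-deny in both directions, with only the device's one legitimate peer allowed through. Interface names (eth_dev, eth_net), the device and peer addresses, and the port are assumed placeholders; central management would then push the same generated ruleset to each appliance.

```shell
#!/bin/sh
# Added example: transparent-bridge isolation for one unpatched device.
# Assumptions (not from the original post): eth_dev faces the device,
# eth_net faces the site VLAN, and the device only ever needs to talk to
# one peer service (PEER_IP:PEER_PORT). Conntrack on bridge hooks needs
# kernel >= 5.3 (nf_conntrack_bridge). IPv6 is simply dropped by policy.

# Print the per-device ruleset; nothing is applied here.
gen_isolation_ruleset() {
  dev_ip="$1"; peer_ip="$2"; peer_port="$3"
  cat <<EOF
flush ruleset
table bridge isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to flows that were already permitted below
    ct state established,related accept
    # device -> network: only new connections to its one peer service
    iifname "eth_dev" ip saddr $dev_ip ip daddr $peer_ip tcp dport $peer_port ct state new accept
    # network -> device: only that same peer may initiate (narrow the port if known)
    iifname "eth_net" ip saddr $peer_ip ip daddr $dev_ip ct state new accept
    # ARP must pass or the device is unreachable at its original IP
    ether type arp accept
    # everything else, in either direction, is logged then dropped
    log prefix "isolation-drop " drop
  }
}
EOF
}

# Build the IP-less bridge and load the ruleset; needs root, iproute2, nft.
apply_isolation() {
  ip link add br0 type bridge
  ip link set eth_dev master br0
  ip link set eth_net master br0
  ip link set br0 up; ip link set eth_dev up; ip link set eth_net up
  gen_isolation_ruleset "$@" | nft -f -
}

# Usage (constructed values): ./isolate.sh apply 10.0.5.20 10.0.5.10 104
if [ "${1:-}" = "apply" ]; then shift; apply_isolation "$@"; fi
```

The management interface of the appliance should be a third NIC (or an out-of-band VLAN) that is not enslaved to br0, so the rule base is administered without ever exposing a management service on the device's segment.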