Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
0
Helpful
3
Replies

Ideas for securing network from unsecured devices

David Schau
Level 1
Level 1

‎04-07-2010 04:21 PM - edited ‎03-11-2019 10:30 AM

Below is the scenario I was presented with.  My first thought was to suggest small ASAs at each endpoint and have then centrally managed with a Security Manager server.  The devices are medical imaging, etc that the vendors are not willing to let the customer control, load patches or otherwise secure from viruses and other vulnerabilites.  This could potentially become hundreds of devices if the solution makes sense.

Any ideas would be appreciated.

As we discussed yesterday, here is some information on the solution we're looking for to provide security for our unpatched devices.  We're looking for some sort of Isolation Appliance that would sit between the Unsecure Device and our network, that would provide protection equivalent to a fully patched OS running anitvirus software.  Ideally, the Isolation Appliance would meet the following criteria:

Would protect Unsecured Device from malicious activity occuring on our network and, if the Unsecured Device did get infected, would prevent malicious activity from being transmitted to network.

Would not require any modification of Unsecured Device or software/clients to be loaded on Unsecured Device.  Possible exception would be a change of IP on the Unsecured Device.

Would be able to plug into whatever VLAN exists at the site and communicate using the IP originally assigned to the Unsecured Device (to minimize the need to make configuration changes on any remote hosts to which the Unsecured Device communicates.)

Would be administered via a Centralized Management System.  If Isolation Appliance makes use of a rule base, the rule base would be managed through the Centralized Management System.

Labels:
0 Helpful
3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

‎04-07-2010 05:20 PM

ASA with an Ironport solution.

http://www.ironport.com/products/ironport_s660.html

The Cisco-IronPort S-Series web security appliance is the industry's first and only secure web gateway to combine next generation Web Usage Controls, reputation filtering, malware filtering and data security on a single platform to address these risks.

-KS

0 Helpful

David Schau
Level 1
Level 1
In response to Kureli Sankar

‎04-08-2010 08:53 AM

I don't know that the Ironport would fit very well for this unfortunately.  These devices would be spread out over many locations and it would probably be very difficult to make this viable due to cost and complexity of getting the traffic to it.  They really want the solution to more transparent other than the protection thay need.  On another note, is there any online demo of the Security Manager to learn more of how tis could be used to manage policies?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to David Schau

‎04-08-2010 09:28 AM

It stinks when vendors won't secure things. The Ironport is not what you need. Since you have zero control of the end device, I guess that a firweall might be the best solution. It depends on the ports that need to be open for the device to function though. Most worms/virus/etc run on common ports now a days. You can make them transparent which may help in deployment. You can download an eval of CSM here (requires CCO login). http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280033778

Hope it helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card