Ideas for vendor workstation isolation

Unanswered Question

I have to install a vendor workstation on our network that I would like to isolate from the rest of our WAN. The workstation does not need to connect to any of our systems and only needs to be able to make a vpn connection with the vendors equipment. In the past we have built vlans for these types of machines and then created access lists on the switch that only allows the workstation to access its vpn peer ip, but this doesn't seem as secure as it could be.

could a GRE tunnel between the router at the site and our edge router or something similar work better in this situation. I think ideally we could provide that workstation with a public ip at our edge so it couldn't see anything within our network.

Thanks

Here is a brief overview of the network:

Vendor WS -> C2950 Switch -> C28xx RTR -> Optical Ethernet -> C3800 RTR -> C3750 Swiches -> 525 PIX -> C28xx RTR -> ISP

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Panos Kampanakis Wed, 09/08/2010 - 08:27

I don't think ACLs to allow one host only reach one ip is not secure.

Another potential solution is VACL (vlan ACLs) where you use ACLs to allow traffic in a vlan.

To isolate hosts also you can try private vlans. An isolated private vlan cannot talk to other hosts. I would suggest looking into http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

I hope it helps.

PK

Actions

This Discussion