Cisco Support Community

New Member

Ideas for securing network from unsecured devices

Below is the scenario I was presented with.  My first thought was to suggest small ASAs at each endpoint and have them centrally managed with a Security Manager server.  The devices are medical imaging, etc., that the vendors are not willing to let the customer control, load patches on, or otherwise secure from viruses and other vulnerabilities.  This could potentially become hundreds of devices if the solution makes sense.

Any ideas would be appreciated.

As we discussed yesterday, here is some information on the solution we're looking for to provide security for our unpatched devices.  We're looking for some sort of Isolation Appliance that would sit between the Unsecure Device and our network, that would provide protection equivalent to a fully patched OS running antivirus software.  Ideally, the Isolation Appliance would meet the following criteria:

Would protect the Unsecured Device from malicious activity occurring on our network and, if the Unsecured Device did get infected, would prevent malicious activity from being transmitted to the network.

Would not require any modification of Unsecured Device or software/clients to be loaded on Unsecured Device.  Possible exception would be a change of IP on the Unsecured Device.

Would be able to plug into whatever VLAN exists at the site and communicate using the IP originally assigned to the Unsecured Device (to minimize the need to make configuration changes on any remote hosts to which the Unsecured Device communicates.)

Would be administered via a Centralized Management System.  If Isolation Appliance makes use of a rule base, the rule base would be managed through the Centralized Management System.

3 REPLIES
Cisco Employee

Re: Ideas for securing network from unsecured devices

ASA with an Ironport solution.

http://www.ironport.com/products/ironport_s660.html

The Cisco-IronPort S-Series web security appliance is the industry's first and only secure web gateway to combine next generation Web Usage Controls, reputation filtering, malware filtering and data security on a single platform to address these risks.

-KS

New Member

Re: Ideas for securing network from unsecured devices

I don't know that the Ironport would fit very well for this, unfortunately.  These devices would be spread out over many locations and it would probably be very difficult to make this viable due to the cost and complexity of getting the traffic to it.  They really want the solution to be more transparent, other than the protection they need.  On another note, is there any online demo of the Security Manager to learn more about how this could be used to manage policies?

Re: Ideas for securing network from unsecured devices

It stinks when vendors won't secure things. The Ironport is not what you need. Since you have zero control of the end device, I guess that a firewall might be the best solution. It depends on the ports that need to be open for the device to function, though. Most worms/viruses/etc. run on common ports nowadays. You can make them transparent, which may help in deployment. You can download an eval of CSM here (requires CCO login). http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280033778

Hope it helps.
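An added illustration of the transparent-firewall approach suggested in the last reply, not posted by anyone in the thread and not a Cisco reference configuration: an ASA in transparent (Layer 2) mode in front of one imaging device, so the device keeps its original IP and VLAN while only the traffic it needs is permitted in each direction and everything else is logged for tuning from the central management station. The addresses, hostname, management host, the DICOM port (TCP 104) and the 8.4+ bridge-group syntax are assumptions.

```cisco
! Added example (not from the thread): ASA as the "Isolation Appliance" in
! transparent mode. The imaging device keeps its original IP and VLAN; the ASA
! bridges between the switch port and the device and filters both directions.
! Assumed: ASA 8.4+ syntax, device 10.20.30.10, imaging server 10.20.30.100,
! management/syslog host 10.20.30.200 on the network side, DICOM on TCP 104.
firewall transparent
hostname isolation-fw-site01
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
! Management address for the bridge only; hosts do not route through it.
interface BVI1
 ip address 10.20.30.254 255.255.255.0
!
object network IMAGING_DEVICE
 host 10.20.30.10
object network IMAGING_SERVER
 host 10.20.30.100
!
! Network -> device: only the imaging server, only the imaging port. Shields the
! unpatched device from anything else on the network; the rest is denied and logged.
access-list OUTSIDE_IN extended permit tcp object IMAGING_SERVER object IMAGING_DEVICE eq 104
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Device -> network: only to the imaging server, only the imaging port. If the
! device is infected it cannot reach anything else, and attempts show up in syslog.
access-list INSIDE_IN extended permit tcp object IMAGING_DEVICE object IMAGING_SERVER eq 104
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Central management (e.g. Security Manager) and syslog: the deny logs tell you
! which further ports the vendor's device actually needs before you add rules.
http server enable
http 10.20.30.200 255.255.255.255 outside
logging enable
logging trap informational
logging host outside 10.20.30.200
```

The same rule base, with only the object addresses changed per site, can be pushed to each appliance from the central manager, which is what the requirement for a centrally managed rule base comes down to.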
