03-14-2006 10:40 AM - edited 03-09-2019 02:15 PM
We have a few sales vendors that need to get access to the Internet when they come on-site. What is the best way to protect our network while allowing different vendors to use their laptops? My biggest fear is they bring in an infected laptop and it spreads to our network. Put them on a separate VLAN?
03-14-2006 12:53 PM
You'll need to go beyond simply establishing another "untrusted" VLAN, since it's only protecting you until you get to that first router hop. Knowing nothing about your network, I'll assume that you want to enable "guest" access at every LAN port and over wireless. Enable dot1x port security on your switch ports. Establish an "untrusted" VLAN that becomes the "home of the homeless" for unauthenticated laptops (those without a cert from your certificate server). Firewall that VLAN off on your switches, routers and ASA/PIX appliances so that the ONLY path they have is outbound to the Internet. That will save you from layer 3 (IP) threats.
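One way the untrusted-VLAN approach in the reply above can be expressed on a Catalyst switch running IOS, as an added example and not configuration from the thread. VLAN numbers, interface names, the RADIUS server address, the guest subnet and the RFC1918 ranges treated as "internal" are assumptions; the same deny-internal/permit-Internet rule set would be mirrored on the ASA/PIX the reply mentions.

```cisco
! Added example (not from the original thread). Assumed: VLAN 10 = corporate,
! VLAN 99 = guest/untrusted, RADIUS at 10.1.1.5, guest subnet 192.168.99.0/24.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.5 key <radius-shared-secret>   ! placeholder key
dot1x system-auth-control

vlan 99
 name GUEST-UNTRUSTED

! Access ports: corporate laptops authenticate with 802.1X and land in VLAN 10.
! A laptop with no supplicant/cert (a vendor box) is dropped into VLAN 99 instead,
! and one that fails authentication goes there too rather than onto the LAN.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 spanning-tree portfast

! Guest SVI filter: the ONLY path out of VLAN 99 is the Internet.
! DHCP is allowed first so leases/renewals work even when the server is internal;
! every internal range is then denied (and logged, so an infected laptop probing
! the LAN shows up in syslog) before the catch-all permit for Internet traffic.
ip access-list extended GUEST-OUTBOUND-ONLY
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any

interface Vlan99
 description Guest / untrusted - outbound Internet only
 ip address 192.168.99.1 255.255.255.0
 ip access-group GUEST-OUTBOUND-ONLY in
```

Guest-to-guest traffic inside VLAN 99 is switched at layer 2 and never hits the SVI ACL, so if vendor laptops must also be isolated from each other, that needs a port-level control (protected ports or a port ACL) in addition to the above.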
03-14-2006 10:38 PM
The best approach is to implement Cisco NAC.
Basically, a laptop will not get any connectivity before verifying the OS patch level as well as the anti-virus updates.
Have a look at the Cisco page:
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
03-15-2006 08:01 AM
Thanks Jackko, I was also thinking of NAC. Only thing is, I have a dept head that wants this by next week, imagine that, LOL. I may set up another DMZ and VLAN that port off; I think that should protect us.