We have a few sales vendors that need to get access to the Internet when they come on-site. What is the best way to protect our network while allowing different vendors to use their laptops? My biggest fear is they bring in an infected laptop and it spreads to our network. Put them on a separate VLAN?
You'll need to go beyond simply establishing another "untrusted" VLAN, since it's only protecting you until you get to that first router hop. Knowing nothing about your network, I'll assume that you want to enable "guest" access at every LAN port and over wireless. Enable dot1x port security on your switch ports. Establish an "untrusted" VLAN that becomes the "home of the homeless" for unauthenticated laptops (those without a cert from your certificate server). Firewall that VLAN off on your switches, routers and ASA/PIX appliances so that the ONLY path that they have is outbound to the Internet. That will save you from layer 3 (IP) threats.
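A worked Cisco IOS switch configuration for the setup described in the answer above (802.1X on access ports, a guest VLAN for laptops without a cert, and an ACL that only lets that VLAN out to the Internet). This is an added example, not the poster's config; VLAN 10 (corporate), VLAN 900 (guest), the RADIUS server 10.1.1.5, the 192.168.200.0/24 guest subnet and the interface range are all assumptions.

```cisco
! Added example (not from the thread). Assumptions: VLAN 10 = corporate,
! VLAN 900 = untrusted guest VLAN, RADIUS at 10.1.1.5 validates the
! certificates issued by the internal CA (EAP-TLS), guest subnet is
! 192.168.200.0/24. All addresses are constructed for illustration.
aaa new-model
aaa authentication dot1x default group radius
radius server CORP-RADIUS
 address ipv4 10.1.1.5 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
! Access ports: a laptop that authenticates lands in VLAN 10. One with no
! supplicant / no cert (no response) or a failed auth is parked in VLAN 900.
! "switchport protected" keeps guests on this switch from talking to each
! other at layer 2, which the SVI ACL below cannot do.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
 authentication port-control auto
 authentication event no-response action authorize vlan 900
 authentication event fail action authorize vlan 900
 dot1x pae authenticator
 spanning-tree portfast
!
! Guest VLAN gateway: permit DHCP and DNS to the guest gateway itself,
! deny every RFC 1918 range (so no path to any internal subnet, not just
! the ones you remember), then allow everything else out to the Internet.
ip access-list extended GUEST-INTERNET-ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.200.1 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan900
 description Untrusted guest VLAN - Internet only
 ip address 192.168.200.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
```

The same deny-RFC1918-then-permit logic should be repeated on the ASA/PIX egress so the guest VLAN stays Internet-only even if a switch ACL is later edited; verify with `show authentication sessions` that unauthenticated ports really land in VLAN 900.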
Thanks Jackko, I was also thinking of NAC. Only thing is I have a dept head that wants this by next week, imagine that, LOL. I may set up another DMZ and VLAN that port off; I think that should protect us.