
Allowing public Internet on private network

PaulWelc
Level 1

We have a few sales vendors that need to get access to the Internet when they come on-site. What is the best way to protect our network while allowing different vendors to use their laptops? My biggest fear is they bring in an infected laptop and it spreads to our network. Put them on a separate VLAN?

3 Replies

mrchongo
Level 1

You'll need to go beyond simply establishing another "untrusted" VLAN, since it's only protecting you until you get to that first router hop. Knowing nothing about your network, I'll assume that you want to enable "guest" access at every LAN port and over wireless. Enable dot1x port security on your switch ports. Establish an "untrusted" VLAN that becomes the "home of the homeless" for unauthenticated laptops (those without a cert from your certificate server). Firewall that VLAN off on your switches, routers and ASA/PIX appliances so that the ONLY path that they have is outbound to the Internet. That will save you from layer 3 (IP) threats.
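
The "ONLY path is outbound to the Internet" requirement in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it walks a guest-VLAN ACL in first-match order and reports any rule that lets guest traffic reach an internal range. The ACL text, the guest subnet `192.168.99.0/24`, the function names, and the choice of the RFC 1918 ranges as "internal" are assumptions made for illustration.

```python
import ipaddress

# Assumption: "internal" means the RFC 1918 ranges; substitute your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample ACLs (IOS extended-ACL style), applied inbound on the guest VLAN.
WEAK_ACL = """\
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
"""
HARDENED_ACL = """\
permit udp any host 192.0.2.53 eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def _net(tokens):
    """Consume one address spec (any | host A | A WILDCARD); wildcard is inverted to a netmask."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0))))
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def parse_acl(text):
    """Ordered (action, src, dst) rules; destination port qualifiers are ignored."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny"):
            action, _proto = tokens.pop(0), tokens.pop(0)
            rules.append((action, _net(tokens), _net(tokens)))
    return rules

def internal_paths(acl_text, guest_net):
    """(internal_range, rule_no) pairs that first-match evaluation permits for guests."""
    guest, findings = ipaddress.ip_network(guest_net), []
    for target in INTERNAL:
        for rule_no, (action, src, dst) in enumerate(parse_acl(acl_text), 1):
            if not (src.overlaps(guest) and dst.overlaps(target)):
                continue
            if action == "permit":
                findings.append((str(target), rule_no))
                break
            if guest.subnet_of(src) and target.subnet_of(dst):
                break  # deny covers the whole range: nothing later can match
    return findings
```

Because port qualifiers are ignored, a permit limited to one port is still reported as a path into the internal range, which errs on the side of flagging.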

jackko
Level 7

The best approach is to implement Cisco NAC.

Basically, a laptop will not get any connectivity before verifying the OS patch level as well as the anti-virus updates.

Have a look at the Cisco page:

http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html

Thanks Jackko, I was also thinking of NAC. The only thing is I have a dept head that wants this by next week, imagine that, LOL. I may set up another DMZ and VLAN that port off; I think that should protect us.
