New Member

"secure" path out to the net for vendors

Dear Pros:

I am looking to give my users full access to the production network, but vendors without credentials access only to the Internet. Unfortunately, a lot of our internal web content is wide open, and management is concerned that vendors could get access to these websites.

Is there a way to route a vendor directly out to the Internet, without exposing any internal resources? I realize there are details to address such as name resolution and IP addressing, but let's put those aside for a minute and just focus on securing a route out.

PS: now that I think about it, I could create a VLAN and attach it to an interface outside our Internet-facing firewall, but is there another way?

thanks!

7 REPLIES

Re: "secure" path out to the net for vendors

Hello,

There are several possibilities depending on the type of equipment in place.

On a router you could use policy routing to send traffic from specific source IPs out a specific interface. This approach is not among the most scalable ones. From a security point of view this is somewhat cumbersome, because PBR will only work if the outgoing interface is available. If not, then normal IP routing kicks in again and the users will be treated all the same.

You could use a firewall to sort out the privileges. Placing the less privileged users in a separate VLAN would be one option, IF you can make sure they cannot access other VLANs. 802.1x could be one way to go to assure proper VLAN placement of users.

Generally I would recommend using a firewall in a security-relevant environment. That's, after all, one purpose a firewall has been built for.

Hope this helps! Please rate all posts.

Regards, Martin
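As an added illustration of the PBR approach (and of the failure mode Martin points out), here is an IOS configuration that is not from this thread or from any poster. It forces traffic sourced from an assumed vendor VLAN out a dedicated Internet next hop, tracks that next hop with IP SLA, and discards vendor traffic rather than letting it fall back into the normal routing table when the path is down. The VLAN number, addresses, interface names and the tracked next hop are all assumptions.

```cisco
! Added example, not from the thread. All addresses, VLAN and interface
! names are assumptions.
!
! Vendor/guest subnet on its own VLAN interface, with PBR applied inbound.
interface Vlan200
 description Vendor VLAN (assumed)
 ip address 10.200.0.1 255.255.255.0
 ip policy route-map VENDOR-TO-INET
!
! Only vendor sources are matched; everyone else keeps normal routing.
ip access-list extended VENDOR-SRC
 permit ip 10.200.0.0 0.0.0.255 any
!
! Probe the ISP next hop so PBR can tell when the path is gone.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map VENDOR-TO-INET permit 10
 match ip address VENDOR-SRC
 ! Use the Internet next hop only while track 1 reports it reachable.
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 ! Fallback when the next hop is down: drop the traffic on Null0 instead
 ! of letting it fall through to the routing table, where vendor packets
 ! would be forwarded like everyone else's.
 set interface Null0
```

`show track 1` and `show route-map VENDOR-TO-INET` show whether the next hop is currently considered reachable and how many packets the policy has matched; the Null0 fallback is what turns "link down" into "vendors lose Internet" rather than "vendors reach the internal network".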

New Member

Re: "secure" path out to the net for vendors

Thanks for the response. Perhaps I didn't point out the fact that I am using a 4404 and AP 1130s on the wireless side. The internal routers are all Cisco, if that helps.

New Member

Re: "secure" path out to the net for vendors

I am going through this exact scenario. Be forewarned that the way DHCP works with the 4400 controllers leaves a lot to be desired. We are trying to have a guest WLAN be cordoned off with an ASA, but the way the ASA handles non-broadcast DHCP traffic is to drop it, and there is no workaround according to TAC. We are now looking at ACLs on the WLAN but we don't feel super secure doing that. If anyone has suggestions I would love to hear them. Thanks.

New Member

Re: "secure" path out to the net for vendors

Come on Cisco engineers...share the love! According to the video on site, this is how their system is set up.

New Member

Re: "secure" path out to the net for vendors

Something similar to what you've described. Create another dynamic interface (VLAN) and create a WLAN (SSID) just for your vendors.

The other method, and this is what we're considering, is using a smaller (older) controller (4101, or a 4024) and anchoring (Mobility Anchor) the WLAN on that controller. We'd place this controller outside our firewall. The controllers would set up GRE tunnels between themselves (this happens automagically when you place them in mobility groups), so the traffic would be essentially tunneled outside of your local network and dropped off outside of your firewall.

This is a relatively new feature, only since the 3.2 release train of code.

New Member

Re: "secure" path out to the net for vendors

By far the easiest and most secure way I've found to do this is to purchase a DSL connection, stick a small firewall on it (Pix 505), and create a VLAN with this router to the DSL as the gateway. Create this VLAN on your access points and broadcast your SSID (or not). This gives vendors access to the Internet and doesn't compromise your network at all. This is not the cheapest solution, however.

New Member

Re: "secure" path out to the net for vendors

Maybe this won't work for your setup, but I have just completed a full-scale install with 1121s, 1130, 1231, and 1310 radios managed by a WLSE. I used a Cisco switch to connect the APs and trunked them so there are separate VLANs, then terminated them onto a dot1q trunk to a 2621XM router. I then firewalled the router so one VLAN can't see the other, and set up WPA authentication for the Guest SSID, and LEAP for the Voice network and management network, and for their internal network I am going to be setting up Active Directory authentication through the WLSE. The Guests can get out onto the Internet, but can't get anywhere else on the LAN. I restricted it to data only, no voice QoS on that VLAN either, and the 2621XM controls all QoS so a guest can overrun the voice VLAN.

If your router supports 802.1q trunking, and you have a fairly recent Cisco switch, trunk into the AP, then set up VLANs for access to the Internet for guests and then put in an ACL on the interfaces to control who goes where.
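To make the router-on-a-stick design in the reply above concrete, here is an added IOS configuration that is not from this thread or any poster. It carries the internal and guest VLANs over a dot1q trunk into an assumed 2621XM-style router and applies an inbound ACL on the guest subinterface so guests can reach the Internet but none of the RFC 1918 space the other VLANs live in. VLAN numbers, addresses, interface names, and the assumption that the router itself answers DHCP and DNS for the guest VLAN are all mine.

```cisco
! Added example, not from the thread. VLAN numbers, addresses and
! interface names are assumptions.
!
interface FastEthernet0/0
 description dot1q trunk to the access switch and APs (assumed)
 no ip address
!
interface FastEthernet0/0.10
 description Internal data VLAN (assumed)
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/0.30
 description Guest/vendor VLAN (assumed)
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface FastEthernet0/1
 description Internet uplink (assumed)
 ip address 203.0.113.2 255.255.255.252
!
! Guest filter, evaluated inbound on the guest subinterface:
!  1. allow DHCP so guests can get a lease
!  2. allow DNS to the router's guest-VLAN address (assumed resolver)
!  3. deny every RFC 1918 range, which covers all internal VLANs
!  4. allow anything else sourced from the guest subnet out to the Internet
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.30.0.0 0.0.0.255 host 10.30.0.1 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.30.0.0 0.0.0.255 any
 deny   ip any any
```

Because the deny lines match on destination rather than on a list of internal subnets, adding a new internal VLAN later does not open a hole in the guest filter. `show ip access-lists GUEST-IN` shows per-line hit counts, which is a quick way to confirm that guest traffic toward internal addresses is actually being dropped rather than silently permitted by a later line.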
