Security in network

[fs483]

Hello,

I'm in the process of setting up a new network and want to maximize security mostly from Internal threats. I have already ordered an ASA5510 with security bundle, 2 ESW540-24p-k9 switches and an Aironet 1141N with multiple SSIDs (public and private). An outside vendor will be setting up the VLAN/QOS for the IP phones once the model is decided. This question involves a multitude of configuration from different equipment.

How would I setup the following security on my network or is it even possible:

The IP phones will be located on a subnet 192.168.10.x and will get their IP from the Windows 2008 server. If an internal employee connects their PC or laptop (company owned or authorized personal lapotp) to either the wired network or the private SSID Access Point, they get an IP from the 192.168.2.x range and have full network access. If a guest connects their laptop to the wired network or public SSID Access Point, they will get an IP from a different range (10.10.10.x) and will only have access to the Internet. Those guests shouldn't be able to connect to the private Access Point unless an employee gives them the pass key. When the guests connects to either the wired or wireless network, they should be getting their IP from the DHCP server ideally on the ASA however, if not possible, the internal server (Windows 2008) can serve them IPs but using ISP DNS IP. Now to make matters even more complicated, could I allow a guest to access a printer that is located on the 192.168.2.x network? Many years ago, I had played around with MAC address filtering on the old Cisco switches but only to lock out completely guest access or only allow specific Nics to connect to specific ports on the switch. Now we need to allow the guest to access the Internet through our network. I know the solution will involve at least 3 VLANS (1 for the IP Phones, 1 for employee access and 1 for guest access) and some mac filtering (MACS of all authorized devices). Dedicating specifics wall jacks just for guests is not possible. We want to make the process as easy as possible because onsite IT is not always available. Am I asking for two much?

Thanks,
FS483

 

[fs483]

I just found out Link Layer Filtering from Windows 2008 should be able to do what I want. Wished that was available on Windows 2003.

 

[unclerico]

honestly your best bet is to enable 802.1x on all access ports to authenticate your internal devices while keeping guest machines off of your internal network. add port-security in there also as an added security measure.

require that all guests be able to connect wirelessly. by having your guests connect wirelessly you can grant access to the internet as well as grant them the ability to print to your printer. the only problem with this is that if your printer is on print server in a domain you'll need to have a domain user account setup for them to connect with. you might want to have a separate print server that is a member of a workgroup and strip down the security on it so that guests can connect to the printer anonymously.

802.1x has guest VLAN capabilities but it's only for clients that don't have an 802.1x supplicant installed, which 99% of all machines today do.

the only way that i know of that would allow you distinguish guests from internal when they are hardwired would be some form of NAC. mac address filtering could work, but you'll run into issues with it when your guest comes in with a nic with the same oui of your internal machines. trying to manage individual mac's would be a huge pain.

let me know if i'm off base here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[burtsbees]

What about an L3 switch as an access or collapsed core? You could route the vlans and do acl's...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!