Maximum network protection with public Internet access

Tags: Cisco ASA 5510, Cisco Routers, IP address, Network design, Network security
What is the best way to give public access to the Internet yet protect my company network? We have a Cisco ASA 5510 firewall and wireless access points.

Software/Hardware used:
Windows XP, Cisco ASA 5510 firewall
ASKED: January 22, 2011 9:18 PM
UPDATED: February 23, 2011 4:37 PM

Answer Wiki


I reckon that depends on where your biggest threat lives.

I would start by hardening the wireless piece by not allowing wireless access to the router and changing the admin password quarterly. It should be a complex password as well. Once you get a complex password in your head you can make minor changes that will make sense to you and still keep it changing.

Turning off the SSID broadcast can make life harder for war drivers with a single mouse click. MAC Address filtering is another way to keep unwanted machines off your network.

Blocking certain internet sites and virus scanning emails is fairly simple to implement with your firewall. It’s better to lock it down tight and let your users request access to sites than to leave it too lax.

Be sure to timeout VPN access if the connection has been idle for x minutes. I’d put it at 20 minutes which, depending on the work your users are doing, may be too generous.

Where I’m at now the use of USB drives has been turned off via policy and a BIOS setting. It’s a pita but there’s not much chance of a virus creeping in. Very few users have local admin permissions on their machines so adding software is tightly controlled.

The more critical it is for your machines and your data to be available the tighter the controls that need to be in place. Having a 100K executive sitting idly for half a day or more while his laptop gets cleaned makes the extra steps up front well worth the effort.

—————————————

If you want to let public “guests” connect to the internet through your wireless system while protecting your LAN, you can do so by:
1) set up VLANs – one for the wireless guests and another for your internal use,
2) if your AP supports it, you might be able to use “wireless isolation” – where associated devices cannot see anything BUT the internet (some APs can do that per VLAN)
3) if needed, set up some ACLs / firewall rules blocking the guest VLAN from your internal network…
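
As an added example (not part of the original answers), the Python check below audits step 3: it reads ASA-style extended ACL lines and reports any rule that lets the guest VLAN reach the internal VLAN under first-match ordering. The subnets, the ACL name `GUEST_IN` and both sample ACLs are constructed assumptions; only whole-`ip` rules are handled.

```python
import ipaddress

# Constructed sample data: subnets and the ACL name GUEST_IN are assumptions.
GUEST = ipaddress.ip_network("192.168.20.0/24")   # guest wireless VLAN
INSIDE = ipaddress.ip_network("192.168.10.0/24")  # internal VLAN

GOOD_ACL = """\
access-list GUEST_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.20.0 255.255.255.0 any
"""
# Same two rules in the wrong order: the broad permit matches first.
BAD_ACL = """\
access-list GUEST_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-list GUEST_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text):
    """Return [(action, src_net, dst_net)] in configured order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        if tok[4] != "ip":
            # Fail loudly rather than silently skip a rule we cannot judge.
            raise ValueError(f"unsupported rule: {line}")
        rest = tok[5:]
        rules.append((tok[3], _take_net(rest), _take_net(rest)))
    return rules

def leaks(text, src=GUEST, dst=INSIDE):
    """Permit rules that can match src->dst before a deny covers the pair."""
    found = []
    for action, s, d in parse_acl(text):
        if s.overlaps(src) and d.overlaps(dst):
            if action == "permit":
                found.append((str(s), str(d)))
            elif src.subnet_of(s) and dst.subnet_of(d):
                break  # full-cover deny shadows every later rule
    return found
```

An empty result for the ACL bound to the guest interface means no permit rule reaches the internal subnet before the deny does.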

Discuss This Question: 1  Reply

  • Spadasoe
    vlan isolation
