Network Separation / Cisco 2960

Dear Experts,

Please advise on how to correctly separate the networks and what devices should be used and configured. I have two networks - Public (internet access, etc.) and Private (should not be accessible from/to the Internet, but should be accessible from certain machines on the Public network). Currently, all computers (belonging to both Public & Private networks) are sharing the same Cisco 2960 switch, but "separated" by their IPs on the subnets they belong to. For instance,

Public subnet: 192.168.13.x
Private subnet: 192.168.1.x

Computer A on Public subnet has 2 adapters - IP and IP
Computer B on Private subnet communicates with Computer A on IP

My concerns are:
- Is this enough to separate the two subnets as they are now?
- What if Computer A is compromised, would devices on Private network be compromised as well? If yes, what would be a correct way to "completely" separate them and how?

swgit (IT Professional) asked:

I am assuming you have everything on the same LAN, and do not have the public/private subnets on their own vlans. You need to have the subnets on separate vlans. This will force the subnets to go to the layer 3 router to communicate. Now that the layer 3 router is controlling the exchange of information, you can set up access control lists to allow/deny traffic between the two vlans, and the internet.

To secure the devices that have access to the internet and your private network, you should separate those devices on a third vlan.  Then only allow traffic from the third vlan to your private network as needed.  Meaning deny everything but the specific applications that the internal network users need from this network.  This will limit the exposure that the possibly compromised computers can have on the private network.

What router are you using?
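
The three-VLAN layout with ACLs described in the answer above, sketched as Cisco IOS configuration; this is an added example, not part of the original thread. Assumptions: the layer 3 device is an IOS router reached over a trunk on GigabitEthernet0/1, and the VLAN IDs, port ranges, third subnet 192.168.20.0/24, gateway and host addresses, and TCP port 1433 are all constructed placeholders.

```cisco
! --- Cisco 2960 (layer 2): one VLAN per network; IDs and port ranges are assumptions ---
vlan 13
 name PUBLIC
vlan 10
 name PRIVATE
vlan 20
 name BRIDGE-HOSTS
!
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 13
interface range FastEthernet0/9 - 16
 switchport mode access
 switchport access vlan 10
! Computer A: single adapter here (assumed 192.168.20.10), no leg in the private VLAN
interface range FastEthernet0/17 - 20
 switchport mode access
 switchport access vlan 20
! Uplink to the layer 3 device carries only the three VLANs
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,13,20
!
! --- Layer 3 router (assumed IOS, router-on-a-stick); ACLs are first-match ---
ip access-list extended BRIDGE-IN
 remark only the needed application from Computer A to Computer B
 permit tcp host 192.168.20.10 host 192.168.1.50 eq 1433
 deny   ip any 192.168.1.0 0.0.0.255 log
 permit ip any any
ip access-list extended PUBLIC-IN
 deny   ip any 192.168.1.0 0.0.0.255 log
 permit ip any any
ip access-list extended PRIVATE-IN
 remark replies to Computer A only; nothing else leaves the private subnet
 permit tcp host 192.168.1.50 eq 1433 host 192.168.20.10 established
 deny   ip any any log
!
interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip address 192.168.13.1 255.255.255.0
 ip access-group PUBLIC-IN in
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip access-group PRIVATE-IN in
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group BRIDGE-IN in
```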

swgit (IT Professional, Author) commented:
the router is of an mpls