Solved

Isolating critical PCs from usual office PCs

Posted on 2017-09-11
Last Modified: 2017-10-14
In an audit finding, critical PCs (used to transfer large funds; these PCs do not have Internet access nor email clients on them) were found to be pingable and could map drives to normal PCs (which have Internet access, and drive sharing can propagate ransomware/malware) in the same subnet.

We were told these 2 different categories of PCs should be logically segregated. As we don't want to create separate VLANs and do major network restructuring, can we do:
1. Super subnetting and use Cisco ACLs to segregate the 2 groups of PCs? Are these ACLs using MAC addresses?
2. Create Windows firewall rules on the critical PCs
3. What else?
Question by:sunhux
11 Comments
 
LVL 80

Assisted Solution

by:arnold
arnold earned 400 total points
ID: 42290139
Seems you have the right approach.
Use MAC address to tag the vlan for these systems.
And then use appropriate ACLs to limit what access if any exists to this vlan.
The only issue is that records have to be maintained if additional or replacement systems are added, to include their MAC address to make sure they wind up in the same new VLAN.

...
0
 
LVL 7

Assisted Solution

by:lapatiya
lapatiya earned 1100 total points
ID: 42290151
Disable admin shares, so nobody can map your workstation's volumes from other places.
https://winaero.com/blog/disable-administrative-shares-in-windows-10-windows-8-and-windows-7/

ACLs using MAC addresses can be done in Cisco. Check this link out for more details:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html

If a VLAN is not an option, doing an ACL list on your Cisco router/FW properly should be enough to protect your high-security workstations. An ACL (Access Control List) defines who can/can't access (not even ping).
1
 
LVL 80

Assisted Solution

by:arnold
arnold earned 400 total points
ID: 42290170
System to system on the same segment would not go through a firewall; a switch ACL will have to be used (level 3).
Potentially, likely makes it difficult to manage.
Does your environment include an 802.1x setup? That can be used to return the VLAN on which the system will show up through the RADIUS response to the switch.
Using an AD computer group to auto-isolate any system in that security group.
1
 
LVL 7

Assisted Solution

by:lapatiya
lapatiya earned 1100 total points
ID: 42290286
@arnold,

Not entirely true about access lists. True, the IP ACL works on layer 3. But don't forget that a MAC ACL works on layer 2. So a MAC ACL can filter same-segment non-IP based traffic. Look at the below example,
1
 
LVL 36

Assisted Solution

by:Shaun Vermaak
Shaun Vermaak earned 500 total points
ID: 42291404
Use tier isolation; create a new tier for these computers. Windows Firewall is also a must.
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html
1
 
LVL 80

Assisted Solution

by:arnold
arnold earned 400 total points
ID: 42291612
lapatiya,

Not sure what you are addressing?
If one places an ACL rule on the ACL while the systems are connected to a switch, not sure how the firewall ACL restricts access to system A when any other system is on the same segment.

The infrastructure is further unclear on whether all systems that need isolation are on the same switch .....
0
 

Author Comment

by:sunhux
ID: 42292270
Arnold or anyone,

Most of the users' switches are Layer 2 switches, so are MAC ACLs supported?
Or does it have to be an L3 switch (which we use mostly for servers)?
0
 

Author Comment

by:sunhux
ID: 42292281
What about super subnetting, where we define subnet masks like 255.255.255.252?

So that a critical PC at 10.5.80.5 can't be reached from non-critical PCs 10.5.80.X (where X is 33-253)? Can this be achieved using an L2 switch?
0
 
LVL 7

Accepted Solution

by:lapatiya
lapatiya earned 1100 total points
ID: 42292290
L3 switches are for IP routing, meaning to control/point traffic between different networks (VLANs). In your case, since you have a single subnet (assuming), you can use an L2 switch (a good Cisco switch would do). All you need to do is configure a MAC ACL, because the MAC (Media Access Control) address is the L2 identifier address in a network. In a same-segment network (single subnet), traffic is forwarded from one device to another, or between each other, with the help of MAC addresses (to find the original source and the destination).
1
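One concrete way to lay out the switch side of this answer, as an added example that is not from the thread or from Cisco documentation: it assumes a single Cisco Catalyst access switch running IOS, the addresses, MACs and port numbers given in the comments, and an application server at 10.5.90.10 (all assumptions). It also carries the caveat from lapatiya's earlier reply that a MAC ACL filters non-IP frames: on Catalyst Layer 2 ports the pings and drive mappings from the audit finding are IP traffic, so an IP port ACL (applied inbound on the Layer 2 interface) is what actually stops them, and the MAC ACL only complements it.

```cisco
! Added example, not configuration from the thread. Everything named here is
! assumed: one 10.5.80.0/24 segment on a Catalyst access switch, critical PCs
! on Gi1/0/1-2 (10.5.80.5 and 10.5.80.6, MACs 0011.2233.aaaa / 0011.2233.bbbb),
! office PCs on Gi1/0/10-48 (10.5.80.33 to 10.5.80.253), and an application
! server at 10.5.90.10 that the critical PCs must still reach.
!
! 1) IP port ACL on the office ports: evaluated inbound before the frame is
!    switched, so ping and SMB from office PCs never reach the critical hosts.
ip access-list extended OFFICE-IN
 remark Critical-PC addresses below are assumptions for this example
 deny   ip any host 10.5.80.5
 deny   ip any host 10.5.80.6
 permit ip any any
!
! 2) IP port ACL on the critical ports: critical-to-critical and the assumed
!    server are allowed first, the rest of the office subnet is denied, and
!    everything off-subnet (DC, DNS, the server) is still permitted.
!    Pinging the default gateway from a critical PC is blocked too; add a
!    permit for the gateway address if that is needed for monitoring.
ip access-list extended CRITICAL-IN
 permit ip 10.5.80.4 0.0.0.3 10.5.80.4 0.0.0.3
 permit ip 10.5.80.4 0.0.0.3 host 10.5.90.10
 deny   ip any 10.5.80.0 0.0.0.255
 permit ip any any
!
! 3) MAC ACL (the accepted answer's approach): on Catalyst L2 ports this
!    matches non-IP frames only. Applied on the office ports it stops
!    non-IP unicast frames aimed at the critical PCs' MACs; broadcasts such
!    as ARP requests are unaffected, so the gateway keeps working.
mac access-list extended OFFICE-NONIP
 deny   any host 0011.2233.aaaa
 deny   any host 0011.2233.bbbb
 permit any any
!
interface range GigabitEthernet1/0/10 - 48
 description Office PCs
 ip access-group OFFICE-IN in
 mac access-group OFFICE-NONIP in
!
interface range GigabitEthernet1/0/1 - 2
 description Critical PCs
 ip access-group CRITICAL-IN in
!
! Verification: the deny counters climb when an office PC pings 10.5.80.5
! and the ping times out. Port ACLs on these platforms are inbound-only,
! which is why each group's ports carry their own list.
! show access-lists OFFICE-IN
! show access-lists CRITICAL-IN
! show mac access-group interface GigabitEthernet1/0/10
```

The switch ACLs cover the audit finding at the network layer; the thread's item 2 (Windows Firewall on the critical PCs, plus disabling administrative shares) remains worth doing as defence in depth, since it still holds if a critical PC is ever patched into a port that lacks these lists.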
 
LVL 7

Assisted Solution

by:lapatiya
lapatiya earned 1100 total points
ID: 42292305
VLAN and super-subnetting (micro subnetting) are most likely the same. You can't; you need to have a routing table (L3 switch or router) to communicate between different VLANs, as well as between different subnets. This is in brief. There can be similarities and differences between a VLAN and what you call super-subnetting, but ultimately both are segmenting the switching portions of the network.
0
 
LVL 80

Expert Comment

by:arnold
ID: 42292309
How does super subnetting differ from addressing the issue using VLANs?
In both cases you have to go through a configuration change.

Analyze what you need to achieve the end result, set it up, place one of the systems into it............ Test....
0
