
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 80

Isolating critical PCs from usual office PCs

In an audit finding, critical PCs (used to transfer large funds; these PCs do not have Internet
access nor email clients on them) were found to be pingable and could map drives to normal
PCs (which have Internet access and drive sharing, so they can propagate ransomware/malware) in the same
subnet.

We were told these 2 different categories of PCs should be logically segregated. As we don't want
to create separate VLANs and do major network restructuring, can we do:
1. Super subnetting and use Cisco ACLs to segregate the 2 groups of PCs? Are these ACLs
     using MAC addresses?
2. Create Windows firewall rules on the critical PCs?
3. What else?
Asked by: sunhux
8 Solutions
 
arnold commented:
Seems you have the right approach.
Use MAC address to tag the VLAN for these systems.
And then use appropriate ACLs to limit what access, if any, exists to this VLAN.
The only issue is that records have to be maintained if additional or replacement systems are added, to include their MAC address to make sure they wind up in the same new VLAN.

...
0
 
lapatiya commented:
Disable admin shares, so nobody can map your workstation's volumes from other places.
https://winaero.com/blog/disable-administrative-shares-in-windows-10-windows-8-and-windows-7/

ACLs using MAC addresses can be done in Cisco. Check this link out for more details:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html

If VLANs are not an option, doing an ACL on your Cisco router/FW properly should be enough to protect your high-security workstations. An ACL (Access Control List) defines who can/can't access (not even ping).
1
 
arnold commented:
System to system on the same segment would not go through a firewall; a switch ACL will have to be used (level 3).
Potentially, likely makes it difficult to manage.
Does your environment include an 802.1x setup? That can be used to return the VLAN on which the system will show up through the RADIUS response to the switch.
Using an AD computer group to auto-isolate any system in that security group.
1
 
lapatiya commented:
@arnold,

Not entirely true about access lists. True, the IP ACL works on layer 3. But don't forget that a MAC ACL works on layer 2. So a MAC ACL can filter same-segment non-IP-based traffic. Look at the below example,
1
 
Shaun Vermaak (Technical Specialist/Developer) commented:
Use tier isolation; create a new tier for these computers. Windows Firewall is also a must.
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html
1
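Option 2 in the question and Shaun's "Windows Firewall is also a must" both point at host-based rules on the critical PCs themselves. The following is an added example (not from the thread or from any of the commenters) of what those rules look like in the built-in Windows Defender Firewall, using the address range from the question. The range of normal PCs (10.5.80.33-10.5.80.253) comes from the thread; the management host 10.5.80.20 and the rule names are constructed placeholders. It also applies the admin-share change lapatiya linked to, via the AutoShareWks registry value.

```powershell
# Added example: host-based segregation for a critical PC with Windows Defender Firewall.
# Constructed assumptions:
#   - normal office PCs occupy 10.5.80.33-10.5.80.253 (range from the question)
#   - 10.5.80.20 is a PLACEHOLDER for the one management/patch host that must still reach
#     the critical PC; it is deliberately OUTSIDE the blocked range, because in Windows
#     Firewall a Block rule always wins over an Allow rule for the same address.
$NormalPCs    = "10.5.80.33-10.5.80.253"
$AllowedHosts = @("10.5.80.20")

# 1. Default-deny inbound on every profile, and log dropped packets so the audit team can
#    see attempted pings / drive maps coming from the normal PCs.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -LogBlocked True `
    -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 2. Explicit block of everything from the normal-PC range. No -Protocol means all
#    protocols, so ICMP echo (ping) as well as SMB/RPC is dropped; the PC is no longer
#    "pingable" from that range even if an application installer added an allow rule.
New-NetFirewallRule -DisplayName "CRITICAL: block inbound from normal PCs" `
    -Direction Inbound -Action Block -RemoteAddress $NormalPCs -Profile Any

# 3. Stop the critical PC from mapping drives on normal PCs (outbound SMB/NetBIOS), so
#    a share on an infected office PC cannot be reached from this side either.
New-NetFirewallRule -DisplayName "CRITICAL: block outbound SMB to normal PCs" `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 139,445 `
    -RemoteAddress $NormalPCs -Profile Any

# 4. Allow only the named management host(s). Keep this list under change control, the
#    same way arnold notes the MAC list must be maintained.
New-NetFirewallRule -DisplayName "CRITICAL: allow management hosts" `
    -Direction Inbound -Action Allow -RemoteAddress $AllowedHosts -Profile Any

# 5. Remove the administrative shares (C$, ADMIN$) that let other PCs map this
#    workstation's volumes. The Server service must restart for it to take effect.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
    -Name AutoShareWks -Value 0 -Type DWord
Restart-Service -Name LanmanServer -Force

# Verify: list the remote-address scope of every rule created above.
Get-NetFirewallRule -DisplayName "CRITICAL:*" |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Run it from an elevated PowerShell session on each critical PC (or push the same rules through a GPO applied to the "critical PCs" computer group, which also fits the AD-group-based isolation arnold mentions). The rules do not stop a normal PC from sending frames to the critical PC on the shared switch; they stop the critical PC from accepting them, which is why this is a complement to, not a replacement for, the switch-level ACL or VLAN discussed above.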
 
arnold commented:
lapatiya,

Not sure what you are addressing?
If one places an ACL rule on the ACL while the systems are connected to a switch, not sure how the firewall ACL restricts access to system A where any other system is on the same segment.

The infrastructure is further unclear on whether all systems that need isolation are on the same switch ...
0
 
sunhux (Author) commented:
Arnold or anyone,

Most of the users' switches are Layer 2 switches, so are MAC ACLs supported?
Or does it have to be an L3 switch (which we use mostly for servers)?
0
 
sunhux (Author) commented:
What about super subnetting, where we define subnet masks like
255.255.255.252?

So that a critical PC at 10.5.80.5 can't be reached from non-critical PCs
10.5.80.X (where X is 33-253)? Can this be achieved using an L2 switch?
0
 
lapatiya commented:
L3 switches are for IP routing, meaning to control/direct traffic between different networks (VLANs). In your case, since you have a single subnet (assuming), you can use an L2 switch (a good Cisco switch would do). All you need to do is configure a MAC ACL, because the MAC (Media Access Control) address is the L2 identifying address in a network. In a same-segment network (single subnet) traffic is forwarded from one device to another with the help of MAC addresses (to find the original source and the destination).
1
 
lapatiya commented:
VLANs and super-subnetting (micro subnetting) are more or less the same. You can't; you need to have a routing table (L3 switch or router) to communicate between different VLANs, as well as between different subnets; this is in brief. There can be similarities and differences between VLANs and what you call super-subnetting, but ultimately both are segmenting the switching portions of the network.
0
 
arnold commented:
How does super subnetting differ from implementing the isolation using a VLAN?
In both cases you have to go through a configuration change.

Analyze what you need to achieve the end result, set it up, place one of the systems into it... Test...
0