Isolating critical PCs fr usual office PCs

In an audit finding, critical PCs (used to transfer large funds n these PCs do not hv Internet
access Nor email clients in them)  were found to be pingable n could map drives to normal
PCs ( to hv internet access n drive sharing can propagate ransomwares/malware) in same
subnet.

We were told these 2 different categories of PCs she'd be logically segregated.  As we don't want
To create separate Vlans n do major network restructuring, Can we do
1. Super sub netting n use Cisco ACLs to segregate the 2 groups of PCs?  Is this ACLs
     using MAC address?
2. Create Windows firewall rules on the critical PCs
3. What else?
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arnoldCommented:
Seems you have the right approach.
Use MAC address to tag the vlan for these systems.
And then use appropriate ACLs to limit what access if any exists to this vlan.
The only issue, is that records have to ve maintained if additional, replacement systems are added, to include their MAC address to make sure they wind up in the same new vlan.

...
0
lapatiyaCommented:
Disable admin shares, so nobody can map your workstation's volumes in another places.
https://winaero.com/blog/disable-administrative-shares-in-windows-10-windows-8-and-windows-7/

ACL using MAC addresses can be done in cisco. check this link out for more details,
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html

If vLan is not an option, doing ACL list on your Cisco router/FW properly should be enough to protect your high-security workstations. ACL (Access Control List) defines who can/can't access (not even can ping)
1
arnoldCommented:
System to system on the same segment would not go through a firewall, a switch ACL will gave to ve used (level 3)
Potentially, likely makes it difficult to manage.
Does your environment include 801.x setup. That can be used to retain the blame on which the system will show up through radius respinse to the switch.
Using AD computer group to auto isolate any system in that security group.
1
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

lapatiyaCommented:
@arnold,

not entirely true about access list. true the IP ACL list works on layer 3. But don't forget that MAC ACL works on layer 2. So MAC ACL can filter same segment non-ip based traffic. look at the below example,
1
Shaun VermaakTechnical Specialist IVCommented:
Use tier isolation, create a new tier for these computers. Windows Firewall is also a must
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html
1
arnoldCommented:
lapatiya,

not sure what you are addressing?
If one places an ACL rule on the ACL while the systems are connected to a switch, not sure how the firewall ACL restricting access to system A where any other system is on the same segment.

the infrastructure is further unclear on whether all systems that needs isolation are on the same switch .....
0
sunhuxAuthor Commented:
Arnold or anyone,

Most of the users' switches are Layer 2 switches, so is MAC ACLs supported?
Or it has to be an L3 switch (which we use mostly for servers)?
0
sunhuxAuthor Commented:
What about super subnetting where we define subnet masks like
255.255.255.252  ?  

For a critical PC at 10.5.80.5 can't be reached from non-critical PCs
10.5.80.X (where X is 33-253) ?  Can this be achieved using L2 switch?
0
lapatiyaCommented:
L3 switches are for IP routing; meaning to control/point traffic between different networks (VLANs). In your case, since you have a single subnet (assuming), you can use an L2 switch (a good cisco switch) would do. All you need to do is configure MAC ACL, because MAC (Media access control) address is the L2 identified address in a network. in a same segment network (single subnet) traffice is forwaded from one device to another or between each other with the help of MAC address (to find the original source and the destination)
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lapatiyaCommented:
vlan and super-subnetting (micro subnetting) more likely the same. you can't you need to have a rounting table (L3 switch or router) to communicate between different vlans, as well as different subnets, this is in brief. there can be similarities and differences in vlan and what you call super-subnetting, but ultimately, segmenting the switching portions of the network.
0
arnoldCommented:
How is super subnetting differ from implementing the issue using vlan?
In both cases you gave to go through a configuration change?

Analyze what you need to achieve the end result, setup it up, place on of the systems into it............ Test....
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.