I am in the IT department for a retail chain that sells -- oh, let's say coffee. (Not really, but it will do for this example.)
Our core business is selling coffee and coffee-related products. The remote shops rely on internet connectivity to do this: credit card transactions, inventory maintenance, technical support, e-mail, etc. They do a bunch of stuff over the internet, and any downtime is a big problem.
The marketing department has decided that it would be a really big selling point if we allowed customers to use the Internet while they are in our shop.
I have a problem with this. I don't want Joe Hacker coming in with his computer full of viruses getting on my network to download 500MB of .mpg files and sending out a spam blast.
I told the marketing department that the only way I will support this is to put a separate Internet line in the store -- totally different circuit, totally different subnet.
However, I have been asked to reconsider this position.
So my question is: is there any solution that would allow me to safely segregate my existing network into two subnets?
Right now at each location I have a T1 connection with a 1700 router doing VPN back to the corporate office.
I'm guessing that probably the best design would involve putting in some kind of PIX for the new network. Not sure what model or how I'd configure it. Would I need to upgrade the 1700? Maybe put in a router that can hold another card? (If there even is such a thing.)
Anyway, I'm hoping I can get some suggestions here. It's really a pretty straightforward objective -- I'm just not experienced enough with all the various firewalls and routers and IOSes to know what the safest, most cost-effective solution is or how to implement it.