Port-based security

What is the minimum needed for switch port based security?

What I'm after is this: if a member of staff plugs in a company system, it is given access to company resources, but if an unknown device is connected it is either denied or given basic internet access only, depending on what we want for the particular site.

This is needed to work over a WAN; currently everything is running on Catalyst 2950s or above. Up to 1000 systems spread over multiple sites, anything from 5 to 150 desktops at each site. Running Microsoft 2k/2k3 & XP clients currently.
Reply to
jas0n

How secure does this have to be? Is it enough for it to just be a nuisance (e.g., to keep people from casually adding systems)? Should an authorized device always be authorized without any further controls, or should people have to authenticate to use the devices? If you are using an authentication scheme and someone puts on an unauthorized device, then is it enough for them to authenticate on it, or should the device be blocked anyhow? Does it need to be secure against people changing MAC addresses?

Is your concern with accidental viruses and trojans and the like, and ensuring that potentially "contaminated" devices are not allowed access until they have been checked out? Or is your concern with *who* is allowed access to the network?

Reply to
Walter Roberson

It's plain corporate; the current WAN is entirely open end to end, a plug-in-and-see network: use resources or have access to resources.

It's a first step into controlling things and it'll all boil down to price. They may want military- or medical-type security when they're asking for it; they most certainly won't pay for it (unless of course prices have levelled and providing it will allow a client to plug in without hurdles and get basic internet access as a minimum).

So, to keep it real, I'm saying it's for keeping the inner network clear of unauthorised, potentially damaging machines like someone's home laptop, a guest's laptop full of viruses, etc., or a contractor working for short periods of time with their own equipment.

Shared offices with clients, 3rd-party contractors and guests are not uncommon in the same office.

But they will also want guests to have basic internet access to allow for meetings, presentations, access to their own networks via VPN, etc., and we'll be wanting shared VLANs for shared printers, NAS, scanners, etc. to hand out to these guests if required.

The main network is only to be accessed via our own issued systems on a single w2k3 domain with all users having active directory accounts.

Reply to
jas0n

Cisco Network Admission Control

Security Agent
There are also a small number of references to the Security Agent as being the Software Assurance Agent (SAA)

Reply to
Walter Roberson

You mean Service Assurance Agent, Walter?

If so, no, that is completely different: SAA is used to measure jitter / response time of applications.

James


Reply to
James

In article , James top-posted, now fixed:

Ah, SAA does confusingly get called "Software Assurance Agent" a small number of times:


Reply to
Walter Roberson

They seem to go beyond our requirements with regard to repairing non-conforming machines and quarantining non-compliant machines.

We already use an ePO server for McAfee Enterprise, which manages the domain antivirus policies, and SUS for critical patches (although that'll move over to WSUS shortly), so the patch/antivirus management side of the Cisco offering may not be required, unless it has benefits over and above our existing setup, which would again depend on price or whether it's simply included in the base setup.

I know enough about Cisco not to assume anything, so: will these products allow the configuration of guest access so that a non-domain machine or an unknown-domain machine can connect without requiring software or configuration of any kind, and have them put into a VLAN for guest access to the network, i.e. basic internet & a shared-resource VLAN (printers, etc.) but no access to main company network resources?

If not, am I looking more at a RADIUS/802.1X-only setup which can do this, or is that something else entirely?

Reply to
jas0n
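One way to get the behaviour asked about above with plain 802.1X and RADIUS, without any NAC agent, is a guest VLAN on the edge ports plus a RADIUS-assigned VLAN for machines that authenticate. This is an added example and not the configuration of anyone in this thread; the RADIUS address, shared secret, VLAN numbers and port are assumptions, as is an IOS release on the 2950 that supports the `dot1x guest-vlan` command.

```text
! Added example (not from any poster in this thread): 802.1X on a Catalyst
! 2950-class access switch with a guest VLAN, fronted by a RADIUS server that
! checks the Windows domain (e.g. Microsoft IAS). Addresses, VLAN numbers and
! the shared secret are assumptions.
!
! Assumed VLAN plan:
!   10  corporate  - reachable only after a successful 802.1X authentication
!   20  guest      - internet plus the shared printer/NAS VLAN; what guests may
!                    reach is enforced upstream by ACLs or a firewall
!   999 parking    - unused, unrouted VLAN the port sits in before any decision
!
aaa new-model
aaa authentication dot1x default group radius
! "network" authorization lets the switch honour the VLAN the RADIUS server
! returns in its Access-Accept (attributes listed below the block)
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key ExampleSharedSecret
!
! enable 802.1X globally; without this the per-port commands have no effect
dot1x system-auth-control
!
interface FastEthernet0/1
 description staff/guest edge port
 switchport mode access
 ! an authenticated client that gets no VLAN back from RADIUS would land in
 ! the access VLAN, so keep that an empty parking VLAN
 switchport access vlan 999
 ! require 802.1X on this port; only EAPOL passes until authentication succeeds
 dot1x port-control auto
 ! one MAC address per port, so a hub behind an authenticated PC cannot
 ! piggy-back a second machine onto the corporate VLAN
 dot1x host-mode single-host
 ! a device that never answers the EAP-Request/Identity (no supplicant at
 ! all: a guest laptop with 802.1X off, a printer) is moved to VLAN 20 once
 ! the identity request has been retried and timed out
 dot1x guest-vlan 20
 ! shorten the wait before a silent client is dropped into the guest VLAN
 ! (the default tx-period is 30 s and the switch retries before giving up)
 dot1x timeout tx-period 10
 ! re-check periodically so a swapped device does not inherit the old session
 dot1x reauthentication
 spanning-tree portfast
!
! Uplinks and ports for fixed devices keep the default
! "dot1x port-control force-authorized" and are left alone.
```

On the RADIUS side, a domain machine is steered into VLAN 10 by returning Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID set to the VLAN name (or number, on releases that accept it) in the Access-Accept; with no such attributes the client stays in the access VLAN. To get "company system" rather than "company user" semantics, authenticate the machine (PEAP with the computer's domain account, which the Windows XP wired supplicant supports) rather than the user, otherwise a staff member typing their domain password on a home laptop gets the corporate VLAN. Two caveats a practitioner should expect: an unmanaged laptop that does have a wired supplicant switched on will fail authentication instead of falling into the guest VLAN unless the switch supports a separate auth-fail VLAN, and 802.1X only decides admission; it says nothing about the state of an authenticated machine, which is the part NAC adds.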

I'm no expert regarding this, but I did go to a Cisco Self-Defending Networks presentation last year where they were talking about this: dynamically assigning guest VLANs based on unidentified users, out-of-date anti-virus software, etc.

I think this is the relevant page on Cisco's site:

Reply to
James

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.