06-25-2012 11:19 PM - edited 03-03-2019 06:39 AM
Hello
We plan to have 5 branch offices, each with around 40 users. All branches will be in different geographical locations. Best security needs to be implemented in all branches. All services (email, SAP, portals) are hosted in the Head Office datacenter. Each branch will have dedicated internet 5MB for voice and data.
Guidelines for security:
Vendors proposed the following:
Experts can advise what hardware will best fit the branches, and what other devices I need to achieve the above goals.
Thanks
Vishal
06-26-2012 03:59 AM
Hi,
If you want to support wireless in every branch you are going to need Wireless Access Points (WAPs) in each location. The latest model is the 3602.
You then need to decide whether you will have a centralised Wireless LAN Controller (WLC) in the Data Centre or individual WLCs in each branch to manage the WAPs. For the centralised model have a look at the 5508 vs the 2500 for the distributed model. The choice of using the distributed model also depends on the speed of your WAN links. If these links are low speed then you will need to use the distributed model.
Is the VPN for remote access from home at the Data Centre? If so, I would terminate this on a firewall like the 5510 rather than a router.
To deny access to third party laptops you are going to need an 802.1X policy. To achieve this you are going to need either an Access Control Server or the newer Identity Services Engine.
Don't forget to rate all posts that are helpful.
06-26-2012 01:51 PM
Sean,
Thanks for your valuable input. Can you give more information on how to achieve an 802.1X policy using ACS or ISE? What license is needed on the 3945 if we decide to terminate the VPN there? Is the VPN hardware encryption module built in on the 3945 router, or do we need to specify this to our vendor?
Has Cisco got any solution for web filtering?
Thanks
Vishal
09-26-2013 08:45 PM
06-27-2012 04:34 AM
Hello Vishal,
I would recommend the following:
For Branches:
1- Cisco 2921: Voice licensed (you don't need a higher-end model above this series for 40 users).
2- Cisco ASA 5510: (This will be your security appliance at each branch).
For Headquarters:
1- Cisco ASA 5520: (This will be your HQ security appliance).
2- Cisco 3925 or 3945 router (Voice licensed).
For your security guidelines, here are my answers:
For this purpose, you can disable the administrative privilege on the notebooks and PCs for all users and remove the software driver for their USBs.
For this purpose, I would recommend using Cisco IronPort web filtering. It can be easily integrated with your Active Directory and enforces all the filtering policy you would require.
For this purpose, I would recommend deploying a Wireless LAN Controller at your HQ to have the benefit and full advantage of managing your wireless infrastructure.
For this purpose, I would also say your best option is to have Remote Access VPN (VPN Client) deployed on all employees' notebooks. Though you can have another option, which is to have SSL-VPN deployed at your HQ, this will have additional cost as it is a value-added feature licensed per number of users.
Let me know if this answers your question or if you require additional assistance.
Regards,
Mohamed