03-23-2005 12:34 PM - edited 03-05-2019 11:28 AM
We've had a few instances where development testing in our lab has caused the entire network to be compromised. I'd like to keep this from happening, but I'm trying to get some ideas besides my own. I have attempted other solutions in the past, but they have been frustrating for the users, and were abandoned. Here is a quick idea of the network:
192.168.128.0/255.255.248.0, corporate LAN now using 192.168.131.0 and 192.168.132.0.
The lab is currently connected to unmanaged switches, which are connected in turn to the corporate LAN. The lab needs to access the corporate LAN, and vice versa, but should not be able to flood the corporate LAN with packets in the event of a test gone awry. A router seems a simple solution; however, our corporate router is managed. I also have a spare PIX 515 and Catalyst 3550 with which to work... any suggestions?
03-23-2005 05:07 PM
If you put in a VPN gateway (or two - one for each direction) between the two it should isolate any issues to the Lab and still allow (very controllable) access in either direction.
If you set it up for L2TP / PPTP, then any MS client should be able to access without additional per-client charges.
If any malicious activity does occur, it can be traced back to a host or two and traced further to the offending system in the Lab.
Good Luck
Scott
03-25-2005 09:31 AM
Ben,
I'd suggest putting the PIX 515 between your lab and your corporate network, with your corporate network as your "internal" interface and your lab as "external".
It would be very easy to write the rules as needed to allow very specific traffic from the lab into your corporate network. Additionally, you would have the option of specifying who from your corporate network would be able to access the lab environment.
HTH
Steve
03-25-2005 09:51 AM
Thanks for the responses...I was thinking the PIX would be the best option as well, so I'll try to implement that...
Ben
03-26-2005 11:53 PM
Well, the lab environment should not be anywhere near the production network. Secondly, a router is part of the solution that came to mind. How about a 2514 or, if it's in the budget, a 2610 with an NM-16A or NM-32A module. You could configure the 2514 or 2610 as an Access Server providing complete out-of-band management of the lab via async interfaces (reverse telnet), and in-band access to the lab from the production network would be limited to the Ethernet interface of the Access Server. You would also gain the ability to restrict access to and from the lab with ingress and egress access-lists. The main objective is to make sure that none of the lab devices are able to pass frames or packets upstream into the production network except ssh and/or telnet.
-C
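As an added illustration of the ingress/egress access-list idea in the post above (and of the "only specific traffic from the lab" rule set Steve describes for the PIX), here is a constructed Cisco IOS configuration for a two-Ethernet router such as the 2514 sitting between the lab and the corporate LAN. It is not from any post in this thread. The lab subnet (10.99.0.0/24), the router's interface addresses, and the two management workstations (192.168.131.10 and .11) are assumptions chosen for the example; the 192.168.128.0/21 corporate block is the one the original post names.

```cisco
! Added example config, not from any poster in this thread.
! Assumptions: lab subnet 10.99.0.0/24 (placeholder), router lab-side
! interface Ethernet1 at 10.99.0.1, production-side Ethernet0 at
! 192.168.131.254 inside the corporate 192.168.128.0/21 block.
! Management hosts 192.168.131.10 and .11 are placeholders.
!
! Lab -> production: only SSH and Telnet toward production hosts, plus
! replies to TCP sessions that production opened toward the lab.
! Everything else from the lab is dropped and logged at the edge.
ip access-list extended LAB-TO-PROD
 remark lab may reach production only on ssh/telnet
 permit tcp 10.99.0.0 0.0.0.255 192.168.128.0 0.0.7.255 eq 22
 permit tcp 10.99.0.0 0.0.0.255 192.168.128.0 0.0.7.255 eq telnet
 remark replies to sessions initiated from the production side
 permit tcp 10.99.0.0 0.0.0.255 192.168.128.0 0.0.7.255 established
 remark a misbehaving lab box hits this line; logging gives the trace
 deny   ip any any log
!
! Production -> lab: only the two management workstations on ssh/telnet,
! ping for reachability checks, and replies to lab-initiated sessions.
! This keeps a compromised production host from wandering into the lab.
ip access-list extended PROD-TO-LAB
 permit tcp host 192.168.131.10 10.99.0.0 0.0.0.255 eq 22
 permit tcp host 192.168.131.10 10.99.0.0 0.0.0.255 eq telnet
 permit tcp host 192.168.131.11 10.99.0.0 0.0.0.255 eq 22
 permit tcp host 192.168.131.11 10.99.0.0 0.0.0.255 eq telnet
 permit icmp 192.168.128.0 0.0.7.255 10.99.0.0 0.0.0.255 echo
 permit tcp 192.168.128.0 0.0.7.255 10.99.0.0 0.0.0.255 established
 deny   ip any any log
!
interface Ethernet0
 description production side (corporate LAN, 192.168.128.0/21)
 ip address 192.168.131.254 255.255.248.0
 ip access-group PROD-TO-LAB in
 no ip proxy-arp
!
interface Ethernet1
 description lab side
 ip address 10.99.0.1 255.255.255.0
 ip access-group LAB-TO-PROD in
 no ip proxy-arp
 no ip directed-broadcast
!
! Lab hosts use 10.99.0.1 as their default gateway; production hosts need
! a route to 10.99.0.0/24 via 192.168.131.254 (static on the managed
! corporate router, or on each management workstation).
```

Both lists are applied inbound on the interface the traffic enters, so the "deny ip any any log" counters on each list show exactly which direction is being abused. Because this is a Layer 3 boundary, a broadcast storm or ARP flood from a runaway test stays on the lab segment regardless of the ACLs; the lists only govern what routed traffic may cross. The "established" entries match only packets with ACK or RST set, so they let reply traffic through without a stateful inspection engine, which is the main functional difference from doing the same job on the PIX.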
03-31-2005 11:06 AM
It seems to me that you want to isolate the lab environment which is normally a good thing, but at the same time you need to access your production LAN. These two statements are mutually exclusive. The solutions using the PIX and/or the dual interface router are reasonable given that you are not really creating an isolated lab environment. Pick whichever one you feel most comfortable with and understand what the interfaces are between your Production and Lab "compartments".