Segmenting one Workstation and Various Ways to do so

vssp · ‎10-23-2012

Goal: We have a workstation that processes sensitive information and we want that workstation to only have access to very select endpoints on our LOCAL LAN and also internet access.

Solutions:

1. At first we explored VACL, this worked well except when the workstation needed to be moved around the environment to a switch that didn't support VACL (2960).

2. We explored a VLAN but thought that a routable VLAN with one single IP Address was somewhat wasteful, hoped there was something easier

I thought I'd pose the question to everyone to see what other options we have that can achieve this segregation, any examples or links is much appreciated. Thank you in advance, this is my first post so I'm new to the community.

shillings · ‎10-23-2012

I would have thought the best security would be a firewall/IPS - i.e. a dedicated interface off a firewall/IPS appliance. Then you have excellent control of what goes to and from the workstation.

Not sure if that works for you though, especially when you talk of moving the workstation around the environment.

vssp · ‎10-23-2012

Yes, we are likely to move this anywhere, the boss would like to see it done with some type of hardware "switch" security. One idea was to lock it down from communicating anywhere with the windows firewall on the box but that is deemed still easily manipulated.

Anyone have options using a Cisco 2960 or like model? Either using VLAN with one IP or some other ACL type solution that I have yet to think of.