PIX 501 & 4700 & virus protection?

Discussion in 'Cisco' started by John Cadella, Nov 21, 2004.

  1. John Cadella

    John Cadella Guest

    Hi,
    I was able to get our 4700 & Pix 501 properly configured thanks to Walter!

    The next task is to protect the 4700 segments from each other in case one
    has a PC or laptop connected that has a virus. The scenario is when we
    bring in customer PCs for repair, we need internet connectivity, but want to
    protect the other segments in the business from potential viruses that might
    spread from the Tech dept segment.

    Would I use an access list, or maybe a router can't prevent viruses from
    spreading among its segments?
    John
     
    John Cadella, Nov 21, 2004
    #1

  2. Walter Roberson

    Walter Roberson Guest

    In article <A8Rnd.26774$>,
    John Cadella <> wrote:
    :The next task is to protect the 4700 segments from each other in case one
    :has a PC or laptop connected that has a virus. The scenario is when we
    :bring in customer PCs for repair, we need internet connectivity, but want to
    :protect the other segments in the business from potential viruses that might
    :spread from the Tech dept segment.

    :Would I use an access list, or maybe a router can't prevent viruses from
    :spreading among its segments?

    You might try an approach such as this:

    Set aside specific jacks for connecting customer computers. Put those
    jacks into different vlans (from anything else you use; different
    than the other customer jacks too so you don't end up spreading
    viruses between customer computers.) Set a specific customer IP address
    for each vlan.

    On the 4700, set up one interface or subinterface (as appropriate)
    for each VLAN, and set ACLs on that interface to permit out -only-
    the one IP you have assigned for use on that VLAN, and set the ACLs
    to permit traffic to -only- the systems and ports that you absolutely
    need in order to launch the tools you need to repair and cleanse
    the system. Keep in mind, though, that if a system is infected,
    then it may be infected in a way that disables virus checkers and
    so on from running correctly, so really you should boot from a
    special CD (or floppy) that contains thorough checking and repair tools.

    You want to set up these ACLs on the 4700 rather than the PIX for
    a couple of reasons.

    1) The 4700 can handle VLANs [if you have an appropriate software
    release] but the PIX 501 has no VLAN support. (The 515/515E, 520, 525,
    and 535 all have VLAN support as of 6.3.1, and the 506/506E gained
    support for 1 VLAN in 6.3(4)).

    2) You don't want the various vlans to have a chance to route to each
    other before you get to the filtering device, so you don't want to just
    route on the 4700 and send the packets to the PIX: that would allow the
    customer computers to talk to each other and to your internal machines
    without the PIX getting involved.
    --
    When your posts are all alone / and a user's on the phone/
    there's one place to check -- / Upstream!
    When you're in a hurry / and propagation is a worry/
    there's a place you can post -- / Upstream!
     
    Walter Roberson, Nov 21, 2004
    #2
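One way to express the per-VLAN layout above as a router configuration. This is an added example, not Walter's or anyone else's config from the thread: the interface name, VLAN number, addresses, and the repair-tool server and resolver (192.0.2.10 and 192.0.2.53) are all assumed values, and it presumes an IOS release that supports 802.1Q subinterfaces (use `encapsulation isl 101` instead if your release only speaks ISL).

```cisco
! Added example (assumed interface names, VLAN ids and addresses), not
! configuration from the original thread.
!
! Physical interface toward the switch that carries the customer VLANs.
interface Ethernet0
 no ip address
!
! One subinterface per customer jack, each on its own VLAN, so customer
! machines never share a broadcast domain with each other or with staff.
interface Ethernet0.101
 description Customer repair jack 1 (VLAN 101)
 encapsulation dot1Q 101
 ip address 10.101.0.1 255.255.255.0
 ip access-group CUST101-IN in
!
! Inbound filter applied where the VLAN enters the router, before any
! routing decision, so nothing from this VLAN reaches another VLAN or the
! PIX unless it is explicitly listed here.
ip access-list extended CUST101-IN
 ! Only the one address assigned to this jack may send at all, and only
 ! to the repair-tool server on the ports the tools actually use.
 permit tcp host 10.101.0.10 host 192.0.2.10 eq 80
 permit tcp host 10.101.0.10 host 192.0.2.10 eq 443
 ! Name resolution against the internal resolver only.
 permit udp host 10.101.0.10 host 192.0.2.53 eq 53
 ! Any other source address on the jack (a customer box that helped itself
 ! to a different IP) and any other destination (business segments, other
 ! customer VLANs, the internet at large) is dropped and logged.
 deny ip any any log
```

Repeat the subinterface and ACL pair with a different VLAN number and subnet for each additional customer jack; the `log` keyword on the final deny gives you a record of an infected machine probing for neighbours.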

  3. John Smith

    John Smith Guest

    Above all else, if virus protection is your biggest concern when connecting
    _external_ PCs to your network, invest in some commercial quality virus
    protection software, especially something server/client based.
    Viruses/trojans can spread randomly through any port they are programmed to
    spread through (not just via email anymore), so it is impossible to build
    ACLs based on _only_ known viruses. Symantec or McAfee should suit your
    needs on this... make sure your server antivirus software is updating
    _daily_ and that your client antivirus software is configured properly to
    pull virus defs from your internal server... even if you only give one PC
    access to one PC across VLANs, all it takes is one unprotected PC to catch
    a virus and spread it to all others in the same VLAN...

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cnp2bl$5qk$...
    > In article <A8Rnd.26774$>,
    > John Cadella <> wrote:
    > :The next task is to protect the 4700 segments from each other in case one
    > :has a PC or laptop connected that has a virus. The scenario is when we
    > :bring in customer PCs for repair, we need internet connectivity, but want
    > to
    > :protect the other segments in the business from potential viruses that
    > might
    > :spread from the Tech dept segment.
    >
    > :Would I use an access list, or maybe a router can't prevent viruses from
    > :spreading among its segments?
    >
    > You might try an approach such as this:
    >
    > Set aside specific jacks for connecting customer computers. Put those
    > jacks into different vlans (from anything else you use; different
    > than the other customer jacks too so you don't end up spreading
    > viruses between customer computers.) Set a specific customer IP address
    > for each vlan.
    >
    > On the 4700, set up one interface or subinterface (as appropriate)
    > for each VLAN, and set ACLs on that interface to permit out -only-
    > the one IP you have assigned for use on that VLAN, and set the ACLs
    > to permit traffic to -only- the systems and ports that you absolutely
    > need in order to launch the tools you need to repair and cleanse
    > the system. Keep in mind, though, that if a system is infected,
    > then it may be infected in a way that disables virus checkers and
    > so on from running correctly, so really you should boot from a
    > special CD (or floppy) that contains thorough checking and repair tools.
    >
    > You want to set up these ACLs on the 4700 rather than the PIX for
    > a couple of reasons.
    >
    > 1) The 4700 can handle VLANs [if you have an appropriate software
    > release] but the PIX 501 has no VLAN support. (The 515/515E, 520, 525,
    > and 535 all have VLAN support as of 6.3.1, and the 506/506E gained
    > support for 1 VLAN in 6.3(4)).
    >
    > 2) You don't want the various vlans to have a chance to route to each
    > other before you get to the filtering device, so you don't want to just
    > route on the 4700 and send the packets to the PIX: that would allow the
    > customer computers to talk to each other and to your internal machines
    > without the PIX getting involved.
    > --
    > When your posts are all alone / and a user's on the phone/
    > there's one place to check -- / Upstream!
    > When you're in a hurry / and propagation is a worry/
    > there's a place you can post -- / Upstream!
     
    John Smith, Nov 21, 2004
    #3
  4. Tosh

    Tosh Guest

    > The next task is to protect the 4700 segments from each other in case one
    > has a PC or laptop connected that has a virus. The scenario is when we
    > bring in customer PCs for repair, we need internet connectivity, but want
    > to protect the other segments in the business from potential viruses that
    > might spread from the Tech dept segment.
    >

    You can plug in a "content inspector" like FortiGate; it'll analyze all the
    traffic flowing through it against viruses and attacks, at least that is what
    they say about their product.
    Bye,
    Tosh.
     
    Tosh, Nov 22, 2004
    #4