[c-nsp] Securing virtual networks

Nate Carlson cisco-nsp at natecarlson.com
Thu Mar 13 19:18:31 EDT 2008


On Thu, 13 Mar 2008, Higham, Josh wrote:
> I know that I can isolate it in a VLAN, but I want to avoid having a 
> single point of failure.  If someone puts a port into the wrong VLAN, 
> and the user gets a DHCP address (two segregated user access networks, 
> for example) we might not know until it actually causes a problem by 
> releasing a virus (or worse, a directed malicious attack).
>
> This is historically the reason for using physical separation, but 
> that's no longer viable.  I am just wondering if there are any good ways 
> to protect against user error, or if people just ignore it.

Got'cha.

You could always use NAC to ensure users are on the network they are 
supposed to be on, and then not require NAC on a 'guest network'; users 
tend to not like that too much, however.  ;)

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------

