On Mon, Sep 19, 2011 at 10:26, Paul Hutchings <[email protected]> wrote:
> I think there are a few ways to skin this cat so I’m throwing it open for
> any views on the pros and cons of each.
>
> An office, network ports are wall mounted and all go back to a central comms
> cupboard.
>
> In the office are two groups of people.
>
> The two groups need an area where they can store/share files, but whilst one
> group has access to the regular LAN one group is untrusted so we want them
> as far away from the regular LAN as possible.
>
> How would you do it?

This should do it.

1) visibly mark all jacks as either production or guest

2) make sure that any unused network jacks are disconnected on the back end.

3) segment your network so that machines that are plugged into jacks designated as guest don't have access to the production network - you'll need a router/firewall/separate connection to make this happen.

4) depending on your needs and your level of paranoia, put up something like arpwatch on the production network so that any new machines plugged into it are detected and you are notified immediately, probably via email. You'll need a managed switch to make this happen, or something similar.

5a) set up a small file server in the guest network to which staff on the production network have access, or

5b) set up a file upload/download facility on your production LAN (probably web based) and limit access to it via a firewall/router ACL.

I'd go for 5a, personally, all other things being equal, but if circumstances dictated I wouldn't mumble too much about 5b.

Kurt
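
The kind of check described in step 4, as an added example that is not part of the original post and is not arpwatch's own code or log format: it compares observed IP/MAC pairings against a known baseline and reports stations that are new or whose MAC has changed. The addresses, the baseline table and the function names are constructed for illustration.

```python
# Constructed baseline: IP -> MAC pairings already known on the production LAN.
KNOWN = {
    "10.0.0.10": "00:16:3e:aa:00:10",
    "10.0.0.11": "00:16:3e:aa:00:11",
}

# Constructed observations (ip, mac), in the order they were seen in ARP traffic.
OBSERVED = [
    ("10.0.0.10", "0:16:3E:AA:0:10"),     # known pairing, written differently
    ("10.0.0.57", "00:16:3e:bb:00:57"),   # never seen before
    ("10.0.0.11", "00:16:3e:cc:00:99"),   # known IP, different MAC
    ("10.0.0.57", "00:16:3e:bb:00:57"),   # repeat, must not alert twice
]


def normalise(mac):
    """Lower-case and zero-pad each octet so 0:c:29 compares equal to 00:0c:29."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(part, 16):02x}" for part in parts)


def watch(known, observed):
    """Return (kind, ip, detail) alerts; the table is updated as pairs are seen."""
    table = {ip: normalise(mac) for ip, mac in known.items()}
    alerts = []
    for ip, mac in observed:
        mac = normalise(mac)
        previous = table.get(ip)
        if previous is None:
            # An address that was never on the production LAN before.
            alerts.append(("new station", ip, mac))
        elif previous != mac:
            # Same IP now answered by different hardware.
            alerts.append(("changed ethernet address", ip, f"{previous} -> {mac}"))
        table[ip] = mac
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in watch(KNOWN, OBSERVED):
        # In practice this line would be mailed to the admin, as step 4 suggests.
        print(f"{kind}: {ip} {detail}")
```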
