"I don't pretend to have experience with anything in the previous
sentence, and the better the physical separation I can achieve, the
safer I feel - at least until I get a bunch more education/experience
under my belt"

If that is the case, purchase some cheap home routers and create a separate
VLAN on the backbone wired network to get them access to a
DSL/FIOS/Broadband connection.  Lock them to only be on for just so many
hours per day and work days.  If possible and the wire exists already,
instead of a separate VLAN put them on a separate wired network.  I was able
to do the VLAN method at the last gig I had and all was good.  Our external
consultant came in and pen tested the networks to verify no leakage from one
to the other prior to going live and was there the day we went live to
check everything again.  Separate networks are so much nicer and if the user
just had to use the Guest WiFi then they had to use VPN to access internal
stuff.  Sometimes it is just better to be the one that says no and keeps it
that way.  The powers that were, were not happy paying for the second
connection but a couple of months later it became very handy when some
"visitors" just had to have access to the Internet and they flooded the
Guest network with traffic from an infected machine.  Having a separate
Guest network also comes in handy when testing remote access to the network.

Jon

On Wed, Jun 9, 2010 at 6:12 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> AFAIK, nmap and wireshark won't tell you as much as you need to know
> about arp flooding, vlan hopping and suchlike. Well, wireshark might,
> but you'll need to monitor it pretty much continuously, and that's
> probably a full time job.
>
> For assurance, initially you'll need a pen-test and/or a full audit
> by someone who knows what they're doing, then put in place good
> IDS/IPS systems that are tuned for your environment.
>
> I don't pretend to have experience with anything in the previous
> sentence, and the better the physical separation I can achieve, the
> safer I feel - at least until I get a bunch more education/experience
> under my belt.
>
> Kurt
>
>
> On Wed, Jun 9, 2010 at 14:29, Jason Gauthier <jgauth...@lastar.com> wrote:
> > You should provide specifics, instead of ambiguity.
> > Ambiguity helps no one, last I checked.
> >
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > Sent: Wednesday, June 09, 2010 4:50 PM
> > To: NT System Admin Issues
> > Subject: Re: OTish: Wireless network configuration
> >
> > And more than that will be needed, as well.
> >
> > On Wed, Jun 9, 2010 at 13:44, Phil Brutsche <p...@optimumdata.com> wrote:
> >> Or use Wireshark to make sure you don't see traffic you shouldn't.
> >>
> >> On 6/9/2010 3:41 PM, Jason Gauthier wrote:
> >>> You use NMAP to do network scans to determine what is accessible and what isn't.
> >>
> >> --
> >>
> >> Phil Brutsche
> >> p...@optimumdata.com
> >>
> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >>