I'm curious what others may recommend for connecting internal networks that are also untrusted. We've got a teaching department that will probably end up running their own DHCP and DNS services, in addition to a cybersecurity program (clean lab only; the dirty lab should always be isolated). We've previously had issues with students in these classes not following instructions and running rogue DHCP servers on bridged connections or doing ARP/penetration scans without limiting the target ranges.
My thought was to directly connect their switch to our A/S 5250 firewalls. Currently they're on a VLAN that flows through some of the building switches, but I want to remove even that: even at layer 2, some of the things they've done in the past have caused connectivity issues for users on other VLANs when the network hardware is shared.
I would think the firewalls we have should be able to handle pretty much anything these folks could throw at them, but of course I recognize that internal traffic and attacks (malicious or not) can be very different from what the Internet can throw at you. Of course I don't want it to affect production, and we do pipe internal traffic through it as a central means of controlling access and security.
I'm curious what others may have done or recommend and if there are any specific areas of the config I should look at (flood control caught my eye for example).
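The two behaviours the post describes (a student VM answering DHCP on a bridged NIC, and hosts ARP-sweeping ranges they were not told to touch) are both easy to spot from a packet summary taken at the lab uplink, which is a useful check to have whether or not the lab gets its own firewall port. The script below is an added example and is not from the original post or from any vendor; it assumes a constructed one-packet-per-line summary format (`<epoch> <kind> <src_ip> <dst_ip> [key=value ...]`), and every IP address in it is made up. It flags any DHCP OFFER whose source is not on the allowlist and any host that ARPs at least `threshold` distinct addresses inside a sliding time window.

```python
"""Added example (not from the original post): flag rogue DHCP servers and ARP
sweeps in a lab VLAN from packet-summary lines.

Assumed line format (one packet per line, constructed for this example):
    <epoch_seconds> <kind> <src_ip> <dst_ip> [key=value ...]
where kind is DHCP_OFFER or ARP_REQUEST.  All addresses are constructed.
"""
from collections import defaultdict, deque

# Constructed allowlist: the one DHCP server that is supposed to answer on the teaching VLAN.
AUTHORIZED_DHCP_SERVERS = frozenset({"10.20.0.1"})

# Constructed sample: two OFFERs from the sanctioned server, two from a student's
# bridged VM (10.20.0.133) handing out addresses from its own 192.168.1.0/24 pool,
# one host (10.20.0.55) ARPing only its gateway, and one host (10.20.0.77)
# ARPing twelve neighbours in under two seconds.
SAMPLE_LINES = [
    "1700000000.10 DHCP_OFFER 10.20.0.1 10.20.0.55 yiaddr=10.20.0.55",
    "1700000000.20 DHCP_OFFER 10.20.0.133 10.20.0.55 yiaddr=192.168.1.100",
    "1700000003.40 DHCP_OFFER 10.20.0.1 10.20.0.56 yiaddr=10.20.0.56",
    "1700000003.45 DHCP_OFFER 10.20.0.133 10.20.0.56 yiaddr=192.168.1.101",
    "1700000010.00 ARP_REQUEST 10.20.0.55 10.20.0.1 who-has",
] + [
    f"{1700000012 + i * 0.15:.2f} ARP_REQUEST 10.20.0.77 10.20.0.{i + 1} who-has"
    for i in range(12)
]


def parse_line(line):
    """Parse one summary line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    extra = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return {"ts": ts, "kind": parts[1], "src": parts[2], "dst": parts[3], **extra}


def find_rogue_dhcp(lines, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return {server_ip: [offered addresses]} for every OFFER not sent by an authorized server."""
    rogue = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "DHCP_OFFER" and rec["src"] not in authorized:
            rogue[rec["src"]].append(rec.get("yiaddr", "?"))
    return dict(rogue)


def find_arp_sweeps(lines, window=5.0, threshold=10):
    """Return {src_ip: peak distinct targets} for hosts that ARP at least `threshold`
    distinct addresses inside any sliding window of `window` seconds."""
    per_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "ARP_REQUEST":
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, events in per_src.items():
        events.sort()
        win = deque()                 # (ts, dst) pairs inside the current window
        counts = defaultdict(int)     # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            win.append((ts, dst))
            counts[dst] += 1
            # Drop requests that have aged out of the window, keeping distinct-target counts exact.
            while win and ts - win[0][0] > window:
                old_ts, old_dst = win.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            sweeps[src] = peak
    return sweeps


if __name__ == "__main__":
    print("rogue DHCP servers:", find_rogue_dhcp(SAMPLE_LINES))
    print("ARP sweeps:", find_arp_sweeps(SAMPLE_LINES))
```

The sliding window matters more than a plain count: a legitimate host ARPs many neighbours over a day, but only a scanner does it in seconds. In practice the same checks map onto switch-side controls (DHCP snooping with the uplink as the only trusted port, and ARP/broadcast rate limits on access ports), which stop the problem before it reaches the firewall rather than only reporting it.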