May 9th, 2005, 10:37 PM
#35
I've been thinking about breaking our network into subnets for a while now, and I just used this experience as a prime example to make the case for it to my boss. We also have a web server that I think should be sitting on a DMZ instead of right here on the main network with everything else.
Tell your boss from me:-
Everything that cannot be implicitly trusted must not be allowed on the trusted network... period. This includes services that are available to the public such as HTTP, SMTP, FTP etc. and laptops that are unable to restrict the user from altering the security settings set via policy by the IT department, (or the local geek in your case...). Entities such as that should be DMZed or placed outside the firewall and any access to the trusted network from them should be on a different service or, at a minimum, a different type of the service that requires an attacker to have two simultaneously unpatched exploits for different systems. Uncontrolled laptops should attach to the WAP and have to VPN into the trusted network under restricted conditions. The only exception I can think of for this is Outlook Web Access over SSL.... I still can't find a sensible solution for this that doesn't allow several critical ports to be opened from the DMZ to the trusted as opposed to the single port allowed directly through... What can I say? I'm an idiot....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
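The rule of thumb in the reply above (public-facing hosts live in the DMZ, the untrusted side never reaches the trusted network directly, and whatever a DMZ host is allowed to open into the trusted network must be a different service from the one it exposes publicly, so an attacker needs two separate exploits) can be checked mechanically against a zone policy. The checker below is an added example, not code from the original thread; the hosts, services and rule table are constructed and hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: str    # "any" stands for the public Internet
    dst_zone: str
    dst_host: str
    service: str

# Constructed sample policy; host names and services are hypothetical.
SAMPLE_RULES = [
    Rule("untrusted", "any", "dmz", "www1", "https"),
    Rule("untrusted", "any", "dmz", "mail1", "smtp"),
    Rule("dmz", "www1", "trusted", "db1", "mysql"),        # different service than exposed: acceptable
    Rule("dmz", "mail1", "trusted", "exch1", "smtp"),      # same service on both sides: flagged
    Rule("untrusted", "any", "trusted", "files1", "smb"),  # public straight into trusted: flagged
]

def public_exposure(rules):
    """Map each DMZ host to the services the untrusted zone may reach on it."""
    exposed = {}
    for r in rules:
        if r.src_zone == "untrusted" and r.dst_zone == "dmz":
            exposed.setdefault(r.dst_host, set()).add(r.service)
    return exposed

def find_violations(rules):
    """Return (rule, reason) pairs for flows that break the two-exploit principle."""
    exposed = public_exposure(rules)
    bad = []
    for r in rules:
        if r.dst_zone != "trusted":
            continue
        if r.src_zone == "untrusted":
            bad.append((r, "untrusted zone reaches the trusted network directly"))
        elif r.src_zone == "dmz" and r.service in exposed.get(r.src_host, set()):
            bad.append((r, f"{r.src_host} exposes {r.service} publicly and may also use it "
                           f"into trusted; one exploit would cross both boundaries"))
    return bad

if __name__ == "__main__":
    for rule, why in find_violations(SAMPLE_RULES):
        print(f"{rule.src_zone}/{rule.src_host} -> {rule.dst_zone}/{rule.dst_host} "
              f"{rule.service}: {why}")
```

Feeding the real rule base into `SAMPLE_RULES` (one `Rule` per permitted flow) turns the checker into a quick audit of whether any single service is the only thing standing between the Internet and the trusted network.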