Firewall Wizards mailing list archives
RE: Discretionary WiFi Access
From: StefanDorn () bankcib com
Date: Fri, 8 Jul 2005 11:13:35 -0500
One thing to consider is that once you've set up a separate network inside your infrastructure, how are you going to monitor it? It would be pretty irresponsible these days to just set up a 'fire and forget' guest network, even if it isn't connected to your main network. Disclaimer or not, you'd need to consider logging options, and security is still an important piece, since your guest network is a doorway for potential information leaks. Your main network may be very secure, but will that stop someone from transferring data by plugging in to your unsecured network? Nope. You also would have to consider using strong web blocking, AV, and firewall rule sets, since you could easily damage your business image (not to mention generate a ton of bad audit results) by running an unsecured network within your infrastructure. Stefan Dorn firewall-wizards-admin () honor icsalabs com wrote on 07-08-2005 07:48:45 AM:
Keeping it simple:Physical segregation and only Internet access Provide access points ONLY at cafeterias and conference rooms. Have
separate
L2, L3 devices for these access points and donor interface at any point
with
the company LAN.Limit signal strength to within your premises. Have a separate Firewall and provide outbound access, with standard
gateway
controls like AV, URL filter . --------------------------------------------- Some companies implement MAC-address-locking for guests. Give your
driving
license and take a wireless card. U always remember to take your license back. Jose Varghese Paladion Networks Application Security Magazine http://palisade.paladion.net -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Dave
Null
Sent: Friday, July 08, 2005 2:17 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] Discretionary WiFi Access Its not firewall related, but there's some smart minds on this list. My company has started looking into campus-wide WiFi. I'll keep my
personal
feeling on this to myself though. One thing that keeps comming up is
that
one of the largest user communities that would take advantage of this
would
be non-employees. Vendors, Salesmen, people meeting with GMs/VPs/Execs
are
probably going to be the main users of this. My question is, if you currently have a similar situation in your work environment, how do you handle granting these people temp/guest WiFi access. Access controls for employees can be fairly stringent (i.e. only connect from company owned assets who's MAC is inventoried, use of 2 factor authentication, etc), but a lot of this isnt applicable for temporary visitors. I know one company that would give you a WiFi card when you
signed
in that was in their database of 'allowed' MAC addresses (I know, dont
get
me started on MAC spoofing), however I would bet cash money that those
cards
walked away regularly. Similar thing with issuing a temporary token fob (SecureID or the like). I know the easy answer here is 'Dont give them WiFi access', but I don't think that is going to be an option. Thoughts, comments, flames? -noid _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Discretionary WiFi Access Dave Null (Jul 07)
- Re: Discretionary WiFi Access John Adams (Jul 08)
- Re: Discretionary WiFi Access Sp0oKeR Labs (Jul 08)
- Re: Discretionary WiFi Access Kevin (Jul 08)
- RE: Discretionary WiFi Access Jose Varghese (Jul 08)
- Re: Discretionary WiFi Access Brenno Hiemstra (Jul 14)
- RE: Discretionary WiFi Access StefanDorn (Jul 14)
- Re: Discretionary WiFi Access Vinicius Moreira Mello (Jul 21)
- Re: Discretionary WiFi Access Jim Seymour (Jul 21)
- Re: Discretionary WiFi Access Josh Welch (Jul 14)
- Re: Discretionary WiFi Access Paul D. Robertson (Jul 21)
- Re: Discretionary WiFi Access Jim Seymour (Jul 21)
- Re: Discretionary WiFi Access Josh Welch (Jul 22)
- Re: Discretionary WiFi Access Roger Rustad (Jul 21)
- Re: Discretionary WiFi Access Josh Welch (Jul 22)
- Re: Discretionary WiFi Access Paul D. Robertson (Jul 21)
- Re: Discretionary WiFi Access Tom Carmichael (Jul 14)
- Re: Discretionary WiFi Access Chris Byrd (Jul 14)