Firewall Wizards mailing list archives
Re: Discretionary WiFi Access
From: jseymour () linxnet com (Jim Seymour)
Date: Fri, 8 Jul 2005 09:57:56 -0400 (EDT)
Dave Null <noid23 () gmail com> wrote:
[snip]
> My company has started looking into campus-wide WiFi. I'll keep my personal feeling on this to myself though.
WiFi doesn't *have* to be a problem. Use WPA for your secure WLAN.
> One thing that keeps coming up is that one of the largest user communities that would take advantage of this would be non-employees. Vendors, Salesmen, people meeting with GMs/VPs/Execs are probably going to be the main users of this. My question is, if you currently have a similar situation in your work environment, how do you handle granting these people temp/guest WiFi access?
We don't--currently. But the issue has been raised.
> Access controls for employees can be fairly stringent (i.e. only connect from company owned assets whose MAC is inventoried,
Worthless measure. I did away with MAC address ACLs when I added my second AP. (We have a kind of "MAC access control" due to the use of DHCP for address assignment, but, of course, that would be trivial to get around.)
> use of 2 factor authentication, etc), but a lot of this isn't applicable for temporary visitors.
Yup. [snip]
> I know the easy answer here is 'Don't give them WiFi access', but I don't think that is going to be an option.
Of course, when it blows up in management's collective faces, they will take responsibility for that, *and* see to it the IT dept. is compensated for the extra time spent cleaning up, right?
> Thoughts, comments, flames?
There are a couple of ways to go, but both of them involve setting up a completely separate WiFi network, with a completely separate (set of) WiFi AP(s) running in "open" mode.

One way is to terminate the "guest" WLAN on a dedicated port on your existing firewall or Internet border router. Another way would be to terminate the guest WLAN at a firewall connecting to your existing LAN. I don't like the latter option. And if your Internet firewall is anything like mine, your guests would probably find the resulting 'net access largely useless, anyway. (No IMAP/POP/SMTP or IM of any type through the firewall. ActiveTrojan filtered/blocked. Etc., etc.)

If the idea of running an open mode WLAN scares you (it ought to), you *could* compromise on a WEP or WPA-PSK WLAN. But those would almost certainly involve you in tech. support for your guests. And, of course, if anything should break coincident with whatever you did to get them on your guest WLAN...

Airports, coffee houses and the like use some sort of system that lets guests on the WLAN, but all traffic leads to a firewall and HTTP requests get them to a system that lets them buy time with a CC. Maybe something like that? You'd still need a completely separate WLAN, of course.

Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.linxnet.com/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
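
The first option described in the message above (guest WLAN terminated on a dedicated firewall port, with no path to the internal LAN), expressed as an nftables ruleset. This is an added example, not part of the original post or anyone's production configuration; the interface names, the guest subnet, and the assumption that the firewall itself hands out DHCP and DNS to guests are all hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed (hypothetical) names:
#   wan0   = Internet-facing port
#   lan0   = internal LAN port
#   guest0 = dedicated port the open-mode guest APs plug into
#   192.168.50.0/24 = guest subnet (constructed value)
# Rules for the internal LAN are site-specific and intentionally not shown.

flush ruleset

define WAN       = "wan0"
define LAN       = "lan0"
define GUEST     = "guest0"
define GUEST_NET = 192.168.50.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Guests may ask the firewall for DHCP and DNS, nothing else:
        # no SSH, no web admin, no SNMP from the guest side.
        iifname $GUEST udp sport 68 udp dport 67 accept
        iifname $GUEST ip saddr $GUEST_NET udp dport 53 accept
        iifname $GUEST ip saddr $GUEST_NET tcp dport 53 accept
        iifname $GUEST counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Guest traffic may leave via the Internet port only. The source
        # check drops spoofed addresses arriving on the guest port.
        iifname $GUEST oifname $WAN ip saddr $GUEST_NET accept

        # Everything else from guests (to lan0, to other guests) is
        # logged and dropped so probing of the LAN shows up in the logs.
        iifname $GUEST counter log prefix "guest-wlan-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN ip saddr $GUEST_NET masquerade
    }
}
```

Because the forward chain defaults to drop and contains no rule with `guest0` as the output interface, the LAN cannot initiate connections to guest devices either.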