Firewall Wizards mailing list archives

Re: Discretionary WiFi Access


From: jseymour () linxnet com (Jim Seymour)
Date: Fri, 8 Jul 2005 09:57:56 -0400 (EDT)


Dave Null <noid23 () gmail com> wrote:

> [snip]
> My company has started looking into campus-wide WiFi. I'll keep my
> personal feeling on this to myself though.

WiFi doesn't *have* to be a problem.  Use WPA for your secure WLAN.

> One thing that keeps
> coming up is that one of the largest user communities that would take
> advantage of this would be non-employees. Vendors, Salesmen, people
> meeting with GMs/VPs/Execs are probably going to be the main users of
> this. My question is, if you currently have a similar situation in
> your work environment, how do you handle granting these people
> temp/guest WiFi access.

We don't--currently.  But the issue has been raised.


> Access controls for employees can be fairly stringent (i.e. only
> connect from company owned assets whose MAC is inventoried,

Worthless measure.  I did away with MAC address ACLs when I added my
second AP.  (We have a kind of "MAC access control" due to the use of
DHCP for address assignment, but, of course, that would be trivial to
get around.)

> use of 2
> factor authentication, etc), but a lot of this isn't applicable for
> temporary visitors.

Yup.

> [snip]

> I know the easy answer here is 'Don't give them WiFi access', but I
> don't think that is going to be an option.

Of course, when it blows up in management's collective faces, they will
take responsibility for that, *and* see to it the IT dept. is
compensated for the extra time spent cleaning up, right?

> Thoughts, comments, flames?

There are a couple of ways to go, but both of them involve setting up a
completely separate WiFi network, with a completely separate (set of)
WiFi AP(s) running in "open" mode.  One way is to terminate the "guest"
WLAN on a dedicated port on your existing firewall or Internet border
router.  Another way would be to terminate the guest WLAN at a firewall
connecting to your existing LAN.  I don't like the latter option.  And
if your Internet firewall is anything like mine, your guests would
probably find the resulting 'net access largely useless, anyway.  (No
IMAP/POP/SMTP or IM of any type through the firewall.  ActiveTrojan
filtered/blocked.  Etc., etc.)

If the idea of running an open mode WLAN scares you (it ought to), you
*could* compromise on a WEP or WPA-PSK WLAN.  But those would almost
certainly involve you in tech. support for your guests.  And, of
course, if anything should break coincident with whatever you did to
get them on your guest WLAN...

Airports, coffee houses and the like use some sort of system that lets
guests on the WLAN, but all traffic leads to a firewall and HTTP
requests get them to a system that lets them buy time with a CC.  Maybe
something like that?  You'd still need a completely separate WLAN, of
course.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.
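The first option Jim describes above, a guest WLAN terminated on its own dedicated firewall port with Internet-only access, as an added illustration that is not part of the original post. It is a script that emits an iptables ruleset for a Linux firewall; the interface names (eth0 Internet, eth1 corporate LAN, eth2 guest APs) and the guest address range are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the list post): isolate an open-mode guest WLAN
# that hangs off a dedicated firewall port. Guests get Internet only; they
# never get a path into the corporate LAN or to the firewall's own services
# beyond DHCP and DNS. Interface names and the subnet are assumptions.
WAN=${WAN:-eth0}        # Internet side
LAN=${LAN:-eth1}        # corporate LAN
GUEST=${GUEST:-eth2}    # dedicated port the guest APs plug into
GUEST_NET=${GUEST_NET:-192.168.250.0/24}   # constructed sample range

# Prints the rules rather than applying them, so they can be reviewed
# first; on the firewall, pipe the output to sh to load them.
guest_fw_rules() {
    cat <<EOF
iptables -N GUEST_FWD
iptables -N GUEST_IN
# Everything arriving on the guest port goes through the guest chains.
iptables -A FORWARD -i $GUEST -j GUEST_FWD
iptables -A INPUT   -i $GUEST -j GUEST_IN
# Only addresses from the guest subnet may speak on the guest port.
iptables -A GUEST_FWD ! -s $GUEST_NET -j DROP
iptables -A GUEST_IN  ! -s $GUEST_NET -j DROP
# No traffic between the guest WLAN and the corporate LAN, either way.
iptables -A GUEST_FWD -o $LAN -j DROP
iptables -A FORWARD -i $LAN -o $GUEST -j DROP
# Guests may open connections to the Internet; replies come back via conntrack.
iptables -A GUEST_FWD -o $WAN -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $GUEST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GUEST_FWD -j DROP
# The firewall itself serves guests DHCP and DNS only.
iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_IN -j DROP
# Hide guest addresses behind the firewall's Internet address.
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN -j MASQUERADE
EOF
}

guest_fw_rules
```

Any extra restriction Jim mentions for his own firewall (mail, IM, ActiveX filtering) would be added as further DROP or proxy rules in the GUEST_FWD chain before the Internet ACCEPT.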
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

